diff options
author | Nick Kralevich <nnk@google.com> | 2015-02-24 13:40:43 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-02-24 13:40:43 -0800 |
commit | 35778253a5ed71e87a608ca590b63729d9f88567 (patch) | |
tree | d9e6112654bf2faa754abd9f28bc20c2ccccff57 /libc/bionic | |
parent | 2aef607b25c463baed5ae70d14212e24ea7bcf2b (diff) | |
download | bionic-35778253a5ed71e87a608ca590b63729d9f88567.zip bionic-35778253a5ed71e87a608ca590b63729d9f88567.tar.gz bionic-35778253a5ed71e87a608ca590b63729d9f88567.tar.bz2 |
Fix "faccessat ignores flags"
The kernel system call faccessat() does not have any flags arguments,
so passing flags to the kernel is currently ignored.
Fix the kernel system call so that no flags argument is passed in.
Ensure that we don't support AT_SYMLINK_NOFOLLOW. This non-POSIX
(http://pubs.opengroup.org/onlinepubs/9699919799/functions/access.html)
flag is a glibc extension, and has non-intuitive, error prone behavior.
For example, consider the following code:
symlink("foo.is.dangling", "foo");
if (faccessat(AT_FDCWD, "foo", R_OK, AT_SYMLINK_NOFOLLOW) == 0) {
int fd = openat(AT_FDCWD, "foo", O_RDONLY | O_NOFOLLOW);
}
The faccessat() call in glibc will return true, but an attempt to
open the dangling symlink will end up failing. GLIBC documents this
as returning the access mode of the symlink itself, which will
always return true for any symlink on Linux.
Some further discussions of this are at:
* http://lists.landley.net/pipermail/toybox-landley.net/2014-September/003617.html
* http://permalink.gmane.org/gmane.linux.lib.musl.general/6952
AT_SYMLINK_NOFOLLOW seems broken by design. I suspect this is why this
function was never added to POSIX. (note that "access" is pretty much
broken by design too, since it introduces a race condition between
check and action). We shouldn't support this until it's clearly
documented by POSIX or we can have it produce intuitive results.
Don't support AT_EACCESS for now. Implementing it is complicated, and
pretty much useless on Android, since we don't have setuid binaries.
See http://git.musl-libc.org/cgit/musl/commit/?id=0a05eace163cee9b08571d2ff9d90f5e82d9c228
for how an implementation might look.
Bug: 18867827
Change-Id: I25b86c5020f3152ffa3ac3047f6c4152908d0e04
Diffstat (limited to 'libc/bionic')
-rw-r--r-- | libc/bionic/faccessat.cpp | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/libc/bionic/faccessat.cpp b/libc/bionic/faccessat.cpp new file mode 100644 index 0000000..5f375e0 --- /dev/null +++ b/libc/bionic/faccessat.cpp @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2015 The Android Open Source Project + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <fcntl.h> +#include <unistd.h> +#include <errno.h> + +extern "C" int ___faccessat(int, const char*, int); + +int faccessat(int dirfd, const char* pathname, int mode, int flags) { + // "The mode specifies the accessibility check(s) to be performed, + // and is either the value F_OK, or a mask consisting of the + // bitwise OR of one or more of R_OK, W_OK, and X_OK." + if ((mode != F_OK) && ((mode & ~(R_OK | W_OK | X_OK)) != 0) && + ((mode & (R_OK | W_OK | X_OK)) == 0)) { + errno = EINVAL; + return -1; + } + + if (flags != 0) { + // We deliberately don't support AT_SYMLINK_NOFOLLOW, a glibc + // only feature which is error prone and dangerous. + // + // AT_EACCESS isn't supported either. Android doesn't have setuid + // programs, and never runs code with euid!=uid. It could be + // implemented in an expensive way, following the model at + // https://gitlab.com/bminor/musl/commit/0a05eace163cee9b08571d2ff9d90f5e82d9c228 + // but not worth it. + errno = EINVAL; + return -1; + } + + return ___faccessat(dirfd, pathname, mode); +} |