Commit Graph

8 Commits

Author SHA1 Message Date
Yabin Cui
c6e5874a4c Loosen fchmodat AT_SYMLINK_NOFOLLOW test on symlink.
It has been reported in b2/19657449 and b2/19381040 that fchmodat
AT_SYMLINK_NOFOLLOW operation on symlink can succeed. It seems to be
controlled by kernel(version or configuration) or user configuration
whether chmod is allowed on symlinks. Unless we can disable chmod on
symlinks in bionic explicitly, we can not guarantee that the test can
pass. But it seems reasonable to allow chmod on symlink if kernel allows
to. So We prefer to loosen the test here, accepting both success and
failure when doing chmod operation on symlinks.

Bug: 19657449
Bug: 19381040
Change-Id: I780e84f0b50d0412fbac9f1c240d07e984892a28
2015-03-09 18:13:15 -07:00
Nick Kralevich
35778253a5 Fix "faccessat ignores flags"
The kernel system call faccessat() does not have any flags arguments,
so passing flags to the kernel is currently ignored.

Fix the kernel system call so that no flags argument is passed in.

Ensure that we don't support AT_SYMLINK_NOFOLLOW. This non-POSIX
(http://pubs.opengroup.org/onlinepubs/9699919799/functions/access.html)
flag is a glibc extension, and has non-intuitive, error prone behavior.

For example, consider the following code:

  symlink("foo.is.dangling", "foo");
  if (faccessat(AT_FDCWD, "foo", R_OK, AT_SYMLINK_NOFOLLOW) == 0) {
    int fd = openat(AT_FDCWD, "foo", O_RDONLY | O_NOFOLLOW);
  }

The faccessat() call in glibc will return true, but an attempt to
open the dangling symlink will end up failing. GLIBC documents this
as returning the access mode of the symlink itself, which will
always return true for any symlink on Linux.

Some further discussions of this are at:

  * http://lists.landley.net/pipermail/toybox-landley.net/2014-September/003617.html
  * http://permalink.gmane.org/gmane.linux.lib.musl.general/6952

AT_SYMLINK_NOFOLLOW seems broken by design. I suspect this is why this
function was never added to POSIX. (note that "access" is pretty much
broken by design too, since it introduces a race condition between
check and action). We shouldn't support this until it's clearly
documented by POSIX or we can have it produce intuitive results.

Don't support AT_EACCESS for now. Implementing it is complicated, and
pretty much useless on Android, since we don't have setuid binaries.
See http://git.musl-libc.org/cgit/musl/commit/?id=0a05eace163cee9b08571d2ff9d90f5e82d9c228
for how an implementation might look.

Bug: 18867827
Change-Id: I25b86c5020f3152ffa3ac3047f6c4152908d0e04
2015-02-24 13:40:43 -08:00
Nick Kralevich
3cbc6c627f Add fchmodat(AT_SYMLINK_NOFOLLOW) and fchmod O_PATH support
Many libc functions have an option to not follow symbolic
links. This is useful to avoid security sensitive code
from inadvertantly following attacker supplied symlinks
and taking inappropriate action on files it shouldn't.
For example, open() has O_NOFOLLOW, chown() has
lchown(), stat() has lstat(), etc.

There is no such equivalent function for chmod(), such as lchmod().
To address this, POSIX introduced fchmodat(AT_SYMLINK_NOFOLLOW),
which is intended to provide a way to perform a chmod operation
which doesn't follow symlinks.

Currently, the Linux kernel doesn't implement AT_SYMLINK_NOFOLLOW.
In GLIBC, attempting to use the AT_SYMLINK_NOFOLLOW flag causes
fchmodat to return ENOTSUP. Details are in "man fchmodat".

Bionic currently differs from GLIBC in that AT_SYMLINK_NOFOLLOW
is silently ignored and treated as if the flag wasn't present.

This patch provides a userspace implementation of
AT_SYMLINK_NOFOLLOW for bionic. Using open(O_PATH | O_NOFOLLOW),
we can provide a way to atomically change the permissions on
files without worrying about race conditions.

As part of this change, we add support for fchmod on O_PATH
file descriptors, because it's relatively straight forward
and could be useful in the future.

The basic idea behind this implementation comes from
https://sourceware.org/bugzilla/show_bug.cgi?id=14578 , specifically
comment #10.

Change-Id: I1eba0cdb2c509d9193ceecf28f13118188a3cfa7
2015-02-02 13:17:17 -08:00
Elliott Hughes
ca8e84c6ff Add mkfifoat(3).
Looks like I missed one of the *at functions when I added the rest.

Change-Id: If16de82dbf6f9a3ea7bfdcba406ca1c74a3f2279
2014-10-23 19:10:54 -07:00
Christopher Ferris
528ad742c6 Fix sys_stat.mkfifo when not run as root.
It's not allowed for a shell user to create a fifo in /data/local/tmp.
Make the test do nothing if not run as root.

Bug: 17646702

(cherry picked from commit 6c69afdb6d)

Change-Id: Ia3a862ed4586413b7bb393557ab57e0a7141d888
2014-09-24 16:50:30 -07:00
Elliott Hughes
db1ea34748 Implement some of the missing LFS64 support.
This gives us:

* <dirent.h>
  struct dirent64
  readdir64, readdir64_r, alphasort64, scandir64

* <fcntl.h>
  creat64, openat64, open64.

* <sys/stat.h>
  struct stat64
  fstat64, fstatat64, lstat64, stat64.

* <sys/statvfs.h>
  struct statvfs64
  statvfs64, fstatvfs64.

* <sys/vfs.h>
  struct statfs64
  statfs64, fstatfs64.

This also removes some of the incorrect #define hacks we've had in the
past (for stat64, for example, which we promised to clean up way back
in bug 8472078).

Bug: 11865851
Bug: 8472078
Change-Id: Ia46443521918519f2dfa64d4621027dfd13ac566
2014-02-18 15:39:24 -08:00
Elliott Hughes
594b1a4af2 Make sure we have a mkfifo symbol.
Bug: https://code.google.com/p/android/issues/detail?id=58888
Change-Id: Ic0a883a5f30beb82cb7be3c4e81b6d693d5fbb4d
2013-10-22 12:03:19 -07:00
Elliott Hughes
d0be7c8f9a Add futimens.
Bug: 10239370
Change-Id: I518340084103dc339ef8a065d4837d6258a1381d
2013-08-08 17:13:33 -07:00