diff options
author | Lennart Poettering <lennart@poettering.net> | 2018-01-04 20:00:28 +0100 |
---|---|---|
committer | Sven Eden <yamakuzure@gmx.net> | 2018-05-30 07:50:08 +0200 |
commit | 941f374947c8db8311bbde1bba478749d455be43 (patch) | |
tree | e3da7023270163af0924169d33d1c42ca8c19f21 /src/basic/fs-util.c | |
parent | e2c4475028606343176752bd0974df2c5ed6a520 (diff) |
fs-util: add new chase_symlinks() flag CHASE_OPEN
The new flag returns the O_PATH fd of the final component, which may be
converted into a proper fd by open()ing it again through the
/proc/self/fd/xyz path.
Together with O_SAFE this provides us with a somewhat safe way to open()
files in directories potentially owned by unprivileged code, where we
want to refuse operation if any symlink tricks are played pointing to
privileged files.
Diffstat (limited to 'src/basic/fs-util.c')
-rw-r--r-- | src/basic/fs-util.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c index 154163535..32b1fb605 100644 --- a/src/basic/fs-util.c +++ b/src/basic/fs-util.c @@ -647,6 +647,10 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags, assert(path); + /* Either the file may be missing, or we return an fd to the final object, but both make no sense */ + if ((flags & (CHASE_NONEXISTENT|CHASE_OPEN)) == (CHASE_NONEXISTENT|CHASE_OPEN)) + return -EINVAL; + /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following * symlinks relative to a root directory, instead of the root of the host. * @@ -896,6 +900,19 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags, done = NULL; } + if (flags & CHASE_OPEN) { + int q; + + /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by + * opening /proc/self/fd/xyz. */ + + assert(fd >= 0); + q = fd; + fd = -1; + + return q; + } + return exists; } |