| c6e5874a4c19f398eb179a23de9b1d2c06bccea0 |
|
09-Mar-2015 |
Yabin Cui <yabinc@google.com> |
Loosen fchmodat AT_SYMLINK_NOFOLLOW test on symlink.
It has been reported in b2/19657449 and b2/19381040 that fchmodat
AT_SYMLINK_NOFOLLOW operation on symlink can succeed. It seems to be
controlled by kernel(version or configuration) or user configuration
whether chmod is allowed on symlinks. Unless we can disable chmod on
symlinks in bionic explicitly, we can not guarantee that the test can
pass. But it seems reasonable to allow chmod on symlink if kernel allows
to. So We prefer to loosen the test here, accepting both success and
failure when doing chmod operation on symlinks.
Bug: 19657449
Bug: 19381040
Change-Id: I780e84f0b50d0412fbac9f1c240d07e984892a28
|
| 35778253a5ed71e87a608ca590b63729d9f88567 |
|
24-Feb-2015 |
Nick Kralevich <nnk@google.com> |
Fix "faccessat ignores flags"
The kernel system call faccessat() does not have any flags arguments,
so passing flags to the kernel is currently ignored.
Fix the kernel system call so that no flags argument is passed in.
Ensure that we don't support AT_SYMLINK_NOFOLLOW. This non-POSIX
(http://pubs.opengroup.org/onlinepubs/9699919799/functions/access.html)
flag is a glibc extension, and has non-intuitive, error prone behavior.
For example, consider the following code:
symlink("foo.is.dangling", "foo");
if (faccessat(AT_FDCWD, "foo", R_OK, AT_SYMLINK_NOFOLLOW) == 0) {
int fd = openat(AT_FDCWD, "foo", O_RDONLY | O_NOFOLLOW);
}
The faccessat() call in glibc will return true, but an attempt to
open the dangling symlink will end up failing. GLIBC documents this
as returning the access mode of the symlink itself, which will
always return true for any symlink on Linux.
Some further discussions of this are at:
* http://lists.landley.net/pipermail/toybox-landley.net/2014-September/003617.html
* http://permalink.gmane.org/gmane.linux.lib.musl.general/6952
AT_SYMLINK_NOFOLLOW seems broken by design. I suspect this is why this
function was never added to POSIX. (note that "access" is pretty much
broken by design too, since it introduces a race condition between
check and action). We shouldn't support this until it's clearly
documented by POSIX or we can have it produce intuitive results.
Don't support AT_EACCESS for now. Implementing it is complicated, and
pretty much useless on Android, since we don't have setuid binaries.
See http://git.musl-libc.org/cgit/musl/commit/?id=0a05eace163cee9b08571d2ff9d90f5e82d9c228
for how an implementation might look.
Bug: 18867827
Change-Id: I25b86c5020f3152ffa3ac3047f6c4152908d0e04
|
| 3cbc6c627fe57c9a9783c52d148078f8d52f7b96 |
|
01-Feb-2015 |
Nick Kralevich <nnk@google.com> |
Add fchmodat(AT_SYMLINK_NOFOLLOW) and fchmod O_PATH support
Many libc functions have an option to not follow symbolic
links. This is useful to avoid security sensitive code
from inadvertantly following attacker supplied symlinks
and taking inappropriate action on files it shouldn't.
For example, open() has O_NOFOLLOW, chown() has
lchown(), stat() has lstat(), etc.
There is no such equivalent function for chmod(), such as lchmod().
To address this, POSIX introduced fchmodat(AT_SYMLINK_NOFOLLOW),
which is intended to provide a way to perform a chmod operation
which doesn't follow symlinks.
Currently, the Linux kernel doesn't implement AT_SYMLINK_NOFOLLOW.
In GLIBC, attempting to use the AT_SYMLINK_NOFOLLOW flag causes
fchmodat to return ENOTSUP. Details are in "man fchmodat".
Bionic currently differs from GLIBC in that AT_SYMLINK_NOFOLLOW
is silently ignored and treated as if the flag wasn't present.
This patch provides a userspace implementation of
AT_SYMLINK_NOFOLLOW for bionic. Using open(O_PATH | O_NOFOLLOW),
we can provide a way to atomically change the permissions on
files without worrying about race conditions.
As part of this change, we add support for fchmod on O_PATH
file descriptors, because it's relatively straight forward
and could be useful in the future.
The basic idea behind this implementation comes from
https://sourceware.org/bugzilla/show_bug.cgi?id=14578 , specifically
comment #10.
Change-Id: I1eba0cdb2c509d9193ceecf28f13118188a3cfa7
|
| ca8e84c6ff55640aef94d25a86a25778a542bfc2 |
|
24-Oct-2014 |
Elliott Hughes <enh@google.com> |
Add mkfifoat(3).
Looks like I missed one of the *at functions when I added the rest.
Change-Id: If16de82dbf6f9a3ea7bfdcba406ca1c74a3f2279
|
| 528ad742c671f17a9f8731ad8de4bcc931631bc9 |
|
25-Sep-2014 |
Christopher Ferris <cferris@google.com> |
Fix sys_stat.mkfifo when not run as root.
It's not allowed for a shell user to create a fifo in /data/local/tmp.
Make the test do nothing if not run as root.
Bug: 17646702
(cherry picked from commit 6c69afdb6ddd56e011b59e3060f12a5bdffb5f5c)
Change-Id: Ia3a862ed4586413b7bb393557ab57e0a7141d888
|
| 6c69afdb6ddd56e011b59e3060f12a5bdffb5f5c |
|
25-Sep-2014 |
Christopher Ferris <cferris@google.com> |
Fix sys_stat.mkfifo when not run as root.
It's not allowed for a shell user to create a fifo in /data/local/tmp.
Make the test do nothing if not run as root.
Bug: 17646702
Change-Id: I932262fa233eae8b5dd607a2398a47c50a208701
|
| db1ea3474899ebbd783aba872d3005f95a816d0f |
|
18-Jan-2014 |
Elliott Hughes <enh@google.com> |
Implement some of the missing LFS64 support.
This gives us:
* <dirent.h>
struct dirent64
readdir64, readdir64_r, alphasort64, scandir64
* <fcntl.h>
creat64, openat64, open64.
* <sys/stat.h>
struct stat64
fstat64, fstatat64, lstat64, stat64.
* <sys/statvfs.h>
struct statvfs64
statvfs64, fstatvfs64.
* <sys/vfs.h>
struct statfs64
statfs64, fstatfs64.
This also removes some of the incorrect #define hacks we've had in the
past (for stat64, for example, which we promised to clean up way back
in bug 8472078).
Bug: 11865851
Bug: 8472078
Change-Id: Ia46443521918519f2dfa64d4621027dfd13ac566
|
| 594b1a4af204aa9de2b4913182f4556e38d71648 |
|
22-Oct-2013 |
Elliott Hughes <enh@google.com> |
Make sure we have a mkfifo symbol.
Bug: https://code.google.com/p/android/issues/detail?id=58888
Change-Id: Ic0a883a5f30beb82cb7be3c4e81b6d693d5fbb4d
|
| 840a114eb12773c5af39c0c97675b27aa6dee78c |
|
09-Aug-2013 |
Elliott Hughes <enh@google.com> |
Add futimens.
(cherry picked from commit d0be7c8f9a06b3ca8ea7647ea35c8f9dc63f0fe1)
Bug: 10239370
Change-Id: I0087e85a94d83b6ce68ec6a0768c44cbe4bd0132
|
| d0be7c8f9a06b3ca8ea7647ea35c8f9dc63f0fe1 |
|
09-Aug-2013 |
Elliott Hughes <enh@google.com> |
Add futimens.
Bug: 10239370
Change-Id: I518340084103dc339ef8a065d4837d6258a1381d
|