Diffstat (limited to 'meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch')
-rw-r--r-- | meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch | 264 |
1 files changed, 0 insertions, 264 deletions
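--- a/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch
+++ /dev/null
@@ -1,264 +0,0 @@
-commit 7e67d082737b3df4788caf85fedd607b3acd9786
-Author: Peter Seebach <peter.seebach@windriver.com>
-Date: Fri May 16 15:53:06 2014 -0500
-
-permissions updates: improve fchmodat, mask out write bits
-
-Upstream-Status: Backport of several patches from 1.6 branch,
-combined.
-
-Backport from pseudo 1.6 of improvements to fchmodat (handle
-AT_SYMLINK_NOFOLLOW by rejecting it if the host system does,
-to make GNU tar happier), also mask out write bits from filesystem
-modes to avoid security problems.
-
-Also start tracking umask so we can use the right modes for
-open, mkdir, and mknod.
-
-The 1.6 patches are:
-
-87c53ea58befef48677846693aab445df1850e16
-3c716e0bab4f0cfe4be84caa9ce5fd5e3f5e2a23
-c98e4f43b5d6499748a5057134408f4ba4854fb4
-2f71a021b725c1aa415439209a89327f0b997d02
-14925786b55202d8147b0af719038e8a23ef73c0
-
-diff --git a/ChangeLog.txt b/ChangeLog.txt
-index 113f675..cc966ce 100644
---- a/ChangeLog.txt
-+++ b/ChangeLog.txt
-@@ -1,3 +1,18 @@
-+2014-05-27:
-+ * (seebs) start noticing umask, mask it out from open or mkdir
-+ calls rather than relying on underlying open/mkdir to do it.
-+
-+2014-05-16:
-+ * (seebs) fchmodat: don't drop flags, report failures, to improve
-+ compatibility/consistency. Cache the knowledge that
-+ AT_SYMLINK_NOFOLLOW gets ENOTSUP.
-+ * (seebs) mask out group/other write bits in real filesystem to
-+ reduce risks when assembling a rootfs including world-writeable
-+ directories.
-+
-+2014-05-15:
-+ * (seebs) drop flags when calling fchmodat() to appease GNU tar.
-+
-2013-02-27:
-* (seebs) Oh, hey, what if I took out my debug messages?
-* (seebs) update docs a bit to reduce bitrot
-diff --git a/makewrappers b/makewrappers
-index e87cc56..0127766 100755
---- a/makewrappers
-+++ b/makewrappers
-@@ -204,6 +204,7 @@ class Function:
-'uid_t': '0',
-'int': '-1',
-'long': '-1',
-+ 'mode_t': '0',
-'ssize_t': '-1'
-}
-
-diff --git a/ports/darwin/guts/open.c b/ports/darwin/guts/open.c
-index c66cc15..520bb70 100644
---- a/ports/darwin/guts/open.c
-+++ b/ports/darwin/guts/open.c
-@@ -9,6 +9,9 @@
-struct stat buf = { };
-int existed = 1;
-int save_errno;
-+
-+ /* mask out mode bits appropriately */
-+ mode = mode & ~pseudo_umask;
-#ifdef PSEUDO_FORCE_ASYNCH
-flags &= ~O_SYNC;
-#endif
-diff --git a/ports/linux/guts/__xmknodat.c b/ports/linux/guts/__xmknodat.c
-index 59b4f2f..0888b8a 100644
---- a/ports/linux/guts/__xmknodat.c
-+++ b/ports/linux/guts/__xmknodat.c
-@@ -9,6 +9,9 @@
-pseudo_msg_t *msg;
-struct stat64 buf;
-
-+ /* mask out mode bits appropriately */
-+ mode = mode & ~pseudo_umask;
-+
-/* we don't use underlying call, so _ver is irrelevant to us */
-(void) ver;
-
-diff --git a/ports/linux/guts/openat.c b/ports/linux/guts/openat.c
-index 8460073..4053549 100644
---- a/ports/linux/guts/openat.c
-+++ b/ports/linux/guts/openat.c
-@@ -10,6 +10,9 @@
-int existed = 1;
-int save_errno;
-
-+ /* mask out mode bits appropriately */
-+ mode = mode & ~pseudo_umask;
-+
-#ifdef PSEUDO_NO_REAL_AT_FUNCTIONS
-if (dirfd != AT_FDCWD) {
-errno = ENOSYS;
-diff --git a/ports/unix/guts/fchmodat.c b/ports/unix/guts/fchmodat.c
-index 59a92ce..69a953c 100644
---- a/ports/unix/guts/fchmodat.c
-+++ b/ports/unix/guts/fchmodat.c
-@@ -8,6 +8,7 @@
-*/
-PSEUDO_STATBUF buf;
-int save_errno = errno;
-+ static int picky_fchmodat = 0;
-
-#ifdef PSEUDO_NO_REAL_AT_FUNCTIONS
-if (dirfd != AT_FDCWD) {
-@@ -15,6 +16,16 @@
-return -1;
-}
-if (flags & AT_SYMLINK_NOFOLLOW) {
-+ /* Linux, as of this writing, will always reject this.
-+ * GNU tar relies on getting the rejection. To cut down
-+ * on traffic, we check for the failure, and if we saw
-+ * a failure previously, we reject it right away and tell
-+ * the caller to retry.
-+ */
-+ if (picky_fchmodat) {
-+ errno = ENOTSUP;
-+ return -1;
-+ }
-rc = base_lstat(path, &buf);
-} else {
-rc = base_stat(path, &buf);
-@@ -50,13 +61,22 @@
-
-/* user bits added so "root" can always access files. */
-#ifdef PSEUDO_NO_REAL_AT_FUNCTIONS
-- /* note: if path was a symlink, and AT_NOFOLLOW_SYMLINKS was
-+ /* note: if path was a symlink, and AT_SYMLINK_NOFOLLOW was
-* specified, we already bailed previously. */
-real_chmod(path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)));
-#else
-- real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags);
-+ rc = real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags);
-+ /* AT_SYMLINK_NOFOLLOW isn't supported by fchmodat. GNU tar
-+ * tries to use it anyway, figuring it can just retry if that
-+ * fails. So we want to report that *particular* failure instead
-+ * of doing the fallback.
-+ */
-+ if (rc == -1 && errno == ENOTSUP && (flags & AT_SYMLINK_NOFOLLOW)) {
-+ picky_fchmodat = 1;
-+ return -1;
-+ }
-#endif
-- /* we ignore a failure from underlying fchmod, because pseudo
-+ /* we otherwise ignore failures from underlying fchmod, because pseudo
-* may believe you are permitted to change modes that the filesystem
-* doesn't. Note that we also don't need to know whether the
-* file might be a (pseudo) block device or some such; pseudo
-diff --git a/ports/unix/guts/mkdirat.c b/ports/unix/guts/mkdirat.c
-index e846b70..e0b6af9 100644
---- a/ports/unix/guts/mkdirat.c
-+++ b/ports/unix/guts/mkdirat.c
-@@ -6,11 +6,14 @@
-* wrap_mkdirat(int dirfd, const char *path, mode_t mode) {
-* int rc = -1;
-*/
-+ /* mask out mode bits appropriately */
-+ mode = mode & ~pseudo_umask;
-#ifdef PSEUDO_NO_REAL_AT_FUNCTIONS
-if (dirfd != AT_FDCWD) {
-errno = ENOSYS;
-return -1;
-}
-+
-rc = real_mkdir(path, PSEUDO_FS_MODE(mode, 1));
-#else
-rc = real_mkdirat(dirfd, path, PSEUDO_FS_MODE(mode, 1));
-diff --git a/ports/unix/guts/mknodat.c b/ports/unix/guts/mknodat.c
-index 6fd5b42..5d8d47c 100644
---- a/ports/unix/guts/mknodat.c
-+++ b/ports/unix/guts/mknodat.c
-@@ -10,6 +10,9 @@
-PSEUDO_STATBUF buf;
-int save_errno = errno;
-
-+ /* mask out mode bits appropriately */
-+ mode = mode & ~pseudo_umask;
-+
-#ifdef PSEUDO_NO_REAL_AT_FUNCTIONS
-if (dirfd != AT_FDCWD) {
-errno = ENOSYS;
-diff --git a/ports/unix/guts/umask.c b/ports/unix/guts/umask.c
-new file mode 100644
-index 0000000..6b060d3
---- /dev/null
-+++ b/ports/unix/guts/umask.c
-@@ -0,0 +1,14 @@
-+/*
-+ * Copyright (c) 2014 Wind River Systems; see
-+ * guts/COPYRIGHT for information.
-+ *
-+ * mode_t umask(mode_t mask)
-+ * mode_t rc = 0;
-+ */
-+
-+ pseudo_umask = mask;
-+ rc = real_umask(mask);
-+
-+/* return rc;
-+ * }
-+ */
-diff --git a/ports/unix/wrapfuncs.in b/ports/unix/wrapfuncs.in
-index 8460a65..e0e9739 100644
---- a/ports/unix/wrapfuncs.in
-+++ b/ports/unix/wrapfuncs.in
-@@ -67,3 +67,4 @@ void sync(void); /* async_skip= */
-int syncfs(int fd); /* async_skip=0 */
-int sync_file_range(int fd, off64_t offset, off64_t nbytes, unsigned int flags); /* async_skip=0 */
-int msync(void *addr, size_t length, int flags); /* async_skip=0 */
-+mode_t umask(mode_t mask);
-diff --git a/pseudo_client.c b/pseudo_client.c
-index b6d11a6..535c810 100644
---- a/pseudo_client.c
-+++ b/pseudo_client.c
-@@ -71,6 +71,8 @@ int pseudo_disabled = 0;
-int pseudo_allow_fsync = 0;
-static int pseudo_local_only = 0;
-
-+int pseudo_umask = 022;
-+
-static char **fd_paths = NULL;
-static int nfds = 0;
-static int messages = 0;
-@@ -219,6 +221,9 @@ pseudo_init_client(void) {
-if (!pseudo_disabled && !pseudo_inited) {
-char *pseudo_path = 0;
-
-+ pseudo_umask = umask(022);
-+ umask(pseudo_umask);
-+
-pseudo_path = pseudo_prefix_path(NULL);
-if (pseudo_prefix_dir_fd == -1) {
-if (pseudo_path) {
-diff --git a/pseudo_client.h b/pseudo_client.h
-index f36a772..5bf820e 100644
---- a/pseudo_client.h
-+++ b/pseudo_client.h
-@@ -72,6 +72,8 @@ extern char *pseudo_passwd;
-extern size_t pseudo_chroot_len;
-extern int pseudo_nosymlinkexp;
-
-+extern int pseudo_umask;
-+
-/* Root can read and write files, and enter directories which have no
-* read, write, or execute permissions. (But can't execute files without
-* execute permissions!)
-@@ -85,6 +87,6 @@ extern int pseudo_nosymlinkexp;
-* None of this will behave very sensibly if umask has 0700 bits in it;
-* this is a known limitation.
-*/
--#define PSEUDO_FS_MODE(mode, isdir) ((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0))
--#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0700) | ((user_mode & 0700)))
-+#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH))
-+#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0722) | ((user_mode & 0722)))
-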