authorKonstantin Belousov <kib@FreeBSD.org>2020-09-22 22:54:54 +0000
committerKonstantin Belousov <kib@FreeBSD.org>2020-09-22 22:54:54 +0000
commit1f305be431e07cfe5a40b3140775238ef44cdcbb (patch)
tree46c73eefad6134e1bec9f3f2145c77a262f17fbb /lib/libc
parent1317da4349f7295eb5153c791cf034730c31d0ea (diff)
Document {O,AT}_RESOLVE_BENEATH and new O_BENEATH behavior for relative paths.
PR: 248335 Reviewed by: markj Tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D25886
Notes
Notes: svn path=/head/; revision=366023
Diffstat (limited to 'lib/libc')
-rw-r--r--lib/libc/sys/access.29
-rw-r--r--lib/libc/sys/chflags.29
-rw-r--r--lib/libc/sys/chmod.29
-rw-r--r--lib/libc/sys/chown.29
-rw-r--r--lib/libc/sys/fhlink.29
-rw-r--r--lib/libc/sys/getfh.29
-rw-r--r--lib/libc/sys/link.29
-rw-r--r--lib/libc/sys/open.238
-rw-r--r--lib/libc/sys/stat.29
-rw-r--r--lib/libc/sys/unlink.29
-rw-r--r--lib/libc/sys/utimensat.29
11 files changed, 113 insertions, 15 deletions
diff --git a/lib/libc/sys/access.2 b/lib/libc/sys/access.2
index 4ab31d3a99e8..1cd7eed1301b 100644
--- a/lib/libc/sys/access.2
+++ b/lib/libc/sys/access.2
@@ -28,7 +28,7 @@
.\" @(#)access.2 8.2 (Berkeley) 4/1/94
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt ACCESS 2
.Os
.Sh NAME
@@ -127,6 +127,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
Even if a process's real or effective user has appropriate privileges
diff --git a/lib/libc/sys/chflags.2 b/lib/libc/sys/chflags.2
index 2b8ca12950b5..b6b0b43249c7 100644
--- a/lib/libc/sys/chflags.2
+++ b/lib/libc/sys/chflags.2
@@ -28,7 +28,7 @@
.\" @(#)chflags.2 8.3 (Berkeley) 5/2/95
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt CHFLAGS 2
.Os
.Sh NAME
@@ -102,6 +102,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/chmod.2 b/lib/libc/sys/chmod.2
index 2f1b6afbb837..1d66408e3891 100644
--- a/lib/libc/sys/chmod.2
+++ b/lib/libc/sys/chmod.2
@@ -28,7 +28,7 @@
.\" @(#)chmod.2 8.1 (Berkeley) 6/4/93
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt CHMOD 2
.Os
.Sh NAME
@@ -109,6 +109,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/chown.2 b/lib/libc/sys/chown.2
index 9c571e76e83f..64bfdeaa961c 100644
--- a/lib/libc/sys/chown.2
+++ b/lib/libc/sys/chown.2
@@ -28,7 +28,7 @@
.\" @(#)chown.2 8.4 (Berkeley) 4/19/94
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt CHOWN 2
.Os
.Sh NAME
@@ -126,6 +126,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/fhlink.2 b/lib/libc/sys/fhlink.2
index db4ccf6fe403..1fcb7365fc0c 100644
--- a/lib/libc/sys/fhlink.2
+++ b/lib/libc/sys/fhlink.2
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt FHLINK 2
.Os
.Sh NAME
@@ -113,6 +113,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/getfh.2 b/lib/libc/sys/getfh.2
index d6318cdd1aa4..5dc5896af6d8 100644
--- a/lib/libc/sys/getfh.2
+++ b/lib/libc/sys/getfh.2
@@ -29,7 +29,7 @@
.\" @(#)getfh.2 8.1 (Berkeley) 6/9/93
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt GETFH 2
.Os
.Sh NAME
@@ -112,6 +112,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/link.2 b/lib/libc/sys/link.2
index e46de86a01d2..c3451da10884 100644
--- a/lib/libc/sys/link.2
+++ b/lib/libc/sys/link.2
@@ -28,7 +28,7 @@
.\" @(#)link.2 8.3 (Berkeley) 1/12/94
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt LINK 2
.Os
.Sh NAME
@@ -122,6 +122,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/open.2 b/lib/libc/sys/open.2
index c1bd88ec9d14..f54873563f0f 100644
--- a/lib/libc/sys/open.2
+++ b/lib/libc/sys/open.2
@@ -28,7 +28,7 @@
.\" @(#)open.2 8.2 (Berkeley) 11/16/93
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt OPEN 2
.Os
.Sh NAME
@@ -117,6 +117,12 @@ is specified with an absolute
a directory passed by the
.Fa fd
argument is used as the topping point for the resolution.
+When
+.Dv O_BENEATH
+is specified with a relative path, the
+.Fa fd
+argument is used both as the starting point, and as the topping point
+for the resolution.
See the definition of the
.Dv O_BENEATH
flag below.
@@ -183,7 +189,8 @@ O_TTY_INIT ignored
O_DIRECTORY error if file is not a directory
O_CLOEXEC set FD_CLOEXEC upon open
O_VERIFY verify the contents of the file
-O_BENEATH require path to be strictly relative to topping directory
+O_BENEATH require resolved path to be strictly relative to topping directory
+O_RESOLVE_BENEATH require walked path to be strictly relative to topping directory
.Ed
.Pp
Opening a file with
@@ -311,8 +318,8 @@ been verified before operating on them.
.Dv O_BENEATH
returns
.Er ENOTCAPABLE
-if the specified relative path, after resolving all symlinks and ".."
-references, does not reside in the directory hierarchy of
+if the specified path, after resolving all symlinks and ".."
+references, does not end up with tail residing in the directory hierarchy of
children beneath the topping directory.
Topping directory is the process current directory if relative
.Fa path
@@ -322,11 +329,20 @@ and the directory referenced by the
.Fa fd
argument when using
.Fn openat .
-If the specified path is absolute,
.Dv O_BENEATH
allows arbitrary prefix that ends up at the topping directory,
after which all further resolved components must be under it.
.Pp
+.Dv O_RESOLVE_BENEATH
+returns
+.Er ENOTCAPABLE
+if any intermediate component of the specified relative path does not
+reside in the directory hierarchy beneath the topping directory.
+Comparing to
+.Dv O_BENEATH,
+absolute paths or even the temporal escape from beneath of the topping
+directory is not allowed.
+.Pp
When
.Fa fd
is opened with
@@ -540,6 +556,12 @@ and
.Dv O_EXEC
or
.Dv O_SEARCH .
+.It Bq Er EINVAL
+The
+.Dv O_RESOLVE_BENEATH
+flag is specified and
+.Dv path
+is absolute.
.It Bq Er EBADF
The
.Fa path
@@ -582,6 +604,12 @@ does not have its tail fully contained under the topping directory,
or the relative
.Fa path
escapes it.
+.It Bq Er ENOTCAPABLE
+The
+.Dv O_RESOLVE_BENEATH
+flag was provided, and the relative
+.Fa path
+escapes topping directory.
.El
.Sh SEE ALSO
.Xr chmod 2 ,
diff --git a/lib/libc/sys/stat.2 b/lib/libc/sys/stat.2
index dd90420f20c9..4759d297e8da 100644
--- a/lib/libc/sys/stat.2
+++ b/lib/libc/sys/stat.2
@@ -28,7 +28,7 @@
.\" @(#)stat.2 8.4 (Berkeley) 5/1/95
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt STAT 2
.Os
.Sh NAME
@@ -120,6 +120,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/unlink.2 b/lib/libc/sys/unlink.2
index d4bdf46e6220..838d4da68af2 100644
--- a/lib/libc/sys/unlink.2
+++ b/lib/libc/sys/unlink.2
@@ -28,7 +28,7 @@
.\" @(#)unlink.2 8.1 (Berkeley) 6/4/93
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt UNLINK 2
.Os
.Sh NAME
@@ -100,6 +100,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Pp
If
diff --git a/lib/libc/sys/utimensat.2 b/lib/libc/sys/utimensat.2
index baf947e04ca0..3016d1af72aa 100644
--- a/lib/libc/sys/utimensat.2
+++ b/lib/libc/sys/utimensat.2
@@ -31,7 +31,7 @@
.\" @(#)utimes.2 8.1 (Berkeley) 6/4/93
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt UTIMENSAT 2
.Os
.Sh NAME
@@ -154,6 +154,13 @@ See the description of the
flag in the
.Xr open 2
manual page.
+.It Dv AT_RESOLVE_BENEATH
+Only walks paths below the topping directory.
+See the description of the
+.Dv O_RESOLVE_BENEATH
+flag in the
+.Xr open 2
+manual page.
.El
.Sh RETURN VALUES
.Rv -std