aboutsummaryrefslogtreecommitdiffstats
path: root/lib/libc/sys/open.2
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libc/sys/open.2')
-rw-r--r--lib/libc/sys/open.238
1 files changed, 33 insertions, 5 deletions
diff --git a/lib/libc/sys/open.2 b/lib/libc/sys/open.2
index c1bd88ec9d14..f54873563f0f 100644
--- a/lib/libc/sys/open.2
+++ b/lib/libc/sys/open.2
@@ -28,7 +28,7 @@
.\" @(#)open.2 8.2 (Berkeley) 11/16/93
.\" $FreeBSD$
.\"
-.Dd March 30, 2020
+.Dd September 23, 2020
.Dt OPEN 2
.Os
.Sh NAME
@@ -117,6 +117,12 @@ is specified with an absolute
a directory passed by the
.Fa fd
argument is used as the topping point for the resolution.
+When
+.Dv O_BENEATH
+is specified with a relative path, the
+.Fa fd
+argument is used both as the starting point, and as the topping point
+for the resolution.
See the definition of the
.Dv O_BENEATH
flag below.
@@ -183,7 +189,8 @@ O_TTY_INIT ignored
O_DIRECTORY error if file is not a directory
O_CLOEXEC set FD_CLOEXEC upon open
O_VERIFY verify the contents of the file
-O_BENEATH require path to be strictly relative to topping directory
+O_BENEATH require resolved path to be strictly relative to topping directory
+O_RESOLVE_BENEATH require walked path to be strictly relative to topping directory
.Ed
.Pp
Opening a file with
@@ -311,8 +318,8 @@ been verified before operating on them.
.Dv O_BENEATH
returns
.Er ENOTCAPABLE
-if the specified relative path, after resolving all symlinks and ".."
-references, does not reside in the directory hierarchy of
+if the specified path, after resolving all symlinks and ".."
+references, does not end up with tail residing in the directory hierarchy of
children beneath the topping directory.
Topping directory is the process current directory if relative
.Fa path
@@ -322,11 +329,20 @@ and the directory referenced by the
.Fa fd
argument when using
.Fn openat .
-If the specified path is absolute,
.Dv O_BENEATH
allows arbitrary prefix that ends up at the topping directory,
after which all further resolved components must be under it.
.Pp
+.Dv O_RESOLVE_BENEATH
+returns
+.Er ENOTCAPABLE
+if any intermediate component of the specified relative path does not
+reside in the directory hierarchy beneath the topping directory.
+Comparing to
+.Dv O_BENEATH,
+absolute paths or even the temporal escape from beneath of the topping
+directory is not allowed.
+.Pp
When
.Fa fd
is opened with
@@ -540,6 +556,12 @@ and
.Dv O_EXEC
or
.Dv O_SEARCH .
+.It Bq Er EINVAL
+The
+.Dv O_RESOLVE_BENEATH
+flag is specified and
+.Dv path
+is absolute.
.It Bq Er EBADF
The
.Fa path
@@ -582,6 +604,12 @@ does not have its tail fully contained under the topping directory,
or the relative
.Fa path
escapes it.
+.It Bq Er ENOTCAPABLE
+The
+.Dv O_RESOLVE_BENEATH
+flag was provided, and the relative
+.Fa path
+escapes topping directory.
.El
.Sh SEE ALSO
.Xr chmod 2 ,
generated by cgit v1.2.3 (git 2.25.1) at 2022-07-02 15:33:37 +0000