author | Konstantin Belousov <kib@FreeBSD.org> | 2021-11-03 12:51:06 +0000 |
---|---|---|
committer | Konstantin Belousov <kib@FreeBSD.org> | 2021-11-06 02:12:33 +0000 |
commit | 9de9a33050640a96d4ebea8d4da7089d0dfa3947 (patch) | |
tree | e1b94d01f466e29ce7c7b33b1e9fd7344084ee38 | |
parent | ba058d44b3724ba3516e71ee204f806d1031eb1f (diff) | |
fexecve(2): allow O_PATH file descriptors opened without O_EXEC
(cherry picked from commit be10c0a910155709dc4e521db3349d50e0440018)
-rw-r--r-- | lib/libc/sys/open.2 | 3 | ||||
-rw-r--r-- | sys/kern/kern_descrip.c | 5 | ||||
-rw-r--r-- | sys/kern/kern_exec.c | 13 |
3 files changed, 13 insertions, 8 deletions
diff --git a/lib/libc/sys/open.2 b/lib/libc/sys/open.2
index da42c238a151..f6b061079ddf 100644
--- a/lib/libc/sys/open.2
+++ b/lib/libc/sys/open.2
@@ -334,9 +334,6 @@ but advisory locking is not allowed
 .It Xr close 2
 .It Xr fstat 2
 .It Xr fexecve 2
-requires that
-.Dv O_EXEC
-was also specified at open time
 .It Dv SCM_RIGHTS
 can be passed over a
 .Xr unix 4
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 755b5df51c6a..794d72824cc9 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -3302,8 +3302,9 @@ _fget(struct thread *td, int fd, struct file **fpp, int flags,
 error = EBADF;
 break;
 case FEXEC:
- if ((fp->f_flag & (FREAD | FEXEC)) == 0 ||
- ((fp->f_flag & FWRITE) != 0))
+ if (fp->f_ops != &path_fileops &&
+ ((fp->f_flag & (FREAD | FEXEC)) == 0 ||
+ (fp->f_flag & FWRITE) != 0))
 error = EBADF;
 break;
 case 0:
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 06812a7a93d1..7b27e5b8a885 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -498,13 +498,20 @@ interpret:
 }
 } else {
 AUDIT_ARG_FD(args->fd);
+
 /*
- * Descriptors opened only with O_EXEC or O_RDONLY are allowed.
+ * If the descriptors was not opened with O_PATH, then
+ * we require that it was opened with O_EXEC or
+ * O_RDONLY. In either case, exec_check_permissions()
+ * below checks _current_ file access mode regardless
+ * of the permissions additionally checked at the
+ * open(2).
 */
 error = fgetvp_exec(td, args->fd, &cap_fexecve_rights, &newtextvp);
- if (error)
+ if (error != 0)
 goto exec_fail;
+
 if (vn_fullpath(newtextvp, &imgp->execpath, &imgp->freepath) != 0)
 imgp->execpath = args->fname;
@@ -859,7 +866,7 @@ interpret:
 /*
 * Store the vp for use in kern.proc.pathname. This vnode was
- * referenced by namei() or fgetvp_exec().
+ * referenced by namei() or by fexecve variant of fname handling.
 */
 oldtextvp = p->p_textvp;
 p->p_textvp = newtextvp; |
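Review bot: In the `_fget` hunk of sys/kern/kern_descrip.c, the added `fp->f_ops != &path_fileops &&` short-circuits the whole `case FEXEC:` test, so an O_PATH descriptor skips the `FWRITE` rejection as well as the `FREAD | FEXEC` requirement, and the branch has no comment saying why. The safety argument is stated only in kern_exec.c (exec_check_permissions() re-checks access at exec time), so this switch arm reads like an unconditional bypass to the next maintainer. I would add a comment above the `if`, e.g. `/* O_PATH fds skip the open-mode test; exec_check_permissions() checks access at exec time. */`. It is also worth confirming that an O_PATH open can never leave `FWRITE` set in `f_flag`, which is not visible from this hunk. `_fget` starts and ends outside the hunk.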
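Review bot: The rewritten comment in the first kern_exec.c hunk (`@@ -498,13 +498,20 @@`) is the only place that records why dropping the open-time mode test for O_PATH is acceptable, and its wording is hard to parse. `If the descriptors was` should read `If the descriptor was`, and `regardless of the permissions additionally checked at the open(2)` would be clearer as `regardless of what was checked at open(2) time`. It would also help to say outright that for an O_PATH descriptor exec_check_permissions() appears to be the only file-permission check on this path. That matters when the descriptor was received from another process, since open.2 lists `SCM_RIGHTS` passing for such descriptors. The enclosing function begins and ends outside the hunk.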