summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorShiva Prasanth <kesavarapu.siva@gmail.com>2019-04-10 10:48:28 -0700
committerShentubot <shentubot@google.com>2019-04-10 10:49:43 -0700
commit7140b1fdca1cc9c9c711955a49e6e7fc41f339d9 (patch)
tree71a783c420dd83ae620ca55aac1310ac86bb25d5
parent0e14e48b84fd8f759bb5a0f5261cdb090d1ffe90 (diff)
Fixed /proc/cpuinfo permissions
This also applies these permissions to other static proc files. Change-Id: I4167e585fed49ad271aa4e1f1260babb3239a73d PiperOrigin-RevId: 242898575
Diffstat
-rw-r--r--pkg/sentry/fs/fsutil/inode.go12
-rw-r--r--pkg/sentry/fs/proc/inode.go2
-rw-r--r--test/syscalls/linux/proc.cc4
3 files changed, 17 insertions, 1 deletions
diff --git a/pkg/sentry/fs/fsutil/inode.go b/pkg/sentry/fs/fsutil/inode.go
index 2673d73d7..37490e5b2 100644
--- a/pkg/sentry/fs/fsutil/inode.go
+++ b/pkg/sentry/fs/fsutil/inode.go
@@ -452,3 +452,15 @@ type InodeGenericChecker struct{}
func (InodeGenericChecker) Check(ctx context.Context, inode *fs.Inode, p fs.PermMask) bool {
return fs.ContextCanAccessFile(ctx, inode, p)
}
+
+// InodeDenyWriteChecker implements fs.InodeOperations.Check which denies all
+// write operations.
+type InodeDenyWriteChecker struct{}
+
+// Check implements fs.InodeOperations.Check.
+func (InodeDenyWriteChecker) Check(ctx context.Context, inode *fs.Inode, p fs.PermMask) bool {
+ if p.Write {
+ return false
+ }
+ return fs.ContextCanAccessFile(ctx, inode, p)
+}
diff --git a/pkg/sentry/fs/proc/inode.go b/pkg/sentry/fs/proc/inode.go
index 3c36af5ea..8dde2ea46 100644
--- a/pkg/sentry/fs/proc/inode.go
+++ b/pkg/sentry/fs/proc/inode.go
@@ -53,7 +53,7 @@ func (i *taskOwnedInodeOps) UnstableAttr(ctx context.Context, inode *fs.Inode) (
//
// +stateify savable
type staticFileInodeOps struct {
- fsutil.InodeGenericChecker `state:"nosave"`
+ fsutil.InodeDenyWriteChecker `state:"nosave"`
fsutil.InodeNoExtendedAttributes `state:"nosave"`
fsutil.InodeNoopRelease `state:"nosave"`
fsutil.InodeNoopTruncate `state:"nosave"`
diff --git a/test/syscalls/linux/proc.cc b/test/syscalls/linux/proc.cc
index 2da7006cf..67d3d18c7 100644
--- a/test/syscalls/linux/proc.cc
+++ b/test/syscalls/linux/proc.cc
@@ -725,6 +725,10 @@ TEST(ProcCpuinfo, RequiredFieldsArePresent) {
}
}
+TEST(ProcCpuinfo, DeniesWrite) {
+ EXPECT_THAT(open("/proc/cpuinfo", O_WRONLY), SyscallFailsWithErrno(EACCES));
+}
+
// Sanity checks that uptime is present.
TEST(ProcUptime, IsPresent) {
std::string proc_uptime = ASSERT_NO_ERRNO_AND_VALUE(GetContents("/proc/uptime"));
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-06 08:54:29 +0000