diff options
author | Dean Deng <deandeng@google.com> | 2020-04-28 20:11:43 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-04-28 20:13:01 -0700 |
commit | ce19497c1c0829af6ba56f0cc68e3a4cb33cf1c8 (patch) | |
tree | c8fe75216dfda0345e048e72d0641fc0fadcccbb /pkg/sentry/fsimpl/ext/filesystem.go | |
parent | 24abccbc1c3b7b0dd06b6da97e5b4c90c8c13907 (diff) |
Fix Unix socket permissions.
Enforce write permission checks in BoundEndpointAt, which corresponds to the
permission checks in Linux (net/unix/af_unix.c:unix_find_other).
Also, create bound socket files with the correct permissions in VFS2.
Fixes #2324.
PiperOrigin-RevId: 308949084
Diffstat (limited to 'pkg/sentry/fsimpl/ext/filesystem.go')
-rw-r--r-- | pkg/sentry/fsimpl/ext/filesystem.go | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/pkg/sentry/fsimpl/ext/filesystem.go b/pkg/sentry/fsimpl/ext/filesystem.go index 6c882d0b6..77b644275 100644 --- a/pkg/sentry/fsimpl/ext/filesystem.go +++ b/pkg/sentry/fsimpl/ext/filesystem.go @@ -486,10 +486,13 @@ func (fs *filesystem) UnlinkAt(ctx context.Context, rp *vfs.ResolvingPath) error // BoundEndpointAt implements FilesystemImpl.BoundEndpointAt. func (fs *filesystem) BoundEndpointAt(ctx context.Context, rp *vfs.ResolvingPath, opts vfs.BoundEndpointOptions) (transport.BoundEndpoint, error) { - _, _, err := fs.walk(rp, false) + _, inode, err := fs.walk(rp, false) if err != nil { return nil, err } + if err := inode.checkPermissions(rp.Credentials(), vfs.MayWrite); err != nil { + return nil, err + } // TODO(b/134676337): Support sockets. return nil, syserror.ECONNREFUSED |