author | gVisor bot <gvisor-bot@google.com> | 2020-08-13 00:22:21 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-08-13 00:22:21 +0000 |
commit | dacf10b01cbdac8d2cc6b002822a928c0397e408 (patch) | |
tree | bf7c592faf401ce1a0854e770b0b40cd5eadc912 /pkg/sentry/fsimpl/gofer | |
parent | 6475914b04e69d1729028739ef688e452f034f70 (diff) | |
parent | 42b610d56750b4bb8e3d69b680e4fb538f8fb554 (diff) |
Merge release-20200810.0-20-g42b610d56 (automated)
Diffstat (limited to 'pkg/sentry/fsimpl/gofer')
-rw-r--r-- | pkg/sentry/fsimpl/gofer/filesystem.go | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/pkg/sentry/fsimpl/gofer/filesystem.go b/pkg/sentry/fsimpl/gofer/filesystem.go
index eaef2594d..40fec890a 100644
--- a/pkg/sentry/fsimpl/gofer/filesystem.go
+++ b/pkg/sentry/fsimpl/gofer/filesystem.go
@@ -844,6 +844,13 @@ func (fs *filesystem) OpenAt(ctx context.Context, rp *vfs.ResolvingPath, opts vf
 }
 }
 if rp.Done() {
+ // Reject attempts to open mount root directory with O_CREAT.
+ if mayCreate && rp.MustBeDir() {
+ return nil, syserror.EISDIR
+ }
+ if mustCreate {
+ return nil, syserror.EEXIST
+ }
 return start.openLocked(ctx, rp, &opts)
 }
@@ -856,6 +863,10 @@ afterTrailingSymlink:
 if err := parent.checkPermissions(rp.Credentials(), vfs.MayExec); err != nil {
 return nil, err
 }
+ // Reject attempts to open directories with O_CREAT.
+ if mayCreate && rp.MustBeDir() {
+ return nil, syserror.EISDIR
+ }
 // Determine whether or not we need to create a file.
 parent.dirMu.Lock()
 child, err := fs.stepLocked(ctx, rp, parent, false /* mayFollowSymlinks */, &ds) |
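Review bot: The comment on the first guard in the `rp.Done()` branch is broader than its condition: it says O_CREAT on the mount root is rejected, but the check only fires when `rp.MustBeDir()` is also set, so an O_CREAT open that resolves to the root without that flag still reaches `start.openLocked` with the creation flags in `opts`. Whether `openLocked` rejects that case is not visible here, since `OpenAt` begins and ends outside the hunk. I would narrow the comment to `// Reject O_CREAT on the mount root when the path must name a directory.` and document the second check with `// The mount root always exists, so O_CREAT|O_EXCL must fail.`. When both conditions hold EISDIR is returned ahead of EEXIST; that precedence is worth pinning with a syscall test against Linux, because sandboxed applications observe the errno directly.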
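Review bot: The `mayCreate && rp.MustBeDir()` check added under `afterTrailingSymlink:` repeats the condition and errno from the `rp.Done()` branch, and nothing explains why it sits between `parent.checkPermissions` and `parent.dirMu.Lock()`. The placement appears deliberate: a caller without search permission on the parent gets the permission error first, and the request is refused before `fs.stepLocked` performs the lookup. Because it is below the label, it presumably also runs again after a trailing symlink is followed. A comment such as `// Checked after the parent's MayExec check and before the lookup, so the permission error takes precedence and no lookup or create is attempted for a path that must be a directory.` would keep a later refactor from reordering it. The enclosing function continues past the end of the hunk, so the create path that follows is not reviewed here.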