Implement access/faccessat for VFS2.

Note that the raw faccessat system call does not actually take a flags argument; according to faccessat(2), the glibc wrapper implements the flags by using fstatat(2). Remove the flag argument that we try to extract from vfs1, which would just be a garbage value. Updates #1965 Fixes #2101 PiperOrigin-RevId: 300796067
author: Dean Deng <deandeng@google.com> 2020-03-13 11:40:13 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-03-13 11:41:08 -0700
commit: 2e38408f20a084de716962d4631e0fec1fd16c16 (patch)
tree: b2e15836e5c5f483f003e79b8c30328ad43c844f /pkg/sentry/vfs/filesystem.go
parent: f458a325e9b6aecf2ee198de19063505c48a14d7 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/sentry/vfs/filesystem.go b/pkg/sentry/vfs/filesystem.go
index 556976d0b..c43dcff3d 100644
--- a/pkg/sentry/vfs/filesystem.go
+++ b/pkg/sentry/vfs/filesystem.go
@@ -20,6 +20,7 @@ import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/fspath"
+	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 )
 
 // A Filesystem is a tree of nodes represented by Dentries, which forms part of
@@ -144,6 +145,9 @@ type FilesystemImpl interface {
 	// file data to be written to the underlying [filesystem]", as by syncfs(2).
 	Sync(ctx context.Context) error
 
+	// AccessAt checks whether a user with creds can access the file at rp.
+	AccessAt(ctx context.Context, rp *ResolvingPath, creds *auth.Credentials, ats AccessTypes) error
+
 	// GetDentryAt returns a Dentry representing the file at rp. A reference is
 	// taken on the returned Dentry.
 	//
author	Dean Deng <deandeng@google.com>	2020-03-13 11:40:13 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-03-13 11:41:08 -0700
commit	2e38408f20a084de716962d4631e0fec1fd16c16 (patch)
tree	b2e15836e5c5f483f003e79b8c30328ad43c844f /pkg/sentry/vfs/filesystem.go
parent	f458a325e9b6aecf2ee198de19063505c48a14d7 (diff)