authorgVisor bot <gvisor-bot@google.com>2020-02-14 02:01:38 +0000
committergVisor bot <gvisor-bot@google.com>2020-02-14 02:01:38 +0000
commit21ccea6ecc8a88a8ace0875f83633a7ccdacd8bc (patch)
tree54afd8bbd7e80a9c92730ae36a74d85238d0ab47 /pkg/sentry/vfs/vfs.go
parentb692574b021c301ee94f55537f9b3ee51485d55f (diff)
parenta6024f7f5f6f438c11e30be0f93657b1956fd5ba (diff)
Merge release-20200211.0-15-ga6024f7 (automated)
Diffstat (limited to 'pkg/sentry/vfs/vfs.go')
-rwxr-xr-xpkg/sentry/vfs/vfs.go19
1 files changed, 19 insertions, 0 deletions
diff --git a/pkg/sentry/vfs/vfs.go b/pkg/sentry/vfs/vfs.go
index 908c69f91..9629afee9 100755
--- a/pkg/sentry/vfs/vfs.go
+++ b/pkg/sentry/vfs/vfs.go
@@ -379,6 +379,25 @@ func (vfs *VirtualFilesystem) OpenAt(ctx context.Context, creds *auth.Credential
fd, err := rp.mount.fs.impl.OpenAt(ctx, rp, *opts)
if err == nil {
vfs.putResolvingPath(rp)
+
+ // TODO(gvisor.dev/issue/1193): Move inside fsimpl to avoid another call
+ // to FileDescription.Stat().
+ if opts.FileExec {
+ // Only a regular file can be executed.
+ stat, err := fd.Stat(ctx, StatOptions{Mask: linux.STATX_TYPE})
+ if err != nil {
+ return nil, err
+ }
+ if stat.Mask&linux.STATX_TYPE != 0 {
+ // This shouldn't happen, but if type can't be retrieved, file can't
+ // be executed.
+ return nil, syserror.EACCES
+ }
+ if linux.FileMode(stat.Mode).FileType() != linux.ModeRegular {
+ return nil, syserror.EACCES
+ }
+ }
+
return fd, nil
}
if !rp.handleError(err) {
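Review bot: The mask test `if stat.Mask&linux.STATX_TYPE != 0` looks inverted: it returns EACCES when Stat did report the file type, which contradicts the comment directly beneath it; the intended guard is presumably `if stat.Mask&linux.STATX_TYPE == 0 {`. As written the check fails closed, since a missing type leaves a mode that is unlikely to compare equal to `linux.ModeRegular`, but every `FileExec` open of a regular file whose type is reported would be refused. Separately, the three new error returns hand back `nil` after `OpenAt` has already produced `fd`, so the descriptor's reference appears to be dropped without being released; release it before each of those returns. A short comment stating that the regular-file check is a security gate for exec, not only a sanity check, would help whoever later moves it into fsimpl per the TODO. The body of `OpenAt` starts and ends outside this hunk, so any cleanup on those paths elsewhere in the function is not visible here.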