From ce19497c1c0829af6ba56f0cc68e3a4cb33cf1c8 Mon Sep 17 00:00:00 2001
From: Dean Deng <deandeng@google.com>
Date: Tue, 28 Apr 2020 20:11:43 -0700
Subject: Fix Unix socket permissions.

Enforce write permission checks in BoundEndpointAt, which corresponds to the
permission checks in Linux (net/unix/af_unix.c:unix_find_other).
Also, create bound socket files with the correct permissions in VFS2.

Fixes #2324.

PiperOrigin-RevId: 308949084
---
 pkg/sentry/vfs/filesystem.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'pkg/sentry/vfs/filesystem.go')

diff --git a/pkg/sentry/vfs/filesystem.go b/pkg/sentry/vfs/filesystem.go
index 70385a21f..1edd584c9 100644
--- a/pkg/sentry/vfs/filesystem.go
+++ b/pkg/sentry/vfs/filesystem.go
@@ -494,7 +494,13 @@ type FilesystemImpl interface {
 
 	// BoundEndpointAt returns the Unix socket endpoint bound at the path rp.
 	//
-	// - If a non-socket file exists at rp, then BoundEndpointAt returns ECONNREFUSED.
+	// Errors:
+	//
+	// - If the file does not have write permissions, then BoundEndpointAt
+	// returns EACCES.
+	//
+	// - If a non-socket file exists at rp, then BoundEndpointAt returns
+	// ECONNREFUSED.
 	BoundEndpointAt(ctx context.Context, rp *ResolvingPath, opts BoundEndpointOptions) (transport.BoundEndpoint, error)
 
 	// PrependPath prepends a path from vd to vd.Mount().Root() to b.
-- 
cgit v1.2.3