On Thu, Nov 30, 2023 at 07:21:40PM -0800, Shu-Chun Weng wrote:
> Commit b8002058 strengthened openat()'s /proc detection by calling
> realpath(3) on the given path, which allows various paths and symlinks
> that points to the /proc file system to be intercepted correctly.
>
> Using realpath(3), though, has a side effect that it reads the symlinks
> along the way, and thus changes their atime. The results in the
> following code snippet already get ~now instead of the real atime:
>
> int fd = open("/path/to/a/symlink", O_PATH | O_NOFOLLOW);
> struct stat st;
> fstat(fd, st);
> return st.st_atime;
>
> This change opens a path that doesn't appear to be part of /proc
> directly and checks the destination of /proc/self/fd/n to determine if
> it actually refers to a file in /proc.
>
> Neither this nor the existing code works with symlinks or indirect paths
> (e.g. /tmp/../proc/self/exe) that points to /proc/self/exe because it
> is itself a symlink, and both realpath(3) and /proc/self/fd/n will
> resolve into the location of QEMU.
I wonder if we can detect that by opening with O_NOFOLLOW, then
calling fstatfs() on the FD, and checking f_type == PROCFS_SUPER_MAGIC
This works with indirect or relative paths, yes, but still not symlinks. I decided not to complicate the logic further.
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index e384e14248..25e2cda10a 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -8308,8 +8308,6 @@ static int open_net_route(CPUArchState *cpu_env, int fd)
> int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
> int flags, mode_t mode, bool safe)
> {
> - g_autofree char *proc_name = NULL;
> - const char *pathname;
> struct fake_open {
> const char *filename;
> int (*fill)(CPUArchState *cpu_env, int fd);
> @@ -8333,13 +8331,39 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
> #endif
> { NULL, NULL, NULL }
> };
> + char pathname[PATH_MAX];
>
> - /* if this is a file from /proc/ filesystem, expand full name */
> - proc_name = realpath(fname, NULL);
> - if (proc_name && strncmp(proc_name, "/proc/", 6) == 0) {
> - pathname = proc_name;
> + if (strncmp(fname, "/proc/", 6) == 0) {
> + pstrcpy(pathname, sizeof(pathname), fname);
> } else {
> - pathname = fname;
> + char procpath[PATH_MAX];
> + int fd, n;
> +
> + if (safe) {
> + fd = safe_openat(dirfd, path(fname), flags, mode);
> + } else {
> + fd = openat(dirfd, path(fname), flags, mode);
> + }
> + if (fd < 0) {
> + return fd;
> + }
> +
> + /*
> + * Try to get the real path of the file we just opened. We avoid calling
> + * `realpath(3)` because it calls `readlink(2)` on symlinks which
> + * changes their atime. Note that since `/proc/self/exe` is a symlink,
> + * `pathname` will never resolves to it (neither will `realpath(3)`).
> + * That's why we check `fname` against the "/proc/" prefix first.
> + */
> + snprintf(procpath, sizeof(procpath), "/proc/self/fd/%d", fd);
g_strdup_printf() + g_autofree to avoid this PATH_MAX buffer
> + n = readlink(procpath, pathname, sizeof(pathname));
> + pathname[n < sizeof(pathname) ? n : sizeof(pathname)] = '\0';
If you call lstat() then sb_size will tell you how big the buffer
needs to be for a subsequent readlink(), whcih can be allocated
on the heap and released with g_autofree, avoiding the othuer PATH_MAX
buffer
Thanks for the suggestions, sent out v2 of the patch series eliminating both static buffers.
Shu-Chun
> +
> + /* if this is not a file from /proc/ filesystem, the fd is good as-is */
> + if (strncmp(pathname, "/proc/", 6) != 0) {
> + return fd;
> + }
> + close(fd);
> }
>
> if (is_proc_myself(pathname, "exe")) {
> @@ -8390,9 +8414,9 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
> }
>
> if (safe) {
> - return safe_openat(dirfd, path(pathname), flags, mode);
> + return safe_openat(dirfd, pathname, flags, mode);
> } else {
> - return openat(dirfd, path(pathname), flags, mode);
> + return openat(dirfd, pathname, flags, mode);
> }
> }
>
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|