From 69f41eb062bf2c3ca4495201915a3b660ea73df5 Mon Sep 17 00:00:00 2001
From: Liav A
Date: Sat, 26 Nov 2022 11:48:02 +0200
Subject: [PATCH] Kernel: Reject create links on paths that were not unveiled as writable

This solves one of the security issues being mentioned in issue #15996. We simply don't allow creating hardlinks on paths that were not unveiled as writable to prevent possible bypass on a certain path that was unveiled as non-writable.
---
 Kernel/FileSystem/VirtualFileSystem.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Kernel/FileSystem/VirtualFileSystem.cpp b/Kernel/FileSystem/VirtualFileSystem.cpp
index acd5480787..9bed735a10 100644
--- a/Kernel/FileSystem/VirtualFileSystem.cpp
+++ b/Kernel/FileSystem/VirtualFileSystem.cpp
@@ -723,7 +723,9 @@ static bool hard_link_allowed(Credentials const& credentials, Inode const& inode
 ErrorOr VirtualFileSystem::link(Credentials const& credentials, StringView old_path, StringView new_path, Custody& base)
 {
- auto old_custody = TRY(resolve_path(credentials, old_path, base));
+ // NOTE: To prevent unveil bypass by creating an hardlink after unveiling a path as read-only,
+ // check that if write permission is allowed by the veil info on the old_path.
+ auto old_custody = TRY(resolve_path(credentials, old_path, base, nullptr, O_RDWR));
 auto& old_inode = old_custody->inode();
 RefPtr parent_custody;
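Review bot: The comment added above the `resolve_path` call speaks only of write permission, while the call passes `O_RDWR`, which presumably makes the veil check require read as well as write on `old_path`; the comment should state what is actually enforced, e.g. `// NOTE: Require old_path to be unveiled as readable and writable, so a hard link cannot carry an inode out of a more restrictive veil.` Requiring both looks like the safer choice, since a new name takes on the veil permissions of wherever it is created, but by the same reasoning a path unveiled without execute could still be linked into a location unveiled with it, so it is worth confirming whether that case is covered elsewhere. The body of `VirtualFileSystem::link` continues past the end of the hunk, so the handling of `new_path` is not visible here.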