RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 13:38:11 +00:00
Code Issues Activity Actions

Kernel: Allow unveiling subfolders regardless of parent's permissions

Browse source 
This fixes a bug where unveiling a subdirectory of an already unveiled
path would sometimes be allowed and sometimes not (depending on what
other unveil calls have been made).

Now, it is always allowed to unveil a subdirectory of an already
unveiled directory, even if it has higher permissions.

This removes the need for the permissions_inherited_from_root flag in
UnveilMetadata, so it has been removed.
This commit is contained in:
Max Wipfli 2021-06-06 21:03:19 +02:00 committed by Andreas Kling
parent 9d41dd2ed0
commit e8a317023d
3 changed files with 8 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

14
Kernel/Syscalls/unveil.cpp
View file

@ -1,5 +1,6 @@
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
* Copyright (c) 2021, Max Wipfli <mail@maxwipfli.ch>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
@ -90,14 +91,12 @@ KResultOr<int> Process::sys$unveil(Userspace<const Syscall::SC_unveil_params*> u
auto it = lexical_path.parts().begin();
auto& matching_node = m_unveiled_paths.traverse_until_last_accessible_node(it, lexical_path.parts().end());
if (it.is_end()) {
auto old_permissions = matching_node.permissions();
// Allow "elevating" the permissions when the permissions are inherited from root (/),
// as that would be the first time this path is unveiled.
if (old_permissions != UnveilAccess::None || !matching_node.permissions_inherited_from_root()) {
if (new_permissions & ~old_permissions)
// If the path has already been explicitly unveiled, do not allow elevating its permissions.
if (matching_node.was_explicitly_unveiled()) {
if (new_permissions & ~matching_node.permissions())
return EPERM;
}
matching_node.set_metadata({ matching_node.path(), (UnveilAccess)new_permissions, true, false });
matching_node.set_metadata({ matching_node.path(), (UnveilAccess)new_permissions, true });
return 0;
}
@ -107,8 +106,9 @@ KResultOr<int> Process::sys$unveil(Userspace<const Syscall::SC_unveil_params*> u
{ new_unveiled_path, (UnveilAccess)new_permissions, true },
[](auto& parent, auto& it) -> Optional<UnveilMetadata> {
auto path = LexicalPath::join(parent.path(), *it).string();
return UnveilMetadata { path, parent.permissions(), false, parent.permissions_inherited_from_root() };
return UnveilMetadata { path, parent.permissions(), false };
});
VERIFY(m_veil_state != VeilState::Locked);
m_veil_state = VeilState::Dropped;
return 0;