root_openat.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build unix || windows || wasip1
     6  
     7  package os
     8  
     9  import (
    10  	"runtime"
    11  	"slices"
    12  	"sync"
    13  	"syscall"
    14  	"time"
    15  )
    16  
    17  // root implementation for platforms with a function to open a file
    18  // relative to a directory.
    19  type root struct {
    20  	name string
    21  
    22  	// refs is incremented while an operation is using fd.
    23  	// closed is set when Close is called.
    24  	// fd is closed when closed is true and refs is 0.
    25  	mu     sync.Mutex
    26  	fd     sysfdType
    27  	refs   int  // number of active operations
    28  	closed bool // set when closed
    29  }
    30  
    31  func (r *root) Close() error {
    32  	r.mu.Lock()
    33  	defer r.mu.Unlock()
    34  	if !r.closed && r.refs == 0 {
    35  		syscall.Close(r.fd)
    36  	}
    37  	r.closed = true
    38  	runtime.SetFinalizer(r, nil) // no need for a finalizer any more
    39  	return nil
    40  }
    41  
    42  func (r *root) incref() error {
    43  	r.mu.Lock()
    44  	defer r.mu.Unlock()
    45  	if r.closed {
    46  		return ErrClosed
    47  	}
    48  	r.refs++
    49  	return nil
    50  }
    51  
    52  func (r *root) decref() {
    53  	r.mu.Lock()
    54  	defer r.mu.Unlock()
    55  	if r.refs <= 0 {
    56  		panic("bad Root refcount")
    57  	}
    58  	r.refs--
    59  	if r.closed && r.refs == 0 {
    60  		syscall.Close(r.fd)
    61  	}
    62  }
    63  
    64  func (r *root) Name() string {
    65  	return r.name
    66  }
    67  
    68  func rootChmod(r *Root, name string, mode FileMode) error {
    69  	_, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (struct{}, error) {
    70  		return struct{}{}, chmodat(parent, name, mode)
    71  	})
    72  	if err != nil {
    73  		return &PathError{Op: "chmodat", Path: name, Err: err}
    74  	}
    75  	return nil
    76  }
    77  
    78  func rootChown(r *Root, name string, uid, gid int) error {
    79  	_, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (struct{}, error) {
    80  		return struct{}{}, chownat(parent, name, uid, gid)
    81  	})
    82  	if err != nil {
    83  		return &PathError{Op: "chownat", Path: name, Err: err}
    84  	}
    85  	return nil
    86  }
    87  
    88  func rootLchown(r *Root, name string, uid, gid int) error {
    89  	_, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (struct{}, error) {
    90  		return struct{}{}, lchownat(parent, name, uid, gid)
    91  	})
    92  	if err != nil {
    93  		return &PathError{Op: "lchownat", Path: name, Err: err}
    94  	}
    95  	return err
    96  }
    97  
    98  func rootChtimes(r *Root, name string, atime time.Time, mtime time.Time) error {
    99  	_, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (struct{}, error) {
   100  		return struct{}{}, chtimesat(parent, name, atime, mtime)
   101  	})
   102  	if err != nil {
   103  		return &PathError{Op: "chtimesat", Path: name, Err: err}
   104  	}
   105  	return err
   106  }
   107  
   108  func rootMkdir(r *Root, name string, perm FileMode) error {
   109  	_, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (struct{}, error) {
   110  		return struct{}{}, mkdirat(parent, name, perm)
   111  	})
   112  	if err != nil {
   113  		return &PathError{Op: "mkdirat", Path: name, Err: err}
   114  	}
   115  	return nil
   116  }
   117  
   118  func rootMkdirAll(r *Root, fullname string, perm FileMode) error {
   119  	// doInRoot opens each path element in turn.
   120  	//
   121  	// openDirFunc opens all but the last path component.
   122  	// The usual default openDirFunc just opens directories with O_DIRECTORY.
   123  	// We replace it here with one that creates missing directories along the way.
   124  	openDirFunc := func(parent sysfdType, name string) (sysfdType, error) {
   125  		for try := range 2 {
   126  			fd, err := rootOpenDir(parent, name)
   127  			switch err.(type) {
   128  			case nil, errSymlink:
   129  				return fd, err
   130  			}
   131  			if try > 0 || !IsNotExist(err) {
   132  				return 0, &PathError{Op: "openat", Err: err}
   133  			}
   134  			// Try again on EEXIST, because the directory may have been created
   135  			// by another process or thread between the rootOpenDir and mkdirat calls.
   136  			if err := mkdirat(parent, name, perm); err != nil && err != syscall.EEXIST {
   137  				return 0, &PathError{Op: "mkdirat", Err: err}
   138  			}
   139  		}
   140  		panic("unreachable")
   141  	}
   142  	// openLastComponentFunc opens the last path component.
   143  	openLastComponentFunc := func(parent sysfdType, name string) (struct{}, error) {
   144  		err := mkdirat(parent, name, perm)
   145  		if err == syscall.EEXIST {
   146  			mode, e := modeAt(parent, name)
   147  			if e == nil {
   148  				if mode.IsDir() {
   149  					// The target of MkdirAll is an existing directory.
   150  					err = nil
   151  				} else if mode&ModeSymlink != 0 {
   152  					// The target of MkdirAll is a symlink.
   153  					// For consistency with os.MkdirAll,
   154  					// succeed if the link resolves to a directory.
   155  					// We don't return errSymlink here, because we don't
   156  					// want to create the link target if it doesn't exist.
   157  					fi, e := r.Stat(fullname)
   158  					if e == nil && fi.Mode().IsDir() {
   159  						err = nil
   160  					}
   161  				}
   162  			}
   163  		}
   164  		switch err.(type) {
   165  		case nil, errSymlink:
   166  			return struct{}{}, err
   167  		}
   168  		return struct{}{}, &PathError{Op: "mkdirat", Err: err}
   169  	}
   170  	_, err := doInRoot(r, fullname, openDirFunc, openLastComponentFunc)
   171  	if err != nil {
   172  		if _, ok := err.(*PathError); !ok {
   173  			err = &PathError{Op: "mkdirat", Path: fullname, Err: err}
   174  		}
   175  	}
   176  	return err
   177  }
   178  
   179  func rootReadlink(r *Root, name string) (string, error) {
   180  	target, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (string, error) {
   181  		return readlinkat(parent, name)
   182  	})
   183  	if err != nil {
   184  		return "", &PathError{Op: "readlinkat", Path: name, Err: err}
   185  	}
   186  	return target, nil
   187  }
   188  
   189  func rootRemove(r *Root, name string) error {
   190  	_, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (struct{}, error) {
   191  		return struct{}{}, removeat(parent, name)
   192  	})
   193  	if err != nil {
   194  		return &PathError{Op: "removeat", Path: name, Err: err}
   195  	}
   196  	return nil
   197  }
   198  
   199  func rootRemoveAll(r *Root, name string) error {
   200  	// Consistency with os.RemoveAll: Strip trailing /s from the name,
   201  	// so RemoveAll("not_a_directory/") succeeds.
   202  	for len(name) > 0 && IsPathSeparator(name[len(name)-1]) {
   203  		name = name[:len(name)-1]
   204  	}
   205  	if endsWithDot(name) {
   206  		// Consistency with os.RemoveAll: Return EINVAL when trying to remove .
   207  		return &PathError{Op: "RemoveAll", Path: name, Err: syscall.EINVAL}
   208  	}
   209  	_, err := doInRoot(r, name, nil, func(parent sysfdType, name string) (struct{}, error) {
   210  		return struct{}{}, removeAllFrom(parent, name)
   211  	})
   212  	if IsNotExist(err) {
   213  		return nil
   214  	}
   215  	if err != nil {
   216  		return &PathError{Op: "RemoveAll", Path: name, Err: underlyingError(err)}
   217  	}
   218  	return err
   219  }
   220  
   221  func rootRename(r *Root, oldname, newname string) error {
   222  	_, err := doInRoot(r, oldname, nil, func(oldparent sysfdType, oldname string) (struct{}, error) {
   223  		_, err := doInRoot(r, newname, nil, func(newparent sysfdType, newname string) (struct{}, error) {
   224  			return struct{}{}, renameat(oldparent, oldname, newparent, newname)
   225  		})
   226  		return struct{}{}, err
   227  	})
   228  	if err != nil {
   229  		return &LinkError{"renameat", oldname, newname, err}
   230  	}
   231  	return err
   232  }
   233  
   234  func rootLink(r *Root, oldname, newname string) error {
   235  	_, err := doInRoot(r, oldname, nil, func(oldparent sysfdType, oldname string) (struct{}, error) {
   236  		_, err := doInRoot(r, newname, nil, func(newparent sysfdType, newname string) (struct{}, error) {
   237  			return struct{}{}, linkat(oldparent, oldname, newparent, newname)
   238  		})
   239  		return struct{}{}, err
   240  	})
   241  	if err != nil {
   242  		return &LinkError{"linkat", oldname, newname, err}
   243  	}
   244  	return err
   245  }
   246  
   247  // doInRoot performs an operation on a path in a Root.
   248  //
   249  // It calls f with the FD or handle for the directory containing the last
   250  // path element, and the name of the last path element.
   251  //
   252  // For example, given the path a/b/c it calls f with the FD for a/b and the name "c".
   253  //
   254  // If openDirFunc is non-nil, it is called to open intermediate path elements.
   255  // For example, given the path a/b/c openDirFunc will be called to open a and a/b in turn.
   256  //
   257  // f or openDirFunc may return errSymlink to indicate that the path element is a symlink
   258  // which should be followed. Note that this can result in f being called multiple times
   259  // with different names. For example, give the path "link" which is a symlink to "target",
   260  // f is called with the path "link", returns errSymlink("target"), and is called again with
   261  // the path "target".
   262  //
   263  // If f or openDirFunc return a *PathError, doInRoot will set PathError.Path to the
   264  // full path which caused the error.
   265  func doInRoot[T any](r *Root, name string, openDirFunc func(parent sysfdType, name string) (sysfdType, error), f func(parent sysfdType, name string) (T, error)) (ret T, err error) {
   266  	if err := r.root.incref(); err != nil {
   267  		return ret, err
   268  	}
   269  	defer r.root.decref()
   270  
   271  	parts, suffixSep, err := splitPathInRoot(name, nil, nil)
   272  	if err != nil {
   273  		return ret, err
   274  	}
   275  	if openDirFunc == nil {
   276  		openDirFunc = rootOpenDir
   277  	}
   278  
   279  	rootfd := r.root.fd
   280  	dirfd := rootfd
   281  	defer func() {
   282  		if dirfd != rootfd {
   283  			syscall.Close(dirfd)
   284  		}
   285  	}()
   286  
   287  	// When resolving .. path components, we restart path resolution from the root.
   288  	// (We can't openat(dir, "..") to move up to the parent directory,
   289  	// because dir may have moved since we opened it.)
   290  	// To limit how many opens a malicious path can cause us to perform, we set
   291  	// a limit on the total number of path steps and the total number of restarts
   292  	// caused by .. components. If *both* limits are exceeded, we halt the operation.
   293  	const maxSteps = 255
   294  	const maxRestarts = 8
   295  
   296  	i := 0
   297  	steps := 0
   298  	restarts := 0
   299  	symlinks := 0
   300  Loop:
   301  	for {
   302  		steps++
   303  		if steps > maxSteps && restarts > maxRestarts {
   304  			return ret, syscall.ENAMETOOLONG
   305  		}
   306  
   307  		if parts[i] == ".." {
   308  			// Resolve one or more parent ("..") path components.
   309  			//
   310  			// Rewrite the original path,
   311  			// removing the elements eliminated by ".." components,
   312  			// and start over from the beginning.
   313  			restarts++
   314  			end := i + 1
   315  			for end < len(parts) && parts[end] == ".." {
   316  				end++
   317  			}
   318  			count := end - i
   319  			if count > i {
   320  				return ret, errPathEscapes
   321  			}
   322  			parts = slices.Delete(parts, i-count, end)
   323  			if len(parts) == 0 {
   324  				parts = []string{"."}
   325  			}
   326  			i = 0
   327  			if dirfd != rootfd {
   328  				syscall.Close(dirfd)
   329  			}
   330  			dirfd = rootfd
   331  			continue
   332  		}
   333  
   334  		if i == len(parts)-1 {
   335  			// This is the last path element.
   336  			// Call f to decide what to do with it.
   337  			// If f returns errSymlink, this element is a symlink
   338  			// which should be followed.
   339  			// suffixSep contains any trailing separator characters
   340  			// which we rejoin to the final part at this time.
   341  			ret, err = f(dirfd, parts[i]+suffixSep)
   342  			if err == nil {
   343  				return
   344  			}
   345  		} else {
   346  			var fd sysfdType
   347  			fd, err = openDirFunc(dirfd, parts[i])
   348  			if err == nil {
   349  				if dirfd != rootfd {
   350  					syscall.Close(dirfd)
   351  				}
   352  				dirfd = fd
   353  			}
   354  		}
   355  
   356  		switch e := err.(type) {
   357  		case nil:
   358  		case errSymlink:
   359  			symlinks++
   360  			if symlinks > rootMaxSymlinks {
   361  				return ret, syscall.ELOOP
   362  			}
   363  			newparts, newSuffixSep, err := splitPathInRoot(string(e), parts[:i], parts[i+1:])
   364  			if err != nil {
   365  				return ret, err
   366  			}
   367  			if i == len(parts)-1 {
   368  				// suffixSep contains any trailing path separator characters
   369  				// in the link target.
   370  				// If we are replacing the remainder of the path, retain these.
   371  				// If we're replacing some intermediate component of the path,
   372  				// ignore them, since intermediate components must always be
   373  				// directories.
   374  				suffixSep = newSuffixSep
   375  			}
   376  			if len(newparts) < i || !slices.Equal(parts[:i], newparts[:i]) {
   377  				// Some component in the path which we have already traversed
   378  				// has changed. We need to restart parsing from the root.
   379  				i = 0
   380  				if dirfd != rootfd {
   381  					syscall.Close(dirfd)
   382  				}
   383  				dirfd = rootfd
   384  			}
   385  			parts = newparts
   386  			continue Loop
   387  		case *PathError:
   388  			// This is strings.Join(parts[:i+1], PathSeparator).
   389  			e.Path = parts[0]
   390  			for _, part := range parts[1 : i+1] {
   391  				e.Path += string(PathSeparator) + part
   392  			}
   393  			return ret, e
   394  		default:
   395  			return ret, err
   396  		}
   397  
   398  		i++
   399  	}
   400  }
   401  
   402  // errSymlink reports that a file being operated on is actually a symlink,
   403  // and the target of that symlink.
   404  type errSymlink string
   405  
   406  func (errSymlink) Error() string { panic("errSymlink is not user-visible") }
   407
View as plain text