root_unix.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build unix || wasip1
     6  
     7  package os
     8  
     9  import (
    10  	"errors"
    11  	"internal/syscall/unix"
    12  	"runtime"
    13  	"syscall"
    14  	"time"
    15  )
    16  
    17  type sysfdType = int
    18  
    19  // openRootNolog is OpenRoot.
    20  func openRootNolog(name string) (*Root, error) {
    21  	var fd int
    22  	err := ignoringEINTR(func() error {
    23  		var err error
    24  		fd, _, err = open(name, syscall.O_CLOEXEC, 0)
    25  		return err
    26  	})
    27  	if err != nil {
    28  		return nil, &PathError{Op: "open", Path: name, Err: err}
    29  	}
    30  	return newRoot(fd, name)
    31  }
    32  
    33  // newRoot returns a new Root.
    34  // If fd is not a directory, it closes it and returns an error.
    35  func newRoot(fd int, name string) (*Root, error) {
    36  	var fs fileStat
    37  	err := ignoringEINTR(func() error {
    38  		return syscall.Fstat(fd, &fs.sys)
    39  	})
    40  	fillFileStatFromSys(&fs, name)
    41  	if err == nil && !fs.IsDir() {
    42  		syscall.Close(fd)
    43  		return nil, &PathError{Op: "open", Path: name, Err: errors.New("not a directory")}
    44  	}
    45  
    46  	// There's a race here with fork/exec, which we are
    47  	// content to live with. See ../syscall/exec_unix.go.
    48  	if !supportsCloseOnExec {
    49  		syscall.CloseOnExec(fd)
    50  	}
    51  
    52  	r := &Root{&root{
    53  		fd:   fd,
    54  		name: name,
    55  	}}
    56  	r.root.cleanup = runtime.AddCleanup(r, func(f *root) { f.Close() }, r.root)
    57  	return r, nil
    58  }
    59  
    60  // openRootInRoot is Root.OpenRoot.
    61  func openRootInRoot(r *Root, name string) (*Root, error) {
    62  	fd, err := doInRoot(r, name, func(parent int, name string) (fd int, err error) {
    63  		ignoringEINTR(func() error {
    64  			fd, err = unix.Openat(parent, name, syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
    65  			if isNoFollowErr(err) {
    66  				err = checkSymlink(parent, name, err)
    67  			}
    68  			return err
    69  		})
    70  		return fd, err
    71  	})
    72  	if err != nil {
    73  		return nil, &PathError{Op: "openat", Path: name, Err: err}
    74  	}
    75  	return newRoot(fd, name)
    76  }
    77  
    78  // rootOpenFileNolog is Root.OpenFile.
    79  func rootOpenFileNolog(root *Root, name string, flag int, perm FileMode) (*File, error) {
    80  	fd, err := doInRoot(root, name, func(parent int, name string) (fd int, err error) {
    81  		ignoringEINTR(func() error {
    82  			fd, err = unix.Openat(parent, name, syscall.O_NOFOLLOW|syscall.O_CLOEXEC|flag, uint32(perm))
    83  			if isNoFollowErr(err) || err == syscall.ENOTDIR {
    84  				err = checkSymlink(parent, name, err)
    85  			}
    86  			return err
    87  		})
    88  		return fd, err
    89  	})
    90  	if err != nil {
    91  		return nil, &PathError{Op: "openat", Path: name, Err: err}
    92  	}
    93  	f := newFile(fd, joinPath(root.Name(), name), kindOpenFile, unix.HasNonblockFlag(flag))
    94  	return f, nil
    95  }
    96  
    97  func rootOpenDir(parent int, name string) (int, error) {
    98  	var (
    99  		fd  int
   100  		err error
   101  	)
   102  	ignoringEINTR(func() error {
   103  		fd, err = unix.Openat(parent, name, syscall.O_NOFOLLOW|syscall.O_CLOEXEC|syscall.O_DIRECTORY, 0)
   104  		if isNoFollowErr(err) || err == syscall.ENOTDIR {
   105  			err = checkSymlink(parent, name, err)
   106  		} else if err == syscall.ENOTSUP || err == syscall.EOPNOTSUPP {
   107  			// ENOTSUP and EOPNOTSUPP are often, but not always, the same errno.
   108  			// Translate both to ENOTDIR, since this indicates a non-terminal
   109  			// path component was not a directory.
   110  			err = syscall.ENOTDIR
   111  		}
   112  		return err
   113  	})
   114  	return fd, err
   115  }
   116  
   117  func rootStat(r *Root, name string, lstat bool) (FileInfo, error) {
   118  	fi, err := doInRoot(r, name, func(parent sysfdType, n string) (FileInfo, error) {
   119  		var fs fileStat
   120  		if err := unix.Fstatat(parent, n, &fs.sys, unix.AT_SYMLINK_NOFOLLOW); err != nil {
   121  			return nil, err
   122  		}
   123  		fillFileStatFromSys(&fs, name)
   124  		if !lstat && fs.Mode()&ModeSymlink != 0 {
   125  			return nil, checkSymlink(parent, n, syscall.ELOOP)
   126  		}
   127  		return &fs, nil
   128  	})
   129  	if err != nil {
   130  		return nil, &PathError{Op: "statat", Path: name, Err: err}
   131  	}
   132  	return fi, nil
   133  }
   134  
   135  func rootSymlink(r *Root, oldname, newname string) error {
   136  	_, err := doInRoot(r, newname, func(parent sysfdType, name string) (struct{}, error) {
   137  		return struct{}{}, symlinkat(oldname, parent, name)
   138  	})
   139  	if err != nil {
   140  		return &LinkError{"symlinkat", oldname, newname, err}
   141  	}
   142  	return nil
   143  }
   144  
   145  // On systems which use fchmodat, fchownat, etc., we have a race condition:
   146  // When "name" is a symlink, Root.Chmod("name") should act on the target of that link.
   147  // However, fchmodat doesn't allow us to chmod a file only if it is not a symlink;
   148  // the AT_SYMLINK_NOFOLLOW parameter causes the operation to act on the symlink itself.
   149  //
   150  // We do the best we can by first checking to see if the target of the operation is a symlink,
   151  // and only attempting the fchmodat if it is not. If the target is replaced between the check
   152  // and the fchmodat, we will chmod the symlink rather than following it.
   153  //
   154  // This race condition is unfortunate, but does not permit escaping a root:
   155  // We may act on the wrong file, but that file will be contained within the root.
   156  func afterResolvingSymlink(parent int, name string, f func() error) error {
   157  	if err := checkSymlink(parent, name, nil); err != nil {
   158  		return err
   159  	}
   160  	return f()
   161  }
   162  
   163  func chmodat(parent int, name string, mode FileMode) error {
   164  	return afterResolvingSymlink(parent, name, func() error {
   165  		return ignoringEINTR(func() error {
   166  			return unix.Fchmodat(parent, name, syscallMode(mode), unix.AT_SYMLINK_NOFOLLOW)
   167  		})
   168  	})
   169  }
   170  
   171  func chownat(parent int, name string, uid, gid int) error {
   172  	return afterResolvingSymlink(parent, name, func() error {
   173  		return ignoringEINTR(func() error {
   174  			return unix.Fchownat(parent, name, uid, gid, unix.AT_SYMLINK_NOFOLLOW)
   175  		})
   176  	})
   177  }
   178  
   179  func lchownat(parent int, name string, uid, gid int) error {
   180  	return ignoringEINTR(func() error {
   181  		return unix.Fchownat(parent, name, uid, gid, unix.AT_SYMLINK_NOFOLLOW)
   182  	})
   183  }
   184  
   185  func chtimesat(parent int, name string, atime time.Time, mtime time.Time) error {
   186  	return afterResolvingSymlink(parent, name, func() error {
   187  		return ignoringEINTR(func() error {
   188  			utimes := chtimesUtimes(atime, mtime)
   189  			return unix.Utimensat(parent, name, &utimes, unix.AT_SYMLINK_NOFOLLOW)
   190  		})
   191  	})
   192  }
   193  
   194  func mkdirat(fd int, name string, perm FileMode) error {
   195  	return ignoringEINTR(func() error {
   196  		return unix.Mkdirat(fd, name, syscallMode(perm))
   197  	})
   198  }
   199  
   200  func removeat(fd int, name string) error {
   201  	// The system call interface forces us to know whether
   202  	// we are removing a file or directory. Try both.
   203  	e := ignoringEINTR(func() error {
   204  		return unix.Unlinkat(fd, name, 0)
   205  	})
   206  	if e == nil {
   207  		return nil
   208  	}
   209  	e1 := ignoringEINTR(func() error {
   210  		return unix.Unlinkat(fd, name, unix.AT_REMOVEDIR)
   211  	})
   212  	if e1 == nil {
   213  		return nil
   214  	}
   215  	// Both failed. See comment in Remove for how we decide which error to return.
   216  	if e1 != syscall.ENOTDIR {
   217  		return e1
   218  	}
   219  	return e
   220  }
   221  
   222  func removefileat(fd int, name string) error {
   223  	return ignoringEINTR(func() error {
   224  		return unix.Unlinkat(fd, name, 0)
   225  	})
   226  }
   227  
   228  func removedirat(fd int, name string) error {
   229  	return ignoringEINTR(func() error {
   230  		return unix.Unlinkat(fd, name, unix.AT_REMOVEDIR)
   231  	})
   232  }
   233  
   234  func renameat(oldfd int, oldname string, newfd int, newname string) error {
   235  	return unix.Renameat(oldfd, oldname, newfd, newname)
   236  }
   237  
   238  func linkat(oldfd int, oldname string, newfd int, newname string) error {
   239  	return unix.Linkat(oldfd, oldname, newfd, newname, 0)
   240  }
   241  
   242  func symlinkat(oldname string, newfd int, newname string) error {
   243  	return unix.Symlinkat(oldname, newfd, newname)
   244  }
   245  
   246  // checkSymlink resolves the symlink name in parent,
   247  // and returns errSymlink with the link contents.
   248  //
   249  // If name is not a symlink, return origError.
   250  func checkSymlink(parent int, name string, origError error) error {
   251  	link, err := readlinkat(parent, name)
   252  	if err != nil {
   253  		return origError
   254  	}
   255  	return errSymlink(link)
   256  }
   257  
   258  func readlinkat(fd int, name string) (string, error) {
   259  	for len := 128; ; len *= 2 {
   260  		b := make([]byte, len)
   261  		var (
   262  			n int
   263  			e error
   264  		)
   265  		ignoringEINTR(func() error {
   266  			n, e = unix.Readlinkat(fd, name, b)
   267  			return e
   268  		})
   269  		if e == syscall.ERANGE {
   270  			continue
   271  		}
   272  		if e != nil {
   273  			return "", e
   274  		}
   275  		if n < 0 {
   276  			n = 0
   277  		}
   278  		if n < len {
   279  			return string(b[0:n]), nil
   280  		}
   281  	}
   282  }
   283
View as plain text