From de4f57761821e3d97e841a99af38768ee9605633 Mon Sep 17 00:00:00 2001
From: Aliaksei Urbanski
Date: Thu, 27 Jun 2024 06:51:47 +0300
Subject: libsandbox: fix violations where ENOENT is expected
These changes revert f7d02c04 that aimed to resolve 921581 and fix it in a way that doesn't cause unwanted sandbox violations.
Bug: https://bugs.gentoo.org/921581
Signed-off-by: Aliaksei Urbanski
Signed-off-by: Mike Gilbert
---
 libsandbox/pre_check_mkdirat.c | 8 +++++---
 tests/mkdirat-3.sh | 2 ++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/libsandbox/pre_check_mkdirat.c b/libsandbox/pre_check_mkdirat.c
index 49c382a..c717576 100644
--- a/libsandbox/pre_check_mkdirat.c
+++ b/libsandbox/pre_check_mkdirat.c
@@ -37,15 +37,17 @@ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
 * will trigger a sandbox violation.
 */
 struct stat64 st;
- if (0 == lstat64(pathname, &st)) {
+ if (0 == lstat64(canonic, &st)) {
 int new_errno;
 sb_debug_dyn("EARLY FAIL: %s(%s[%s]) @ lstat: %s\n", func, pathname, canonic, strerror(errno));
 new_errno = EEXIST;
- /* Hmm, is this a broken symlink we're trying to extend ? */
- if (S_ISLNK(st.st_mode) && stat64(pathname, &st) != 0) {
+ /* Hmm, is this a broken symlink we're trying to extend ?
+ * Or is this a path like "foo/.." ?
+ */
+ if (stat64(pathname, &st) != 0) {
 /* XXX: This awful hack should probably be turned into a
 * common func that does a better job. For now, we have
 * enough crap to catch gnulib tests #297026.
diff --git a/tests/mkdirat-3.sh b/tests/mkdirat-3.sh
index fe20579..8292af9 100755
--- a/tests/mkdirat-3.sh
+++ b/tests/mkdirat-3.sh
@@ -4,4 +4,6 @@ set -e
 mkdirat-0 -1,ENOENT .:O_DIRECTORY '' 0
+mkdirat-0 -1,ENOENT .:O_DIRECTORY 'foo/..' 0
+
 mkdirat-0 -1,ENOENT -3 '' 0
--
cgit v1.2.3-65-gdbad
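Review bot: With `S_ISLNK(st.st_mode)` dropped in the pre_check_mkdirat.c hunk, the inner test `stat64(pathname, &st) != 0` sends every stat failure into the fallback branch, not only the two cases the new comment names (a broken symlink, a path like "foo/.."), so EACCES, ENOTDIR or ELOOP on the raw path would be treated like a missing component. If the branch is meant for the missing-target case only, `if (stat64(pathname, &st) != 0 && errno == ENOENT) {` keeps it that narrow; what the branch assigns to new_errno lies outside the hunk, so this needs checking against the rest of the function. The outer test now stats `canonic` while the inner one still stats `pathname`, so the two calls can name different objects and are not atomic with respect to each other. A short comment above the outer `if` saying why the canonical path is used for the existence test and the raw path for the resolvability test would make that asymmetry deliberate rather than surprising, since this pre-check appears to decide the errno before any sandbox violation is raised.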