[pve-lxc-syscalld.git] / src / sys_mknod.rs

use std::ffi::CString;
use std::os::unix::io::AsRawFd;

use anyhow::Error;
use nix::errno::Errno;
use nix::sys::stat;

use crate::fork::forking_syscall;
use crate::lxcseccomp::ProxyMessageBuffer;
use crate::process::PidFd;
use crate::sc_libc_try;
use crate::syscall::SyscallStatus;
use crate::tools::Fd;

pub async fn mknod(msg: &ProxyMessageBuffer) -> Result<SyscallStatus, Error> {
    let mode = msg.arg_mode_t(1)?;
    let dev = msg.arg_dev_t(2)?;
    if !check_mknod_dev(mode, dev) {
        return Ok(Errno::EPERM.into());
    }

    let pathname = msg.arg_c_string(0)?;
    let cwd = msg.pid_fd().fd_cwd()?;

    do_mknodat(msg.pid_fd(), cwd, pathname, mode, dev).await
}

pub async fn mknodat(msg: &ProxyMessageBuffer) -> Result<SyscallStatus, Error> {
    let mode = msg.arg_mode_t(2)?;
    let dev = msg.arg_dev_t(3)?;
    if !check_mknod_dev(mode, dev) {
        return Ok(Errno::EPERM.into());
    }

    let dirfd = msg.arg_fd(0, libc::O_DIRECTORY)?;
    let pathname = msg.arg_c_string(1)?;

    do_mknodat(msg.pid_fd(), dirfd, pathname, mode, dev).await
}

fn check_mknod_dev(mode: stat::mode_t, dev: stat::dev_t) -> bool {
    let sflag = mode & libc::S_IFMT;
    let major = stat::major(dev);
    let minor = stat::minor(dev);

    match (sflag, major, minor) {
        (libc::S_IFREG, 0, 0) => true, // touch
        (libc::S_IFCHR, 0, 0) => true, // whiteout
        (libc::S_IFCHR, 5, 0) => true, // /dev/tty
        (libc::S_IFCHR, 5, 1) => true, // /dev/console
        (libc::S_IFCHR, 5, 2) => true, // /dev/ptmx
        (libc::S_IFCHR, 1, 3) => true, // /dev/null
        (libc::S_IFCHR, 1, 5) => true, // /dev/zero
        (libc::S_IFCHR, 1, 7) => true, // /dev/full
        (libc::S_IFCHR, 1, 8) => true, // /dev/random
        (libc::S_IFCHR, 1, 9) => true, // /dev/urandom
        _ => false,
    }
}

async fn do_mknodat(
    pidfd: &PidFd,
    dirfd: Fd,
    pathname: CString,
    mode: stat::mode_t,
    dev: stat::dev_t,
) -> Result<SyscallStatus, Error> {
    let caps = pidfd.user_caps()?;

    Ok(forking_syscall(move || {
        caps.apply(&PidFd::current()?)?;
        let out =
            sc_libc_try!(unsafe { libc::mknodat(dirfd.as_raw_fd(), pathname.as_ptr(), mode, dev) });
        Ok(SyscallStatus::Ok(out.into()))
    })
    .await?)
}
Commit	Line	Data
	1	use std::ffi::CString;
	2	use std::os::unix::io::AsRawFd;
	3
	4	use anyhow::Error;
	5	use nix::errno::Errno;
	6	use nix::sys::stat;
	7
	8	use crate::fork::forking_syscall;
	9	use crate::lxcseccomp::ProxyMessageBuffer;
	10	use crate::process::PidFd;
	11	use crate::sc_libc_try;
	12	use crate::syscall::SyscallStatus;
	13	use crate::tools::Fd;
	14
	15	pub async fn mknod(msg: &ProxyMessageBuffer) -> Result<SyscallStatus, Error> {
	16	let mode = msg.arg_mode_t(1)?;
	17	let dev = msg.arg_dev_t(2)?;
	18	if !check_mknod_dev(mode, dev) {
	19	return Ok(Errno::EPERM.into());
	20	}
	21
	22	let pathname = msg.arg_c_string(0)?;
	23	let cwd = msg.pid_fd().fd_cwd()?;
	24
	25	do_mknodat(msg.pid_fd(), cwd, pathname, mode, dev).await
	26	}
	27
	28	pub async fn mknodat(msg: &ProxyMessageBuffer) -> Result<SyscallStatus, Error> {
	29	let mode = msg.arg_mode_t(2)?;
	30	let dev = msg.arg_dev_t(3)?;
	31	if !check_mknod_dev(mode, dev) {
	32	return Ok(Errno::EPERM.into());
	33	}
	34
	35	let dirfd = msg.arg_fd(0, libc::O_DIRECTORY)?;
	36	let pathname = msg.arg_c_string(1)?;
	37
	38	do_mknodat(msg.pid_fd(), dirfd, pathname, mode, dev).await
	39	}
	40
	41	fn check_mknod_dev(mode: stat::mode_t, dev: stat::dev_t) -> bool {
	42	let sflag = mode & libc::S_IFMT;
	43	let major = stat::major(dev);
	44	let minor = stat::minor(dev);
	45
	46	match (sflag, major, minor) {
	47	(libc::S_IFREG, 0, 0) => true, // touch
	48	(libc::S_IFCHR, 0, 0) => true, // whiteout
	49	(libc::S_IFCHR, 5, 0) => true, // /dev/tty
	50	(libc::S_IFCHR, 5, 1) => true, // /dev/console
	51	(libc::S_IFCHR, 5, 2) => true, // /dev/ptmx
	52	(libc::S_IFCHR, 1, 3) => true, // /dev/null
	53	(libc::S_IFCHR, 1, 5) => true, // /dev/zero
	54	(libc::S_IFCHR, 1, 7) => true, // /dev/full
	55	(libc::S_IFCHR, 1, 8) => true, // /dev/random
	56	(libc::S_IFCHR, 1, 9) => true, // /dev/urandom
	57	_ => false,
	58	}
	59	}
	60
	61	async fn do_mknodat(
	62	pidfd: &PidFd,
	63	dirfd: Fd,
	64	pathname: CString,
	65	mode: stat::mode_t,
	66	dev: stat::dev_t,
	67	) -> Result<SyscallStatus, Error> {
	68	let caps = pidfd.user_caps()?;
	69
	70	Ok(forking_syscall(move \|\| {
	71	caps.apply(&PidFd::current()?)?;
	72	let out =
	73	sc_libc_try!(unsafe { libc::mknodat(dirfd.as_raw_fd(), pathname.as_ptr(), mode, dev) });
	74	Ok(SyscallStatus::Ok(out.into()))
	75	})
	76	.await?)
	77	}