On 12/1/23 04:21, Shu-Chun Weng wrote:
Commit b8002058 strengthened openat()'s /proc detection by calling
realpath(3) on the given path, which allows various paths and symlinks
that points to the /proc file system to be intercepted correctly.
Using realpath(3), though, has a side effect that it reads the symlinks
along the way, and thus changes their atime.
Ah, ok. I didn't thought of that side effect when I came up with the patch.
Does the updated atimes trigger some real case issue ?
Helge
The results in the
following code snippet already get ~now instead of the real atime:
int fd = open("/path/to/a/symlink", O_PATH | O_NOFOLLOW);
struct stat st;
fstat(fd, st);
return st.st_atime;
This change opens a path that doesn't appear to be part of /proc
directly and checks the destination of /proc/self/fd/n to determine if
it actually refers to a file in /proc.
Neither this nor the existing code works with symlinks or indirect paths
(e.g. /tmp/../proc/self/exe) that points to /proc/self/exe because it
is itself a symlink, and both realpath(3) and /proc/self/fd/n will
resolve into the location of QEMU.
Signed-off-by: Shu-Chun Weng <s...@google.com>
---
linux-user/syscall.c | 42 +++++++++++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e384e14248..25e2cda10a 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8308,8 +8308,6 @@ static int open_net_route(CPUArchState *cpu_env, int fd)
int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
int flags, mode_t mode, bool safe)
{
- g_autofree char *proc_name = NULL;
- const char *pathname;
struct fake_open {
const char *filename;
int (*fill)(CPUArchState *cpu_env, int fd);
@@ -8333,13 +8331,39 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd,
const char *fname,
#endif
{ NULL, NULL, NULL }
};
+ char pathname[PATH_MAX];
- /* if this is a file from /proc/ filesystem, expand full name */
- proc_name = realpath(fname, NULL);
- if (proc_name && strncmp(proc_name, "/proc/", 6) == 0) {
- pathname = proc_name;
+ if (strncmp(fname, "/proc/", 6) == 0) {
+ pstrcpy(pathname, sizeof(pathname), fname);
} else {
- pathname = fname;
+ char procpath[PATH_MAX];
+ int fd, n;
+
+ if (safe) {
+ fd = safe_openat(dirfd, path(fname), flags, mode);
+ } else {
+ fd = openat(dirfd, path(fname), flags, mode);
+ }
+ if (fd < 0) {
+ return fd;
+ }
+
+ /*
+ * Try to get the real path of the file we just opened. We avoid
calling
+ * `realpath(3)` because it calls `readlink(2)` on symlinks which
+ * changes their atime. Note that since `/proc/self/exe` is a symlink,
+ * `pathname` will never resolves to it (neither will `realpath(3)`).
+ * That's why we check `fname` against the "/proc/" prefix first.
+ */
+ snprintf(procpath, sizeof(procpath), "/proc/self/fd/%d", fd);
+ n = readlink(procpath, pathname, sizeof(pathname));
+ pathname[n < sizeof(pathname) ? n : sizeof(pathname)] = '\0';
+
+ /* if this is not a file from /proc/ filesystem, the fd is good as-is
*/
+ if (strncmp(pathname, "/proc/", 6) != 0) {
+ return fd;
+ }
+ close(fd);
}
if (is_proc_myself(pathname, "exe")) {
@@ -8390,9 +8414,9 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd,
const char *fname,
}
if (safe) {
- return safe_openat(dirfd, path(pathname), flags, mode);
+ return safe_openat(dirfd, pathname, flags, mode);
} else {
- return openat(dirfd, path(pathname), flags, mode);
+ return openat(dirfd, pathname, flags, mode);
}
}
