Re: [PATCH 1/1] sandbox: use sane access rights for files

2024-04-10 Thread Sean Anderson

On 4/10/24 04:38, Heinrich Schuchardt wrote:

When writing an executable, allowing other users to modify it introduces
a security issue.

Generally we should avoid giving other users write access to our files by
default.

Replace chmod(777) by chmod(755) and chmod(644).

Fixes: 47f5fcfb4169 ("sandbox: Add os_jump_to_image() to run another 
executable")
Fixes: d9165153caea ("sandbox: add flags for open() call")
Fixes: 5c2859cdc302 ("sandbox: Allow reading/writing of RAM buffer")
Signed-off-by: Heinrich Schuchardt 
---
  arch/sandbox/cpu/os.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/sandbox/cpu/os.c b/arch/sandbox/cpu/os.c
index cbae5109e85..1cf41578010 100644
--- a/arch/sandbox/cpu/os.c
+++ b/arch/sandbox/cpu/os.c
@@ -109,7 +109,7 @@ int os_open(const char *pathname, int os_flags)
 */
flags |= O_CLOEXEC;
  
-	return open(pathname, flags, 0777);

+   return open(pathname, flags, 0644);
  }
  
  int os_close(int fd)
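Review bot: The 0644 in `return open(pathname, flags, 0644);` is only a creation-time ceiling: it takes effect solely when the translated flags include O_CREAT and is further masked by the process umask, so a file that already exists on disk keeps the mode it was created with, including 0777 from a build before this change. A short comment above the return would spare the next reader from re-deriving that, e.g. `/* 0644: creation mode only (O_CREAT), masked by umask; never grant group/other write */`. The flag translation and the start of os_open lie outside the hunk. The same hunk is repeated verbatim in the original posting further down.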

@@ -746,7 +746,7 @@ int os_write_ram_buf(const char *fname)
struct sandbox_state *state = state_get_current();
int fd, ret;
  
-	fd = open(fname, O_CREAT | O_WRONLY, 0777);

+   fd = open(fname, O_CREAT | O_WRONLY, 0644);
if (fd < 0)
return -ENOENT;
ret = write(fd, state->ram_buf, state->ram_size);
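Review bot: The file created by `fd = open(fname, O_CREAT | O_WRONLY, 0644);` stays world-readable, and as it is a dump of the whole sandbox RAM (state->ram_buf) it may contain whatever sensitive material the emulated firmware was holding; only the owning user needs to read it back, so 0600 is the conservative choice here. Independently of the mode, the open has no O_TRUNC, so a pre-existing fname longer than ram_size keeps stale trailing bytes, and a file created by an older build keeps its 0777 mode because the mode argument applies only at creation. I would change the line to `fd = open(fname, O_CREAT | O_WRONLY | O_TRUNC, 0600);`. The close and return of os_write_ram_buf lie outside the hunk, and the hunk repeats verbatim in the original posting below.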
@@ -791,7 +791,7 @@ static int make_exec(char *fname, const void *data, int 
size)
if (write(fd, data, size) < 0)
return -EIO;
close(fd);
-   if (chmod(fname, 0777))
+   if (chmod(fname, 0755))
return -ENOEXEC;
  
  	return 0;
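Review bot: In the context lines of this hunk, `if (write(fd, data, size) < 0) return -EIO;` returns with fd still open, so the descriptor leaks on the error path, and the commit does not touch it. Applying the mode with fchmod() on the still-open descriptor before close() also acts on the exact file that was just written instead of re-resolving fname by path, and lets both error paths share one close. A write shorter than size is likewise accepted silently because only a negative return is checked; comparing the result against size would catch a truncated executable. The open/mkstemp prologue of make_exec lies outside the hunk, and the hunk repeats verbatim in the original posting below.
```c
	if (write(fd, data, size) != size) {
		close(fd);
		return -EIO;
	}
	/* set the mode on the descriptor we wrote, then close it */
	if (fchmod(fd, 0755)) {
		close(fd);
		return -ENOEXEC;
	}
	close(fd);

	return 0;
```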


Reviewed-by: Sean Anderson 


[PATCH 1/1] sandbox: use sane access rights for files

2024-04-10 Thread Heinrich Schuchardt
When writing an executable, allowing other users to modify it introduces
a security issue.

Generally we should avoid giving other users write access to our files by
default.

Replace chmod(777) by chmod(755) and chmod(644).

Fixes: 47f5fcfb4169 ("sandbox: Add os_jump_to_image() to run another 
executable")
Fixes: d9165153caea ("sandbox: add flags for open() call")
Fixes: 5c2859cdc302 ("sandbox: Allow reading/writing of RAM buffer")
Signed-off-by: Heinrich Schuchardt 
---
 arch/sandbox/cpu/os.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/sandbox/cpu/os.c b/arch/sandbox/cpu/os.c
index cbae5109e85..1cf41578010 100644
--- a/arch/sandbox/cpu/os.c
+++ b/arch/sandbox/cpu/os.c
@@ -109,7 +109,7 @@ int os_open(const char *pathname, int os_flags)
 */
flags |= O_CLOEXEC;
 
-   return open(pathname, flags, 0777);
+   return open(pathname, flags, 0644);
 }
 
 int os_close(int fd)
@@ -746,7 +746,7 @@ int os_write_ram_buf(const char *fname)
struct sandbox_state *state = state_get_current();
int fd, ret;
 
-   fd = open(fname, O_CREAT | O_WRONLY, 0777);
+   fd = open(fname, O_CREAT | O_WRONLY, 0644);
if (fd < 0)
return -ENOENT;
ret = write(fd, state->ram_buf, state->ram_size);
@@ -791,7 +791,7 @@ static int make_exec(char *fname, const void *data, int 
size)
if (write(fd, data, size) < 0)
return -EIO;
close(fd);
-   if (chmod(fname, 0777))
+   if (chmod(fname, 0755))
return -ENOEXEC;
 
return 0;
-- 
2.43.0