[PATCH 1/1] sandbox: use sane access rights for files
Sean Anderson
seanga2 at gmail.com
Thu Apr 11 04:42:06 CEST 2024
On 4/10/24 04:38, Heinrich Schuchardt wrote:
> When writing an executable, allowing other users to modify it introduces
> a security issue.
>
> Generally we should avoid giving other users write access to our files by
> default.
>
> Replace chmod(777) by chmod(755) and chmod(644).
>
> Fixes: 47f5fcfb4169 ("sandbox: Add os_jump_to_image() to run another executable")
> Fixes: d9165153caea ("sandbox: add flags for open() call")
> Fixes: 5c2859cdc302 ("sandbox: Allow reading/writing of RAM buffer")
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> ---
> arch/sandbox/cpu/os.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/sandbox/cpu/os.c b/arch/sandbox/cpu/os.c
> index cbae5109e85..1cf41578010 100644
> --- a/arch/sandbox/cpu/os.c
> +++ b/arch/sandbox/cpu/os.c
> @@ -109,7 +109,7 @@ int os_open(const char *pathname, int os_flags)
> */
> flags |= O_CLOEXEC;
>
> - return open(pathname, flags, 0777);
> + return open(pathname, flags, 0644);
> }
>
> int os_close(int fd)
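Review bot: In os_open(), the new mode 0644 applies to every file the sandbox creates through this wrapper, so a caller that relied on os_open() producing an executable file now gets one without the x bits and would need an explicit chmod afterwards. The mode argument only takes effect when flags contains O_CREAT, and it is still filtered by the process umask. A short comment above the return stating both points, and that 0644 is the intended default for created files, would make the contract clear. Note also that the commit message speaks of chmod(777) while this line changes an open() mode.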
> @@ -746,7 +746,7 @@ int os_write_ram_buf(const char *fname)
> struct sandbox_state *state = state_get_current();
> int fd, ret;
>
> - fd = open(fname, O_CREAT | O_WRONLY, 0777);
> + fd = open(fname, O_CREAT | O_WRONLY, 0644);
> if (fd < 0)
> return -ENOENT;
> ret = write(fd, state->ram_buf, state->ram_size);
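Review bot: In os_write_ram_buf(), 0644 removes write access for other users but still leaves the RAM image readable by group and others. The file holds the full contents of state->ram_buf, so 0600 looks like the safer default unless another user is expected to read it. The mode is also applied only when open() creates the file: a file of the same name left behind by an earlier run with 0777 keeps those permissions. If that case matters, calling fchmod(fd, ...) after a successful open would cover it.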
> @@ -791,7 +791,7 @@ static int make_exec(char *fname, const void *data, int size)
> if (write(fd, data, size) < 0)
> return -EIO;
> close(fd);
> - if (chmod(fname, 0777))
> + if (chmod(fname, 0755))
> return -ENOEXEC;
>
> return 0;
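Review bot: In make_exec(), chmod(fname, 0755) is applied by path after close(fd), so the permissions are set on whatever fname refers to at that moment rather than on the descriptor that was just written. Using fchmod(fd, 0755) before close(fd) would tie the mode change to the file that received the data. Unlike the open() mode in the other two hunks, chmod() is not filtered by umask, so the result is always readable and executable by everyone. If only the invoking user needs to run the image, 0700 would be tighter. Separately, the early "return -EIO" on a failed write() in the context lines returns without closing fd.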
Reviewed-by: Sean Anderson <seanga2 at gmail.com>