From patchwork Wed Jun 3 20:39:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Hatle X-Patchwork-Id: 89281 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62A9BCD6E72 for ; Wed, 3 Jun 2026 20:39:21 +0000 (UTC) Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.30001.1780519152382188437 for ; Wed, 03 Jun 2026 13:39:12 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: kernel.crashing.org, ip: 63.228.1.57, mailfrom: mark.hatle@kernel.crashing.org) Received: from kernel.crashing.org.net (70-99-78-136.nuveramail.net [70.99.78.136] (may be forged)) by gate.crashing.org (8.18.1/8.18.1/Debian-2) with ESMTP id 653Kd9Ux2263173; Wed, 3 Jun 2026 15:39:10 -0500 From: Mark Hatle To: yocto-patches@lists.yoctoproject.org Cc: seebs@seebs.net, richard.purdie@linuxfoundation.org Subject: [pseudo][PATCH 1/6] Makefile.in: Add pseudo_client.h as a dependency Date: Wed, 3 Jun 2026 15:39:03 -0500 Message-Id: <1780519148-30836-2-git-send-email-mark.hatle@kernel.crashing.org> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> References: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Jun 2026 20:39:21 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4125 From: Mark Hatle Updating parts of the .h did not trigger a rebuild. Signed-off-by: Mark Hatle 
Signed-off-by: Mark Hatle --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 8719ddd..2bc259f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -158,7 +158,7 @@ pseudo_tables.o: pseudo_tables.c $(CC) $(CFLAGS) $(CFLAGS_PSEUDO) -c -o pseudo_tables.o pseudo_tables.c # no-strict-aliasing is needed for the function pointer trickery. -pseudo_wrappers.o: $(GUTS) pseudo_wrappers.c pseudo_wrapfuncs.c pseudo_wrapfuncs.h pseudo_tables.h +pseudo_wrappers.o: $(GUTS) pseudo_wrappers.c pseudo_wrapfuncs.c pseudo_wrapfuncs.h pseudo_tables.h pseudo_client.h $(CC) -fno-strict-aliasing $(CFLAGS) $(CFLAGS_PSEUDO) -D_GNU_SOURCE -c -o pseudo_wrappers.o pseudo_wrappers.c offsets32: From patchwork Wed Jun 3 20:39:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Hatle X-Patchwork-Id: 89282 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 92A67CD6E73 for ; Wed, 3 Jun 2026 20:39:21 +0000 (UTC) Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.29653.1780519152381457299 for ; Wed, 03 Jun 2026 13:39:12 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: kernel.crashing.org, ip: 63.228.1.57, mailfrom: mark.hatle@kernel.crashing.org) Received: from kernel.crashing.org.net (70-99-78-136.nuveramail.net [70.99.78.136] (may be forged)) by gate.crashing.org (8.18.1/8.18.1/Debian-2) with ESMTP id 653Kd9V02263173; Wed, 3 Jun 2026 15:39:10 -0500 
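Review bot: the new dependency is added only to the pseudo_wrappers.o rule, yet the later patches in this series change PSEUDO_FS_MODE and PSEUDO_DB_MODE in pseudo_client.h, so every object that includes that header needs the same dependency or the stale-build problem the commit message describes will simply recur for a different object. Please check the remaining rules in Makefile.in (only the pseudo_wrappers.o rule is visible in this hunk), and if $(GUTS) is meant to carry the shared headers, list pseudo_client.h there once rather than appending it rule by rule.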
From: Mark Hatle To: yocto-patches@lists.yoctoproject.org Cc: seebs@seebs.net, richard.purdie@linuxfoundation.org Subject: [pseudo][PATCH 2/6] pseudo_client.h: Make it clear both macros must be updated together Date: Wed, 3 Jun 2026 15:39:04 -0500 Message-Id: <1780519148-30836-3-git-send-email-mark.hatle@kernel.crashing.org> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> References: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Jun 2026 20:39:21 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4124 From: Mark Hatle Both PSEUDO_FS_MODE and PSEUDO_DB_MODE must be updated together. The first defined the masking for the mode on the disk, while the second filters the masking so we know which modes from the disk can be trusted. Signed-off-by: Mark Hatle Signed-off-by: Mark Hatle --- pseudo_client.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pseudo_client.h b/pseudo_client.h index e963d95..b5ec204 100644 --- a/pseudo_client.h +++ b/pseudo_client.h 
@@ -87,7 +87,10 @@ extern int read_pidfile(FILE *, int *); * When doing anything which actually writes to the filesystem, we add in * the user read/write/execute bits. When storing to the database, though, * we mask out any such bits which weren't in the original mode. + * + * Note: PSEUDO_DB_MODE must be kept in sync with PSEUDO_FS_MODE, as the + * former defined which filesystem mode bits must be loaded from the DB. */ #define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH)) -#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0722) | ((user_mode & 0722))) +#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~(S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH)) | ((user_mode) & (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH))) From patchwork Wed Jun 3 20:39:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Hatle X-Patchwork-Id: 89280 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EFF5CD6E6B for ; Wed, 3 Jun 2026 20:39:21 +0000 (UTC) Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.30003.1780519152627849019 for ; Wed, 03 Jun 2026 13:39:12 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: kernel.crashing.org, ip: 63.228.1.57, mailfrom: mark.hatle@kernel.crashing.org) Received: from kernel.crashing.org.net (70-99-78-136.nuveramail.net [70.99.78.136] (may be forged)) by gate.crashing.org (8.18.1/8.18.1/Debian-2) with ESMTP id 653Kd9V12263173; Wed, 3 Jun 2026 15:39:10 -0500 
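Review bot: the sync requirement the new comment describes is enforced only by convention; since the bits PSEUDO_DB_MODE copies from user_mode are exactly the bits PSEUDO_FS_MODE adds or clears (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH), define that set once, e.g. "#define PSEUDO_MASKED_BITS (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH)", and use it in both macros so they cannot drift. The symbolic mask equals the old 0722 (0700 | 0020 | 0002), so apart from the added parentheses around user_mode this is a no-functional-change cleanup and the commit message should say so. In the comment, "the former defined which filesystem mode bits must be loaded from the DB" should read "defines", and what the macro actually selects is which bits are taken from the requested mode instead of from the filesystem mode.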
From: Mark Hatle To: yocto-patches@lists.yoctoproject.org Cc: seebs@seebs.net, richard.purdie@linuxfoundation.org Subject: [pseudo][PATCH 3/6] tests: Add test that returned stat is correct Date: Wed, 3 Jun 2026 15:39:05 -0500 Message-Id: <1780519148-30836-4-git-send-email-mark.hatle@kernel.crashing.org> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> References: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Jun 2026 20:39:21 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4127 From: Mark Hatle There are concerns that if PSEUDO_FS_MODE and PSEUDO_DB_MODE get out of sync with each other that invalid modules could be returned in some cases. AI-Generated: Implemented with the assistance of github CoPilot (Claude Opus 4.6) Signed-off-by: Mark Hatle Signed-off-by: Mark Hatle --- test/test-db-mode.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++ test/test-db-mode.sh | 10 +++++ 2 files changed, 127 insertions(+) create mode 100644 test/test-db-mode.c create mode 100755 test/test-db-mode.sh diff --git a/test/test-db-mode.c b/test/test-db-mode.c new file mode 100644 index 0000000..1e470c2 --- /dev/null +++ b/test/test-db-mode.c 
@@ -0,0 +1,117 @@ +/* + * Test that PSEUDO_DB_MODE correctly reconstructs permissions at file + * creation time. PSEUDO_DB_MODE is used when a file is created (open + * with O_CREAT, mkdir, etc.) to recover the intended mode from the + * filesystem mode (which has been mangled by PSEUDO_FS_MODE). + * + * If PSEUDO_DB_MODE is broken, the mode stored in the database at + * creation time will be wrong, which we detect by stat'ing immediately + * after creation (before any chmod). + * + * SPDX-License-Identifier: LGPL-2.1-only + */ + +#include +#include +#include +#include +#include +#include +#include + +static int test_creat_mode(mode_t mode) { + const char *path = "test-db-mode-tmp"; + struct stat st; + + /* Remove any prior file */ + unlink(path); + + /* Clear umask so it doesn't interfere */ + mode_t old_umask = umask(0); + + int fd = open(path, O_CREAT | O_WRONLY | O_EXCL, mode); + if (fd < 0) { + perror("open"); + umask(old_umask); + return 1; + } + close(fd); + + if (stat(path, &st) != 0) { + perror("stat"); + unlink(path); + umask(old_umask); + return 1; + } + + mode_t got = st.st_mode & 07777; + unlink(path); + umask(old_umask); + + if (got != mode) { + fprintf(stderr, "FAIL: open(O_CREAT, 0%04o) -> stat 0%04o\n", mode, got); + return 1; + } + return 0; +} + +static int test_mkdir_mode(mode_t mode) { + const char *path = "test-db-mode-dir-tmp"; + struct stat st; + + rmdir(path); + + mode_t old_umask = umask(0); + + if (mkdir(path, mode) != 0) { + perror("mkdir"); + umask(old_umask); + return 1; + } + + if (stat(path, &st) != 0) { + perror("stat"); + rmdir(path); + umask(old_umask); + return 1; + } + + mode_t got = st.st_mode & 07777; + rmdir(path); + umask(old_umask); + + if (got != mode) { + fprintf(stderr, "FAIL: mkdir(0%04o) -> stat 0%04o\n", mode, got); + return 1; + } + return 0; +} + +int main(void) { + int failures = 0; + int total = 0; + + /* Test all octet values simultaneously: 00000, 01111, 02222, ..., 07777 */ + mode_t modes[] = { + 00000, 01111, 
02222, 03333, 04444, 05555, 06666, 07777, + }; + int num_modes = sizeof(modes) / sizeof(modes[0]); + + for (int i = 0; i < num_modes; i++) { + total++; + if (test_creat_mode(modes[i]) != 0) + failures++; + } + + for (int i = 0; i < num_modes; i++) { + total++; + if (test_mkdir_mode(modes[i]) != 0) + failures++; + } + + if (failures > 0) { + fprintf(stderr, "%d/%d mode tests failed\n", failures, total); + return 2; + } + return 0; +} diff --git a/test/test-db-mode.sh b/test/test-db-mode.sh new file mode 100755 index 0000000..b3e97ad --- /dev/null +++ b/test/test-db-mode.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# +# SPDX-License-Identifier: LGPL-2.1-only +# +# Test that PSEUDO_DB_MODE correctly reconstructs permission bits +# at file/directory creation time. + +trap "rm -rf test-db-mode-tmp test-db-mode-dir-tmp" EXIT + +./test/test-db-mode From patchwork Wed Jun 3 20:39:06 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Hatle X-Patchwork-Id: 89283 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 768C6CD6E74 for ; Wed, 3 Jun 2026 20:39:21 +0000 (UTC) Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.29654.1780519152627652429 for ; Wed, 03 Jun 2026 13:39:12 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: kernel.crashing.org, ip: 63.228.1.57, mailfrom: mark.hatle@kernel.crashing.org) Received: from kernel.crashing.org.net (70-99-78-136.nuveramail.net [70.99.78.136] (may be forged)) by gate.crashing.org (8.18.1/8.18.1/Debian-2) with ESMTP id 653Kd9V22263173; Wed, 3 Jun 2026 15:39:11 -0500 
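Review bot: the directory cases that carry S_ISUID or S_ISGID (mkdir with 02222, 04444, 06666 and 07777) will fail at this point in the series, because the kernel's stripping of those bits on mkdir is only compensated for in PSEUDO_DB_MODE by patch 4/6; either move this patch after 4/6 or add the +s directory modes there, so every commit passes its own tests. Two smaller points: the comment "Test all octet values simultaneously" should say octal digit patterns, and the cases run one after another, not simultaneously; and the commit message's "invalid modules" is presumably "invalid modes". Note also that both the C program and the trap in test-db-mode.sh use paths relative to the current directory while the script invokes ./test/test-db-mode, so the cleanup only matches if the harness always starts from the top-level directory.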
From: Mark Hatle To: yocto-patches@lists.yoctoproject.org Cc: seebs@seebs.net, richard.purdie@linuxfoundation.org Subject: [pseudo][PATCH 4/6] pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir Date: Wed, 3 Jun 2026 15:39:06 -0500 Message-Id: <1780519148-30836-5-git-send-email-mark.hatle@kernel.crashing.org> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> References: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Jun 2026 20:39:21 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4126 From: Mark Hatle During a mkdir the kernel will automatically filter out S_ISUID and S_ISGID for non-root users. This would result in an emulated ug+s on a directory losing the +s. This resolves the issue, and we need to remember to account for it in the future. AI-Generated: Implemented with the assistance of github CoPilot (Claude Opus 4.6) Signed-off-by: Mark Hatle Signed-off-by: Mark Hatle --- pseudo_client.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pseudo_client.h b/pseudo_client.h index b5ec204..9d98ea1 100644 --- a/pseudo_client.h +++ b/pseudo_client.h 
@@ -90,7 +90,10 @@ extern int read_pidfile(FILE *, int *); * * Note: PSEUDO_DB_MODE must be kept in sync with PSEUDO_FS_MODE, as the * former defined which filesystem mode bits must be loaded from the DB. + * + * Note: S_ISUID and S_ISGID may be stripped during a mkdir as a user, + * account for this in PSEUDO_DB_MODE. */ #define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH)) -#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~(S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH)) | ((user_mode) & (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH))) +#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~(S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) | ((user_mode) & (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID))) From patchwork Wed Jun 3 20:39:07 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Hatle X-Patchwork-Id: 89279 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46D6BCD6E71 for ; Wed, 3 Jun 2026 20:39:21 +0000 (UTC) Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.29655.1780519152835833287 for ; Wed, 03 Jun 2026 13:39:13 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: kernel.crashing.org, ip: 63.228.1.57, mailfrom: mark.hatle@kernel.crashing.org) Received: from kernel.crashing.org.net (70-99-78-136.nuveramail.net [70.99.78.136] (may be forged)) by gate.crashing.org (8.18.1/8.18.1/Debian-2) with ESMTP id 653Kd9V32263173; Wed, 3 Jun 2026 15:39:11 -0500 
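Review bot: with this change the setuid/setgid bits stored in the database come exclusively from user_mode, which is the right source for emulation, but the commit message's "we need to remember to account for it in the future" should state the concrete rule: any bit the kernel may silently drop or refuse on a real operation has to be in the PSEUDO_DB_MODE mask so it is taken from the requested mode rather than read back from disk. The added note also has a comma splice ("... as a user, account for this ..."); suggest "... as a user; PSEUDO_DB_MODE therefore takes them from user_mode." PSEUDO_FS_MODE is unchanged here, so until 6/6 a requested setuid bit still reaches the real filesystem for regular files, which is why the test in 5/6 cannot pass before 6/6.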
From: Mark Hatle To: yocto-patches@lists.yoctoproject.org Cc: seebs@seebs.net, richard.purdie@linuxfoundation.org Subject: [pseudo][PATCH 5/6] tests: Add setuid permission check Date: Wed, 3 Jun 2026 15:39:07 -0500 Message-Id: <1780519148-30836-6-git-send-email-mark.hatle@kernel.crashing.org> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> References: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Jun 2026 20:39:21 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4128 From: Mark Hatle Verify that +s permissions are not leaking into real filesystem. AI-Generated: Implemented with the assistance of github CoPilot (Claude Opus 4.6) Signed-off-by: Mark Hatle Signed-off-by: Mark Hatle --- test/test-setuid-permissions.sh | 58 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100755 test/test-setuid-permissions.sh diff --git a/test/test-setuid-permissions.sh b/test/test-setuid-permissions.sh new file mode 100755 index 0000000..b6fafde --- /dev/null +++ b/test/test-setuid-permissions.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash +# +# SPDX-License-Identifier: LGPL-2.1-only +# +set -e + +# Verify that setuid/setgid bits tracked by pseudo do not +# bleed into the real filesystem. +# +# Return vals: +# +# 2 - Setuid/setgid bits found on real file +# 1 - Unexpected command error +# 0 - Pass + +mode() { + stat -c "%a" "$1" +} + +trap "rm -f testfile" EXIT + +test_mode() { + local octal_mode="$1" + local expected_pseudo="$2" + local expected_real="$3" + + chmod $octal_mode testfile + + # Under pseudo, verify mode is as requested + local pseudo_mode=$(mode testfile) + if [ "$pseudo_mode" != "$expected_pseudo" ]; then + echo "FAIL: pseudo mode $pseudo_mode != expected $expected_pseudo (chmod $octal_mode)" + exit 1 + fi + + # Check without pseudo - real file must NOT have setuid/setgid + local real_mode=$(PSEUDO_DISABLED=1 stat -c "%a" testfile) + if [ "$real_mode" != "$expected_real" ]; then + echo "FAIL: real mode $real_mode != expected $expected_real (chmod $octal_mode)" + exit 2 + fi +} + +touch testfile + +# Test setuid only (4755) +test_mode 4755 4755 755 + +# Test setgid only (2755) +test_mode 2755 2755 755 + +# Test setuid + setgid (6755) +test_mode 6755 6755 755 + +# Test setuid + setgid + other base perms (6644) +test_mode 6644 6644 644 + +exit 0 From patchwork Wed Jun 3 20:39:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Hatle X-Patchwork-Id: 89278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3855DCD6E55 for ; Wed, 3 Jun 2026 20:39:21 +0000 (UTC) Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.29656.1780519152937675784 for ; Wed, 03 Jun 2026 13:39:13 -0700 Authentication-Results: mx.groups.io; 
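Review bot: under "set -e", the lines "local pseudo_mode=$(mode testfile)" and "local real_mode=$(PSEUDO_DISABLED=1 stat -c "%a" testfile)" never trigger the error exit, because the status of "local" masks the status of the command substitution; declare first ("local pseudo_mode") and assign on the next line so a failing stat really exits 1 as the "Return vals" header promises. The documented codes also disagree with the script: a pseudo-side mismatch exits 1, which the header describes as "Unexpected command error", so either give it its own code or document it. This test expects a real mode of 755 after chmod 4755, but PSEUDO_FS_MODE does not mask S_ISUID/S_ISGID until 6/6, so at this commit the real file can keep the bit and the test fails; reorder it after the fix. Coverage gap: only chmod on an existing file is checked here, while creation with a +s mode (open with O_CREAT, mkdir) goes through the same macros and is only checked under pseudo by test-db-mode.c, never against the real filesystem with PSEUDO_DISABLED=1.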
dkim=none (message not signed); spf=pass (domain: kernel.crashing.org, ip: 63.228.1.57, mailfrom: mark.hatle@kernel.crashing.org) Received: from kernel.crashing.org.net (70-99-78-136.nuveramail.net [70.99.78.136] (may be forged)) by gate.crashing.org (8.18.1/8.18.1/Debian-2) with ESMTP id 653Kd9V42263173; Wed, 3 Jun 2026 15:39:11 -0500 From: Mark Hatle To: yocto-patches@lists.yoctoproject.org Cc: seebs@seebs.net, richard.purdie@linuxfoundation.org Subject: [pseudo][PATCH 6/6] client: permissions drop setuid and setgid Date: Wed, 3 Jun 2026 15:39:08 -0500 Message-Id: <1780519148-30836-7-git-send-email-mark.hatle@kernel.crashing.org> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> References: <1780519148-30836-1-git-send-email-mark.hatle@kernel.crashing.org> List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Jun 2026 20:39:21 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4129 From: Victor Kamensky Otherwise, in some situation, where code running under pseudo set setuid and setgit permission bits, they bleed into underlying files, and may result with executables that have setuid and setgid bit(s) on on real files that are owned by user who run pseudo. Signed-off-by: Victor Kamensky Added comment to indicate why we also filter setuid/setgid. Signed-off-by: Mark Hatle Signed-off-by: Mark Hatle --- pseudo_client.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pseudo_client.h b/pseudo_client.h index 9d98ea1..83dbe08 100644 --- a/pseudo_client.h +++ b/pseudo_client.h 
@@ -88,12 +88,15 @@ extern int read_pidfile(FILE *, int *); * the user read/write/execute bits. When storing to the database, though, * we mask out any such bits which weren't in the original mode. * + * Additional setuid/setgid modes are also filteed as they are unsafe as + * a real executable may allow someone to setuid/gid as the running user. + * * Note: PSEUDO_DB_MODE must be kept in sync with PSEUDO_FS_MODE, as the * former defined which filesystem mode bits must be loaded from the DB. * * Note: S_ISUID and S_ISGID may be stripped during a mkdir as a user, * account for this in PSEUDO_DB_MODE. */ -#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH)) +#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) #define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~(S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)) | ((user_mode) & (S_IRUSR | S_IWUSR | S_IXUSR | S_IWGRP | S_IWOTH | S_ISUID | S_ISGID)))
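Review bot: typo in the added comment, "filteed" should be "filtered"; and now that S_ISUID and S_ISGID are masked unconditionally in PSEUDO_FS_MODE, the earlier note "S_ISUID and S_ISGID may be stripped during a mkdir as a user" is no longer the reason those bits are in the PSEUDO_DB_MODE mask, so the two notes should be merged into one that says the real filesystem never carries setuid/setgid and the database therefore sources them from user_mode. The reasoning is sound: PSEUDO_FS_MODE is applied to everything that actually writes to the filesystem, so a file produced under pseudo cannot become a setuid/setgid executable owned by the invoking user, while PSEUDO_DB_MODE (since 4/6) still records the requested bits so the emulated view is unchanged; this is also the change that makes the 5/6 test pass. Commit message nits: "setgit" should be "setgid", "bit(s) on on real files" doubles "on", and "user who run pseudo" should be "runs".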