static void portal_add (GDBusMethodInvocation *invocation, GVariant *parameters, const char *app_id) { GDBusMessage *message; GUnixFDList *fd_list; g_autofree char *id = NULL; g_autofree char *proc_path = NULL; int fd_id, fd, fds_len, fd_flags; glnx_fd_close int dir_fd = -1; const int *fds; char path_buffer[PATH_MAX+1]; ssize_t symlink_size; struct stat st_buf, real_st_buf, real_parent_st_buf; g_autofree char *dirname = NULL; g_autofree char *name = NULL; gboolean reuse_existing, persistent; g_variant_get (parameters, "(hbb)", &fd_id, &reuse_existing, &persistent); message = g_dbus_method_invocation_get_message (invocation); fd_list = g_dbus_message_get_unix_fd_list (message); fd = -1; if (fd_list != NULL) { fds = g_unix_fd_list_peek_fds (fd_list, &fds_len); if (fd_id < fds_len) fd = fds[fd_id]; } proc_path = g_strdup_printf ("/proc/self/fd/%d", fd); if (fd == -1 || /* Must be able to get fd flags */ (fd_flags = fcntl (fd, F_GETFL)) == -1 || /* Must be O_PATH */ ((fd_flags & O_PATH) != O_PATH) || /* Must not be O_NOFOLLOW (because we want the target file) */ ((fd_flags & O_NOFOLLOW) == O_PATH) || /* Must be able to fstat */ fstat (fd, &st_buf) < 0 || /* Must be a regular file */ (st_buf.st_mode & S_IFMT) != S_IFREG || /* Must be able to read path from /proc/self/fd */ /* This is an absolute and (at least at open time) symlink-expanded path */ (symlink_size = readlink (proc_path, path_buffer, sizeof (path_buffer) - 1)) < 0) { g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_INVALID_ARGUMENT, "Invalid fd passed"); return; } path_buffer[symlink_size] = 0; /* We open the parent directory and do the stat in that, so that we have trustworthy parent dev/ino for later verification. Otherwise the caller could later replace a parent with a symlink and make us read some other file */ dirname = g_path_get_dirname (path_buffer); name = g_path_get_basename (path_buffer); dir_fd = open (dirname, O_CLOEXEC|O_PATH); if (fstat (dir_fd, &real_parent_st_buf) < 0 || fstatat (dir_fd, name, &real_st_buf, AT_SYMLINK_NOFOLLOW) < 0 || st_buf.st_dev != real_st_buf.st_dev || st_buf.st_ino != real_st_buf.st_ino) { /* Don't leak any info about real file path existance, etc */ g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_INVALID_ARGUMENT, "Invalid fd passed"); return; } g_debug ("portal_add %s", path_buffer); if (st_buf.st_dev == fuse_dev) { /* The passed in fd is on the fuse filesystem itself */ g_autoptr(XdgAppDbEntry) old_entry = NULL; id = xdp_fuse_lookup_id_for_inode (st_buf.st_ino); g_debug ("path on fuse, id %s", id); if (id == NULL) { g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_INVALID_ARGUMENT, "Invalid fd passed"); return; } /* Don't lock the db before doing the fuse call above, because it takes takes a lock that can block something calling back, causing a deadlock on the db lock */ AUTOLOCK(db); /* If the entry doesn't exist anymore, fail. Also fail if not resuse_existing, because otherwise the user could use this to get a copy with permissions and thus escape later permission revocations */ old_entry = xdg_app_db_lookup (db, id); if (old_entry == NULL || !reuse_existing) { g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_INVALID_ARGUMENT, "Invalid fd passed"); return; } } else { { AUTOLOCK(db); id = do_create_doc (&real_parent_st_buf, path_buffer, reuse_existing, persistent); if (app_id[0] != '\0') { g_autoptr(XdgAppDbEntry) entry = NULL; XdpPermissionFlags perms = XDP_PERMISSION_FLAGS_GRANT_PERMISSIONS | XDP_PERMISSION_FLAGS_READ | XDP_PERMISSION_FLAGS_WRITE; { entry = xdg_app_db_lookup (db, id); /* If its a unique one its safe for the creator to delete it at will */ if (!reuse_existing) perms |= XDP_PERMISSION_FLAGS_DELETE; do_set_permissions (entry, id, app_id, perms); } } } /* Invalidate with lock dropped to avoid deadlock */ xdp_fuse_invalidate_doc_app (id, NULL); if (app_id[0] != '\0') xdp_fuse_invalidate_doc_app (id, app_id); } g_dbus_method_invocation_return_value (invocation, g_variant_new ("(s)", id)); }
static void portal_add_named (GDBusMethodInvocation *invocation, GVariant *parameters, const char *app_id) { GDBusMessage *message; GUnixFDList *fd_list; g_autofree char *id = NULL; g_autofree char *proc_path = NULL; int parent_fd_id, parent_fd, fds_len, fd_flags; const int *fds; char parent_path_buffer[PATH_MAX+1]; g_autofree char *path = NULL; ssize_t symlink_size; struct stat parent_st_buf; const char *filename; gboolean reuse_existing, persistent; g_autoptr(GVariant) filename_v = NULL; g_variant_get (parameters, "(h@aybb)", &parent_fd_id, &filename_v, &reuse_existing, &persistent); filename = g_variant_get_bytestring (filename_v); /* This is only allowed from the host, or else we could leak existance of files */ if (*app_id != 0) { g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_NOT_ALLOWED, "Not enough permissions"); return; } message = g_dbus_method_invocation_get_message (invocation); fd_list = g_dbus_message_get_unix_fd_list (message); parent_fd = -1; if (fd_list != NULL) { fds = g_unix_fd_list_peek_fds (fd_list, &fds_len); if (parent_fd_id < fds_len) parent_fd = fds[parent_fd_id]; } if (strchr (filename, '/') != NULL) { g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_INVALID_ARGUMENT, "Invalid filename passed"); return; } proc_path = g_strdup_printf ("/proc/self/fd/%d", parent_fd); if (parent_fd == -1 || /* Must be able to get fd flags */ (fd_flags = fcntl (parent_fd, F_GETFL)) == -1 || /* Must be O_PATH */ ((fd_flags & O_PATH) != O_PATH) || /* Must not be O_NOFOLLOW (because we want the target file) */ ((fd_flags & O_NOFOLLOW) == O_PATH) || /* Must be able to fstat */ fstat (parent_fd, &parent_st_buf) < 0 || /* Must be a directory file */ (parent_st_buf.st_mode & S_IFMT) != S_IFDIR || /* Must be able to read path from /proc/self/fd */ /* This is an absolute and (at least at open time) symlink-expanded path */ (symlink_size = readlink (proc_path, parent_path_buffer, sizeof (parent_path_buffer) - 1)) < 0) { g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_INVALID_ARGUMENT, "Invalid fd passed"); return; } if (parent_st_buf.st_dev == fuse_dev) { g_dbus_method_invocation_return_error (invocation, XDG_APP_PORTAL_ERROR, XDG_APP_PORTAL_ERROR_INVALID_ARGUMENT, "Invalid fd passed"); return; } parent_path_buffer[symlink_size] = 0; path = g_build_filename (parent_path_buffer, filename, NULL); g_debug ("portal_add_named %s", path); AUTOLOCK(db); id = do_create_doc (&parent_st_buf, path, reuse_existing, persistent); g_dbus_method_invocation_return_value (invocation, g_variant_new ("(s)", id)); }
static VALUE unixfdlist_peek_fds(VALUE self) { return GFDS2ARY(g_unix_fd_list_peek_fds(_SELF(self), NULL)); }