In cg_chmod_path(), the commit 96db65fbb529 ("api.c: fix TOCTOU in
cg_chmod_path()") converted the file operations from stat -> fstat and
chmod -> fchmod to fix a Coverity warning. The newly replaced file
operations operate on file descriptors and hence introduced a side
effect of opening the file at the wrong code block, that would only work
as expected when the caller calls cg_chmod_path() with owner_is_umask
set.

Fix it by moving the file operation out of the conditional block, so it
works in both of the cases of owner_is_umask being set or unset.

Fixes: 96db65fbb529 ("api.c: fix TOCTOU in cg_chmod_path()")
Suggested-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 91cf2e4b7ceb19c02d66af717c18d7bc64fa5df9)

mode_t mask = -1U;
int fd;
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+ goto fail;
+
if (owner_is_umask) {
mode_t umask, gmask, omask;
-
- fd = open(path, O_RDONLY);
- if (fd == -1)
- goto fail;
/*
* Use owner permissions as an umask for group and others
* permissions because we trust kernel to initialize owner
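
Review bot: The unconditional `fd = open(path, O_RDONLY);` added at the top of the hunk means every call now holds a descriptor, so both the `fail` path and the normal return have to close it, and neither close is visible in these lines. Please confirm that `fail:` closes `fd` only when it is not -1, and consider declaring `int fd = -1;` so the cleanup code can test it safely. Because this open exists to keep the fstat/fchmod pair on a single descriptor, adding `O_CLOEXEC` would keep the descriptor from leaking across an exec in a multi-threaded caller. It would also help to state in a comment whether following a symlink at `path` is intended, since `O_RDONLY` alone follows it.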