From: Christian Brauner Date: Tue, 5 May 2020 12:04:34 +0000 (+0200) Subject: compiler: support new access attributes X-Git-Tag: lxc-5.0.0~440^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=674c9692988d964a2cc841159a074f023221f887;p=thirdparty%2Flxc.git compiler: support new access attributes which will allow us to catch more oob accesses. Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/af_unix.h b/src/lxc/af_unix.h
index 2531b0b10..5a1482c35 100644
--- a/src/lxc/af_unix.h
+++ b/src/lxc/af_unix.h
@@ -7,22 +7,35 @@ #include #include +#include "compiler.h" + /* does not enforce \0-termination */ extern int lxc_abstract_unix_open(const char *path, int type, int flags); extern void lxc_abstract_unix_close(int fd); /* does not enforce \0-termination */ extern int lxc_abstract_unix_connect(const char *path); + extern int lxc_abstract_unix_send_fds(int fd, int *sendfds, int num_sendfds, - void *data, size_t size); -extern int lxc_abstract_unix_send_fds_iov(int fd, int *sendfds, - int num_sendfds, struct iovec *iov, - size_t iovlen); + void *data, size_t size) +__access_r(2, 3) __access_r(4, 5); + +extern int lxc_abstract_unix_send_fds_iov(int fd, int *sendfds, int num_sendfds, + struct iovec *iov, size_t iovlen) +__access_r(2, 3); + +extern int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, + void *data, size_t size) +__access_r(2, 3) __access_r(4, 5); + extern int lxc_unix_send_fds(int fd, int *sendfds, int num_sendfds, void *data, size_t size); -extern int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, - void *data, size_t size); -extern int lxc_abstract_unix_send_credential(int fd, void *data, size_t size); -extern int lxc_abstract_unix_rcv_credential(int fd, void *data, size_t size); + +extern int lxc_abstract_unix_send_credential(int fd, void *data, size_t size) +__access_r(2, 3); + +extern int lxc_abstract_unix_rcv_credential(int fd, void *data, size_t size) +__access_w(2, 3); + extern int lxc_unix_sockaddr(struct sockaddr_un *ret, const char *path); extern int lxc_unix_connect(struct sockaddr_un *addr); extern int lxc_unix_connect_type(struct sockaddr_un *addr, int type);
diff --git a/src/lxc/compiler.h b/src/lxc/compiler.h
index 92cd9fd14..114fb81ba 100644
--- a/src/lxc/compiler.h
+++ b/src/lxc/compiler.h
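Review bot: `lxc_abstract_unix_recv_fds` is annotated `__access_r(2, 3) __access_r(4, 5)`, yet a receive fills `recvfds` and `data` rather than reading them (as the names and the parallel `lxc_abstract_unix_rcv_credential` suggest), so both should be write-only, `__access_w(2, 3) __access_w(4, 5);`, exactly as this hunk already does for `rcv_credential`. With read_only the compiler does not check that the caller's destination buffers hold `num_recvfds` ints and `size` bytes, which are the out-of-bounds writes this commit is meant to catch, and newer GCC may instead complain that an uninitialized destination buffer is being read. Separately, `lxc_unix_send_fds` keeps no annotation although it takes the same `sendfds`/`num_sendfds` and `data`/`size` pairs as `lxc_abstract_unix_send_fds`; presumably `__access_r(2, 3) __access_r(4, 5)` applies there too.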
@@ -57,4 +57,22 @@ #define __cgfsng_ops +/* access attribute */ +#define __access_r(x, y) +#define __access_w(x, y) +#define __access_rw(x, y) + +#ifdef __has_attribute +#if __has_attribute(access) +#undef __access_r +#define __access_r(x, y) __attribute__((access(read_only, x, y))) + +#undef __access_w +#define __access_w(x, y) __attribute__((access(write_only, x, y))) + +#undef __access_rw +#define __access_rw(x, y) __attribute__((access(read_write, x, y))) +#endif +#endif + #endif /* __LXC_COMPILER_H */
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 346b736e1..63d6e8cfb 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -404,7 +404,8 @@ struct lxc_conf { }; extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, - size_t buf_size); + size_t buf_size) +__access_r(3, 4); #ifdef HAVE_TLS extern thread_local struct lxc_conf *current_config;
diff --git a/src/lxc/confile.h b/src/lxc/confile.h
index 624d9a0c2..a457c9a17 100644
--- a/src/lxc/confile.h
+++ b/src/lxc/confile.h
@@ -9,6 +9,8 @@ #include #include +#include "compiler.h" + struct lxc_conf; struct lxc_list;
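Review bot: The new `/* access attribute */` comment says nothing about what the two macro arguments mean, and every caller across this commit has to get those positions right for the annotation to be worth anything. I would replace it with a short block comment stating that `__access_r`/`__access_w`/`__access_rw(ptr, size)` wrap GCC's `access(read_only|write_only|read_write, ptr, size)` attribute, that `ptr` and `size` are 1-based parameter positions, that `size` is counted in elements of the pointee type (bytes for `void *` and `char *`), and that the macros expand to nothing on compilers without the attribute, so they only add diagnostics and never change code generation. The two-level `#ifdef __has_attribute` / `#if __has_attribute(access)` guard is the right shape and deserves a one-line comment of its own, since folding it into a single `#if defined(__has_attribute) && __has_attribute(access)` fails to preprocess on compilers that lack `__has_attribute`.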
@@ -46,21 +48,24 @@ struct new_config_item { extern struct lxc_config_t *lxc_get_config(const char *key); /* List all available config items. */ -extern int lxc_list_config_items(char *retv, int inlen); +extern int lxc_list_config_items(char *retv, int inlen) +__access_rw(1, 2); /* Given a configuration key namespace (e.g. lxc.apparmor) list all associated * subkeys for that namespace. * Must be implemented when adding a new configuration key. */ extern int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv, - int inlen); + int inlen) +__access_rw(3, 4); /* List all configuration items associated with a given network. For example * pass "lxc.net.[i]" to retrieve all configuration items associated with * the network associated with index [i]. */ extern int lxc_list_net(struct lxc_conf *c, const char *key, char *retv, - int inlen); + int inlen) +__access_rw(3, 4); extern int lxc_config_read(const char *file, struct lxc_conf *conf, bool from_include);
diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
index 62990e98c..1568ccec5 100644
--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
@@ -5,6 +5,7 @@ #include +#include "compiler.h" #include "conf.h" #include "confile_utils.h"
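Review bot: `__access_rw(1, 2)` on `lxc_list_config_items`, and `__access_rw(3, 4)` on `lxc_list_subkeys` and `lxc_list_net` further down the hunk, tell the compiler these functions read the existing contents of `retv` before writing it. If, as the "list into retv" contract in the comments suggests, they only ever fill the buffer, `__access_w` is the precise mode: read_write makes newer GCC diagnose callers that hand over an uninitialized `char buf[N]` as reading it, turning the ordinary call pattern into a false positive, whereas write_only still bounds-checks the writes against `inlen`. Please confirm against the definitions in confile.c, which are outside this hunk, and switch all three together if they match.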
@@ -49,12 +50,16 @@ extern char *lxc_ipvlan_flag_to_isolation(int mode); extern int set_config_string_item(char **conf_item, const char *value); extern int set_config_string_item_max(char **conf_item, const char *value, - size_t max); + size_t max) +__access_r(2, 3); + extern int set_config_path_item(char **conf_item, const char *value); extern int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action); extern int config_ip_prefix(struct in_addr *addr); -extern int network_ifname(char *valuep, const char *value, size_t size); +extern int network_ifname(char *valuep, const char *value, size_t size) +__access_r(2, 3); + extern void rand_complete_hwaddr(char *hwaddr); extern bool lxc_config_net_is_hwaddr(const char *line); extern bool new_hwaddr(char *hwaddr);
diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h
index 6d5dbf68d..f9c8abe03 100644
--- a/src/lxc/file_utils.h
+++ b/src/lxc/file_utils.h
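Review bot: In `network_ifname(char *valuep, const char *value, size_t size)` the new `__access_r(2, 3)` ties `size` to the source string `value`, but the signature reads like a copy of `value` into the caller's `valuep` of `size` bytes; if the definition (outside this hunk) does that, the annotation belongs on the destination, `__access_w(1, 3)`, and as written it will make GCC warn about over-reading a `value` literal shorter than `size` while the write into `valuep`, the one worth checking, stays unannotated. The same concern applies to `set_config_string_item_max`, where `max` looks like a length limit on a NUL-terminated `value` rather than the number of bytes actually read, so `__access_r(2, 3)` claims a larger read than happens and callers passing a short literal with a large `max` may be flagged. A read bounded only by the NUL terminator has no size argument to annotate; GCC also accepts the size-less form `__attribute__((access(read_only, 2)))`, so either use that or drop the attribute on that declaration.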
@@ -12,27 +12,52 @@ #include #include +#include "compiler.h" + /* read and write whole files */ extern int lxc_write_to_file(const char *filename, const void *buf, - size_t count, bool add_newline, mode_t mode); -extern int lxc_readat(int dirfd, const char *filename, void *buf, size_t count); + size_t count, bool add_newline, mode_t mode) +__access_r(2, 3); + +extern int lxc_readat(int dirfd, const char *filename, void *buf, size_t count) +__access_w(3, 4); + extern int lxc_writeat(int dirfd, const char *filename, const void *buf, - size_t count); + size_t count) +__access_r(3, 4); + extern int lxc_write_openat(const char *dir, const char *filename, - const void *buf, size_t count); -extern int lxc_read_from_file(const char *filename, void *buf, size_t count); + const void *buf, size_t count) +__access_r(3, 4); + +extern int lxc_read_from_file(const char *filename, void *buf, size_t count) +__access_w(2, 3); /* send and receive buffers completely */ -extern ssize_t lxc_write_nointr(int fd, const void *buf, size_t count); +extern ssize_t lxc_write_nointr(int fd, const void *buf, size_t count) +__access_r(2, 3); + extern ssize_t lxc_pwrite_nointr(int fd, const void *buf, size_t count, - off_t offset); -extern ssize_t lxc_send_nointr(int sockfd, void *buf, size_t len, int flags); -extern ssize_t lxc_read_nointr(int fd, void *buf, size_t count); + off_t offset) +__access_r(2, 3); + +extern ssize_t lxc_send_nointr(int sockfd, void *buf, size_t len, int flags) +__access_r(2, 3); + +extern ssize_t lxc_read_nointr(int fd, void *buf, size_t count) +__access_w(2, 3); + extern ssize_t lxc_read_nointr_expect(int fd, void *buf, size_t count, - const void *expected_buf); + const void *expected_buf) +__access_w(2, 3); + extern ssize_t lxc_read_file_expect(const char *path, void *buf, size_t count, - const void *expected_buf); -extern ssize_t lxc_recv_nointr(int sockfd, void *buf, size_t len, int flags); + const void *expected_buf) +__access_w(2, 3); + +extern ssize_t 
lxc_recv_nointr(int sockfd, void *buf, size_t len, int flags) +__access_w(2, 3); + ssize_t lxc_recvmsg_nointr_iov(int sockfd, struct iovec *iov, size_t iovlen, int flags);
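Review bot: `lxc_read_nointr_expect` and `lxc_read_file_expect` get `__access_w(2, 3)` for `buf`, but the `expected_buf` they compare against (presumably `count` bytes of it, judging by the name) is left unannotated; if the definitions in file_utils.c confirm that, `__access_w(2, 3) __access_r(4, 3)` describes both accesses and lets the compiler check the caller's expected buffer as well. `lxc_send_nointr(int sockfd, void *buf, size_t len, int flags)` is marked read-only while its `buf` is not `const`, unlike every other read-only buffer in this hunk; declaring it `const void *buf` (with the definition updated to match) would make the prototype and the attribute agree. The hunk appears to end at the `lxc_recvmsg_nointr_iov` declaration, whose `iov`/`iovlen` pair is not annotated either, though that may be deliberate since the attribute cannot express the nested buffer sizes.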