vmspawn: reject O_PATH and O_WRONLY fds in AddStorage

An fd opened O_PATH cannot be read, and an O_WRONLY fd cannot serve as
a backing file for a virtual disk image. Reject both at the bind-volume
entry point with -EBADF instead of letting the request proceed to QMP
where QEMU's file backend would fail to read from the fd. The
ReplaceStorage entry point grew the same checks in parallel.

Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

diff --git a/src/vmspawn/vmspawn-bind-volume.c b/src/vmspawn/vmspawn-bind-volume.c
index d67fc61de02e5298576bc86675aca17ad984b573..8466cd199e976f9ee106f2643e6913494e8562d1 100644 (file)
--- a/src/vmspawn/vmspawn-bind-volume.c
+++ b/src/vmspawn/vmspawn-bind-volume.c
@@ -124,6 +124,14 @@ int vmspawn_bind_volume_attach_fd(
         if (r < 0)
                 return r;
 
+        int oflags = fcntl(owned_fd, F_GETFL);
+        if (oflags < 0)
+                return -errno;
+        if (FLAGS_SET(oflags, O_PATH))
+                return -EBADF;
+        if ((oflags & O_ACCMODE_STRICT) == O_WRONLY)
+                return -EBADF;
+
         _cleanup_(drive_info_unrefp) DriveInfo *d = drive_info_new();
         if (!d)
                 return -ENOMEM;
@@ -135,10 +143,6 @@ int vmspawn_bind_volume_attach_fd(
         if (!d->id || !d->disk_driver || !d->format || !d->path)
                 return -ENOMEM;
 
-        int oflags = fcntl(owned_fd, F_GETFL);
-        if (oflags < 0)
-                return -errno;
-
         d->disk_type = dt;
         d->fd = TAKE_FD(owned_fd);
         if (S_ISBLK(st.st_mode))