dmz: cloned binary: set +x permissions when creating regular tmpfile

While we did set +x when "sealing" regular temporary files, the "is
executable" checks were done before then and would thus fail, causing
the fallback to not work properly.

So just set +x after we create the file. We already have a O_RDWR handle
open when we do the chmod so we won't get permission issues when writing
to the file.

Fixes: e089db3b4a ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")

Signed-off-by: lifubang <lifubang@acmcoder.com>
This commit is contained in:
lifubang
2024-10-13 20:07:56 +08:00
parent 9112335fb2
commit 9fa324c479
+3 -3
View File
@@ -64,9 +64,6 @@ func Memfd(comment string) (*os.File, SealFunc, error) {
}
func sealFile(f **os.File) error {
if err := (*f).Chmod(0o511); err != nil {
return err
}
// When sealing an O_TMPFILE-style descriptor we need to
// re-open the path as O_PATH to clear the existing write
// handle we have.
@@ -108,6 +105,9 @@ func mktemp(dir string) (*os.File, SealFunc, error) {
if err := os.Remove(file.Name()); err != nil {
return nil, nil, fmt.Errorf("unlinking classic tmpfile: %w", err)
}
if err := file.Chmod(0o511); err != nil {
return nil, nil, fmt.Errorf("chmod classic tmpfile: %w", err)
}
var stat unix.Stat_t
if err := unix.Fstat(int(file.Fd()), &stat); err != nil {
return nil, nil, fmt.Errorf("cannot fstat classic tmpfile: %w", err)