With O_TMPFILE, open(2) takes a mode argument.
Strictly, the mode isn't really meaningful unless you supply O_EXCL,
but the kernel will take it and fstat will return it even if you
never give the file a name.
Also warn for O_TMPFILE without a mode at compile time where possible.
Bug: N/A
Test: ran tests
Change-Id: I729b6d6e6190676fd017a1190b6200bf9abdbfd8
diff --git a/libc/bionic/open.cpp b/libc/bionic/open.cpp
index 6d179c4..222e5d3 100644
--- a/libc/bionic/open.cpp
+++ b/libc/bionic/open.cpp
@@ -43,6 +43,10 @@
#endif
}
+static inline bool needs_mode(int flags) {
+ return ((flags & O_CREAT) == O_CREAT) || ((flags & O_TMPFILE) == O_TMPFILE);
+}
+
int creat(const char* pathname, mode_t mode) {
return open(pathname, O_CREAT | O_TRUNC | O_WRONLY, mode);
}
@@ -51,7 +55,7 @@
int open(const char* pathname, int flags, ...) {
mode_t mode = 0;
- if ((flags & O_CREAT) != 0) {
+ if (needs_mode(flags)) {
va_list args;
va_start(args, flags);
mode = static_cast<mode_t>(va_arg(args, int));
@@ -63,17 +67,14 @@
__strong_alias(open64, open);
int __open_2(const char* pathname, int flags) {
- if (__predict_false((flags & O_CREAT) != 0)) {
- __fortify_fatal("open(O_CREAT): called without specifying a mode");
- }
-
+ if (needs_mode(flags)) __fortify_fatal("open: called with O_CREAT/O_TMPFILE but no mode");
return __openat(AT_FDCWD, pathname, force_O_LARGEFILE(flags), 0);
}
int openat(int fd, const char *pathname, int flags, ...) {
mode_t mode = 0;
- if ((flags & O_CREAT) != 0) {
+ if (needs_mode(flags)) {
va_list args;
va_start(args, flags);
mode = static_cast<mode_t>(va_arg(args, int));
@@ -85,9 +86,6 @@
__strong_alias(openat64, openat);
int __openat_2(int fd, const char* pathname, int flags) {
- if ((flags & O_CREAT) != 0) {
- __fortify_fatal("openat(O_CREAT): called without specifying a mode");
- }
-
+ if (needs_mode(flags)) __fortify_fatal("open: called with O_CREAT/O_TMPFILE but no mode");
return __openat(fd, pathname, force_O_LARGEFILE(flags), 0);
}
diff --git a/libc/include/bits/fortify/fcntl.h b/libc/include/bits/fortify/fcntl.h
index 6b6b29c..6d90341 100644
--- a/libc/include/bits/fortify/fcntl.h
+++ b/libc/include/bits/fortify/fcntl.h
@@ -40,7 +40,7 @@
#if defined(__BIONIC_FORTIFY)
#define __open_too_many_args_error "too many arguments"
-#define __open_too_few_args_error "called with O_CREAT, but missing mode"
+#define __open_too_few_args_error "called with O_CREAT or O_TMPFILE, but missing mode"
#define __open_useless_modes_warning "has superfluous mode bits; missing O_CREAT?"
/* O_TMPFILE shares bits with O_DIRECTORY. */
#define __open_modes_useful(flags) (((flags) & O_CREAT) || ((flags) & O_TMPFILE) == O_TMPFILE)
@@ -60,7 +60,7 @@
__BIONIC_FORTIFY_INLINE
int open(const char* const __pass_object_size pathname, int flags)
__overloadable
- __clang_error_if(flags & O_CREAT, "'open' " __open_too_few_args_error) {
+ __clang_error_if(__open_modes_useful(flags), "'open' " __open_too_few_args_error) {
return __open_2(pathname, flags);
}
@@ -80,7 +80,7 @@
__BIONIC_FORTIFY_INLINE
int openat(int dirfd, const char* const __pass_object_size pathname, int flags)
__overloadable
- __clang_error_if(flags & O_CREAT, "'openat' " __open_too_few_args_error) {
+ __clang_error_if(__open_modes_useful(flags), "'openat' " __open_too_few_args_error) {
return __openat_2(dirfd, pathname, flags);
}
@@ -101,7 +101,7 @@
__BIONIC_FORTIFY_INLINE
int open(const char* pathname, int flags, ...) {
if (__builtin_constant_p(flags)) {
- if ((flags & O_CREAT) && __builtin_va_arg_pack_len() == 0) {
+ if (__open_modes_useful(flags) && __builtin_va_arg_pack_len() == 0) {
__creat_missing_mode(); /* Compile time error. */
}
}
@@ -120,7 +120,7 @@
__BIONIC_FORTIFY_INLINE
int openat(int dirfd, const char* pathname, int flags, ...) {
if (__builtin_constant_p(flags)) {
- if ((flags & O_CREAT) && __builtin_va_arg_pack_len() == 0) {
+ if (__open_modes_useful(flags) && __builtin_va_arg_pack_len() == 0) {
__creat_missing_mode(); /* Compile time error. */
}
}
diff --git a/tests/dlext_test.cpp b/tests/dlext_test.cpp
index b264e53..0dc54d0 100644
--- a/tests/dlext_test.cpp
+++ b/tests/dlext_test.cpp
@@ -824,7 +824,7 @@
const std::string lib_path = get_testlib_root() + "/libtest_simple.so";
int tmpfd = TEMP_FAILURE_RETRY(
- open(get_testlib_root().c_str(), O_TMPFILE | O_CLOEXEC | O_RDWR | O_EXCL));
+ open(get_testlib_root().c_str(), O_TMPFILE | O_CLOEXEC | O_RDWR | O_EXCL, 0));
// Ignore kernels without O_TMPFILE flag support
if (tmpfd == -1 && (errno == EISDIR || errno == EINVAL || errno == EOPNOTSUPP)) {
diff --git a/tests/fcntl_test.cpp b/tests/fcntl_test.cpp
index 1bef0f4..4532a4b 100644
--- a/tests/fcntl_test.cpp
+++ b/tests/fcntl_test.cpp
@@ -23,6 +23,8 @@
#include "TemporaryFile.h"
+#include <android-base/stringprintf.h>
+
// Glibc v2.19 doesn't include these in fcntl.h so host builds will fail without.
#if !defined(FALLOC_FL_PUNCH_HOLE) || !defined(FALLOC_FL_KEEP_SIZE)
#include <linux/falloc.h>
@@ -292,3 +294,43 @@
ASSERT_EQ(errno, EOPNOTSUPP);
}
}
+
+TEST(fcntl, open_O_TMPFILE_mode) {
+#if __BIONIC__ // Our glibc is too old for O_TMPFILE.
+ TemporaryDir dir;
+ // Without O_EXCL, we're allowed to give this a name later.
+ // (This is unrelated to the O_CREAT interaction with O_EXCL.)
+ const mode_t perms = S_IRUSR | S_IWUSR;
+ int fd = open(dir.dirname, O_TMPFILE | O_RDWR, perms);
+
+ // Ignore kernels without O_TMPFILE support (< 3.11).
+ if (fd == -1 && (errno == EISDIR || errno == EINVAL || errno == EOPNOTSUPP)) return;
+
+ ASSERT_TRUE(fd != -1) << strerror(errno);
+
+ // Does the fd claim to have the mode we set?
+ struct stat sb = {};
+ ASSERT_EQ(0, fstat(fd, &sb));
+ ASSERT_EQ(perms, (sb.st_mode & ~S_IFMT));
+
+ std::string final_path = android::base::StringPrintf("%s/named_now", dir.dirname);
+ ASSERT_EQ(0, linkat(AT_FDCWD, android::base::StringPrintf("/proc/self/fd/%d", fd).c_str(),
+ AT_FDCWD, final_path.c_str(),
+ AT_SYMLINK_FOLLOW));
+ ASSERT_EQ(0, close(fd));
+
+ // Does the resulting file claim to have the mode we set?
+ ASSERT_EQ(0, stat(final_path.c_str(), &sb));
+ ASSERT_EQ(perms, (sb.st_mode & ~S_IFMT));
+
+ // With O_EXCL, you're not allowed to add a name later.
+ fd = open(dir.dirname, O_TMPFILE | O_RDWR | O_EXCL, S_IRUSR | S_IWUSR);
+ ASSERT_TRUE(fd != -1) << strerror(errno);
+ errno = 0;
+ ASSERT_EQ(-1, linkat(AT_FDCWD, android::base::StringPrintf("/proc/self/fd/%d", fd).c_str(),
+ AT_FDCWD, android::base::StringPrintf("%s/no_chance", dir.dirname).c_str(),
+ AT_SYMLINK_FOLLOW));
+ ASSERT_EQ(ENOENT, errno);
+ ASSERT_EQ(0, close(fd));
+#endif
+}
diff --git a/tests/fortify_compilation_test.cpp b/tests/fortify_compilation_test.cpp
index 307a9c5..d859ef1 100644
--- a/tests/fortify_compilation_test.cpp
+++ b/tests/fortify_compilation_test.cpp
@@ -224,15 +224,23 @@
void test_open() {
// NOLINTNEXTLINE(whitespace/line_length)
- // GCC: error: call to '__creat_missing_mode' declared with attribute error: called with O_CREAT, but missing mode
- // CLANG: error: 'open' called with O_CREAT, but missing mode
+ // GCC: error: call to '__creat_missing_mode' declared with attribute error: called with O_CREAT or O_TMPFILE, but missing mode
+ // CLANG: error: 'open' called with O_CREAT or O_TMPFILE, but missing mode
open("/dev/null", O_CREAT);
+ // GCC: error: call to '__creat_missing_mode' declared with attribute error: called with O_CREAT or O_TMPFILE, but missing mode
+ // CLANG: error: 'open' called with O_CREAT or O_TMPFILE, but missing mode
+ open("/dev/null", O_TMPFILE);
+
// NOLINTNEXTLINE(whitespace/line_length)
// GCC: error: call to '__creat_too_many_args' declared with attribute error: too many arguments
// CLANG: error: call to unavailable function 'open': too many arguments
open("/dev/null", O_CREAT, 0, 0);
+ // GCC: error: call to '__creat_too_many_args' declared with attribute error: too many arguments
+ // CLANG: error: call to unavailable function 'open': too many arguments
+ open("/dev/null", O_TMPFILE, 0, 0);
+
// CLANG: warning: 'open' has superfluous mode bits; missing O_CREAT?
open("/dev/null", O_RDONLY, 0644);
diff --git a/tests/fortify_test.cpp b/tests/fortify_test.cpp
index 984a657..2946e23 100644
--- a/tests/fortify_test.cpp
+++ b/tests/fortify_test.cpp
@@ -985,3 +985,15 @@
timeout.tv_sec = timeout.tv_nsec = 0;
ASSERT_FORTIFY(ppoll(buf, fd_count, &timeout, NULL));
}
+
+TEST_F(DEATHTEST, open_O_CREAT_without_mode_fortified) {
+ int flags = O_CREAT; // Fool the compiler.
+ ASSERT_FORTIFY(open("", flags));
+}
+
+TEST_F(DEATHTEST, open_O_TMPFILE_without_mode_fortified) {
+#if __BIONIC__ // Our glibc is too old for O_TMPFILE.
+ int flags = O_TMPFILE; // Fool the compiler.
+ ASSERT_FORTIFY(open("", flags));
+#endif
+}