From: Heinrich Schuchardt Date: Wed, 10 Apr 2024 08:38:28 +0000 (+0200) Subject: sandbox: use sane access rights for files X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=d1fffbe3c808a9012a05b048560e17ce43f8ef9e;p=u-boot.git sandbox: use sane access rights for files When writing an executable, allowing other users to modify it introduces a security issue. Generally we should avoid giving other users write access to our files by default. Replace chmod(777) by chmod(755) and chmod(644). Fixes: 47f5fcfb4169 ("sandbox: Add os_jump_to_image() to run another executable") Fixes: d9165153caea ("sandbox: add flags for open() call") Fixes: 5c2859cdc302 ("sandbox: Allow reading/writing of RAM buffer") Signed-off-by: Heinrich Schuchardt Reviewed-by: Sean Anderson --- diff --git a/arch/sandbox/cpu/os.c b/arch/sandbox/cpu/os.c index 154a5d7749..d7869b2e36 100644 --- a/arch/sandbox/cpu/os.c +++ b/arch/sandbox/cpu/os.c @@ -109,7 +109,7 @@ int os_open(const char *pathname, int os_flags) */ flags |= O_CLOEXEC; - return open(pathname, flags, 0777); + return open(pathname, flags, 0644); } int os_close(int fd) @@ -746,7 +746,7 @@ int os_write_ram_buf(const char *fname) struct sandbox_state *state = state_get_current(); int fd, ret; - fd = open(fname, O_CREAT | O_WRONLY, 0777); + fd = open(fname, O_CREAT | O_WRONLY, 0644); if (fd < 0) return -ENOENT; ret = write(fd, state->ram_buf, state->ram_size); @@ -791,7 +791,7 @@ static int make_exec(char *fname, const void *data, int size) if (write(fd, data, size) < 0) return -EIO; close(fd); - if (chmod(fname, 0777)) + if (chmod(fname, 0755)) return -ENOEXEC; return 0;