libutil/file-descriptor: Add safer utilities for opening files relative to dirFd

Implements a safe no symlink following primitive operation for opening file descriptors. This is unix-only for the time being, since windows doesn't really suffer from symlink races, since they are admin-only. Tested with enosys --syscall openat2 as well.
2025-12-14 04:51:05 +01:00 · 2025-11-24 23:14:47 +03:00 · 2025-11-24 23:14:47 +03:00 · 77990e7cca
commit 77990e7cca
parent 5d066386b5
3 changed files with 217 additions and 0 deletions
--- a/src/libutil-tests/file-system.cc
+++ b/src/libutil-tests/file-system.cc
@ -1,3 +1,4 @@
+#include "nix/util/fs-sink.hh"
 #include "nix/util/util.hh"
 #include "nix/util/types.hh"
 #include "nix/util/file-system.hh"
@ -318,4 +319,53 @@ TEST(DirectoryIterator, nonexistent)
    ASSERT_THROW(DirectoryIterator("/schnitzel/darmstadt/pommes"), SysError);
 }

+/* ----------------------------------------------------------------------------
+ * openFileEnsureBeneathNoSymlinks
+ * --------------------------------------------------------------------------*/
+
+#ifndef _WIN32
+
+TEST(openFileEnsureBeneathNoSymlinks, works)
+{
+    std::filesystem::path tmpDir = nix::createTempDir();
+    nix::AutoDelete delTmpDir(tmpDir, /*recursive=*/true);
+
+    {
+        RestoreSink sink(/*startFsync=*/false);
+        sink.dstPath = tmpDir;
+        sink.dirFd = openDirectory(tmpDir);
+        sink.createDirectory(CanonPath("a"));
+        sink.createDirectory(CanonPath("c"));
+        sink.createDirectory(CanonPath("c/d"));
+        sink.createRegularFile(CanonPath("c/d/regular"), [](CreateRegularFileSink & crf) { crf("some contents"); });
+        sink.createSymlink(CanonPath("a/absolute_symlink"), tmpDir.string());
+        sink.createSymlink(CanonPath("a/relative_symlink"), "../.");
+        sink.createSymlink(CanonPath("a/broken_symlink"), "./nonexistent");
+    }
+
+    AutoCloseFD dirFd = openDirectory(tmpDir);
+
+    using namespace nix::unix;
+
+    auto open = [&](std::string_view path, int flags, mode_t mode = 0) {
+        return openFileEnsureBeneathNoSymlinks(dirFd.get(), CanonPath(path), flags, mode);
+    };
+
+    EXPECT_THROW(open("a/absolute_symlink", O_RDONLY), SymlinkNotAllowed);
+    EXPECT_THROW(open("a/relative_symlink", O_RDONLY), SymlinkNotAllowed);
+    EXPECT_THROW(open("a/absolute_symlink/a", O_RDONLY), SymlinkNotAllowed);
+    EXPECT_THROW(open("a/absolute_symlink/c/d", O_RDONLY), SymlinkNotAllowed);
+    EXPECT_THROW(open("a/relative_symlink/c", O_RDONLY), SymlinkNotAllowed);
+    EXPECT_EQ(open("a/broken_symlink", O_CREAT | O_WRONLY | O_EXCL, 0666), INVALID_DESCRIPTOR);
+    /* Sanity check, no symlink shenanigans and behaves the same as regular openat with O_EXCL | O_CREAT. */
+    EXPECT_EQ(errno, EEXIST);
+    EXPECT_THROW(open("a/absolute_symlink/broken_symlink", O_CREAT | O_WRONLY | O_EXCL, 0666), SymlinkNotAllowed);
+    EXPECT_EQ(open("c/d/regular/a", O_RDONLY), INVALID_DESCRIPTOR);
+    EXPECT_EQ(open("c/d/regular", O_RDONLY | O_DIRECTORY), INVALID_DESCRIPTOR);
+    EXPECT_TRUE(AutoCloseFD{open("c/d/regular", O_RDONLY)});
+    EXPECT_TRUE(AutoCloseFD{open("a/regular", O_CREAT | O_WRONLY | O_EXCL, 0666)});
+}
+
+#endif
+
 } // namespace nix