Merge pull request #14651 from NixOS/restore-sink-more-openat2

libutil: Use openFileEnsureBeneathNoSymlinks in RestoreSink::createRe…
2025-11-28 13:11:00 +01:00 · 2025-11-26 01:45:50 +00:00 · 2025-11-26 01:45:50 +00:00 · c38349583f
commit c38349583f
parent 31ce0c8169 0778b861a9
4 changed files with 10 additions and 1 deletions
--- a/src/libutil-tests/file-system.cc
+++ b/src/libutil-tests/file-system.cc
@ -351,6 +351,10 @@ TEST(openFileEnsureBeneathNoSymlinks, works)
            sink.createDirectory(
                CanonPath("a/b/c/f"), [](FileSystemObjectSink & dirSink, const CanonPath & relPath) {}),
            SymlinkNotAllowed);
+        ASSERT_THROW(
+            sink.createRegularFile(
+                CanonPath("a/b/c/regular"), [](CreateRegularFileSink & crf) { crf("some contents"); }),
+            SymlinkNotAllowed);
    }

    AutoCloseFD dirFd = openDirectory(tmpDir);
--- a/src/libutil/fs-sink.cc
+++ b/src/libutil/fs-sink.cc
@ -170,7 +170,7 @@ void RestoreSink::createRegularFile(const CanonPath & path, std::function<void(C
            constexpr int flags = O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC;
            if (!dirFd)
                return ::open(p.c_str(), flags, 0666);
-            return ::openat(dirFd.get(), path.rel_c_str(), flags, 0666);
+            return unix::openFileEnsureBeneathNoSymlinks(dirFd.get(), path, flags, 0666);
        }();
 #endif
        ;
--- a/src/libutil/include/nix/util/file-descriptor.hh
+++ b/src/libutil/include/nix/util/file-descriptor.hh
@ -263,6 +263,8 @@ struct SymlinkNotAllowed : public Error
 * @param flags O_* flags
 * @param mode Mode for O_{CREAT,TMPFILE}
 *
+ * @pre path.isRoot() is false
+ *
 * @throws SymlinkNotAllowed if any path components
 */
 Descriptor openFileEnsureBeneathNoSymlinks(Descriptor dirFd, const CanonPath & path, int flags, mode_t mode = 0);
--- a/src/libutil/unix/file-descriptor.cc
+++ b/src/libutil/unix/file-descriptor.cc
@ -269,6 +269,7 @@ openFileEnsureBeneathNoSymlinksIterative(Descriptor dirFd, const CanonPath & pat
 {
    AutoCloseFD parentFd;
    auto nrComponents = std::ranges::distance(path);
+    assert(nrComponents >= 1);
    auto components = std::views::take(path, nrComponents - 1); /* Everything but last component */
    auto getParentFd = [&]() { return parentFd ? parentFd.get() : dirFd; };

@ -320,6 +321,8 @@ openFileEnsureBeneathNoSymlinksIterative(Descriptor dirFd, const CanonPath & pat

 Descriptor unix::openFileEnsureBeneathNoSymlinks(Descriptor dirFd, const CanonPath & path, int flags, mode_t mode)
 {
+    assert(!path.rel().starts_with('/')); /* Just in case the invariant is somehow broken. */
+    assert(!path.isRoot());
 #ifdef __linux__
    auto maybeFd = linux::openat2(
        dirFd, path.rel_c_str(), flags, static_cast<uint64_t>(mode), RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS);