From 908f8ad914b06304e06f796adda0c641a889ed47 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 22 Sep 2021 17:34:01 -0300 Subject: Fix TOCTOU/CodeQL CWE-367 warnings (easy ones) This should fix all such warnings on the following files: * src/fids/main.c * src/firejail/seccomp.c Misc: Besides the above reason, these are some of the more straightforward TOCTOU warning fixes and they are done without any additional refactor commits, so that's the reason for "easy ones". List of TOCTOU warnings: https://github.com/netblue30/firejail/security/code-scanning?query=id%3Acpp%2Ftoctou-race-condition See https://cwe.mitre.org/data/definitions/367.html Relates to #4503.
---
 src/fids/main.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'src/fids/main.c')
diff --git a/src/fids/main.c b/src/fids/main.c
index c899b55e1..8f9bc1ea0 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -210,22 +210,29 @@ static void process_config(const char *fname) {
 exit(1);
 }
- // make sure the file is owned by root
- struct stat s;
- if (stat(fname, &s)) {
+ fprintf(stderr, "Opening config file %s\n", fname);
+ int fd = open(fname, O_RDONLY|O_CLOEXEC);
+ if (fd < 0) {
 if (include_level == 1) {
- fprintf(stderr, "Error ids: config file not found\n");
+ fprintf(stderr, "Error ids: cannot open config file %s\n", fname);
 exit(1);
 }
 return;
 }
+
+ // make sure the file is owned by root
+ struct stat s;
+ if (fstat(fd, &s)) {
+ fprintf(stderr, "Error ids: cannot stat config file %s\n", fname);
+ exit(1);
+ }
 if (s.st_uid || s.st_gid) {
 fprintf(stderr, "Error ids: config file not owned by root\n");
 exit(1);
 }
- fprintf(stderr, "Loading %s config file\n", fname);
- FILE *fp = fopen(fname, "r");
+ fprintf(stderr, "Loading config file %s\n", fname);
+ FILE *fp = fdopen(fd, "r");
 if (!fp) {
 fprintf(stderr, "Error fids: cannot open config file %s\n", fname);
 exit(1);
-- cgit v1.2.3-54-g00ecf
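Review bot: The new `if (fd < 0)` branch treats every open() failure on an included file as "file absent" and returns. Before this change only a failed stat() was tolerated, and a file that existed but could not be opened reached the fatal `cannot open config file` exit. For an intrusion-detection config this means an include that fails for another reason (EACCES, ELOOP, descriptor exhaustion) is now skipped after only the "Opening config file" line, so its entries would silently drop out of what gets checked. Consider keeping the soft path for a missing file only, e.g. `if (include_level == 1 || errno != ENOENT) {`, and adding `strerror(errno)` to the message; this assumes `<errno.h>` and `<string.h>` are included in main.c, which the hunk does not show. process_config() starts and continues outside the hunk.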