author Alexander Larsson <alexl@redhat.com> 2015-09-03 12:44:33 +0200
committer Alexander Larsson <alexl@redhat.com> 2015-09-03 22:17:00 +0200
commit 04879fdea59bc3d30d9e700923720bfb34673e86 (patch)
tree 70c8372b40f9d615dece57268fb0f237807e3b68 /data
parent c0e480df94e7327628e9105f36d7569f2fe6a478 (diff)
download xdg-app-04879fdea59bc3d30d9e700923720bfb34673e86.tar.gz
Store and verify parent dir dev/ino and pass O_PATH fds
In order to be robust against symlink attacks (i.e. make a document for a path, then replace it with a symlink somewhere else and have the portal read that instead) we store the parent dev/ino when we create the document id and always verify that (atomically with the *at syscalls) on each use. Also, we pass O_PATH fds when creating documents, as it allows us to be a bit safer. For instance we can verify that the fd is an O_PATH fd before doing any ops on it, and it makes it possible to avoid other symlink trickery. Also, we drop the double add methods, and just use the O_PATH version.
Diffstat (limited to 'data')
-rw-r--r-- data/org.freedesktop.portal.documents.xml 6
1 files changed, 1 insertions, 5 deletions
diff --git a/data/org.freedesktop.portal.documents.xml b/data/org.freedesktop.portal.documents.xml
index 6b01077..88f77cc 100644
--- a/data/org.freedesktop.portal.documents.xml
+++ b/data/org.freedesktop.portal.documents.xml
@@ -29,11 +29,7 @@
<arg type='ay' name='path' direction='out'/>
</method>
<method name="Add">
- <arg type='ay' name='path' direction='in'/>
- <arg type='s' name='doc_id' direction='out'/>
- </method>
- <method name="AddLocal">
- <arg type='h' name='fd' direction='in'/>
+ <arg type='h' name='o_path_fd' direction='in'/>
<arg type='s' name='doc_id' direction='out'/>
</method>
<method name="GrantPermissions">
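Review bot: `Add` keeps its name while its only input changes from `ay` (`path`) to `h` (`o_path_fd`), and `AddLocal` is removed in the same hunk, so any existing caller of either method will fail with a signature or unknown-method error and nothing in the interface file tells them why. Please note the incompatibility where callers will see it, or confirm that all in-tree callers are updated in the parts of this commit outside `data/`. The O_PATH requirement is also carried only by the argument name: the XML has no comment or annotation stating that the descriptor must be opened with O_PATH, or what error `Add` returns when it is not. A short comment above `<method name="Add">` stating that contract would help, since the commit message relies on the portal rejecting non-O_PATH descriptors and that check is not visible in this file.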