libutil: Implement unix::fchmodatTryNoFollow

Using fchmodat after a fstatat in deletePath has a slight TOCTOU
window. We can plug it by using fchmodat (the libc wrapper with
AT_SYMLINK_NOFOLLOW), but it tries fchmodat2 and falls back to the
O_PATH trick while failing when procfs isn't mounted. We can do a bit
better than that and also cache whether syscalls are unsupported to
avoid the repeated context switching that glibc would impose.

Also tests the fallback path. It's only for kernels older than 6.6 and
when procfs isn't accessible that we fall back to the racy fchmodat
without AT_SYMLINK_NOFOLLOW.

What previously used to be:

openat(AT_FDCWD, "/tmp/store-race/nix/var/nix/builds", O_RDONLY) = 11
newfstatat(11, "nix-2704212-84654554", {st_mode=S_IFDIR|000, st_size=3, ...}, AT_SYMLINK_NOFOLLOW) = 0
fchmodat(11, "nix-2704212-84654554", 040700) = 0

Is now a TOCTOU-free sequence of syscalls:

openat(AT_FDCWD, "/tmp/store-race/nix/var/nix/builds", O_RDONLY) = 11
newfstatat(11, "nix-2704953-1733606057", {st_mode=S_IFDIR|000, st_size=3, ...}, AT_SYMLINK_NOFOLLOW) = 0
fchmodat2(11, "nix-2704953-1733606057", 040700, AT_SYMLINK_NOFOLLOW) = 0

Or if the fchmodat2 is not supported:

openat(11, "nix-2705443-3010460784", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 12
fstat(12, {st_mode=S_IFDIR|000, st_size=3, ...}) = 0
chmod("/proc/self/fd/12", 040700)       = 0
openat(11, "nix-2705443-3010460784", O_RDONLY|O_NOFOLLOW|O_DIRECTORY) = 12

This prevents a potentially arbitrary chmod that follows symlinks,
though the race window is very small. Also in the case that fchmodat2
isn't supported we could instead open the /proc/self/fd/N path instead
of using openat, but that's pretty much equivalent. We only care
about ensuring that the thing we chmodded wasn't a symlink since
fchmodat follows symlinks and the support for AT_SYMLINK_NOFOLLOW
in libc for that is pretty spotty on Linux. E.g. glibc fails if the
AT_SYMLINK_NOFOLLOW is specified and procfs isn't available even on
regular files. The patch also includes a test that uses a user namespace
on Linux to test this exact scenario (though it's rather exotic).

Author: xokdvium

src/libutil-tests/package.nix

@@ -32,6 +32,7 @@ mkMesonExecutable (finalAttrs: {
     ../../.version
     ./.version
     ./meson.build
+    ./unix/meson.build
     # ./meson.options
     (fileset.fileFilter (file: file.hasExt "cc") ./.)
     (fileset.fileFilter (file: file.hasExt "hh") ./.)

src/libutil-tests/unix/file-descriptor.cc

@@ -3,11 +3,20 @@
 #include "nix/util/file-descriptor.hh"
 #include "nix/util/file-system.hh"
 #include "nix/util/fs-sink.hh"
+#include "nix/util/processes.hh"
+
+#ifdef __linux__
+#  include "nix/util/linux-namespaces.hh"
+
+#  include <sys/mount.h>
+#endif
 
 #include <cstring>
 
 namespace nix {
 
+using namespace nix::unix;
+
 /* ----------------------------------------------------------------------------
  * openFileEnsureBeneathNoSymlinks
  * --------------------------------------------------------------------------*/
@@ -16,7 +25,6 @@ TEST(openFileEnsureBeneathNoSymlinks, works)
 {
     std::filesystem::path tmpDir = nix::createTempDir();
     nix::AutoDelete delTmpDir(tmpDir, /*recursive=*/true);
-    using namespace nix::unix;
 
     {
         RestoreSink sink(/*startFsync=*/false);
@@ -66,4 +74,106 @@ TEST(openFileEnsureBeneathNoSymlinks, works)
     EXPECT_TRUE(AutoCloseFD{open("a/regular", O_CREAT | O_WRONLY | O_EXCL, 0666)});
 }
 
+/* ----------------------------------------------------------------------------
+ * fchmodatTryNoFollow
+ * --------------------------------------------------------------------------*/
+
+TEST(fchmodatTryNoFollow, works)
+{
+    std::filesystem::path tmpDir = nix::createTempDir();
+    nix::AutoDelete delTmpDir(tmpDir, /*recursive=*/true);
+
+    {
+        RestoreSink sink(/*startFsync=*/false);
+        sink.dstPath = tmpDir;
+        sink.dirFd = openDirectory(tmpDir);
+        sink.createRegularFile(CanonPath("file"), [](CreateRegularFileSink & crf) {});
+        sink.createDirectory(CanonPath("dir"));
+        sink.createSymlink(CanonPath("filelink"), "file");
+        sink.createSymlink(CanonPath("dirlink"), "dir");
+    }
+
+    ASSERT_EQ(chmod((tmpDir / "file").c_str(), 0644), 0);
+    ASSERT_EQ(chmod((tmpDir / "dir").c_str(), 0755), 0);
+
+    AutoCloseFD dirFd = openDirectory(tmpDir);
+    ASSERT_TRUE(dirFd);
+
+    struct ::stat st;
+
+    /* Check that symlinks are not followed and targets are not changed. */
+
+    fchmodatTryNoFollow(dirFd.get(), CanonPath("filelink"), 0777);
+    ASSERT_EQ(stat((tmpDir / "file").c_str(), &st), 0);
+    EXPECT_EQ(st.st_mode & 0777, 0644);
+
+    fchmodatTryNoFollow(dirFd.get(), CanonPath("dirlink"), 0777);
+    ASSERT_EQ(stat((tmpDir / "dir").c_str(), &st), 0);
+    EXPECT_EQ(st.st_mode & 0777, 0755);
+
+    /* Check fchmodatTryNoFollow works on regular files and directories. */
+
+    EXPECT_EQ(fchmodatTryNoFollow(dirFd.get(), CanonPath("file"), 0600), 0);
+    ASSERT_EQ(stat((tmpDir / "file").c_str(), &st), 0);
+    EXPECT_EQ(st.st_mode & 0777, 0600);
+
+    EXPECT_EQ(fchmodatTryNoFollow(dirFd.get(), CanonPath("dir"), 0700), 0);
+    ASSERT_EQ(stat((tmpDir / "dir").c_str(), &st), 0);
+    EXPECT_EQ(st.st_mode & 0777, 0700);
+}
+
+#ifdef __linux__
+
+TEST(fchmodatTryNoFollow, fallbackWithoutProc)
+{
+    if (!userNamespacesSupported())
+        GTEST_SKIP() << "User namespaces not supported";
+
+    std::filesystem::path tmpDir = nix::createTempDir();
+    nix::AutoDelete delTmpDir(tmpDir, /*recursive=*/true);
+
+    {
+        RestoreSink sink(/*startFsync=*/false);
+        sink.dstPath = tmpDir;
+        sink.dirFd = openDirectory(tmpDir);
+        sink.createRegularFile(CanonPath("file"), [](CreateRegularFileSink & crf) {});
+        sink.createSymlink(CanonPath("link"), "file");
+    }
+
+    ASSERT_EQ(chmod((tmpDir / "file").c_str(), 0644), 0);
+
+    Pid pid = startProcess(
+        [&] {
+            if (unshare(CLONE_NEWNS) == -1)
+                _exit(1);
+
+            if (mount(0, "/", 0, MS_PRIVATE | MS_REC, 0) == -1)
+                _exit(1);
+
+            if (mount("tmpfs", "/proc", "tmpfs", 0, 0) == -1)
+                _exit(1);
+
+            AutoCloseFD dirFd = openDirectory(tmpDir);
+            if (!dirFd)
+                exit(1);
+
+            if (fchmodatTryNoFollow(dirFd.get(), CanonPath("file"), 0600) != 0)
+                _exit(1);
+
+            if (fchmodatTryNoFollow(dirFd.get(), CanonPath("link"), 0777) != -1)
+                _exit(1);
+
+            _exit(0);
+        },
+        {.cloneFlags = CLONE_NEWUSER});
+
+    int status = pid.wait();
+    ASSERT_TRUE(statusOk(status));
+
+    struct ::stat st;
+    ASSERT_EQ(stat((tmpDir / "file").c_str(), &st), 0);
+    EXPECT_EQ(st.st_mode & 0777, 0600);
+}
+#endif
+
 } // namespace nix

src/libutil/include/nix/util/file-descriptor.hh

@@ -257,6 +257,16 @@ namespace unix {
  */
 Descriptor openFileEnsureBeneathNoSymlinks(Descriptor dirFd, const CanonPath & path, int flags, mode_t mode = 0);
 
+/**
+ * Try to change the mode of file named by \ref path relative to the parent directory denoted by \ref dirFd.
+ *
+ * @note When on linux without fchmodat2 support and without procfs mounted falls back to fchmodat without
+ * AT_SYMLINK_NOFOLLOW, since it's the best we can do without failing.
+ *
+ * @pre path.isRoot() is false
+ */
+int fchmodatTryNoFollow(Descriptor dirFd, const CanonPath & path, mode_t mode);
+
 } // namespace unix
 #endif
 

src/libutil/unix/file-descriptor.cc

@@ -17,6 +17,12 @@
 #  define HAVE_OPENAT2 0
 #endif
 
+#if defined(__linux__) && defined(__NR_fchmodat2)
+#  define HAVE_FCHMODAT2 1
+#else
+#  define HAVE_FCHMODAT2 0
+#endif
+
 #include "util-config-private.hh"
 #include "util-unix-config-private.hh"
 
@@ -265,6 +271,72 @@ std::optional<Descriptor> openat2(Descriptor dirFd, const char * path, uint64_t
 
 #endif
 
+int unix::fchmodatTryNoFollow(Descriptor dirFd, const CanonPath & path, mode_t mode)
+{
+    assert(!path.isRoot());
+
+#if HAVE_FCHMODAT2
+    /* Cache whether fchmodat2 is not supported. */
+    static std::atomic_flag fchmodat2Unsupported{};
+    if (!fchmodat2Unsupported.test()) {
+        /* Try with fchmodat2 first. */
+        auto res = ::syscall(__NR_fchmodat2, dirFd, path.rel_c_str(), mode, AT_SYMLINK_NOFOLLOW);
+        /* Cache that the syscall is not supported. */
+        if (res < 0 && errno == ENOSYS) {
+            fchmodat2Unsupported.test_and_set();
+        } else {
+            return res;
+        }
+    }
+#endif
+
+#ifdef __linux__
+    AutoCloseFD pathFd = ::openat(dirFd, path.rel_c_str(), O_PATH | O_NOFOLLOW | O_CLOEXEC);
+    if (!pathFd)
+        throw SysError(
+            "opening '%s' relative to parent directory to get an O_PATH file descriptor (fchmodat2 is unsupported)",
+            path.rel());
+
+    struct ::stat st;
+    /* Possible since https://github.com/torvalds/linux/commit/55815f70147dcfa3ead5738fd56d3574e2e3c1c2 (3.6) */
+    if (::fstat(pathFd.get(), &st) == -1)
+        throw SysError("statting '%s' relative to parent directory via O_PATH file descriptor", path.rel());
+
+    if (S_ISLNK(st.st_mode)) {
+        errno = EOPNOTSUPP;
+        return -1;
+    }
+
+    static std::atomic_flag dontHaveProc{};
+    if (!dontHaveProc.test()) {
+        static const CanonPath selfProcFd = CanonPath("/proc/self/fd");
+
+        auto selfProcFdPath = selfProcFd / std::to_string(pathFd.get());
+        if (int res = ::chmod(selfProcFdPath.c_str(), mode); res == -1) {
+            if (errno == ENOENT)
+                dontHaveProc.test_and_set();
+            else
+                throw SysError("chmod '%s' ('%s' relative to parent directory)", selfProcFdPath, path);
+        } else
+            return res;
+    }
+
+    static std::atomic<bool> warned = false;
+    warnOnce(warned, "kernel doesn't support fchmodat2 and procfs isn't mounted, falling back to fchmodat");
+#endif
+
+    return ::fchmodat(
+        dirFd,
+        path.rel_c_str(),
+        mode,
+#if defined(__APPLE__) || defined(__FreeBSD__)
+        AT_SYMLINK_NOFOLLOW
+#else
+        0
+#endif
+    );
+}
+
 static Descriptor
 openFileEnsureBeneathNoSymlinksIterative(Descriptor dirFd, const CanonPath & path, int flags, mode_t mode)
 {

src/libutil/unix/file-system.cc

@@ -140,7 +140,7 @@ static void _deletePath(
         /* Make the directory accessible. */
         const auto PERM_MASK = S_IRUSR | S_IWUSR | S_IXUSR;
         if ((st.st_mode & PERM_MASK) != PERM_MASK) {
-            if (fchmodat(parentfd, name.c_str(), st.st_mode | PERM_MASK, 0) == -1)
+            if (unix::fchmodatTryNoFollow(parentfd, CanonPath(name), st.st_mode | PERM_MASK) == -1)
                 throw SysError("chmod %1%", path);
         }