auditd: Avoid blocking on open syscall

`open` might block on FIFO files or some character/block devices such as /dev/tty.
Checking `stat` based on path introduces a TOCTOU issue.
The "correct" way to check this is using `O_PATH` option
with `open` to get a stable file descriptor, then use
that for stats, only opening for actual read later.

Author: LordGrimmauld

audisp/audispd-pconfig.c

@@ -143,9 +143,11 @@ int load_pconfig(plugin_conf_t *config, char *file)
 
 	clear_pconfig(config);
 
-	/* open the file */
-	mode = O_RDONLY;
-	rc = open(file, mode);
+	/* only get a file descriptor, don't fully open.
+	 * This avoids blocking on block/char devices and FIFO files.
+	 * We do not pass O_NOFOLLOW, which allows for symlinked configs.
+	 */
+	rc = open(file, O_PATH);
 	if (rc < 0) {
 		if (errno != ENOENT) {
 			audit_msg(LOG_ERR, "Error opening %s (%s)", file,
@@ -156,10 +158,9 @@ int load_pconfig(plugin_conf_t *config, char *file)
 			"Config file %s doesn't exist, skipping", file);
 		return 0;
 	}
-	fd = rc;
 
 	/* check the file's permissions: owned by root, not world writable,
-	 * not symlink.
+	 * pointing to regular file.
 	 */
 	if (fstat(fd, &st) < 0) {
 		audit_msg(LOG_ERR, "Error fstat'ing config file (%s)",
@@ -179,13 +180,24 @@ int load_pconfig(plugin_conf_t *config, char *file)
 		close(fd);
 		return 1;
 	}
+	// this checks if the actual file is a regular file. The initial open might have followed a symlink, which is acceptable.
 	if (!S_ISREG(st.st_mode)) {
 		audit_msg(LOG_ERR, "Error - %s is not a regular file",
 			file);
 		close(fd);
 		return 1;
 	}
 
+	/* reopen the file for reading, now that it is determined to be safe */
+	mode = O_RDONLY;
+	rc = openat(fd, "", mode);
+	if (rc < 0) {
+		audit_msg(LOG_WARNING,
+			"Error reopening file %s for reading", file);
+		return 1;
+	}
+	fd = rc;
+
 	/* it's ok, read line by line */
 	f = fdopen(fd, "rm");
 	if (f == NULL) {