version 2.0.19

Do not fail when file was successfully created.

I will test before commit. I will test before commit. I will...

debian/changelog

@@ -1,3 +1,35 @@
+qubes-utils (2.0.19) jessie; urgency=medium
+
+  * debian: O_TMPFILE already defined
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Sun, 01 Feb 2015 03:07:29 +0100
+
+qubes-utils (2.0.18) jessie; urgency=medium
+
+  * filecopy: fix handling ENOENT error
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Fri, 23 Jan 2015 01:22:10 +0100
+
+qubes-utils (2.0.17) jessie; urgency=medium
+
+  * filecopy: really do not use O_TMPFILE when use_tmpfile==0
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Wed, 21 Jan 2015 16:07:40 +0100
+
+qubes-utils (2.0.16) jessie; urgency=medium
+
+  * filecopy: create new file unaccessible to the user until fully
+    written
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Sun, 18 Jan 2015 18:05:35 +0100
+
+qubes-utils (2.0.15) jessie; urgency=medium
+
+  [ HW42 ]
+  * use systemd in debian
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Mon, 01 Dec 2014 04:32:48 +0100
+
 qubes-utils (2.0.14) jessie; urgency=medium
 
   [ Marek Marczykowski-Górecki ]

qrexec-lib/libqubes-rpc-filecopy.h

@@ -66,6 +66,8 @@ int copy_file(int outfd, int infd, long long size, unsigned long *crc32);
 const char *copy_file_status_to_str(int status);
 void set_size_limit(unsigned long long new_bytes_limit, unsigned long long new_files_limit);
 void set_verbose(int value);
+/* register open fd to /proc/PID/fd of this process */
+void set_procfs_fd(int value);
 int write_all(int fd, const void *buf, int size);
 int read_all(int fd, void *buf, int size);
 int copy_fd_all(int fdout, int fdin);

qrexec-lib/unpack.c

@@ -18,9 +18,21 @@ unsigned long long files_limit = 0;
 unsigned long long total_bytes = 0;
 unsigned long long total_files = 0;
 int verbose = 0;
+int use_tmpfile = 0;
+int procdir_fd = -1;
 
 void send_status_and_crc(int code, const char *last_filename);
 
+/* copy from asm-generic/fcntl.h */
+#ifndef __O_TMPFILE
+#define __O_TMPFILE 020000000
+#endif
+#ifndef O_TMPFILE
+/* a horrid kludge trying to make sure that this will fail on old kernels */
+#define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
+#define O_TMPFILE_MASK (__O_TMPFILE | O_DIRECTORY | O_CREAT)
+#endif
+
 void do_exit(int code, const char *last_filename)
 {
 	close(0);
@@ -39,6 +51,12 @@ void set_verbose(int value)
 	verbose = value;
 }
 
+void set_procfs_fd(int value)
+{
+	procdir_fd = value;
+	use_tmpfile = 1;
+}
+
 unsigned long crc32_sum = 0;
 int read_all_with_crc(int fd, void *buf, int size) {
 	int ret;
@@ -88,7 +106,21 @@ void process_one_file_reg(struct file_header *untrusted_hdr,
 			  const char *untrusted_name)
 {
 	int ret;
-	int fdout = open(untrusted_name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);	/* safe because of chroot */
+	int fdout = -1;
+
+	/* make the file inaccessible until fully written */
+	if (use_tmpfile) {
+		fdout = open(".", O_WRONLY | O_TMPFILE, 0700);
+		if (fdout < 0) {
+		   if (errno==ENOENT)
+			   /* if it fails, do not attempt further use - most likely kernel too old */
+			   use_tmpfile = 0;
+		   else
+			   do_exit(errno, untrusted_name);
+		}
+	}
+	if (fdout < 0)
+		fdout = open(untrusted_name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0000);	/* safe because of chroot */
 	if (fdout < 0)
 		do_exit(errno, untrusted_name);
 	/* sizes are signed elsewhere */
@@ -105,6 +137,13 @@ void process_one_file_reg(struct file_header *untrusted_hdr,
 		else
 			do_exit(errno, untrusted_name);
 	}
+	fdatasync(fdout);
+	if (use_tmpfile) {
+		char fd_str[7];
+		snprintf(fd_str, sizeof(fd_str), "%d", fdout);
+		if (linkat(procdir_fd, fd_str, AT_FDCWD, untrusted_name, AT_SYMLINK_FOLLOW) < 0)
+			do_exit(errno, untrusted_name);
+	}
 	close(fdout);
 	fix_times_and_perms(untrusted_hdr, untrusted_name);
 }

version

@@ -1 +1 @@
-2.0.14
+2.0.19