authorLiav A <liavalb@gmail.com>2022-11-26 11:48:02 +0200
committerAndrew Kaster <andrewdkaster@gmail.com>2022-12-03 11:00:34 -0700
commit69f41eb062bf2c3ca4495201915a3b660ea73df5 (patch)
tree0bc2c4ae0b520ca3161d17bd14741ddcc5f537ee
parent0eeba7084dd4e89e0502776d05604926ecc4e62f (diff)
downloadserenity-69f41eb062bf2c3ca4495201915a3b660ea73df5.zip
Kernel: Reject create links on paths that were not unveiled as writable
This solves one of the security issues mentioned in issue #15996. We simply don't allow creating hard links to paths that were not unveiled as writable, to prevent a possible veil bypass on a path that was unveiled as non-writable.
-rw-r--r--Kernel/FileSystem/VirtualFileSystem.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/Kernel/FileSystem/VirtualFileSystem.cpp b/Kernel/FileSystem/VirtualFileSystem.cpp
index acd5480787..9bed735a10 100644
--- a/Kernel/FileSystem/VirtualFileSystem.cpp
+++ b/Kernel/FileSystem/VirtualFileSystem.cpp
@@ -723,7 +723,9 @@ static bool hard_link_allowed(Credentials const& credentials, Inode const& inode
ErrorOr<void> VirtualFileSystem::link(Credentials const& credentials, StringView old_path, StringView new_path, Custody& base)
{
- auto old_custody = TRY(resolve_path(credentials, old_path, base));
+ // NOTE: To prevent unveil bypass by creating an hardlink after unveiling a path as read-only,
+ // check that if write permission is allowed by the veil info on the old_path.
+ auto old_custody = TRY(resolve_path(credentials, old_path, base, nullptr, O_RDWR));
auto& old_inode = old_custody->inode();
RefPtr<Custody> parent_custody;
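Review bot: The NOTE above the new `resolve_path(credentials, old_path, base, nullptr, O_RDWR)` call is hard to parse ("check that if write permission is allowed") and does not say why `O_RDWR` is the flag passed; I would reword it to `// NOTE: A hard link gives the same inode a second name, so require that the veil allows writing to old_path;` followed by `// otherwise a path unveiled as read-only could be linked elsewhere and written through the new name.` If the veil validation treats `O_RDWR` as "read and write", a path unveiled write-only would now be refused as a link source, which may or may not be intended; that code is not visible here, so it is worth confirming. The commit changes only this one file, so a regression test that unveils a path as read-only and expects `link()` on it to fail would keep the check from being lost later. The body of `link()` continues past the end of the hunk, so how `new_path` is resolved against the veil cannot be judged from these lines.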