[CRIU] [PATCH] restore: open the pidfile with O_EXCL

Tycho Andersen tycho.andersen at canonical.com
Tue Sep 2 07:57:04 PDT 2014


There is a potential attack here where if someone is restoring something and
criu writes the pid to a file the attacker controls, the attacker can then
re-write that to whatever pid they want. criu should instead open the file with
O_EXCL so that the restore fails if the file exists.

We don't need O_TRUNC here since we're O_EXCL-ing the file.

Reported-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 log.c        | 2 +-
 test/zdtm.sh | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/log.c b/log.c
index c5ad472..c6e64da 100644
--- a/log.c
+++ b/log.c
@@ -185,7 +185,7 @@ int write_pidfile(int pid)
 {
 	int fd;
 
-	fd = open(opts.pidfile, O_WRONLY | O_TRUNC | O_CREAT, 0600);
+	fd = open(opts.pidfile, O_WRONLY | O_EXCL | O_CREAT, 0600);
 	if (fd == -1) {
 		pr_perror("Can't open %s", opts.pidfile);
 		return -1;
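Review bot: the switch to O_EXCL | O_CREAT in write_pidfile() changes behaviour for --pidfile users, and nothing in this patch documents it. A stale pidfile left by an earlier restore now makes the restore fail with EEXIST, so the option's help text or man page should say the path must not already exist. Note also that O_EXCL only protects against a file or symlink that exists at open() time. If the attacker can write to the directory holding opts.pidfile, they can still unlink and recreate the file after this call, so the documentation should recommend a directory that only the restoring user can write to.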
diff --git a/test/zdtm.sh b/test/zdtm.sh
index 5d03ecc..d247b22 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -638,6 +638,9 @@ EOF
 				"${test}.hook" --pre-restore || return 2
 			fi
 
+			# Restore fails if --pidfile exists, so remove it.
+			rm -f $TPID || true
+
 			echo Restore
 			setsid $CRIU restore -D $ddump -o restore.log -v4 -d $gen_args || return 2
 
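Review bot: in the added `rm -f $TPID || true`, $TPID is unquoted, so a path containing whitespace or glob characters would be split or expanded before rm sees it; `rm -f "$TPID"` is safer. The `|| true` also hides the one failure that matters here: rm -f already returns success for a missing file, so a non-zero status means the pidfile could not be removed, and the restore on the next lines will then fail on the O_EXCL open with a less obvious cause. It would also help to make visible in this hunk that $TPID is the same path passed to --pidfile through $gen_args, since the comment relies on that.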
-- 
1.9.1


