From 863eace7cb72308d10e170ee98f15d95f55235d0 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Sun, 1 Sep 2024 23:26:10 +0000
Subject: [PATCH] Regarding previous commit, X_OK on unveil-permitted directories does not map nicely to UNVEIL_EXEC. But we don't know before calling namei() if the path is a directory. Oh well, stick to UNVEIL_READ for that case, it is going to be good enough for the typical case. Worked out with jeremy after chrome/firefox Downloads directory issue.

---
 sys/kern/vfs_syscalls.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 6e1eb2d0c6c..33dab14f783 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vfs_syscalls.c,v 1.367 2024/08/31 15:52:09 deraadt Exp $ */
+/* $OpenBSD: vfs_syscalls.c,v 1.368 2024/09/01 23:26:10 deraadt Exp $ */
 /* $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $ */
 
 /*
@@ -2002,10 +2002,8 @@ dofaccessat(struct proc *p, int fd, const char *path, int amode, int flag)
 		vflags |= VWRITE;
 		nd.ni_unveil |= UNVEIL_WRITE;
 	}
-	if (amode & X_OK) {
+	if (amode & X_OK)
 		vflags |= VEXEC;
-		nd.ni_unveil |= UNVEIL_EXEC;
-	}
 	if ((error = namei(&nd)) != 0)
 		goto out;
 	vp = nd.ni_vp;
-- 
2.20.1
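Review bot: The reason X_OK no longer contributes UNVEIL_EXEC lives only in the commit message; the new one-line `if (amode & X_OK)` in dofaccessat gives a later reader no hint that dropping the unveil bit is deliberate rather than an omission, and the asymmetry with the W_OK branch just above (which still sets UNVEIL_WRITE) invites someone to "fix" it back. A comment above the check, `/* X_OK: no UNVEIL_EXEC; the vnode type is unknown before namei() and X_OK on a directory would not map to it, so the earlier UNVEIL_READ requirement gates this lookup */`, would keep the rationale with the code. Note that after this change an X_OK access(2) on an unveil-visible path is gated only by whatever ni_unveil bits were set earlier in the function (presumably UNVEIL_READ, not visible in this hunk), while VEXEC is still placed in vflags for the later vnode permission check, so only the unveil gate is loosened, not the file-mode check. dofaccessat begins and ends outside the hunk.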