sysmaster/backport-fix-devmaster-adjust-temporary-file-permissions.patch

From 26a93ec411098bf29fa8ebe9b84940f8c9455423 Mon Sep 17 00:00:00 2001
From: chenjiayi <chenjiayi22@huawei.com>
Date: Tue, 31 Oct 2023 20:24:30 +0800
Subject: [PATCH 014/103] fix(devmaster): adjust temporary file permissions

Adjust temporary file permissions.
---
 exts/devmaster/src/lib/rules/node.rs | 10 +++++++++-
 libs/device/src/device.rs            | 22 +++++++++++++++++++---
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/exts/devmaster/src/lib/rules/node.rs b/exts/devmaster/src/lib/rules/node.rs
index 45b8b36b..9fba906e 100644
--- a/exts/devmaster/src/lib/rules/node.rs
+++ b/exts/devmaster/src/lib/rules/node.rs
@@ -33,7 +33,7 @@
 //! directory, the directory will be removed.
 
 use crate::{error::*, log_dev, log_dev_option};
-use basic::fs_util::path_simplify;
+use basic::fs_util::{chmod, path_simplify};
 use basic::fs_util::{fchmod_and_chown, futimens_opath, symlink};
 use basic::{fd_util::xopendirat, fs_util::remove_dir_until};
 use cluFlock::ExclusiveFlock;
@@ -355,6 +355,14 @@ pub(crate) fn open_prior_dir(symlink: &str) -> Result<(Dir, File)> {
         })
         .log_error(&format!("failed to create directory all '{}'", dirname))?;
 
+    if let Err(e) = chmod(dirname.as_str(), 0o750) {
+        log::error!("Failed to set permission for {}: {}", &dirname, e);
+    }
+
+    if let Err(e) = chmod("/run/devmaster/links", 0o750) {
+        log::error!("Failed to set permission for /run/devmaster/links: {}", e);
+    }
+
     let dir = nix::dir::Dir::from_fd(
         nix::fcntl::open(
             dirname.as_str(),
diff --git a/libs/device/src/device.rs b/libs/device/src/device.rs
index 5b1eff1f..5a95e0f5 100644
--- a/libs/device/src/device.rs
+++ b/libs/device/src/device.rs
@@ -15,7 +15,7 @@
 use crate::err_wrapper;
 use crate::utils::readlink_value;
 use crate::{error::*, DeviceAction};
-use basic::fs_util::{open_temporary, touch_file};
+use basic::fs_util::{chmod, open_temporary, touch_file};
 use basic::parse::{device_path_parse_devnum, parse_devnum, parse_ifindex};
 use libc::{
     dev_t, faccessat, gid_t, mode_t, uid_t, F_OK, S_IFBLK, S_IFCHR, S_IFDIR, S_IFLNK, S_IFMT,
@@ -1532,6 +1532,10 @@ impl Device {
                 .map_or_else(|| nix::Error::EIO, nix::Error::from_i32),
         })?;
 
+        if let Err(e) = chmod(DB_BASE_DIR, 0o750) {
+            log::error!("Failed to set permission for /run/devmaster/data/: {}", e);
+        }
+
         let (mut file, tmp_file) = open_temporary(&db_path).map_err(|e| {
             let errno = match e {
                 basic::error::Error::Nix { source } => source,
@@ -1546,9 +1550,9 @@ impl Device {
         fchmod(
             file.as_raw_fd(),
             if *self.db_persist.borrow() {
-                Mode::from_bits(0o1644).unwrap()
+                Mode::from_bits(0o1640).unwrap()
             } else {
-                Mode::from_bits(0o644).unwrap()
+                Mode::from_bits(0o640).unwrap()
             },
         )
         .map_err(|e| {
@@ -1697,6 +1701,18 @@ impl Device {
                 source: nix::Error::EINVAL,
             })?;
 
+            if let Err(e) = chmod(TAGS_BASE_DIR, 0o750) {
+                log::error!("Failed to set permission for {}: {}", TAGS_BASE_DIR, e);
+            }
+
+            if let Err(e) = chmod(&format!("{}{}", TAGS_BASE_DIR, tag), 0o750) {
+                log::error!(
+                    "Failed to set permission for {}: {}",
+                    format!("{}{}", TAGS_BASE_DIR, tag),
+                    e
+                );
+            }
+
             return Ok(());
         }
 
-- 
2.33.0
sync patches from upstream 2023-12-07 00:19:38 +08:00			`From 26a93ec411098bf29fa8ebe9b84940f8c9455423 Mon Sep 17 00:00:00 2001`
			`From: chenjiayi <chenjiayi22@huawei.com>`
			`Date: Tue, 31 Oct 2023 20:24:30 +0800`
			`Subject: [PATCH 014/103] fix(devmaster): adjust temporary file permissions`

			`Adjust temporary file permissions.`
			`---`
			`exts/devmaster/src/lib/rules/node.rs \| 10 +++++++++-`
			`libs/device/src/device.rs \| 22 +++++++++++++++++++---`
			`2 files changed, 28 insertions(+), 4 deletions(-)`

			`diff --git a/exts/devmaster/src/lib/rules/node.rs b/exts/devmaster/src/lib/rules/node.rs`
			`index 45b8b36b..9fba906e 100644`
			`--- a/exts/devmaster/src/lib/rules/node.rs`
			`+++ b/exts/devmaster/src/lib/rules/node.rs`
			`@@ -33,7 +33,7 @@`
			`//! directory, the directory will be removed.`

			`use crate::{error::*, log_dev, log_dev_option};`
			`-use basic::fs_util::path_simplify;`
			`+use basic::fs_util::{chmod, path_simplify};`
			`use basic::fs_util::{fchmod_and_chown, futimens_opath, symlink};`
			`use basic::{fd_util::xopendirat, fs_util::remove_dir_until};`
			`use cluFlock::ExclusiveFlock;`
			`@@ -355,6 +355,14 @@ pub(crate) fn open_prior_dir(symlink: &str) -> Result<(Dir, File)> {`
			`})`
			`.log_error(&format!("failed to create directory all '{}'", dirname))?;`

			`+ if let Err(e) = chmod(dirname.as_str(), 0o750) {`
			`+ log::error!("Failed to set permission for {}: {}", &dirname, e);`
			`+ }`
			`+`
			`+ if let Err(e) = chmod("/run/devmaster/links", 0o750) {`
			`+ log::error!("Failed to set permission for /run/devmaster/links: {}", e);`
			`+ }`
			`+`
			`let dir = nix::dir::Dir::from_fd(`
			`nix::fcntl::open(`
			`dirname.as_str(),`
			`diff --git a/libs/device/src/device.rs b/libs/device/src/device.rs`
			`index 5b1eff1f..5a95e0f5 100644`
			`--- a/libs/device/src/device.rs`
			`+++ b/libs/device/src/device.rs`
			`@@ -15,7 +15,7 @@`
			`use crate::err_wrapper;`
			`use crate::utils::readlink_value;`
			`use crate::{error::*, DeviceAction};`
			`-use basic::fs_util::{open_temporary, touch_file};`
			`+use basic::fs_util::{chmod, open_temporary, touch_file};`
			`use basic::parse::{device_path_parse_devnum, parse_devnum, parse_ifindex};`
			`use libc::{`
			`dev_t, faccessat, gid_t, mode_t, uid_t, F_OK, S_IFBLK, S_IFCHR, S_IFDIR, S_IFLNK, S_IFMT,`
			`@@ -1532,6 +1532,10 @@ impl Device {`
			`.map_or_else(\|\| nix::Error::EIO, nix::Error::from_i32),`
			`})?;`

			`+ if let Err(e) = chmod(DB_BASE_DIR, 0o750) {`
			`+ log::error!("Failed to set permission for /run/devmaster/data/: {}", e);`
			`+ }`
			`+`
			`let (mut file, tmp_file) = open_temporary(&db_path).map_err(\|e\| {`
			`let errno = match e {`
			`basic::error::Error::Nix { source } => source,`
			`@@ -1546,9 +1550,9 @@ impl Device {`
			`fchmod(`
			`file.as_raw_fd(),`
			`if *self.db_persist.borrow() {`
			`- Mode::from_bits(0o1644).unwrap()`
			`+ Mode::from_bits(0o1640).unwrap()`
			`} else {`
			`- Mode::from_bits(0o644).unwrap()`
			`+ Mode::from_bits(0o640).unwrap()`
			`},`
			`)`
			`.map_err(\|e\| {`
			`@@ -1697,6 +1701,18 @@ impl Device {`
			`source: nix::Error::EINVAL,`
			`})?;`

			`+ if let Err(e) = chmod(TAGS_BASE_DIR, 0o750) {`
			`+ log::error!("Failed to set permission for {}: {}", TAGS_BASE_DIR, e);`
			`+ }`
			`+`
			`+ if let Err(e) = chmod(&format!("{}{}", TAGS_BASE_DIR, tag), 0o750) {`
			`+ log::error!(`
			`+ "Failed to set permission for {}: {}",`
			`+ format!("{}{}", TAGS_BASE_DIR, tag),`
			`+ e`
			`+ );`
			`+ }`
			`+`
			`return Ok(());`
			`}`

			`--`
			`2.33.0`