os: add Root.Chmod

For #67002

Change-Id: Id6c3a2096bd10f5f5f6921a0441dc6d9e6cdeb3b
Reviewed-on: https://go-review.googlesource.com/c/go/+/645718
Commit-Queue: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>

6 files changed, 168 insertions, 1 deletions

diff --git a/src/os/root.go b/src/os/root.go
index f91c0f75f3..cd26144ab7 100644
--- a/src/os/root.go
+++ b/src/os/root.go
@@ -54,11 +54,16 @@ func OpenInRoot(dir, name string) (*File, error) {
 //
 //   - When GOOS=windows, file names may not reference Windows reserved device names
 //     such as NUL and COM1.
+//   - On Unix, [Root.Chmod] and [Root.Chown] are vulnerable to a race condition.
+//     If the target of the operation is changed from a regular file to a symlink
+//     while the operation is in progress, the operation may be peformed on the link
+//     rather than the link target.
 //   - When GOOS=js, Root is vulnerable to TOCTOU (time-of-check-time-of-use)
 //     attacks in symlink validation, and cannot ensure that operations will not
 //     escape the root.
 //   - When GOOS=plan9 or GOOS=js, Root does not track directories across renames.
 //     On these platforms, a Root references a directory name, not a file descriptor.
+//   - WASI preview 1 (GOOS=wasip1) does not support [Root.Chmod].
 type Root struct {
 	root *root
 }
@@ -127,6 +132,12 @@ func (r *Root) OpenRoot(name string) (*Root, error) {
 	return openRootInRoot(r, name)
 }
 
+// Chmod changes the mode of the named file in the root to mode.
+// See [Chmod] for more details.
+func (r *Root) Chmod(name string, mode FileMode) error {
+	return rootChmod(r, name, mode)
+}
+
 // Mkdir creates a new directory in the root
 // with the specified name and permission bits (before umask).
 // See [Mkdir] for more details.
diff --git a/src/os/root_noopenat.go b/src/os/root_noopenat.go
index 8be55a029f..819486f289 100644
--- a/src/os/root_noopenat.go
+++ b/src/os/root_noopenat.go
@@ -95,6 +95,16 @@ func rootStat(r *Root, name string, lstat bool) (FileInfo, error) {
 	return fi, nil
 }
 
+func rootChmod(r *Root, name string, mode FileMode) error {
+	if err := checkPathEscapes(r, name); err != nil {
+		return &PathError{Op: "chmodat", Path: name, Err: err}
+	}
+	if err := Chmod(joinPath(r.root.name, name), mode); err != nil {
+		return &PathError{Op: "chmodat", Path: name, Err: underlyingError(err)}
+	}
+	return nil
+}
+
 func rootMkdir(r *Root, name string, perm FileMode) error {
 	if err := checkPathEscapes(r, name); err != nil {
 		return &PathError{Op: "mkdirat", Path: name, Err: err}
diff --git a/src/os/root_openat.go b/src/os/root_openat.go
index a03208b4c1..97e389db8d 100644
--- a/src/os/root_openat.go
+++ b/src/os/root_openat.go
@@ -64,6 +64,16 @@ func (r *root) Name() string {
 	return r.name
 }
 
+func rootChmod(r *Root, name string, mode FileMode) error {
+	_, err := doInRoot(r, name, func(parent sysfdType, name string) (struct{}, error) {
+		return struct{}{}, chmodat(parent, name, mode)
+	})
+	if err != nil {
+		return &PathError{Op: "chmodat", Path: name, Err: err}
+	}
+	return err
+}
+
 func rootMkdir(r *Root, name string, perm FileMode) error {
 	_, err := doInRoot(r, name, func(parent sysfdType, name string) (struct{}, error) {
 		return struct{}{}, mkdirat(parent, name, perm)
diff --git a/src/os/root_test.go b/src/os/root_test.go
index cbb985b2ce..3591214ffd 100644
--- a/src/os/root_test.go
+++ b/src/os/root_test.go
@@ -389,6 +389,43 @@ func TestRootCreate(t *testing.T) {
 	}
 }
 
+func TestRootChmod(t *testing.T) {
+	if runtime.GOOS == "wasip1" {
+		t.Skip("Chmod not supported on " + runtime.GOOS)
+	}
+	for _, test := range rootTestCases {
+		test.run(t, func(t *testing.T, target string, root *os.Root) {
+			if target != "" {
+				// Create a file with no read/write permissions,
+				// to ensure we can use Chmod on an inaccessible file.
+				if err := os.WriteFile(target, nil, 0o000); err != nil {
+					t.Fatal(err)
+				}
+			}
+			if runtime.GOOS == "windows" {
+				// On Windows, Chmod("symlink") affects the link, not its target.
+				// See issue 71492.
+				fi, err := root.Lstat(test.open)
+				if err == nil && !fi.Mode().IsRegular() {
+					t.Skip("https://go.dev/issue/71492")
+				}
+			}
+			want := os.FileMode(0o666)
+			err := root.Chmod(test.open, want)
+			if errEndsTest(t, err, test.wantError, "root.Chmod(%q)", test.open) {
+				return
+			}
+			st, err := os.Stat(target)
+			if err != nil {
+				t.Fatalf("os.Stat(%q) = %v", target, err)
+			}
+			if got := st.Mode(); got != want {
+				t.Errorf("after root.Chmod(%q, %v): file mode = %v, want %v", test.open, want, got, want)
+			}
+		})
+	}
+}
+
 func TestRootMkdir(t *testing.T) {
 	for _, test := range rootTestCases {
 		test.run(t, func(t *testing.T, target string, root *os.Root) {
@@ -877,6 +914,35 @@ func TestRootConsistencyCreate(t *testing.T) {
 	}
 }
 
+func TestRootConsistencyChmod(t *testing.T) {
+	if runtime.GOOS == "wasip1" {
+		t.Skip("Chmod not supported on " + runtime.GOOS)
+	}
+	for _, test := range rootConsistencyTestCases {
+		test.run(t, func(t *testing.T, path string, r *os.Root) (string, error) {
+			chmod := os.Chmod
+			lstat := os.Lstat
+			if r != nil {
+				chmod = r.Chmod
+				lstat = r.Lstat
+			}
+
+			var m1, m2 os.FileMode
+			err := chmod(path, 0o555)
+			fi, err := lstat(path)
+			if err == nil {
+				m1 = fi.Mode()
+			}
+			err = chmod(path, 0o777)
+			fi, err = lstat(path)
+			if err == nil {
+				m2 = fi.Mode()
+			}
+			return fmt.Sprintf("%v %v", m1, m2), err
+		})
+	}
+}
+
 func TestRootConsistencyMkdir(t *testing.T) {
 	for _, test := range rootConsistencyTestCases {
 		test.run(t, func(t *testing.T, path string, r *os.Root) (string, error) {
diff --git a/src/os/root_unix.go b/src/os/root_unix.go
index 02d3b4bdad..31773ef681 100644
--- a/src/os/root_unix.go
+++ b/src/os/root_unix.go
@@ -131,6 +131,32 @@ func rootStat(r *Root, name string, lstat bool) (FileInfo, error) {
 	return fi, nil
 }
 
+// On systems which use fchmodat, fchownat, etc., we have a race condition:
+// When "name" is a symlink, Root.Chmod("name") should act on the target of that link.
+// However, fchmodat doesn't allow us to chmod a file only if it is not a symlink;
+// the AT_SYMLINK_NOFOLLOW parameter causes the operation to act on the symlink itself.
+//
+// We do the best we can by first checking to see if the target of the operation is a symlink,
+// and only attempting the fchmodat if it is not. If the target is replaced between the check
+// and the fchmodat, we will chmod the symlink rather than following it.
+//
+// This race condition is unfortunate, but does not permit escaping a root:
+// We may act on the wrong file, but that file will be contained within the root.
+func afterResolvingSymlink(parent int, name string, f func() error) error {
+	if err := checkSymlink(parent, name, nil); err != nil {
+		return err
+	}
+	return f()
+}
+
+func chmodat(parent int, name string, mode FileMode) error {
+	return afterResolvingSymlink(parent, name, func() error {
+		return ignoringEINTR(func() error {
+			return unix.Fchmodat(parent, name, syscallMode(mode), unix.AT_SYMLINK_NOFOLLOW)
+		})
+	})
+}
+
 func mkdirat(fd int, name string, perm FileMode) error {
 	return ignoringEINTR(func() error {
 		return unix.Mkdirat(fd, name, syscallMode(perm))
diff --git a/src/os/root_windows.go b/src/os/root_windows.go
index 32dfa070b7..ba809bd6e0 100644
--- a/src/os/root_windows.go
+++ b/src/os/root_windows.go
@@ -134,7 +134,7 @@ func rootOpenFileNolog(root *Root, name string, flag int, perm FileMode) (*File,
 }
 
 func openat(dirfd syscall.Handle, name string, flag int, perm FileMode) (syscall.Handle, error) {
-	h, err := windows.Openat(dirfd, name, flag|syscall.O_CLOEXEC|windows.O_NOFOLLOW_ANY, syscallMode(perm))
+	h, err := windows.Openat(dirfd, name, uint64(flag)|syscall.O_CLOEXEC|windows.O_NOFOLLOW_ANY, syscallMode(perm))
 	if err == syscall.ELOOP || err == syscall.ENOTDIR {
 		if link, err := readReparseLinkAt(dirfd, name); err == nil {
 			return syscall.InvalidHandle, errSymlink(link)
@@ -232,6 +232,50 @@ func rootStat(r *Root, name string, lstat bool) (FileInfo, error) {
 	return fi, nil
 }
 
+func chmodat(parent syscall.Handle, name string, mode FileMode) error {
+	// Currently, on Windows os.Chmod("symlink") will act on "symlink",
+	// not on any file it points to.
+	//
+	// This may or may not be the desired behavior: https://go.dev/issue/71492
+	//
+	// For now, be consistent with os.Symlink.
+	// Passing O_OPEN_REPARSE causes us to open the named file itself,
+	// not any file that it links to.
+	//
+	// If we want to change this in the future, pass O_NOFOLLOW_ANY instead
+	// and return errSymlink when encountering a symlink:
+	//
+	//     if err == syscall.ELOOP || err == syscall.ENOTDIR {
+	//         if link, err := readReparseLinkAt(parent, name); err == nil {
+	//                 return errSymlink(link)
+	//         }
+	//     }
+	h, err := windows.Openat(parent, name, syscall.O_CLOEXEC|windows.O_OPEN_REPARSE|windows.O_WRITE_ATTRS, 0)
+	if err != nil {
+		return err
+	}
+	defer syscall.CloseHandle(h)
+
+	var d syscall.ByHandleFileInformation
+	if err := syscall.GetFileInformationByHandle(h, &d); err != nil {
+		return err
+	}
+	attrs := d.FileAttributes
+
+	if mode&syscall.S_IWRITE != 0 {
+		attrs &^= syscall.FILE_ATTRIBUTE_READONLY
+	} else {
+		attrs |= syscall.FILE_ATTRIBUTE_READONLY
+	}
+	if attrs == d.FileAttributes {
+		return nil
+	}
+
+	var fbi windows.FILE_BASIC_INFO
+	fbi.FileAttributes = attrs
+	return windows.SetFileInformationByHandle(h, windows.FileBasicInfo, unsafe.Pointer(&fbi), uint32(unsafe.Sizeof(fbi)))
+}
+
 func mkdirat(dirfd syscall.Handle, name string, perm FileMode) error {
 	return windows.Mkdirat(dirfd, name, syscallMode(perm))
 }