From 5c60a0fab8fabcc828e2f6867e9eef3a211f9e4d Mon Sep 17 00:00:00 2001 From: Oliver Reiche Date: Mon, 7 Mar 2022 13:23:13 +0100 Subject: LocalCAS: Avoid writable fds when adding executables to CAS --- src/buildtool/execution_api/local/file_storage.hpp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/buildtool/execution_api/local/file_storage.hpp b/src/buildtool/execution_api/local/file_storage.hpp index 07ac1204..df02d6a5 100644 --- a/src/buildtool/execution_api/local/file_storage.hpp +++ b/src/buildtool/execution_api/local/file_storage.hpp @@ -47,6 +47,7 @@ class FileStorage { private: std::filesystem::path const storage_root_{}; + static constexpr bool fd_less_{kType == ObjectType::Executable}; /// \brief Add file to storage via copy and atomic rename. /// If a race-condition occurs, the winning thread will be the one @@ -77,14 +78,20 @@ class FileStorage { [[nodiscard]] static auto CreateFileFromData( std::filesystem::path const& file_path, std::filesystem::path const& other_path) noexcept -> bool { - return FileSystemManager::CopyFileAs(other_path, file_path); + // Copy executables without opening any writeable file descriptors in + // this process to avoid those from being inherited by child processes. + return FileSystemManager::CopyFileAs( + other_path, file_path, fd_less_); } /// \brief Create file from bytes. [[nodiscard]] static auto CreateFileFromData( std::filesystem::path const& file_path, std::string const& bytes) noexcept -> bool { - return FileSystemManager::WriteFileAs(bytes, file_path); + // Write executables without opening any writeable file descriptors in + // this process to avoid those from being inherited by child processes. + return FileSystemManager::WriteFileAs( + bytes, file_path, fd_less_); } /// \brief Stage file from source path to target path. -- cgit v1.2.3