In the unlinkat syscall, the operation is performed on the directory

descriptor, not the file descriptor. The file descriptor is used only for verification so do not expect any additional capabilities on it. Reported by: antoine Tested by: antoine Discussed with: kib, emaste, bapt Sponsored by: Fudo Security
2019-04-08 14:23:52 +00:00 · 2019-04-08 14:23:52 +00:00 · de0b14f2db
commit de0b14f2db
parent ab0280c4d0
1 changed files with 1 additions and 3 deletions
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@ -1809,13 +1809,11 @@ kern_funlinkat(struct thread *td, int dfd, const char *path, int fd,
 	struct vnode *vp;
 	struct nameidata nd;
 	struct stat sb;
-	cap_rights_t rights;
 	int error;

 	fp = NULL;
 	if (fd != FD_NONE) {
-		error = getvnode(td, fd, cap_rights_init(&rights, CAP_LOOKUP),
-		    &fp);
+		error = getvnode(td, fd, &cap_no_rights, &fp);
 		if (error != 0)
 			return (error);
 	}