Don't use openat2 or statx on Android. (#312)

sunfishcode · web-flow · commit 8ee1e7fc3f71 · 2023-04-12T08:22:13.000-07:00
Some Android versions disallow these even on Linux kernel versions which
otherwise would support them, and they crash the process rather than
returning `ENOSYS` so there's no way to detect this. So disallow using
`statx` and `openat2` on Android altogether.
diff --git a/cap-primitives/src/rustix/fs/metadata_ext.rs b/cap-primitives/src/rustix/fs/metadata_ext.rs
@@ -2,7 +2,7 @@
 
 use crate::fs::{ImplFileTypeExt, Metadata, PermissionsExt};
 use crate::time::{Duration, SystemClock, SystemTime};
-#[cfg(any(target_os = "android", target_os = "linux"))]
+#[cfg(target_os = "linux")]
 use rustix::fs::{makedev, Statx, StatxFlags};
 use rustix::fs::{RawMode, Stat};
 use std::convert::{TryFrom, TryInto};
@@ -219,7 +219,7 @@ impl MetadataExt {
     }
 
     /// Constructs a new instance of `Metadata` from the given `Statx`.
-    #[cfg(any(target_os = "android", target_os = "linux"))]
+    #[cfg(target_os = "linux")]
     #[inline]
     pub(crate) fn from_rustix_statx(statx: Statx) -> Metadata {
         Metadata {
diff --git a/cap-primitives/src/rustix/fs/stat_unchecked.rs b/cap-primitives/src/rustix/fs/stat_unchecked.rs
@@ -3,9 +3,9 @@ use rustix::fs::{statat, AtFlags};
 use std::path::Path;
 use std::{fs, io};
 
-#[cfg(any(target_os = "android", target_os = "linux"))]
+#[cfg(target_os = "linux")]
 use rustix::fs::{statx, StatxFlags};
-#[cfg(any(target_os = "android", target_os = "linux"))]
+#[cfg(target_os = "linux")]
 use std::sync::atomic::{AtomicU8, Ordering};
 
 /// *Unsandboxed* function similar to `stat`, but which does not perform
@@ -20,18 +20,24 @@ pub(crate) fn stat_unchecked(
         FollowSymlinks::No => AtFlags::SYMLINK_NOFOLLOW,
     };
 
-    // `statx` is preferred on Linux because it can return creation times.
-    // Linux kernels prior to 4.11 don't have `statx` and return `ENOSYS`.
-    // Older versions of Docker/seccomp would return `EPERM` for `statx`; see
-    // <https://github.com/rust-lang/rust/pull/65685/>. We store the
-    // availability in a global to avoid unnecessary syscalls.
-    #[cfg(any(target_os = "android", target_os = "linux"))]
+    // `statx` is preferred on regular Linux because it can return creation
+    // times. Linux kernels prior to 4.11 don't have `statx` and return
+    // `ENOSYS`. Older versions of Docker/seccomp would return `EPERM` for
+    // `statx`; see <https://github.com/rust-lang/rust/pull/65685/>. We store
+    // the availability in a global to avoid unnecessary syscalls.
+    //
+    // On Android, the [seccomp policy] prevents us from even
+    // detecting whether `statx` is supported, so don't even try.
+    //
+    // [seccomp policy]: https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html
+    #[cfg(target_os = "linux")]
     {
         // 0: Unknown
         // 1: Not available
         // 2: Available
         static STATX_STATE: AtomicU8 = AtomicU8::new(0);
         let state = STATX_STATE.load(Ordering::Relaxed);
+
         if state != 1 {
             let statx_result = statx(
                 start,
diff --git a/cap-primitives/src/rustix/linux/fs/open_impl.rs b/cap-primitives/src/rustix/linux/fs/open_impl.rs
@@ -25,16 +25,24 @@ pub(crate) fn open_impl(
     path: &Path,
     options: &OpenOptions,
 ) -> io::Result<fs::File> {
-    let result = open_beneath(start, path, options);
+    // On regular Linux, attempt to use `openat2` to accelerate sandboxed
+    // lookups. On Android, the [seccomp policy] prevents us from even
+    // detecting whether `openat2` is supported, so don't even try.
+    //
+    // [seccomp policy]: https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html
+    #[cfg(target_os = "linux")]
+    {
+        let result = open_beneath(start, path, options);
 
-    // If that returned `ENOSYS`, use a fallback strategy.
-    if let Err(err) = &result {
-        if Some(rustix::io::Errno::NOSYS.raw_os_error()) == err.raw_os_error() {
-            return manually::open(start, path, options);
+        // If we got anything other than a `ENOSYS` error, that's our result.
+        match result {
+            Err(err) if err.raw_os_error() == Some(rustix::io::Errno::NOSYS.raw_os_error()) => {}
+            Err(err) => return Err(err.into()),
+            Ok(fd) => return Ok(fd),
         }
     }
 
-    result
+    manually::open(start, path, options)
 }
 
 /// Call the `openat2` system call with `RESOLVE_BENEATH`. If the syscall is
@@ -61,23 +69,6 @@ pub(crate) fn open_beneath(
         Mode::empty()
     };
 
-    // On Android, seccomp kills processes that execute unrecognized system
-    // calls, so we do an explicit version check rather than relying on
-    // getting an `ENOSYS`.
-    #[cfg(target_os = "android")]
-    {
-        static CHECKED: AtomicBool = AtomicBool::new(false);
-
-        if !CHECKED.load(Relaxed) {
-            if !openat2_supported() {
-                INVALID.store(true, Relaxed);
-                return Err(rustix::io::Errno::NOSYS.into());
-            }
-
-            CHECKED.store(true, Relaxed);
-        }
-    }
-
     // We know `openat2` needs a `&CStr` internally; to avoid allocating on
     // each iteration of the loop below, allocate the `CString` now.
     path.into_with_c_str(|path_c_str| {
@@ -135,54 +126,6 @@ pub(crate) fn open_beneath(
     })
 }
 
-/// Test whether `openat2` is supported on the currently running OS.
-#[cfg(target_os = "android")]
-fn openat2_supported() -> bool {
-    // `openat2` is supported in Linux 5.6 and later. Parse the current
-    // Linux version from the `release` field from `uname` to detect this.
-    let uname = rustix::process::uname();
-    let release = uname.release().to_bytes();
-    if let Some((major, minor)) = linux_major_minor(release) {
-        if major >= 6 || (major == 5 && minor >= 6) {
-            return true;
-        }
-    }
-
-    false
-}
-
-/// Extract the major and minor values from a Linux `release` string.
-#[cfg(target_os = "android")]
-fn linux_major_minor(release: &[u8]) -> Option<(u32, u32)> {
-    let mut parts = release.split(|b| *b == b'.');
-    if let Some(major) = parts.next() {
-        if let Ok(major) = std::str::from_utf8(major) {
-            if let Ok(major) = major.parse::<u32>() {
-                if let Some(minor) = parts.next() {
-                    if let Ok(minor) = std::str::from_utf8(minor) {
-                        if let Ok(minor) = minor.parse::<u32>() {
-                            return Some((major, minor));
-                        }
-                    }
-                }
-            }
-        }
-    }
-
-    None
-}
-
-#[cfg(target_os = "android")]
-#[test]
-fn test_linux_major_minor() {
-    assert_eq!(linux_major_minor(b"5.11.0-5489-something"), Some((5, 11)));
-    assert_eq!(linux_major_minor(b"5.10.0-9-whatever"), Some((5, 10)));
-    assert_eq!(linux_major_minor(b"5.6.0"), Some((5, 6)));
-    assert_eq!(linux_major_minor(b"2.6.34"), Some((2, 6)));
-    assert_eq!(linux_major_minor(b""), None);
-    assert_eq!(linux_major_minor(b"linux-2.6.32"), None);
-}
-
 #[cfg(racy_asserts)]
 fn check_open(start: &fs::File, path: &Path, options: &OpenOptions, file: &fs::File) {
     let check = manually::open(
