Use unix_mode crate to check file modes in binfmt registration

2025-12-08 05:38:19 +00:00 · 2022-01-07 21:08:37 +09:00
parent 248735cb8b
commit 3bb95d51ed
3 changed files with 12 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2545,6 +2545,12 @@ dependencies = [
 "regex",
 ]

+[[package]]
+name = "unix_mode"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35abed4630bb800f02451a7428205d1f37b8e125001471bfab259beee6a587ed"
+
 [[package]]
 name = "vec_map"
 version = "0.8.2"
@@ -2819,6 +2825,7 @@ dependencies = [
 "log",
 "structopt",
 "tempfile",
+ "unix_mode",
 "wasmer",
 "wasmer-cache",
 "wasmer-compiler",
--- a/lib/cli/Cargo.toml
+++ b/lib/cli/Cargo.toml
@@ -55,6 +55,9 @@ fern = { version = "0.6", features = ["colored"], optional = true }
 log = { version = "0.4", optional = true }
 tempfile = "3"

+[target.'cfg(target_os = "linux")'.dependencies]
+unix_mode = "0.1.3"
+
 [features]
 # Don't add the compiler features in default, please add them on the Makefile
 # since we might want to autoconfigure them depending on the availability on the host.
--- a/lib/cli/src/commands/binfmt.rs
+++ b/lib/cli/src/commands/binfmt.rs
@@ -43,8 +43,9 @@ fn seccheck(path: &Path) -> Result<()> {
    }
    let m = std::fs::metadata(path)
        .with_context(|| format!("Can't check permissions of {}", path.to_string_lossy()))?;
+    use unix_mode::*;
    anyhow::ensure!(
-        m.mode() & 0o2 == 0 || m.mode() & 0o1000 != 0,
+        !is_allowed(Accessor::Other, Access::Write, m.mode()) || is_sticky(m.mode()),
        "{} is world writeable and not sticky",
        path.to_string_lossy()
    );