This is an archive of the discontinued LLVM Phabricator instance.

Differential D61967

[clang-tidy] Add a close-on-exec check on pipe() in Android module.
ClosedPublic

Authored by jcai19 on May 15 2019, 3:43 PM.

Details

Reviewers
chh
hokein
aaron.ballman
JonasToth
gribozavr
Commits
rCTE362673: android: add a close-on-exec check on pipe()
rG5b2a85d0ded2: android: add a close-on-exec check on pipe()
rL362673: android: add a close-on-exec check on pipe()
Summary

pipe() is better to be replaced by pipe2() with O_CLOEXEC flag to avoid file descriptor leakage.

Diff Detail

Repository
rL LLVM

Event Timeline

jcai19 created this revision.May 15 2019, 3:43 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 15 2019, 3:43 PM
Herald added subscribers: cfe-commits, xazax.hun, mgorny. · View Herald Transcript
Harbormaster completed remote builds in B31950: Diff 199692.May 15 2019, 3:45 PM
george.burgess.iv added a comment.May 15 2019, 3:58 PM

Thanks for this!

I don't have great context on tidy, so I can't stamp this, but I do have a few drive-by nits for you.

clang-tools-extra/clang-tidy/android/CloexecPipeCheck.cpp
22 ↗(On Diff #199692)

We probably don't want to commit commented out code

27 ↗(On Diff #199692)

simplicity nit: can this be a std::string?

clang-tools-extra/clang-tidy/android/CloexecPipeCheck.h
18 ↗(On Diff #199692)

nit: should probably update this comment

clang-tools-extra/test/clang-tidy/android-cloexec-pipe.cpp
9 ↗(On Diff #199692)

(Do we have a CHECK-FIXES-NOT or CHECK-MESSAGES-NOT to apply to the things below? Or are the CHECKs here meant to be complete like clang's -verify?)

Eugene.Zelenko added a subscriber: Eugene.Zelenko.May 15 2019, 4:04 PM
Eugene.Zelenko added inline comments.
clang-tools-extra/docs/clang-tidy/checks/android-cloexec-pipe.rst
6 ↗(On Diff #199692)

Please make first sentence same as in Release Notes.

8 ↗(On Diff #199692)

I think will be good idea to highlight fork and exec with double back-ticks.

Eugene.Zelenko added reviewers: hokein, aaron.ballman, JonasToth.May 15 2019, 4:05 PM
Eugene.Zelenko added a project: Restricted Project.
Eugene.Zelenko added inline comments.
clang-tools-extra/docs/clang-tidy/checks/android-cloexec-pipe.rst
4 ↗(On Diff #199692)

Please make same length as name above.

jcai19 updated this revision to Diff 199861.May 16 2019, 11:16 AM

Add fixes based on comments

Harbormaster completed remote builds in B31996: Diff 199861.May 16 2019, 11:16 AM
jcai19 updated this revision to Diff 199870.May 16 2019, 11:34 AM
jcai19 marked 4 inline comments as done.

Fix format

Harbormaster completed remote builds in B32000: Diff 199870.May 16 2019, 11:34 AM
jcai19 marked 4 inline comments as done.May 16 2019, 11:35 AM
jcai19 added inline comments.
clang-tools-extra/clang-tidy/android/CloexecPipeCheck.cpp
27 ↗(On Diff #199692)

replaceFunc takes a llvm::StringRef as the third parameter. StringRef is "expected to be used in situations where the character data resides in some other buffer, whose lifetime extends past that of the StringRef", which is true in this case, so I think it should be fine.

clang-tools-extra/clang-tidy/android/CloexecPipeCheck.h
18 ↗(On Diff #199692)

Good catch!

clang-tools-extra/docs/clang-tidy/checks/android-cloexec-pipe.rst
4 ↗(On Diff #199692)

Thanks for the comments. I have fixed them accordingly.

jcai19 marked 2 inline comments as done.May 16 2019, 12:01 PM
jcai19 added inline comments.
clang-tools-extra/test/clang-tidy/android-cloexec-pipe.cpp
9 ↗(On Diff #199692)

Based on Testing Checks https://clang.llvm.org/extra/clang-tidy/Contributing.html, CHECK-MASSAGES and CHECK-FIXES are sufficient for clang-tidy checks. I have double checked the tests for similar checks and they don't seem to have additional FileCheck invocations other than these two.

srhines added a subscriber: jmgao.May 16 2019, 1:14 PM
george.burgess.iv added inline comments.May 16 2019, 1:36 PM
clang-tools-extra/clang-tidy/android/CloexecPipeCheck.cpp
27 ↗(On Diff #199692)

Both should be functionally equivalent in this code. My point was that it's not common to rely on temporary lifetime extension when writing the non-const& type would be equivalent (barring maybe cases with auto, but that's not applicable), and I don't see why we should break with that here.

jcai19 updated this revision to Diff 199926.May 16 2019, 4:03 PM

Use non-const& type for readbility.

Harbormaster completed remote builds in B32018: Diff 199926.May 16 2019, 4:04 PM
jcai19 marked 2 inline comments as done.May 16 2019, 4:04 PM
jcai19 added inline comments.
clang-tools-extra/clang-tidy/android/CloexecPipeCheck.cpp
27 ↗(On Diff #199692)

Make sense.

Eugene.Zelenko added inline comments.May 16 2019, 6:23 PM
clang-tools-extra/clang-tidy/android/CloexecPipeCheck.h
1 ↗(On Diff #199926)

Please extend to 80 characters. Same in source file.

jcai19 updated this revision to Diff 200068.May 17 2019, 11:11 AM
jcai19 marked an inline comment as done.

Update based on comments.

jcai19 marked an inline comment as done.May 17 2019, 11:12 AM
Harbormaster completed remote builds in B32081: Diff 200068.May 17 2019, 11:12 AM
jcai19 updated this revision to Diff 202052.May 29 2019, 1:59 PM

Add CHECK-MESSAGES-NOT checks.

Harbormaster completed remote builds in B32648: Diff 202052.May 29 2019, 2:00 PM
hokein accepted this revision.May 31 2019, 2:23 AM
hokein added inline comments.
clang-tools-extra/clang-tidy/android/CloexecPipeCheck.cpp
31 ↗(On Diff #202052)

the message doesn't seem to explain the reason, especially to the people who are not familiar with the pipe API, maybe prefer pipe2() to pipe() to avoid file descriptor leakage is clearer?

Ah, it looks like you are following the existing CloexecCreatCheck check, no need to do it in this patch.

clang-tools-extra/test/clang-tidy/android-cloexec-pipe.cpp
17 ↗(On Diff #202052)

nit: no need to do it explicitly, if a warning is shown unexpectedly, the test will fail.

This revision is now accepted and ready to land.May 31 2019, 2:23 AM
gribozavr added a subscriber: gribozavr.May 31 2019, 9:50 AM
gribozavr added inline comments.
clang-tools-extra/clang-tidy/android/CloexecPipeCheck.cpp
31 ↗(On Diff #202052)

"prefer pipe2() with O_CLOEXEC to avoid leaking file descriptors to child processes"

No need to change in this patch if you're following an existing pattern, but please do update the message in all checks in a separate patch to explain things better.

clang-tools-extra/clang-tidy/android/CloexecPipeCheck.h
18 ↗(On Diff #202052)

"Suggests to replace calls to pipe() with calls to pipe2()."

clang-tools-extra/docs/clang-tidy/checks/android-cloexec-pipe.rst
6 ↗(On Diff #202052)

WDYT about this rewrite?

"""
This check detects usage of pipe(). Using pipe() is not recommended, pipe2() is the suggested replacement.

The check also adds the O_CLOEXEC flag that marks the file descriptor to be closed in child processes. Without this flag a sensitive file descriptor can be leaked to a child process, potentially into a lower-privileged SELinux domain.
"""

16 ↗(On Diff #202052)

"Suggested replacement"

Also use a separate code block for the replacement.

gribozavr requested changes to this revision.May 31 2019, 9:50 AM
gribozavr edited reviewers, added: gribozavr; removed: alexfh.
This revision now requires changes to proceed.May 31 2019, 9:50 AM
gribozavr mentioned this in D62049: [clang-tidy] Add a close-on-exec check on pipe2() in Android module..May 31 2019, 10:01 AM
srhines added inline comments.May 31 2019, 1:04 PM
clang-tools-extra/test/clang-tidy/android-cloexec-pipe.cpp
17 ↗(On Diff #202052)

I somehow never realized this (and there seem to be several places that also don't realize it). Thanks for letting us know.

jcai19 updated this revision to Diff 202625.Jun 2 2019, 3:38 PM
jcai19 marked an inline comment as done.

Remove CHECK-MESSAGES-NOT and update description based on comments

jcai19 marked 6 inline comments as done.Jun 2 2019, 3:41 PM
jcai19 added inline comments.
clang-tools-extra/clang-tidy/android/CloexecPipeCheck.cpp
31 ↗(On Diff #202052)

Thanks for the comments. I have updated the text.

clang-tools-extra/test/clang-tidy/android-cloexec-pipe.cpp
17 ↗(On Diff #202052)

Thanks for the clarification.

Harbormaster completed remote builds in B32797: Diff 202625.Jun 2 2019, 3:44 PM
gribozavr accepted this revision.Jun 3 2019, 1:05 AM
gribozavr added inline comments.
clang-tools-extra/test/clang-tidy/android-cloexec-pipe.cpp
5 ↗(On Diff #202052)

Please give the tests informative names instead of f, g etc.

This revision is now accepted and ready to land.Jun 3 2019, 1:05 AM
jcai19 updated this revision to Diff 202835.Jun 3 2019, 6:15 PM

Update the test function names.

Harbormaster completed remote builds in B32848: Diff 202835.Jun 3 2019, 6:16 PM
jcai19 marked an inline comment as done.Jun 3 2019, 6:17 PM

Thanks for all the comments. george.burgess.iv will submit this change for me.

george.burgess.iv added a comment.Jun 3 2019, 7:29 PM

Will submit once gribozavr indicates that they're happy with the new test names. Thanks again for working on this!

gribozavr accepted this revision.Jun 4 2019, 1:40 AM
gribozavr added inline comments.
clang-tools-extra/test/clang-tidy/android-cloexec-pipe.cpp
14 ↗(On Diff #202835)

noWarningForPipeInNamespace ?

23 ↗(On Diff #202835)

noWarningForPipeMemberFunction ?

jcai19 updated this revision to Diff 202984.Jun 4 2019, 10:53 AM

Update test function names.

jcai19 marked 2 inline comments as done.Jun 4 2019, 10:54 AM
Harbormaster completed remote builds in B32888: Diff 202984.Jun 4 2019, 10:54 AM
Closed by commit rL362673: android: add a close-on-exec check on pipe() (authored by gbiv). · Explain WhyJun 5 2019, 10:19 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJun 5 2019, 10:19 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

PathSize
clang-tools-extra/
trunk/
clang-tidy/
android/
2 lines
1 line
34 lines
37 lines
docs/
5 lines
clang-tidy/
checks/
20 lines
1 line
test/
clang-tidy/
27 lines

Diff 203283

clang-tools-extra/trunk/clang-tidy/android/AndroidTidyModule.cpp

Show All 14 Lines
#include "CloexecDupCheck.h" #include "CloexecDupCheck.h"
#include "CloexecEpollCreate1Check.h" #include "CloexecEpollCreate1Check.h"
#include "CloexecEpollCreateCheck.h" #include "CloexecEpollCreateCheck.h"
#include "CloexecFopenCheck.h" #include "CloexecFopenCheck.h"
#include "CloexecInotifyInit1Check.h" #include "CloexecInotifyInit1Check.h"
#include "CloexecInotifyInitCheck.h" #include "CloexecInotifyInitCheck.h"
#include "CloexecMemfdCreateCheck.h" #include "CloexecMemfdCreateCheck.h"
#include "CloexecOpenCheck.h" #include "CloexecOpenCheck.h"
#include "CloexecPipeCheck.h"
#include "CloexecPipe2Check.h" #include "CloexecPipe2Check.h"
#include "CloexecSocketCheck.h" #include "CloexecSocketCheck.h"
#include "ComparisonInTempFailureRetryCheck.h" #include "ComparisonInTempFailureRetryCheck.h"
using namespace clang::ast_matchers; using namespace clang::ast_matchers;
namespace clang { namespace clang {
namespace tidy { namespace tidy {
Show All 14 Lines void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
CheckFactories.registerCheck<CloexecFopenCheck>("android-cloexec-fopen"); CheckFactories.registerCheck<CloexecFopenCheck>("android-cloexec-fopen");
CheckFactories.registerCheck<CloexecInotifyInit1Check>( CheckFactories.registerCheck<CloexecInotifyInit1Check>(
"android-cloexec-inotify-init1"); "android-cloexec-inotify-init1");
CheckFactories.registerCheck<CloexecInotifyInitCheck>( CheckFactories.registerCheck<CloexecInotifyInitCheck>(
"android-cloexec-inotify-init"); "android-cloexec-inotify-init");
CheckFactories.registerCheck<CloexecMemfdCreateCheck>( CheckFactories.registerCheck<CloexecMemfdCreateCheck>(
"android-cloexec-memfd-create"); "android-cloexec-memfd-create");
CheckFactories.registerCheck<CloexecOpenCheck>("android-cloexec-open"); CheckFactories.registerCheck<CloexecOpenCheck>("android-cloexec-open");
CheckFactories.registerCheck<CloexecPipeCheck>("android-cloexec-pipe");
CheckFactories.registerCheck<CloexecPipe2Check>("android-cloexec-pipe2"); CheckFactories.registerCheck<CloexecPipe2Check>("android-cloexec-pipe2");
CheckFactories.registerCheck<CloexecSocketCheck>("android-cloexec-socket"); CheckFactories.registerCheck<CloexecSocketCheck>("android-cloexec-socket");
CheckFactories.registerCheck<ComparisonInTempFailureRetryCheck>( CheckFactories.registerCheck<ComparisonInTempFailureRetryCheck>(
"android-comparison-in-temp-failure-retry"); "android-comparison-in-temp-failure-retry");
} }
}; };
// Register the AndroidTidyModule using this statically initialized variable. // Register the AndroidTidyModule using this statically initialized variable.
Show All 11 Lines

clang-tools-extra/trunk/clang-tidy/android/CMakeLists.txt

set(LLVM_LINK_COMPONENTS support) set(LLVM_LINK_COMPONENTS support)
add_clang_library(clangTidyAndroidModule add_clang_library(clangTidyAndroidModule
AndroidTidyModule.cpp AndroidTidyModule.cpp
CloexecAccept4Check.cpp CloexecAccept4Check.cpp
CloexecAcceptCheck.cpp CloexecAcceptCheck.cpp
CloexecCheck.cpp CloexecCheck.cpp
CloexecCreatCheck.cpp CloexecCreatCheck.cpp
CloexecDupCheck.cpp CloexecDupCheck.cpp
CloexecEpollCreate1Check.cpp CloexecEpollCreate1Check.cpp
CloexecEpollCreateCheck.cpp CloexecEpollCreateCheck.cpp
CloexecFopenCheck.cpp CloexecFopenCheck.cpp
CloexecInotifyInit1Check.cpp CloexecInotifyInit1Check.cpp
CloexecInotifyInitCheck.cpp CloexecInotifyInitCheck.cpp
CloexecMemfdCreateCheck.cpp CloexecMemfdCreateCheck.cpp
CloexecOpenCheck.cpp CloexecOpenCheck.cpp
CloexecPipeCheck.cpp
CloexecPipe2Check.cpp CloexecPipe2Check.cpp
CloexecSocketCheck.cpp CloexecSocketCheck.cpp
ComparisonInTempFailureRetryCheck.cpp ComparisonInTempFailureRetryCheck.cpp
LINK_LIBS LINK_LIBS
clangAST clangAST
clangASTMatchers clangASTMatchers
clangBasic clangBasic
clangLex clangLex
clangTidy clangTidy
clangTidyUtils clangTidyUtils
) )

clang-tools-extra/trunk/clang-tidy/android/CloexecPipeCheck.h

//===--- CloexecPipeCheck.h - clang-tidy-------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_PIPE_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_PIPE_H
#include "CloexecCheck.h"
namespace clang {
namespace tidy {
namespace android {
/// Suggests to replace calls to pipe() with calls to pipe2().
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/android-cloexec-pipe.html
class CloexecPipeCheck : public CloexecCheck {
public:
CloexecPipeCheck(StringRef Name, ClangTidyContext *Context)
: CloexecCheck(Name, Context) {}
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
};
} // namespace android
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_PIPE_H

clang-tools-extra/trunk/clang-tidy/android/CloexecPipeCheck.cpp

//===--- CloexecPipeCheck.cpp - clang-tidy---------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "CloexecPipeCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace android {
void CloexecPipeCheck::registerMatchers(MatchFinder *Finder) {
registerMatchersImpl(Finder,
functionDecl(returns(isInteger()), hasName("pipe"),
hasParameter(0, hasType(pointsTo(isInteger())))));
}
void CloexecPipeCheck::check(const MatchFinder::MatchResult &Result) {
std::string ReplacementText =
(Twine("pipe2(") + getSpellingArg(Result, 0) + ", O_CLOEXEC)").str();
replaceFunc(
Result,
"prefer pipe2() with O_CLOEXEC to avoid leaking file descriptors to child processes",
ReplacementText);
}
} // namespace android
} // namespace tidy
} // namespace clang

clang-tools-extra/trunk/docs/ReleaseNotes.rst

Show First 20 LinesShow All 95 Lines▼ Show 20 Lines- New :doc:`abseil-time-comparison
domain. domain.
- New :doc:`abseil-time-subtraction - New :doc:`abseil-time-subtraction
<clang-tidy/checks/abseil-time-subtraction>` check. <clang-tidy/checks/abseil-time-subtraction>` check.
Finds and fixes ``absl::Time`` subtraction expressions to do subtraction Finds and fixes ``absl::Time`` subtraction expressions to do subtraction
in the Time domain instead of the numeric domain. in the Time domain instead of the numeric domain.
- New :doc:`android-cloexec-pipe
<clang-tidy/checks/android-cloexec-pipe>` check.
This check detects usage of ``pipe()``.
- New :doc:`android-cloexec-pipe2 - New :doc:`android-cloexec-pipe2
<clang-tidy/checks/android-cloexec-pipe2>` check. <clang-tidy/checks/android-cloexec-pipe2>` check.
This checks ensures that ``pipe2()`` is called with the O_CLOEXEC flag. This checks ensures that ``pipe2()`` is called with the O_CLOEXEC flag.
- New :doc:`bugprone-unhandled-self-assignment - New :doc:`bugprone-unhandled-self-assignment
<clang-tidy/checks/bugprone-unhandled-self-assignment>` check. <clang-tidy/checks/bugprone-unhandled-self-assignment>` check.
▲ Show 20 LinesShow All 118 LinesShow Last 20 Lines

clang-tools-extra/trunk/docs/clang-tidy/checks/android-cloexec-pipe.rst

.. title:: clang-tidy - android-cloexec-pipe
android-cloexec-pipe
====================
This check detects usage of ``pipe()``. Using ``pipe()`` is not recommended, ``pipe2()`` is the
suggested replacement. The check also adds the O_CLOEXEC flag that marks the file descriptor to
be closed in child processes. Without this flag a sensitive file descriptor can be leaked to a
child process, potentially into a lower-privileged SELinux domain.
Examples:
.. code-block:: c++
pipe(pipefd);
Suggested replacement:
.. code-block:: c++
pipe2(pipefd, O_CLOEXEC);

clang-tools-extra/trunk/docs/clang-tidy/checks/list.rst

Show All 26 Lines.. toctree::
android-cloexec-dup android-cloexec-dup
android-cloexec-epoll-create android-cloexec-epoll-create
android-cloexec-epoll-create1 android-cloexec-epoll-create1
android-cloexec-fopen android-cloexec-fopen
android-cloexec-inotify-init android-cloexec-inotify-init
android-cloexec-inotify-init1 android-cloexec-inotify-init1
android-cloexec-memfd-create android-cloexec-memfd-create
android-cloexec-open android-cloexec-open
android-cloexec-pipe
android-cloexec-pipe2 android-cloexec-pipe2
android-cloexec-socket android-cloexec-socket
android-comparison-in-temp-failure-retry android-comparison-in-temp-failure-retry
boost-use-to-string boost-use-to-string
bugprone-argument-comment bugprone-argument-comment
bugprone-assert-side-effect bugprone-assert-side-effect
bugprone-bool-pointer-implicit-conversion bugprone-bool-pointer-implicit-conversion
bugprone-branch-clone bugprone-branch-clone
▲ Show 20 LinesShow All 243 LinesShow Last 20 Lines

clang-tools-extra/trunk/test/clang-tidy/android-cloexec-pipe.cpp

// RUN: %check_clang_tidy %s android-cloexec-pipe %t
extern "C" int pipe(int pipefd[2]);
void warning() {
int pipefd[2];
pipe(pipefd);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: prefer pipe2() with O_CLOEXEC to avoid leaking file descriptors to child processes [android-cloexec-pipe]
// CHECK-FIXES: pipe2(pipefd, O_CLOEXEC);
}
namespace i {
int pipe(int pipefd[2]);
void noWarningInNamespace() {
int pipefd[2];
pipe(pipefd);
}
} // namespace i
class C {
public:
int pipe(int pipefd[2]);
void noWarningForMemberFunction() {
int pipefd[2];
pipe(pipefd);
}
};