diff options
| author | Yan Wang <yawanng@google.com> | 2017-06-23 21:37:29 +0000 |
|---|---|---|
| committer | Yan Wang <yawanng@google.com> | 2017-06-23 21:37:29 +0000 |
| commit | 36206206cdb20b17f8cf80b10b483af6efd4880e (patch) | |
| tree | c2a52be2cdd73dc6be4d6461219cbda264e3f5b4 /clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h | |
| parent | d1c3780cf62ebb997c220ed0bd3bd19db4d9403c (diff) | |
| download | bcm5719-llvm-36206206cdb20b17f8cf80b10b483af6efd4880e.tar.gz bcm5719-llvm-36206206cdb20b17f8cf80b10b483af6efd4880e.zip | |
[clang-tidy][Part1] Add a new module Android and three new checks.
Summary:
A common source of security bugs is code that opens a file descriptors without using the O_CLOEXEC flag. (Without that flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain, leaking that sensitive data.).
Add a new Android module and one checks in clang-tidy.
-- open(), openat(), and open64() should include O_CLOEXEC in their flags argument. [android-file-open-flag]
Links to part2 and part3:
https://reviews.llvm.org/D33745
https://reviews.llvm.org/D33747
Reviewers: chh, alexfh, aaron.ballman, hokein
Reviewed By: alexfh, hokein
Subscribers: jbcoe, joerg, malcolm.parsons, Eugene.Zelenko, srhines, mgorny, xazax.hun, cfe-commits, krytarowski
Tags: #clang-tools-extra
Differential Revision: https://reviews.llvm.org/D33304
llvm-svn: 306165
Diffstat (limited to 'clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h')
| -rw-r--r-- | clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h b/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h new file mode 100644 index 00000000000..7c39a5ad704 --- /dev/null +++ b/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h @@ -0,0 +1,40 @@ +//===--- FileOpenFlagCheck.h - clang-tidy----------------------------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// + +#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H +#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H + +#include "../ClangTidy.h" + +namespace clang { +namespace tidy { +namespace android { + +/// Finds code that opens file without using the O_CLOEXEC flag. +/// +/// open(), openat(), and open64() had better to include O_CLOEXEC in their +/// flags argument. Only consider simple cases that the corresponding argument +/// is constant or binary operation OR among constants like 'O_CLOEXEC' or +/// 'O_CLOEXEC | O_RDONLY'. No constant propagation is performed. +/// +/// Only the symbolic 'O_CLOEXEC' macro definition is checked, not the concrete +/// value. +class FileOpenFlagCheck : public ClangTidyCheck { +public: + FileOpenFlagCheck(StringRef Name, ClangTidyContext *Context) + : ClangTidyCheck(Name, Context) {} + void registerMatchers(ast_matchers::MatchFinder *Finder) override; + void check(const ast_matchers::MatchFinder::MatchResult &Result) override; +}; + +} // namespace android +} // namespace tidy +} // namespace clang + +#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H |
