[clang-tidy][Part1] Add a new module Android and three new checks.

Summary:
A common source of security bugs is code that opens a file descriptors without using the O_CLOEXEC flag.  (Without that flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain, leaking that sensitive data.).

Add a new Android module and one checks in clang-tidy.
-- open(), openat(), and open64() should include O_CLOEXEC in their flags argument. [android-file-open-flag]

Links to part2 and part3:
https://reviews.llvm.org/D33745
https://reviews.llvm.org/D33747


Reviewers: chh, alexfh, aaron.ballman, hokein

Reviewed By: alexfh, hokein

Subscribers: jbcoe, joerg, malcolm.parsons, Eugene.Zelenko, srhines, mgorny, xazax.hun, cfe-commits, krytarowski

Tags: #clang-tools-extra

Differential Revision: https://reviews.llvm.org/D33304

llvm-svn: 306165

4 files changed, 192 insertions, 0 deletions

diff --git a/clang-tools-extra/clang-tidy/android/AndroidTidyModule.cpp b/clang-tools-extra/clang-tidy/android/AndroidTidyModule.cpp
new file mode 100644
index 00000000000..0ff7060a548
--- /dev/null
+++ b/clang-tools-extra/clang-tidy/android/AndroidTidyModule.cpp
@@ -0,0 +1,40 @@
+//===--- AndroidTidyModule.cpp - clang-tidy--------------------------------===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#include "../ClangTidy.h"
+#include "../ClangTidyModule.h"
+#include "../ClangTidyModuleRegistry.h"
+#include "FileOpenFlagCheck.h"
+
+using namespace clang::ast_matchers;
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+/// This module is for Android specific checks.
+class AndroidModule : public ClangTidyModule {
+public:
+  void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
+    CheckFactories.registerCheck<FileOpenFlagCheck>("android-file-open-flag");
+  }
+};
+
+// Register the AndroidTidyModule using this statically initialized variable.
+static ClangTidyModuleRegistry::Add<AndroidModule>
+    X("android-module", "Adds Android platform checks.");
+
+} // namespace android
+
+// This anchor is used to force the linker to link in the generated object file
+// and thus register the AndroidModule.
+volatile int AndroidModuleAnchorSource = 0;
+
+} // namespace tidy
+} // namespace clang
diff --git a/clang-tools-extra/clang-tidy/android/CMakeLists.txt b/clang-tools-extra/clang-tidy/android/CMakeLists.txt
new file mode 100644
index 00000000000..ea66161cc7b
--- /dev/null
+++ b/clang-tools-extra/clang-tidy/android/CMakeLists.txt
@@ -0,0 +1,14 @@
+set(LLVM_LINK_COMPONENTS support)
+
+add_clang_library(clangTidyAndroidModule
+  AndroidTidyModule.cpp
+  FileOpenFlagCheck.cpp
+
+  LINK_LIBS
+  clangAST
+  clangASTMatchers
+  clangBasic
+  clangLex
+  clangTidy
+  clangTidyUtils
+  )
diff --git a/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.cpp b/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.cpp
new file mode 100644
index 00000000000..8cb05e40029
--- /dev/null
+++ b/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.cpp
@@ -0,0 +1,98 @@
+//===--- FileOpenFlagCheck.cpp - clang-tidy--------------------------------===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#include "FileOpenFlagCheck.h"
+#include "clang/AST/ASTContext.h"
+#include "clang/ASTMatchers/ASTMatchFinder.h"
+#include "clang/Lex/Lexer.h"
+
+using namespace clang::ast_matchers;
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+namespace {
+static constexpr const char *O_CLOEXEC = "O_CLOEXEC";
+
+bool HasCloseOnExecFlag(const Expr *Flags, const SourceManager &SM,
+                        const LangOptions &LangOpts) {
+  // If the Flag is an integer constant, check it.
+  if (isa<IntegerLiteral>(Flags)) {
+    if (!SM.isMacroBodyExpansion(Flags->getLocStart()))
+      return false;
+
+    // Get the Marco name.
+    auto MacroName = Lexer::getSourceText(
+        CharSourceRange::getTokenRange(Flags->getSourceRange()), SM, LangOpts);
+
+    return MacroName == O_CLOEXEC;
+  }
+  // If it's a binary OR operation.
+  if (const auto *BO = dyn_cast<BinaryOperator>(Flags))
+    if (BO->getOpcode() == clang::BinaryOperatorKind::BO_Or)
+      return HasCloseOnExecFlag(BO->getLHS()->IgnoreParenCasts(), SM,
+                                LangOpts) ||
+             HasCloseOnExecFlag(BO->getRHS()->IgnoreParenCasts(), SM, LangOpts);
+
+  // Otherwise, assume it has the flag.
+  return true;
+}
+} // namespace
+
+void FileOpenFlagCheck::registerMatchers(MatchFinder *Finder) {
+  auto CharPointerType = hasType(pointerType(pointee(isAnyCharacter())));
+
+  Finder->addMatcher(
+      callExpr(callee(functionDecl(isExternC(), returns(isInteger()),
+                                   hasAnyName("open", "open64"),
+                                   hasParameter(0, CharPointerType),
+                                   hasParameter(1, hasType(isInteger())))
+                          .bind("funcDecl")))
+          .bind("openFn"),
+      this);
+  Finder->addMatcher(
+      callExpr(callee(functionDecl(isExternC(), returns(isInteger()),
+                                   hasName("openat"),
+                                   hasParameter(0, hasType(isInteger())),
+                                   hasParameter(1, CharPointerType),
+                                   hasParameter(2, hasType(isInteger())))
+                          .bind("funcDecl")))
+          .bind("openatFn"),
+      this);
+}
+
+void FileOpenFlagCheck::check(const MatchFinder::MatchResult &Result) {
+  const Expr *FlagArg = nullptr;
+  if (const auto *OpenFnCall = Result.Nodes.getNodeAs<CallExpr>("openFn"))
+    FlagArg = OpenFnCall->getArg(1);
+  else if (const auto *OpenFnCall =
+               Result.Nodes.getNodeAs<CallExpr>("openatFn"))
+    FlagArg = OpenFnCall->getArg(2);
+  assert(FlagArg);
+
+  const auto *FD = Result.Nodes.getNodeAs<FunctionDecl>("funcDecl");
+
+  // Check the required flag.
+  SourceManager &SM = *Result.SourceManager;
+  if (HasCloseOnExecFlag(FlagArg->IgnoreParenCasts(), SM,
+                         Result.Context->getLangOpts()))
+    return;
+
+  SourceLocation EndLoc = Lexer::getLocForEndOfToken(
+      FlagArg->getLocEnd(), 0, SM, Result.Context->getLangOpts());
+
+  diag(EndLoc, "%0 should use %1 where possible")
+      << FD << O_CLOEXEC
+      << FixItHint::CreateInsertion(EndLoc, (Twine(" | ") + O_CLOEXEC).str());
+}
+
+} // namespace android
+} // namespace tidy
+} // namespace clang
diff --git a/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h b/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h
new file mode 100644
index 00000000000..7c39a5ad704
--- /dev/null
+++ b/clang-tools-extra/clang-tidy/android/FileOpenFlagCheck.h
@@ -0,0 +1,40 @@
+//===--- FileOpenFlagCheck.h - clang-tidy----------------------------------===//
+//
+//                      The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H
+#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H
+
+#include "../ClangTidy.h"
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+/// Finds code that opens file without using the O_CLOEXEC flag.
+///
+/// open(), openat(), and open64() had better to include O_CLOEXEC in their
+/// flags argument. Only consider simple cases that the corresponding argument
+/// is constant or binary operation OR among constants like 'O_CLOEXEC' or
+/// 'O_CLOEXEC | O_RDONLY'. No constant propagation is performed.
+///
+/// Only the symbolic 'O_CLOEXEC' macro definition is checked, not the concrete
+/// value.
+class FileOpenFlagCheck : public ClangTidyCheck {
+public:
+  FileOpenFlagCheck(StringRef Name, ClangTidyContext *Context)
+      : ClangTidyCheck(Name, Context) {}
+  void registerMatchers(ast_matchers::MatchFinder *Finder) override;
+  void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
+};
+
+} // namespace android
+} // namespace tidy
+} // namespace clang
+
+#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H