1 issue found across 8 files
<file name="src/syscall/path.c">
<violation number="1" location="src/syscall/path.c:93">
P1: Root access check does not match CAP_DAC_OVERRIDE semantics: read and write should be granted unconditionally for uid 0, with only execute requiring at least one x-bit set.</violation>
</file>
Java GC, Go scheduler init, and libnuma probe
/sys/devices/system/cpu/{online,possible,present} plus per-CPU dirs to
size thread pools. macOS has no /sys, so the lack of these files made
those probes fall back to suboptimal heuristics or fail outright.
ensure_syscpu_dir lazily builds /tmp/elfuse-syscpu-XXXXXX/ on first
access, populated with online/possible/present cpumask range files
(sysconf(_SC_NPROCESSORS_ONLN) gives "0" for one CPU, "0-N-1" for N)
and one empty cpuN/ directory per host CPU. The cache/topology
subtrees stay empty so deeper queries return ENOENT until a real
consumer asks. Population is one-shot: the host CPU count does not
change at runtime so refresh is unnecessary.
Hardening guards on the open and stat paths:
- syscpu_open_is_readonly rejects non-RDONLY accmode plus O_CREAT
and O_TRUNC with EACCES so the stub stays read-only as a real
sysfs would, covering both the bare cpu root and child paths.
- syscpu_suffix_safe rejects any '..' component before path join so
a guest open of /sys/devices/system/cpu/../../etc/passwd cannot
pivot the lstat/open onto an arbitrary host file.
- ensure_syscpu_dir tears down the partial scratch dir on any
write_file/mkdir failure instead of caching a half-built state
with syscpu_dir_ok=true.
- A getpid()-vs-syscpu_owner_pid guard in syscpu_dir_cleanup keeps
clone(CLONE_VM) children from rmdir'ing the parent's still-active
scratch tree at exit.
- path_prefix_match in path.c tightens the prefix test so
/sys/devices/system/cpufoo no longer falls into the intercept
layer.
- syscpu_classify centralizes SYSFS_CPU prefix handling between
proc_intercept_open and proc_intercept_stat as one source of
truth.
While auditing access(2) for the new stub, the previous "intercept
matched, return 0" shortcut leaked false positives: a guest probing
W_OK on an intercepted path received 0 even when no W bit was set
in the synthesized stat. path_check_intercept_access now does
proper POSIX mode-bit checking against the stat result, with
standard owner/group/other selection plus a CAP_DAC_OVERRIDE-style
root branch that grants RW always and X if any X bit is set. The
synthetic stat fillers now populate st_uid/st_gid from
proc_get_uid/proc_get_gid so the owner branch matches.
faccessat SYS 48 dispatch passed x3 to sys_faccessat even though
Linux's 3-arg faccessat has no flags parameter; x3 carried whatever
garbage was in the caller's register state, and
translate_faccessat_flags would set AT_EACCESS or
AT_SYMLINK_NOFOLLOW semi-randomly. SYS 48 now forces flags=0; SYS
439 (faccessat2) keeps x3 as before.
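The boundary-checked prefix test and the ".." guard the hardening bullets describe, as an added example written for this page rather than elfuse's own path.c; the function names and the return-code convention are assumptions:

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not elfuse's own code: a prefix test that matches only at
 * a path-component boundary, a traversal guard rejecting any ".."
 * component, and a classifier combining them. Names are assumptions. */
#define SYSFS_CPU "/sys/devices/system/cpu"

/* True if path equals prefix or continues with '/'. Without the boundary
 * check, /sys/devices/system/cpufoo would match and be intercepted too. */
bool path_prefix_match(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    if (strncmp(path, prefix, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* False if any '/'-separated component is exactly "..": catches "..",
 * "../x", "a/../b" and "a/..". Names like "..foo" are ordinary entries. */
bool syscpu_suffix_safe(const char *suffix)
{
    for (const char *p = suffix; ; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (!end)
            return true;
        p = end + 1;
    }
}

/* -1: not under SYSFS_CPU; 0: the cpu root itself; 1: a child whose
 * suffix (after "cpu/") is safe to join onto the scratch dir, stored in
 * *suffix when non-NULL; -2: a child containing a ".." component. */
int syscpu_classify(const char *path, const char **suffix)
{
    if (!path_prefix_match(path, SYSFS_CPU))
        return -1;
    const char *rest = path + strlen(SYSFS_CPU);
    if (*rest == '\0')
        return 0;
    rest++;                                /* skip the separating '/' */
    if (!syscpu_suffix_safe(rest))
        return -2;
    if (suffix)
        *suffix = rest;
    return 1;
}
```

Running the classifier before any lstat/open on the scratch tree is what keeps the host-side path from ever being built from a guest-controlled ".." component.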
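The POSIX mode-bit check with the CAP_DAC_OVERRIDE-style root branch that the access(2) paragraph describes (and that the review comment above asks for), as an added example and not elfuse's path_check_intercept_access; the function names are assumptions, and the caller's ids are passed in rather than read from proc_get_uid/proc_get_gid:

```c
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not elfuse's path_check_intercept_access: check an
 * access(2)/faccessat(2) request (F_OK, or R_OK|W_OK|X_OK bits) against a
 * synthesized struct stat. uid/gid are the caller's ids (the project reads
 * them via proc_get_uid/proc_get_gid). Returns 0 if allowed, else -EACCES. */
int intercept_access_check(const struct stat *st, uid_t uid, gid_t gid, int mode)
{
    mode_t want = 0, have;

    if (mode == F_OK)
        return 0;               /* existence only; the stat already succeeded */

    if (uid == 0) {
        /* CAP_DAC_OVERRIDE-style root branch: read and write are granted
         * unconditionally; execute needs at least one x bit in any class. */
        if ((mode & X_OK) && !(st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
            return -EACCES;
        return 0;
    }

    /* Standard POSIX class selection: owner, else group, else other. */
    if (uid == st->st_uid)
        have = (st->st_mode >> 6) & 7;
    else if (gid == st->st_gid)
        have = (st->st_mode >> 3) & 7;
    else
        have = st->st_mode & 7;

    /* Map R_OK/W_OK/X_OK onto an rwx triple rather than assuming 4/2/1. */
    if (mode & R_OK) want |= 4;
    if (mode & W_OK) want |= 2;
    if (mode & X_OK) want |= 1;
    return (have & want) == want ? 0 : -EACCES;
}

/* Convenience wrapper that builds the synthesized stat inline, the way a
 * synthetic stat filler would populate st_mode/st_uid/st_gid. */
int check_synth(mode_t st_mode, uid_t owner, gid_t group,
                uid_t uid, gid_t gid, int mode)
{
    struct stat st = {0};
    st.st_mode = st_mode;
    st.st_uid = owner;
    st.st_gid = group;
    return intercept_access_check(&st, uid, gid, mode);
}
```

With this check a guest probing W_OK on a 0640 file it does not own gets EACCES instead of the old unconditional 0, while root still reads and writes everything and only gains X when some x bit exists.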
Summary by cubic
Adds a synthetic /sys/devices/system/cpu on hosts without sysfs so Java, Go, and libnuma can detect CPU count reliably. Also hardens open/stat/access handling and fixes the faccessat flags bug.
New Features
/tmp/elfuse-syscpu-XXXXXX. online, possible, present with "0" or "0-N-1" from _SC_NPROCESSORS_ONLN. cpuN/ per host CPU; cache/ and topology/ return ENOENT.
Bug Fixes
test-sysfs-cpu; included in the suite and skipped in the qemu reference run.
Written for commit 451b77e. Summary will update on new commits.