Try to set stronger controls on arguments

fermitools · Jul 24, 2024 · 0ffeb45 · 0ffeb45
1 parent ff71817
commit 0ffeb45
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/src/C/kcron_caps.h b/src/C/kcron_caps.h
@@ -74,7 +74,7 @@ static void print_cap_error(const char *mode, const cap_value_t expected_cap[],
   }
 }
 
-int enable_capabilities(const cap_value_t expected_cap[], const int num_caps) __attribute__((nonnull(1))) __attribute__((warn_unused_result)) __attribute__((flatten)) __attribute__((hot));
+int enable_capabilities(const cap_value_t expected_cap[], const int num_caps) __attribute__((nonnull(1))) __attribute__((warn_unused_result)) __attribute__((flatten)) __attribute__((hot)) __attribute__((access(read_only, 1))) __attribute__((access(read_only, 2)));
 int enable_capabilities(const cap_value_t expected_cap[], const int num_caps) {
   cap_t capabilities = cap_get_proc();
 
@@ -124,7 +124,7 @@ int disable_capabilities(void) {
   return 0;
 }
 
-int enable_capabilities(const cap_value_t expected_cap[], const int num_caps) __attribute__((nonnull(1))) __attribute__((warn_unused_result)) __attribute__((flatten));
+int enable_capabilities(const cap_value_t expected_cap[], const int num_caps) __attribute__((nonnull(1))) __attribute__((warn_unused_result)) __attribute__((flatten)) __attribute__((access(read_only, 1))) __attribute__((access(read_only, 2)));
 int enable_capabilities(const cap_value_t expected_cap[], const int num_caps) {
   DTRACE_PROBE1(__PROGRAM_NAME, "cap-set-flag-permitted", 2);
   DTRACE_PROBE1(__PROGRAM_NAME, "cap-set-flag-effective", 2);

diff --git a/src/C/kcron_empty_keytab_file.h b/src/C/kcron_empty_keytab_file.h
@@ -44,7 +44,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-int write_empty_keytab(int filedescriptor) __attribute__((warn_unused_result));
+int write_empty_keytab(int filedescriptor) __attribute__((warn_unused_result)) __attribute__((fd_arg_write));
 int write_empty_keytab(int filedescriptor) {
 
   if (filedescriptor == 0) {

diff --git a/src/C/kcron_filename.h b/src/C/kcron_filename.h
@@ -60,8 +60,8 @@ int get_client_dirname(char *keytab_dir) {
   return 0;
 }
 
-int get_filenames(char *keytab_dir, char *keytab_filename, char *keytab) __attribute__((nonnull(1, 2, 3))) __attribute__((access(read_write, 1)))
-__attribute((access(read_write, 2))) __attribute((access(read_write, 3))) __attribute__((warn_unused_result)) __attribute__((flatten));
+int get_filenames(char *keytab_dir, char *keytab_filename, char *keytab) __attribute__((nonnull(1, 2, 3))) __attribute__((access(read_only, 1)))
+__attribute((access(read_only, 2))) __attribute((access(read_write, 3))) __attribute__((warn_unused_result)) __attribute__((flatten));
 int get_filenames(char *keytab_dir, char *keytab_filename, char *keytab) {
 
   const uid_t uid = getuid();