Skip to content

Commit 9f34ac4

Browse files
committed
Fix trust database fd analyzer contract
check_trust_database() was annotated with __attr_fd_arg_read(3), but the fd parameter is optional for path-only trust lookups. When info is NULL, the implementation does not perform integrity checks and does not read from the descriptor, so valid callers may pass sentinel values such as -1. Remove the fd_arg_read annotation from the public prototype and document that fd is only consumed when info enables integrity checks. The remaining fd annotations still describe helpers that directly consume their descriptor arguments.
1 parent 5a95ca2 commit 9f34ac4

1 file changed

Lines changed: 5 additions & 1 deletion

File tree

src/library/database.h

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -60,8 +60,12 @@ int preconstruct_fifo(const conf_t *config) __nonnull ((1));
6060
int init_database(conf_t *config) __nonnull ((1));
6161
int do_memfd_update(int memfd, long *entries)
6262
__nonnull ((2)) __attr_fd_arg_read (1);
63+
/*
64+
* fd is only consumed when info enables integrity checks. Path-only lookups
65+
* may pass a sentinel fd because no file descriptor is available.
66+
*/
6367
int check_trust_database(const char *path, struct file_info *info, int fd)
64-
__nonnull ((1)) __attr_fd_arg_read (3);
68+
__nonnull ((1));
6569
void set_reload_trust_database(void);
6670
void close_database(void);
6771
void database_config_report(FILE *f);

0 commit comments

Comments
 (0)