================
@@ -0,0 +1,170 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder
-verify %s
+
+#include "Inputs/system-header-simulator-setgid-setuid.h"
+
+void correct_order() {
+ if (setgid(getgid()) == -1)
+ return;
+ if (setuid(getuid()) == -1)
+ return;
+ if (setgid(getgid()) == -1)
+ return;
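Review bot: the trailing `setgid(getgid())` at the end of `correct_order` is the setgid-after-setuid pattern this checker exists to report, yet the test expects it to pass silently and gives no reason; since the RUN line uses `-verify`, mark the line with the usual `// no-warning` annotation and add a comment stating why a repeated `setgid(getgid())` after the earlier `setgid(getgid()); setuid(getuid())` sequence is accepted (group privileges were already dropped before the user privileges, so this call does not reorder the drop), otherwise a future reader cannot tell a deliberate special case from a missed report.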
----------------
NagyDonat wrote:
But why do the SEI-CERT best practices mandate that "this should not be
recognized as an error"? Could you briefly explain this in a comment? (E.g.
"Special case: calling `setgid(getgid())` after an earlier `setgid(getgid());
setuid(getuid())` combination is legitimate, because it... <why is this good>")
https://github.com/llvm/llvm-project/pull/91445
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits