rutabaga: do not rely on seals to detect read-only shm fds

valpackett · slp · commit 1e1bc7671d1f · 2026-03-11T17:52:22.000+01:00
Some compositors send read-only but not sealed memfds (at least wlroots
does so for dmabuf feedback), so seal-based permission detection would
result in mapping RO memory as RW and the guest application crashing.
Fix by properly checking the access mode. Keep seal detection because
e.g. Smithay based compositors do send O_RDWR but write-sealed memfds.

Upstream rutabaga does not do any detection yet, but defaults to RO
for all shm/memfd (!!) and RW for dmabuf.

Signed-off-by: Val Packett &lt;val@invisiblethingslab.com&gt;
diff --git a/src/rutabaga_gfx/src/cross_domain/mod.rs b/src/rutabaga_gfx/src/cross_domain/mod.rs
@@ -1122,15 +1122,27 @@ impl RutabagaContext for CrossDomainContext {
             .remove(&item_id)
             .ok_or(RutabagaError::InvalidCrossDomainItemId)?;
 
+        fn access_mode(descriptor: &SafeDescriptor) -> RutabagaResult<u32> {
+            Ok(
+                match fcntl(descriptor.as_fd(), FcntlArg::F_GETFL)? & libc::O_ACCMODE {
+                    libc::O_RDWR => RUTABAGA_MAP_ACCESS_RW,
+                    libc::O_WRONLY => RUTABAGA_MAP_ACCESS_WRITE,
+                    _ => RUTABAGA_MAP_ACCESS_READ,
+                    // (there is a "secret fourth option" O_WRONLY|O_RDWR meaning "no access", very unlikely we'd see it)
+                },
+            )
+        }
+
         // Items that are removed from the table after one usage.
         match item {
             CrossDomainItem::ShmBlob(descriptor) => {
                 #[allow(unused_mut)]
-                let mut access = RUTABAGA_MAP_ACCESS_RW;
+                let mut access = access_mode(&descriptor)?;
+                // Some compositors actually do send descriptors that are O_RDWR but write-sealed (!)
                 #[cfg(target_os = "linux")]
                 if fcntl(&descriptor, FcntlArg::F_GET_SEALS)? & libc::F_SEAL_WRITE != 0 {
                     access &= !RUTABAGA_MAP_ACCESS_WRITE;
-                };
+                }
 
                 let hnd = RutabagaHandle {
                     os_handle: descriptor,
@@ -1156,10 +1168,7 @@ impl RutabagaContext for CrossDomainContext {
                 })
             }
             CrossDomainItem::DmaBuf(descriptor) => {
-                let mut access = RUTABAGA_MAP_ACCESS_READ;
-                if fcntl(descriptor.as_fd(), FcntlArg::F_GETFL)? & libc::O_WRONLY != 0 {
-                    access |= RUTABAGA_MAP_ACCESS_WRITE;
-                }
+                let access = access_mode(&descriptor)?;
 
                 let hnd = RutabagaHandle {
                     os_handle: descriptor,
