From dfe190ee023df378de5b2a3854dfdaaffce93fa1 Mon Sep 17 00:00:00 2001
From: ibondarenko1
Date: Tue, 12 May 2026 12:40:51 -0700
Subject: [PATCH] lisafs: enforce c.readonly in BindAtHandler
The other 13 write-class handlers in pkg/lisafs/handlers.go (SetStat, OpenCreateAt, MkdirAt, MknodAt, SymlinkAt, LinkAt, FAllocate, UnlinkAt, RenameAt, RenameAt2, FSetXattr, FRemoveXattr, plus PWrite) reject with EROFS when the lisafs connection has c.readonly set. BindAtHandler creates a host-filesystem object (unix domain socket file) via dir.impl.BindAt(...) but does not check c.readonly. This makes the lisafs-level readonly intent inconsistent: a sandbox configured with --host-uds=create plus a readonly-marked lisafs mount can still create unix domain socket files on the host filesystem through that mount, while the same connection cannot create any other filesystem object. Add the c.readonly check at the top of BindAtHandler, matching the pattern used by the 13 sibling write-class handlers. No behavior change on RW connections.
---
 pkg/lisafs/handlers.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkg/lisafs/handlers.go b/pkg/lisafs/handlers.go
index 9e22a6cb0b..aa1b1facda 100644
--- a/pkg/lisafs/handlers.go
+++ b/pkg/lisafs/handlers.go
@@ -1108,6 +1108,9 @@ func ConnectWithCredsHandler(c *Connection, comm Communicator, payloadLen uint32
 // BindAtHandler handles the BindAt RPC.
 func BindAtHandler(c *Connection, comm Communicator, payloadLen uint32) (uint32, error) {
+ if c.readonly {
+ return 0, unix.EROFS
+ }
 var req BindAtReq
 if _, ok := req.CheckedUnmarshal(comm.PayloadBuf(payloadLen)); !ok {
 return 0, unix.EIO
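Review bot: The new `c.readonly` guard at the top of BindAtHandler carries no comment saying why a bind is treated as a write, and the diffstat shows only handlers.go changed, so nothing in this patch pins the behaviour against regression. I would add `// BindAt creates a socket file on the host filesystem, so it is refused on read-only connections like the other write-class RPCs.` above the `if`, and extend the doc comment with `// It returns EROFS when the connection is read-only.` A test that issues BindAt on a read-only connection and asserts EROFS with no socket file left behind would keep this handler aligned with its siblings; whether such a test already exists elsewhere is not visible from this page. BindAtHandler's body continues past the end of the hunk.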