From 15a0b58ca43ccbae26d1a1e7718d7d8bd2c2add2 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Sun, 8 Nov 2020 21:45:40 -0500
Subject: [PATCH 3/5] swtpm: Do not follow symlinks when opening lockfile (CVE-2020-28407)

This patch addresses CVE-2020-28407. Prevent us from following symliks when we open the lockfile for writing.

Signed-off-by: Stefan Berger
---
 src/swtpm/swtpm_nvfile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c
index 3b928d0..8a6621b 100644
--- a/src/swtpm/swtpm_nvfile.c
+++ b/src/swtpm/swtpm_nvfile.c
@@ -210,7 +210,7 @@ static TPM_RESULT SWTPM_NVRAM_Lock_Lockfile(const char *directory,
 return TPM_FAIL;
 }
 
- *fd = open(lockfile, O_WRONLY|O_CREAT|O_TRUNC, 0660);
+ *fd = open(lockfile, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0660);
 if (*fd < 0) {
 logprintf(STDERR_FILENO,
 "SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: %s\n",
-- 
2.27.0
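Review bot: O_NOFOLLOW on the added `open()` line only refuses a symlink as the final path component; it does not stop the kernel following a symlink in any directory component of `lockfile`, and it does nothing against a hard link, so a pre-existing file reachable through either is still truncated by O_TRUNC with whatever privileges swtpm runs as. How `lockfile` is built from `directory` is outside this hunk (SWTPM_NVRAM_Lock_Lockfile starts before it and continues after it), so whether those components are under the caller's control cannot be judged here. A cheap post-open check that the descriptor refers to a regular file with a single link, closing it and failing otherwise, would close the hard-link case without changing the lockfile's create-or-truncate semantics; the comment `/* O_NOFOLLOW: refuse a symlinked lockfile (CVE-2020-28407); fstat below rejects hard links */` documents both halves. Note also that O_NOFOLLOW is POSIX.1-2008 rather than C-standard, so the build should already be defining the feature-test macro that exposes it on every supported platform.
```c
    *fd = open(lockfile, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0660);
    /* … unchanged: open() failure branch with its logprintf … */
    struct stat sb;
    if (fstat(*fd, &sb) < 0 || !S_ISREG(sb.st_mode) || sb.st_nlink != 1) {
        logprintf(STDERR_FILENO,
                  "SWTPM_NVRAM_Lock_Lockfile: lockfile is not a regular file with one link: %s\n",
                  lockfile);
        close(*fd);
        *fd = -1;
        return TPM_FAIL;
    }
```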