enhance safe_fd function so it can digest arbitrary pathnames

author: smitsohu <smitsohu@gmail.com> 2018-08-01 15:23:26 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-08-01 15:23:26 +0200
commit: a1b84d1552655be4d981352ec6d04fe1a1d1cb13 (patch)
tree: 1859e2bae6088b3fd2863e5b6e0a40fc57614090 /src/firejail/util.c
parent: Merges (diff)
download: firejail-a1b84d1552655be4d981352ec6d04fe1a1d1cb13.tar.gz
firejail-a1b84d1552655be4d981352ec6d04fe1a1d1cb13.tar.zst
firejail-a1b84d1552655be4d981352ec6d04fe1a1d1cb13.zip
1 files changed, 35 insertions, 18 deletions
diff --git a/src/firejail/util.c b/src/firejail/util.c
index fa32ffcc8..18f837d7e 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1059,54 +1059,71 @@ void disable_file_path(const char *path, const char *file) {
 // user controlled paths. Passed flags are ignored if path is a top level directory.
 int safe_fd(const char *path, int flags) {
        assert(path);
-        int fd = -1;
+        // reject empty string, relative path
+        if (*path != '/')
+                goto errexit;
+        // reject ".."
+        if (strstr(path, ".."))
+                goto errexit;
        // work with a copy of path
        char *dup = strdup(path);
        if (dup == NULL)
                errExit("strdup");
-        // reject relative path and empty string
-        if (*dup != '/') {
-                fprintf(stderr, "Error: invalid pathname: %s\n", path);
-                exit(1);
-        }
        char *p = strrchr(dup, '/');
        if (p == NULL)
                errExit("strrchr");
-        // reject trailing slash and root dir
+        // reject trailing slash, root directory
-        if (*(p + 1) == '\0') {
+        if (*(p + 1) == '\0')
-                fprintf(stderr, "Error: invalid pathname: %s\n", path);
+                goto errexit;
-                exit(1);
+        // reject trailing dot
-        }
+        if (*(p + 1) == '.' && *(p + 2) == '\0')
+                goto errexit;
+        // if there is more than one path segment, keep the last one for later
+        if (p != dup)
+                *p = '\0';
        int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC);
        if (parentfd == -1)
                errExit("open");
-        // if there is more than one path segment, keep the last one for later
+        // traverse the path and return -1 if a symlink is encountered
-        if (p != dup)
+        int entered = 0;
-                *p = '\0';
+        int fd = -1;
-        // traverse the path, return -1 if a symlink is encountered
        char *tok = strtok(dup, "/");
-        if (tok == NULL)
-                errExit("strtok");
        while (tok) {
+                // skip all "/./"
+                if (strcmp(tok, ".") == 0) {
+                        tok = strtok(NULL, "/");
+                        continue;
+                }
+                entered = 1;
+                // open the directory
                fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                close(parentfd);
                if (fd == -1) {
                        free(dup);
                        return -1;
                }
                parentfd = fd;
                tok = strtok(NULL, "/");
        }
        if (p != dup) {
+                // consistent flags for top level directories (////foo, /.///foo)
+                if (!entered)
+                        flags = O_PATH|O_DIRECTORY|O_CLOEXEC;
                // open last path segment
                fd = openat(parentfd, p + 1, flags|O_NOFOLLOW);
                close(parentfd);
        }
        free(dup);
        return fd; // -1 if open failed
+errexit:
+        fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);
+        exit(1);
 }
author	smitsohu <smitsohu@gmail.com>	2018-08-01 15:23:26 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-08-01 15:23:26 +0200
commit	a1b84d1552655be4d981352ec6d04fe1a1d1cb13 (patch)
tree	1859e2bae6088b3fd2863e5b6e0a40fc57614090 /src/firejail/util.c
parent	Merges (diff)
download	firejail-a1b84d1552655be4d981352ec6d04fe1a1d1cb13.tar.gz firejail-a1b84d1552655be4d981352ec6d04fe1a1d1cb13.tar.zst firejail-a1b84d1552655be4d981352ec6d04fe1a1d1cb13.zip

diff --git a/src/firejail/util.c b/src/firejail/util.c index fa32ffcc8..18f837d7e 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -1059,54 +1059,71 @@ void disable_file_path(const char path, const char file) {
1059	// user controlled paths. Passed flags are ignored if path is a top level directory.	1059	// user controlled paths. Passed flags are ignored if path is a top level directory.
1060	int safe_fd(const char *path, int flags) {	1060	int safe_fd(const char *path, int flags) {
1061	assert(path);	1061	assert(path);
1062	int fd = -1;	1062
		1063	// reject empty string, relative path
		1064	if (*path != '/')
		1065	goto errexit;
		1066	// reject ".."
		1067	if (strstr(path, ".."))
		1068	goto errexit;
1063		1069
1064	// work with a copy of path	1070	// work with a copy of path
1065	char *dup = strdup(path);	1071	char *dup = strdup(path);
1066	if (dup == NULL)	1072	if (dup == NULL)
1067	errExit("strdup");	1073	errExit("strdup");
1068	// reject relative path and empty string
1069	if (*dup != '/') {
1070	fprintf(stderr, "Error: invalid pathname: %s\n", path);
1071	exit(1);
1072	}
1073		1074
1074	char *p = strrchr(dup, '/');	1075	char *p = strrchr(dup, '/');
1075	if (p == NULL)	1076	if (p == NULL)
1076	errExit("strrchr");	1077	errExit("strrchr");
1077	// reject trailing slash and root dir	1078	// reject trailing slash, root directory
1078	if (*(p + 1) == '\0') {	1079	if (*(p + 1) == '\0')
1079	fprintf(stderr, "Error: invalid pathname: %s\n", path);	1080	goto errexit;
1080	exit(1);	1081	// reject trailing dot
1081	}	1082	if ((p + 1) == '.' && (p + 2) == '\0')
		1083	goto errexit;
		1084	// if there is more than one path segment, keep the last one for later
		1085	if (p != dup)
		1086	*p = '\0';
1082		1087
1083	int parentfd = open("/", O_PATH\|O_DIRECTORY\|O_CLOEXEC);	1088	int parentfd = open("/", O_PATH\|O_DIRECTORY\|O_CLOEXEC);
1084	if (parentfd == -1)	1089	if (parentfd == -1)
1085	errExit("open");	1090	errExit("open");
1086		1091
1087	// if there is more than one path segment, keep the last one for later	1092	// traverse the path and return -1 if a symlink is encountered
1088	if (p != dup)	1093	int entered = 0;
1089	*p = '\0';	1094	int fd = -1;
1090
1091	// traverse the path, return -1 if a symlink is encountered
1092	char *tok = strtok(dup, "/");	1095	char *tok = strtok(dup, "/");
1093	if (tok == NULL)
1094	errExit("strtok");
1095	while (tok) {	1096	while (tok) {
		1097	// skip all "/./"
		1098	if (strcmp(tok, ".") == 0) {
		1099	tok = strtok(NULL, "/");
		1100	continue;
		1101	}
		1102	entered = 1;
		1103
		1104	// open the directory
1096	fd = openat(parentfd, tok, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);	1105	fd = openat(parentfd, tok, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);
1097	close(parentfd);	1106	close(parentfd);
1098	if (fd == -1) {	1107	if (fd == -1) {
1099	free(dup);	1108	free(dup);
1100	return -1;	1109	return -1;
1101	}	1110	}
		1111
1102	parentfd = fd;	1112	parentfd = fd;
1103	tok = strtok(NULL, "/");	1113	tok = strtok(NULL, "/");
1104	}	1114	}
1105	if (p != dup) {	1115	if (p != dup) {
		1116	// consistent flags for top level directories (////foo, /.///foo)
		1117	if (!entered)
		1118	flags = O_PATH\|O_DIRECTORY\|O_CLOEXEC;
1106	// open last path segment	1119	// open last path segment
1107	fd = openat(parentfd, p + 1, flags\|O_NOFOLLOW);	1120	fd = openat(parentfd, p + 1, flags\|O_NOFOLLOW);
1108	close(parentfd);	1121	close(parentfd);
1109	}	1122	}
1110	free(dup);	1123	free(dup);
1111	return fd; // -1 if open failed	1124	return fd; // -1 if open failed
		1125
		1126	errexit:
		1127	fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);
		1128	exit(1);
1112	}	1129	}