| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (c) 2013 The Native Client Authors. All rights reserved. | 2 * Copyright (c) 2013 The Native Client Authors. All rights reserved. |
| 3 * Use of this source code is governed by a BSD-style license that can be | 3 * Use of this source code is governed by a BSD-style license that can be |
| 4 * found in the LICENSE file. | 4 * found in the LICENSE file. |
| 5 */ | 5 */ |
| 6 | 6 |
| 7 #include "native_client/src/trusted/service_runtime/sys_fdio.h" | 7 #include "native_client/src/trusted/service_runtime/sys_fdio.h" |
| 8 | 8 |
| 9 #include <string.h> | 9 #include <string.h> |
| 10 | 10 |
| (...skipping 117 matching lines...) | |
| 128 ssize_t getdents_ret; | 128 ssize_t getdents_ret; |
| 129 uintptr_t sysaddr; | 129 uintptr_t sysaddr; |
| 130 struct NaClDesc *ndp; | 130 struct NaClDesc *ndp; |
| 131 | 131 |
| 132 NaClLog(3, | 132 NaClLog(3, |
| 133 ("Entered NaClSysGetdents(0x%08"NACL_PRIxPTR", " | 133 ("Entered NaClSysGetdents(0x%08"NACL_PRIxPTR", " |
| 134 "%d, 0x%08"NACL_PRIx32", " | 134 "%d, 0x%08"NACL_PRIx32", " |
| 135 "%"NACL_PRIuS"[0x%"NACL_PRIxS"])\n"), | 135 "%"NACL_PRIuS"[0x%"NACL_PRIxS"])\n"), |
| 136 (uintptr_t) natp, d, dirp, count, count); | 136 (uintptr_t) natp, d, dirp, count, count); |
| 137 | 137 |
| 138 if (!NaClAclBypassChecks) { | 138 if (!NaClAclBypassChecks && NaClRootFolder == NULL) { |
|
jtolds
2015/06/25 23:05:05
definitely worried the most about Getdents here. D
Mark Seaborn
2015/06/25 23:55:09
The ".." entries reported by getdents() don't conv
| |
| 139 /* | 139 /* |
| 140 * Filesystem access is disabled, so disable the getdents() syscall. | 140 * Filesystem access is disabled, so disable the getdents() syscall. |
| 141 * We do this for security hardening, though it should be redundant, | 141 * We do this for security hardening, though it should be redundant, |
| 142 * because untrusted code should not be able to open any directory | 142 * because untrusted code should not be able to open any directory |
| 143 * descriptors (i.e. descriptors with a non-trivial Getdents() | 143 * descriptors (i.e. descriptors with a non-trivial Getdents() |
| 144 * implementation). | 144 * implementation). |
| 145 */ | 145 */ |
| 146 return -NACL_ABI_EACCES; | 146 return -NACL_ABI_EACCES; |
| 147 } | 147 } |
| 148 | 148 |
| (...skipping 260 matching lines...) | |
| 409 ndp = NaClAppGetDesc(nap, d); | 409 ndp = NaClAppGetDesc(nap, d); |
| 410 if (NULL == ndp) { | 410 if (NULL == ndp) { |
| 411 NaClLog(4, "bad desc\n"); | 411 NaClLog(4, "bad desc\n"); |
| 412 retval = -NACL_ABI_EBADF; | 412 retval = -NACL_ABI_EBADF; |
| 413 goto cleanup; | 413 goto cleanup; |
| 414 } | 414 } |
| 415 | 415 |
| 416 retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)-> | 416 retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)-> |
| 417 Fstat)(ndp, &result); | 417 Fstat)(ndp, &result); |
| 418 if (0 == retval) { | 418 if (0 == retval) { |
| 419 if (!NaClAclBypassChecks) { | 419 if (!NaClAclBypassChecks && NaClRootFolder == NULL) { |
| 420 result.nacl_abi_st_ino = NACL_FAKE_INODE_NUM; | 420 result.nacl_abi_st_ino = NACL_FAKE_INODE_NUM; |
| 421 } | 421 } |
| 422 if (!NaClCopyOutToUser(nap, nasp, &result, sizeof result)) { | 422 if (!NaClCopyOutToUser(nap, nasp, &result, sizeof result)) { |
| 423 retval = -NACL_ABI_EFAULT; | 423 retval = -NACL_ABI_EFAULT; |
| 424 } | 424 } |
| 425 } | 425 } |
| 426 | 426 |
| 427 NaClDescUnref(ndp); | 427 NaClDescUnref(ndp); |
| 428 cleanup: | 428 cleanup: |
| 429 return retval; | 429 return retval; |
| 430 } | 430 } |
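Review bot: In the fstat path (new line 419), the added `NaClRootFolder == NULL` test is process-wide, so as far as the visible lines show, setting a root folder turns off the `NACL_FAKE_INODE_NUM` substitution for every descriptor, including any not opened under that folder. Real host inode numbers are then copied out to untrusted code. If that is intended, the branch should say so, e.g. `/* Host inode numbers are hidden only when no root folder is mounted. */`; otherwise the substitution should keep depending on `!NaClAclBypassChecks` alone. The same compound test appears at new line 138 in NaClSysGetdents, where the existing comment still reads "Filesystem access is disabled" and does not mention the root-folder case; one named predicate shared by both sites would keep the policy from drifting. Both function bodies start outside the visible lines.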
| OLD | NEW |