add restricted filesystem access to sel_ldr

src/trusted/service_runtime/nacl_syscall_common.c

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 /*
  * NaCl service run-time, non-platform specific system call helper routines.
  */
 #include <sys/types.h>
 #include <sys/stat.h>
 
 #include <errno.h>
 #include <stdio.h>
+#include <string.h>
 
 #include "native_client/src/include/build_config.h"
 
 #if NACL_WINDOWS
 #include <windows.h>
 #endif
 
 #include "native_client/src/trusted/service_runtime/nacl_syscall_common.h"
 
 #include "native_client/src/include/nacl_macros.h"
@@ skipping 59 matching lines @@
   return 0;
 }
 
 int NaClAclBypassChecks = 0;
 
 void NaClInsecurelyBypassAllAclChecks(void) {
   NaClLog(LOG_WARNING, "BYPASSING ALL ACL CHECKS\n");
   NaClAclBypassChecks = 1;
 }
 
+char *NaClRootDir = NULL;
+size_t NaClRootDirLen = 0;
+
+#if NACL_WINDOWS
+int NaClMountRootDir(char *root) {
+  return 0;
+}
+
+int NaClSanitizePathLexically(char *path) {
+  /*
+   * TODO(jtolds): this could totally be made to work with Windows, but I'm
+   *  unclear what the path separator and drive letter requirements are at this
+   *  level.
+   */
+  return 0;
+}
+#elif NACL_LINUX || NACL_OSX
+int NaClMountRootDir(char *root) {
+  NaClRootDir = strdup(root);
+  if (!NaClSanitizePathLexically(NaClRootDir)) {
+    goto fail;
+  }
+  NaClRootDirLen = strlen(NaClRootDir);
+  if (NaClRootDirLen <= 0) {
+    goto fail;
+  }
+  while (NaClRootDirLen > 0 && NaClRootDir[NaClRootDirLen-1] == '/') {
+    NaClRootDir[--NaClRootDirLen] = '\0';
+  }
+  return 1;
+fail:
+  free(NaClRootDir);
+  NaClRootDir = NULL;
+  return 0;
+}
+
+int NaClSanitizePathLexically(char *path) {
+  size_t last_path_sep = 0, prev_sep = 0, next_char = 0;
+  size_t path_len = strlen(path);
+
+  /*
+   * Overall strategy:
+   * We're going to keep track of the last path separator we saw. Each time
+   * we see a new path separator, we'll mark off the last path element, then
+   * decide what to do with it. We'll either:
+   *  * decide the path element was empty (a double slash) and slide everything
+   *    back a byte.
+   *  * decide the path element was '.' and slide everything back two bytes.
+   *  * decide the path element is '..' and it's immediately after the root, so
+   *    we'll slide everything back three bytes
+   *  * decide the path element is '..' and it's not after the root, so we'll
+   *    go find the previous path separator and slide everything back to it.
+   *  * decide the path element is fine and continue with the new path
+   *    separator.
+   *
+   * This strategy avoids mallocs.
+   */
+
+  /*
+   * This algorithm assumes that there is always at least space for
+   * "/\0", and the path is absolute, so make sure strlen(path) >= 1 and the
+   * path starts with '/'.
+   */
+  if (path_len <= 0 || path[0] != '/') {
+    return 0;
+  }
+
+  /*
+   * For the purposes of this algorithm, '/' and '\0' are both path separators.
+   * last_path_sep refers to the index of the last path separator (either one
+   * of the above two bytes) that we've seen so far.
+   *
+   * We'll loop as long as the last path separator isn't the null byte and do
+   * some cleanup after.
+   */
+  while (path[last_path_sep] != '\0') {
+
+    /*
+     * Let's find the full next path element.
+     */
+    next_char = last_path_sep + 1;
+    while (path[next_char] != '/' && path[next_char] != '\0') {
+      next_char++;
+    }
+
+    /* Check if the path element was empty (double-separator case) */
+    if (next_char == last_path_sep + 1) {
+      if (path[next_char] == '\0') {
+        /*
+         * Special '/\0' end case, allow a double separator when the second one
+         * is a null byte. This allows us to sanitize paths with or without
+         * trailing slashes.
+         */
+        last_path_sep = next_char;
+        continue;
+      }
+      /* Normal double-separator case. Just slide everything back one. */
+      memmove(path + last_path_sep, path + last_path_sep + 1,
+              (path_len + 1) - (last_path_sep + 1));
+      path_len -= 1;
+      continue;
+    }
+
+    /* Check if the last path element was "." */
+    if (next_char == last_path_sep + 2 && path[last_path_sep + 1] == '.') {
+      /* Slide everything back two */
+      memmove(path + last_path_sep, path + last_path_sep + 2,
+              (path_len + 1) - (last_path_sep + 2));
+      path_len -= 2;
+      continue;
+    }
+
+    /* Check if the last path element was ".." */
+    if (next_char == last_path_sep + 3 && path[last_path_sep + 1] == '.' &&
+        path[last_path_sep + 2] == '.') {
+      if (last_path_sep == 0) {
+        /* '..' after root case, just slide everything back three. */
+        memmove(path + last_path_sep, path + last_path_sep + 3,
+                (path_len + 1) - (last_path_sep + 3));
+        path_len -= 3;
+        continue;
+      }
+      /*
+       * Normal '..' case. Go find the previous path separator and then slide
+       * everything back to it.
+       */
+      prev_sep = last_path_sep - 1;
+      while (path[prev_sep] != '/') {
+        prev_sep--;
+      }
+      memmove(path + prev_sep, path + last_path_sep + 3,
+              (path_len + 1) - (last_path_sep + 3));
+      path_len -= (last_path_sep + 3 - prev_sep);
+      last_path_sep = prev_sep;
+      continue;
+    }
+
+    /* Default path element case. */
+    last_path_sep = next_char;
+  }
+
+  /*
+   * Cleanup scenario: whenever we slide something back, we overwrite the
+   * last path separator. For example, in the "/a/.\0" case, we slide
+   * everything starting at byte 4 back over byte 3, so the result is "/a\0".
+   * In the case of a full path "/.\0", the end result ends up being "\0", so
+   * we need to fix up root paths like this specially.
+   * N.B.: we know we have enough space in the buffer for this.
+   */
+  if (last_path_sep == 0) {
+    path[0] = '/';
+    path[1] = '\0';
+  }
+
+  return 1;
+}
+
+#else
+#error Unsupported platform
+#endif
+
+int NaClFileAccessEnabled(void) {
+  return NaClAclBypassChecks || (NaClRootDir != NULL);
+}
+
 int NaClHighResolutionTimerEnabled(void) {
   return NaClAclBypassChecks;
 }
 
 int32_t NaClSysGetpid(struct NaClAppThread *natp) {
   int32_t pid;
   UNREFERENCED_PARAMETER(natp);
 
   if (NaClAclBypassChecks) {
     pid = GETPID();
@@ skipping 594 matching lines @@
 #else
 #error Unsupported platform
 #endif
       break;
     }
     case NACL_ABI__SC_PAGESIZE: {
       result_value = 1 << 16;  /* always 64k pages */
       break;
     }
     case NACL_ABI__SC_NACL_FILE_ACCESS_ENABLED: {
-      result_value = NaClAclBypassChecks;
+      result_value = NaClFileAccessEnabled();
       break;
     }
     case NACL_ABI__SC_NACL_LIST_MAPPINGS_ENABLED: {
       result_value = nap->enable_list_mappings;
       break;
     }
     case NACL_ABI__SC_NACL_PNACL_MODE: {
       result_value = nap->pnacl_mode;
       break;
     }
@@ skipping 288 matching lines @@
   return NaClSysClockGetCommon(natp, clk_id, (uintptr_t) tsp,
                                NaClClockGetRes, 1);
 }
 
 int32_t NaClSysClockGetTime(struct NaClAppThread  *natp,
                             int                   clk_id,
                             uint32_t              tsp) {
   return NaClSysClockGetCommon(natp, clk_id, (uintptr_t) tsp,
                                NaClClockGetTime, 0);
 }