add restricted filesystem access to sel_ldr

src/trusted/service_runtime/sel_main.c

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 /*
  * NaCl Simple/secure ELF loader (NaCl SEL).
  */
 #include "native_client/src/include/build_config.h"
@@ skipping 109 matching lines @@
   /* NOTREACHED */
 }
 
 static void PrintUsage(void) {
   /* NOTE: this is broken up into multiple statements to work around
            the constant string size limit */
   fprintf(stderr,
           "Usage: sel_ldr [-h d:D] [-r d:D] [-w d:D] [-i d:D]\n"
           "               [-f nacl_file]\n"
           "               [-l log_file]\n"
+          "               [-m fs_root]\n"
           "               [-X d] [-acFglQRsSQv]\n"
           "               -- [nacl_file] [args]\n"
           "\n");
   fprintf(stderr,
           " -h\n"
           " -r\n"
           " -w associate a host POSIX descriptor D with app desc d\n"
           "    that was opened in O_RDWR, O_RDONLY, and O_WRONLY modes\n"
           "    respectively\n"
           " -i associates an IMC handle D with app desc d\n"
           " -f file to load; if omitted, 1st arg after \"--\" is loaded\n"
           " -B additional ELF file to load as a blob library\n"
           " -v increases verbosity\n"
           " -e enable hardware exception handling\n"
           " -X create a bound socket and export the address via an\n"
           "    IMC message to a corresponding inherited IMC app descriptor\n"
           "    (use -1 to create the bound socket / address descriptor\n"
           "    pair, but that no export via IMC should occur)\n"
           " -E <name=value>|<name> set an environment variable\n"
           " -p pass through all environment variables\n");
   fprintf(stderr,
           " -R an RPC supplies the NaCl module.\n"
           "    No nacl_file argument is expected, and the -f flag cannot be\n"
           "    used with this flag.\n"
+          " -m directory to mount as root.\n"
+          "    If not provided (and -a is also missing), no filesystem access\n"
+          "    of any kind is allowed. If provided, safely allows read/write\n"
+          "    access to just the provided folder as if it were the FS root.\n"
+          "    If read-only access is desired, setting appropriate "
+          "    filesystem-level permissions for the user sel_ldr runs as\n"
+          "    should be adequate. If both -m and -a are passed, -m behavior\n"
+          "    supersedes -a for filesystem operations.\n"
           "\n"
           " (testing flags)\n"
           " -a allow file access plus some other syscalls! dangerous!\n"
           " -c ignore validator! dangerous! Repeating this option twice skips\n"
           "    validation completely.\n"
           " -F fuzz testing; quit after loading NaCl app\n"
           " -g enable gdb debug stub.  Not secure on x86-64 Windows.\n"
           " -l <file>  write log output to the given file\n"
           " -q quiet; suppress diagnostic/warning messages at startup\n"
           " -Q disable platform qualification (dangerous!)\n"
@@ skipping 15 matching lines @@
 static int my_getopt(int argc, char *const *argv, const char *shortopts) {
   return getopt_long(argc, argv, shortopts, longopts, NULL);
 }
 #else
 #define my_getopt getopt
 #endif
 
 struct SelLdrOptions {
   char *nacl_file;
   char *blob_library_file;
+  char *root_mount;
   int app_argc;
   char **app_argv;
 
   int quiet;
   int verbosity;
   int fuzzing_quit_after_load;
   int skip_qualification;
   int handle_signals;
   int enable_env_passthrough;
   int enable_exception_handling;
   int enable_debug_stub;
   int rpc_supplies_nexe;
   int export_addr_to;
   int debug_mode_bypass_acl_checks;
   int debug_mode_ignore_validator;
   int debug_mode_startup_signal;
   struct redir *redir_queue;
   struct redir **redir_qend;
 };
 
 static void SelLdrOptionsCtor(struct SelLdrOptions *options) {
   /* Just to be safe. */
   memset(options, 0, sizeof(*options));
 
   options->nacl_file = NULL;
   options->blob_library_file = NULL;
+  options->root_mount = NULL;
   options->app_argc = 0;
   options->app_argv = NULL;
 
   options->quiet = 0;
   options->verbosity = 0;
   options->fuzzing_quit_after_load = 0;
   options->skip_qualification = 0;
   options->handle_signals = 0;
   options->enable_env_passthrough = 0;
   options->enable_exception_handling = 0;
@@ skipping 27 matching lines @@
    *   sel_ldr foo.nexe -vvv
    *
    * the -vvv flags are made available to the nexe, rather than being
    * consumed by getopt.  This makes the behavior of the Linux build
    * of sel_ldr consistent with the Windows and OSX builds.
    */
   while ((opt = my_getopt(argc, argv,
 #if NACL_LINUX
                        "+D:z:"
 #endif
-                       "aB:cdeE:f:Fgh:i:l:pqQr:RsSvw:X:Z")) != -1) {
+                       "aB:cdeE:f:Fgh:i:l:m:pqQr:RsSvw:X:Z")) != -1) {
     switch (opt) {
       case 'a':
         if (!options->quiet)
           fprintf(stderr, "DEBUG MODE ENABLED (bypass acl)\n");
         options->debug_mode_bypass_acl_checks = 1;
         break;
       case 'B':
         options->blob_library_file = optarg;
         break;
       case 'c':
@@ skipping 72 matching lines @@
         if (NULL != optarg) {
           /*
            * change stdout/stderr to log file now, so that subsequent error
            * messages will go there.  unfortunately, error messages that
            * result from getopt processing -- usually out-of-memory, which
            * shouldn't happen -- won't show up.
            */
           NaClLogSetFile(optarg);
         }
         break;
+      case 'm':
+        options->root_mount = optarg;
+        break;
       case 'p':
         options->enable_env_passthrough = 1;
         break;
       case 'q':
         options->quiet = 1;
         break;
       case 'Q':
         if (!options->quiet)
           fprintf(stderr, "PLATFORM QUALIFICATION DISABLED BY -Q - "
                   "Native Client's sandbox will be unreliable!\n");
@@ skipping 229 matching lines @@
      */
     NaClLog(LOG_ERROR, "DEBUG taking startup signal (SIGCONT) now\n");
     raise(SIGCONT);
 #endif
   }
 
   if (options->debug_mode_bypass_acl_checks) {
     NaClInsecurelyBypassAllAclChecks();
   }
 
+  if (options->root_mount != NULL) {
+    if (!NaClMountRootDir(options->root_mount)) {
+      NaClLog(LOG_ERROR, "Failed to mount root dir "
+              "(not supported on Windows)\n");
+      return -1;
+    }
+  }
+
   nap->ignore_validator_result = (options->debug_mode_ignore_validator > 0);
   nap->skip_validator = (options->debug_mode_ignore_validator > 1);
   nap->enable_exception_handling = options->enable_exception_handling;
 
   /*
    * TODO(mseaborn): Always enable the Mach exception handler on Mac
    * OS X, and remove handle_signals and sel_ldr's "-S" option.
    */
   if (nap->enable_exception_handling || options->enable_debug_stub ||
       (options->handle_signals && NACL_OSX)) {
@@ skipping 161 matching lines @@
    * possible.
    *
    * This must come after NaClWaitForLoadModuleCommand(), which waits
    * for another thread to have called NaClAppLoadFile().
    * NaClAppLoadFile() does not work inside the Mac outer sandbox in
    * standalone sel_ldr when using a dynamic code area because it uses
    * NaClCreateMemoryObject() which opens a file in /tmp.
    *
    * We cannot enable the sandbox if file access is enabled.
    */
-  if (!NaClAclBypassChecks && g_enable_outer_sandbox_func != NULL) {
+  if (!NaClFileAccessEnabled() && g_enable_outer_sandbox_func != NULL) {
     g_enable_outer_sandbox_func();
   }
 
   if (NULL != options->blob_library_file) {
     if (LOAD_OK == errcode) {
       errcode = NaClMainLoadIrt(nap, blob_file, NULL);
       if (LOAD_OK != errcode) {
         NaClLog(LOG_ERROR, "Error while loading \"%s\": %s\n",
                 options->blob_library_file,
                 NaClErrorString(errcode));
@@ skipping 107 matching lines @@
 #if NACL_LINUX
   NaClSignalHandlerFini();
 #endif
   NaClAllModulesFini();
 
   NaClExit(ret_code);
 
   /* Unreachable, but having the return prevents a compiler error. */
   return ret_code;
 }