add restricted filesystem access to sel_ldr

src/trusted/service_runtime/sel_main.c

Index: src/trusted/service_runtime/sel_main.c
diff --git a/src/trusted/service_runtime/sel_main.c b/src/trusted/service_runtime/sel_main.c
index 627771f13092d28a3651020c35c2e7d2b96d62e5..bbbea4fde11367c4b133766007718c71b06231e8 100644
--- a/src/trusted/service_runtime/sel_main.c
+++ b/src/trusted/service_runtime/sel_main.c
@@ -127,6 +127,7 @@ static void PrintUsage(void) {
           "Usage: sel_ldr [-h d:D] [-r d:D] [-w d:D] [-i d:D]\n"
           "               [-f nacl_file]\n"
           "               [-l log_file]\n"
+          "               [-m fs_root]\n"
           "               [-X d] [-acFglQRsSQv]\n"
           "               -- [nacl_file] [args]\n"
           "\n");
@@ -151,6 +152,14 @@ static void PrintUsage(void) {
           " -R an RPC supplies the NaCl module.\n"
           "    No nacl_file argument is expected, and the -f flag cannot be\n"
           "    used with this flag.\n"
+          " -m directory to mount as root.\n"
+          "    If not provided (and -a is also missing), no filesystem access\n"
+          "    of any kind is allowed. If provided, safely allows read/write\n"
+          "    access to just the provided folder as if it were the FS root.\n"
+          "    If read-only access is desired, setting appropriate "
+          "    filesystem-level permissions for the user sel_ldr runs as\n"
+          "    should be adequate. If both -m and -a are passed, -m behavior\n"
+          "    supersedes -a for filesystem operations.\n"
           "\n"
           " (testing flags)\n"
           " -a allow file access plus some other syscalls! dangerous!\n"
@@ -186,6 +195,7 @@ static int my_getopt(int argc, char *const *argv, const char *shortopts) {
 struct SelLdrOptions {
   char *nacl_file;
   char *blob_library_file;
+  char *root_mount;
   int app_argc;
   char **app_argv;
 
@@ -212,6 +222,7 @@ static void SelLdrOptionsCtor(struct SelLdrOptions *options) {
 
   options->nacl_file = NULL;
   options->blob_library_file = NULL;
+  options->root_mount = NULL;
   options->app_argc = 0;
   options->app_argv = NULL;
 
@@ -259,7 +270,7 @@ static void NaClSelLdrParseArgs(int argc, char **argv,
 #if NACL_LINUX
                        "+D:z:"
 #endif
-                       "aB:cdeE:f:Fgh:i:l:pqQr:RsSvw:X:Z")) != -1) {
+                       "aB:cdeE:f:Fgh:i:l:m:pqQr:RsSvw:X:Z")) != -1) {
     switch (opt) {
       case 'a':
         if (!options->quiet)
@@ -352,6 +363,9 @@ static void NaClSelLdrParseArgs(int argc, char **argv,
           NaClLogSetFile(optarg);
         }
         break;
+      case 'm':
+        options->root_mount = optarg;
+        break;
       case 'p':
         options->enable_env_passthrough = 1;
         break;
@@ -601,6 +615,10 @@ int NaClSelLdrMain(int argc, char **argv) {
     NaClInsecurelyBypassAllAclChecks();
   }
 
+  if (options->root_mount != NULL) {
+    NaClMountRootFolder(options->root_mount);

[jtolds, 2015/06/25 23:05:05]

super open to other names for all these things. it's not really a mount at all.
i would have called it a "prefix", but -p was taken (and seemed kind of
insecure, so I wasn't super thrilled to use -P, to try and avoid people mixing
them up), and "-m" was available.

+  }
+
   nap->ignore_validator_result = (options->debug_mode_ignore_validator > 0);
   nap->skip_validator = (options->debug_mode_ignore_validator > 1);
   nap->enable_exception_handling = options->enable_exception_handling;
@@ -782,7 +800,7 @@ int NaClSelLdrMain(int argc, char **argv) {
    *
    * We cannot enable the sandbox if file access is enabled.
    */
-  if (!NaClAclBypassChecks && g_enable_outer_sandbox_func != NULL) {
+  if (!NaClFileAccessEnabled() && g_enable_outer_sandbox_func != NULL) {
     g_enable_outer_sandbox_func();
   }