add restricted filesystem access to sel_ldr

src/trusted/service_runtime/sys_fdio.c

Index: src/trusted/service_runtime/sys_fdio.c
diff --git a/src/trusted/service_runtime/sys_fdio.c b/src/trusted/service_runtime/sys_fdio.c
index dfa5c5b30584d292298546200a93549d90ca0076..7de268cf86d5e974d4897595e249c0c466d07598 100644
--- a/src/trusted/service_runtime/sys_fdio.c
+++ b/src/trusted/service_runtime/sys_fdio.c
@@ -135,7 +135,7 @@ int32_t NaClSysGetdents(struct NaClAppThread *natp,
            "%"NACL_PRIuS"[0x%"NACL_PRIxS"])\n"),
           (uintptr_t) natp, d, dirp, count, count);
 
-  if (!NaClAclBypassChecks) {
+  if (!NaClAclBypassChecks && NaClRootFolder == NULL) {

[jtolds, 2015/06/25 23:05:05]

definitely worried the most about Getdents here. Do I need to look for ".." dir
entries or anything and remap them if it's the untrusted root?

[Mark Seaborn, 2015/06/25 23:55:09]

The ".." entries reported by getdents() don't convey any authority, they just
reveal inode numbers.  So for security it's not essential to hide or remap them.

Programs might get confused if inode numbers are reported inconsistently, though
maybe that's not very likely.  Hiding/remapping inode numbers would just be
useful optional functionality to avoid that sort of problem.

     /*
      * Filesystem access is disabled, so disable the getdents() syscall.
      * We do this for security hardening, though it should be redundant,
@@ -416,7 +416,7 @@ int32_t NaClSysFstat(struct NaClAppThread *natp,
   retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
             Fstat)(ndp, &result);
   if (0 == retval) {
-    if (!NaClAclBypassChecks) {
+    if (!NaClAclBypassChecks && NaClRootFolder == NULL) {
       result.nacl_abi_st_ino = NACL_FAKE_INODE_NUM;
     }
     if (!NaClCopyOutToUser(nap, nasp, &result, sizeof result)) {