Extended restricted filesystem to support relative paths.

src/trusted/service_runtime/sel_ldr_filename.c

 /*
  * Copyright (c) 2016 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "native_client/src/trusted/service_runtime/sel_ldr_filename.h"
 
 #include <errno.h>
 #include <string.h>
@@ skipping 23 matching lines @@
     return 0;
   /* If the root is "/foo", then "/foobar" should be marked as invalid. */
   if (path_len > NaClRootDirLen && path[NaClRootDirLen] != '/')
     return 0;
   return 1;
 }
 
 #if !NACL_WINDOWS
 /*
  * Given a |virtual_path| (a path supplied by the user with no knowledge of
- * the mounted directory) transform it into an |absolute_path|, which is an
- * absolute path prefixed by the root mount directory.
- *
- * TODO(smklein): The virtual_path is assumed to be absolute. Change this.
+ * the mounted directory) transform it into an |real_path|, which is either
+ * an absolute path prefixed by the root mount directory, or a relative path.
  *
  * @param[in] virtual_path Virtual path supplied by user.
- * @param[out] absolute_path The absolute path referenced by the |virtual_path|.
- * @param[in] absolute_path_size The size of the |absolute_path| buffer.
+ * @param[out] real_path The real path referenced by the |virtual_path|.
+ * @param[in] real_path_size The size of the |real_path| buffer.
  * @return 0 on success, else a negated NaCl errno.
  */
-static uint32_t VirtualToAbsolutePath(const char *virtual_path,
-                                      char       *absolute_path,
-                                      size_t     absolute_path_max_size) {
+static uint32_t VirtualToRealPath(const char *virtual_path,
+                                  char       *real_path,
+                                  size_t     real_path_max_size) {
   size_t virtual_path_len = strlen(virtual_path);
-  /* Check that we have enough room to prepend the prefix (absolute case). */
-  if (virtual_path_len + NaClRootDirLen + 1 > absolute_path_max_size) {
-    NaClLog(LOG_ERROR, "Pathname too long: %s\n", virtual_path);
-    return -NACL_ABI_ENAMETOOLONG;
+  real_path[0] = '\0'; /* Required to strcat from start of path. */

[Mark Seaborn, 2016/02/24 21:19:19]

Why not just use strcpy() instead of the first calls to strcat()?

[Sean Klein, 2016/02/24 23:40:43]

Done.

+  if (virtual_path[0] == '/') {
+    /* Absolute Path = Prefix + Absolute Virtual Path + '\0' */
+    if (virtual_path_len + NaClRootDirLen + 1 > real_path_max_size) {
+      NaClLog(LOG_ERROR, "Pathname too long: %s\n", virtual_path);
+      return -NACL_ABI_ENAMETOOLONG;
+    }
+    /* Prefix */
+    strcat(real_path, NaClRootDir);
+    /* Prefix + Virtual Path */
+    strcat(real_path, virtual_path);
+  } else {
+    /* Relative Path = Relative Virtual Path + '\0' */
+    if (virtual_path_len + 1 > real_path_max_size) {
+      NaClLog(LOG_ERROR, "Pathname too long: %s\n", virtual_path);
+      return -NACL_ABI_ENAMETOOLONG;
+    }
+    strcat(real_path, virtual_path);
   }
 
-  /* Prefix */
-  memcpy(absolute_path, NaClRootDir, NaClRootDirLen);
-  /* Prefix + Virtual Path */
-  memcpy(absolute_path + NaClRootDirLen, virtual_path, virtual_path_len);
-  /* Prefix + Virtual Path + Terminator */
-  absolute_path[virtual_path_len + NaClRootDirLen] = '\0';
-
   return 0;
 }
 
 /*
  * Determine if |path| points to a symbolic link.
  *
  * @param[in] path Path of file to be checked.
  * @return Nonzero if path is symbolic link.
  */
 static int IsSymbolicLink(const char *path) {
   struct stat buf;
   int result = lstat(path, &buf);
   return result == 0 && S_ISLNK(buf.st_mode);
 }
 
 /*
- * Preconditions:
- *   The path is absolute (aka, it starts with "/").
- *
  * @param[in] path The path to be verified.
  * @return 0 if the path is valid, else a negated NaCl errno.
  */
-static uint32_t ValidateAbsolutePath(const char *path) {
+static uint32_t ValidatePath(const char *path) {
   if (strstr(path, "..")) {
     NaClLog(LOG_ERROR, "Pathname contains ..: %s\n", path);
     return -NACL_ABI_EACCES;
   }
 
-  CHECK(PathContainsRootPrefix(path, strlen(path)));
+  if (path[0] == '/')
+    CHECK(PathContainsRootPrefix(path, strlen(path)));
 
   /*
    * This is an informal check, and we still require the users of sel_ldr to
    * ensure that no symbolic links exist in the mounted directory.
    *
    * A race condition exists that can bypass this check:
    * 1) Open (or any file access function) called on a path to a regular
    *    file (PATH_REG). "IsSymbolicLink" returns zero, but the original file
    *    access function has not yet been called.
    * 2) Outside of sel_ldr, a symbolic link is moved into PATH_REG.
    * 3) The original file access function is called on a symbolic link.
    *
    * Thus, we still require the caller of sel_ldr to guarantee that no symbolic
    * links are inside the mounted directory.
    */
   if (IsSymbolicLink(path)) {
     return -NACL_ABI_EACCES;
   }
   return 0;
 }
 
 /*
- * Transforms a raw file path from the user into an absolute path
- * prefixed by the mounted file system root. Also validates the path to
- * ensure it does not access anything outside the mount point.
+ * Transforms a raw file path from the user into an absolute path prefixed by
+ * the mounted file system root (or leave it as a relative path). Also validates
+ * the path to ensure it does not access anything outside the mount point.
  *
  * @param[in/out] dest The raw file path from the user
  * @param[in] dest_max_size The size of the buffer holding dest.
  * @return 0 on success, else a NaCl errno.
  */
 static uint32_t CopyHostPathMounted(char *dest, size_t dest_max_size) {
   uint32_t retval;
   char     raw_path[NACL_CONFIG_PATH_MAX];
 
   if (dest_max_size <= 0 || dest[0] == '\0') {
     NaClLog(LOG_ERROR, "Dest cannot be empty path\n");
     return -NACL_ABI_ENOENT;
-  } else if (dest[0] != '/') {
-    /* TODO(smklein): Allow usage of relative paths. */
-    NaClLog(LOG_ERROR, "Pathname is not absolute: %s\n", dest);
-    return -NACL_ABI_EACCES;
   }
 
   CHECK(dest_max_size == NACL_CONFIG_PATH_MAX);
   CHECK(strlen(dest) < NACL_CONFIG_PATH_MAX);
   strcpy(raw_path, dest);
 
-  /* Transform the user's raw path into an absolute path. */
-  retval = VirtualToAbsolutePath(raw_path, dest, dest_max_size);
+  /*
+   * Transform the user's raw path into the actual path.
+   * The path will reference a file inside the mount directory once
+   * VirtualToRealPath returns successfully.
+   */
+  retval = VirtualToRealPath(raw_path, dest, dest_max_size);
   if (retval != 0)
     return retval;
 
   /* Verify that the path cannot escape root. */
-  return ValidateAbsolutePath(dest);
+  return ValidatePath(dest);
 }
 #endif /* !NACL_WINDOWS */
 
 uint32_t CopyHostPathInFromUser(struct NaClApp *nap,
                                 char           *dest,
                                 size_t         dest_max_size,
                                 uint32_t       src) {
   /*
    * NaClCopyInFromUserZStr may (try to) get bytes that is outside the
    * app's address space and generate a fault.
@@ skipping 54 matching lines @@
       return (uint32_t) -NACL_ABI_EFAULT;
     return 0;
   }
 
   /* Copy out everything after the root dir (including the slash). */
   if (!NaClCopyOutToUser(nap, dst_usr_addr, path + NaClRootDirLen,
                          path_len - NaClRootDirLen + 1))
     return (uint32_t) -NACL_ABI_EFAULT;
   return 0;
 }