Extended restricted filesystem to support relative paths.

tests/limited_file_access/limited_file_access.cc

 /*
  * Copyright 2016 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 

[Mark Seaborn, 2016/02/24 21:19:19]

If I comment out the call to NaClHostDescChdir() in sel_main.c, use of relative
paths becomes unsafe, but the test still passes.

Can you make sure the test checks that the initial cwd is safe?

[Sean Klein, 2016/02/24 23:40:43]

Updated the first test to verify the cwd before calling "chdir". This should
catch a missing NaClHostDescChdir.

[Mark Seaborn, 2016/02/25 01:18:09]

Can you also add a comment to that code in sel_main.c, e.g. "This is required
for safety, because we allow relative pathnames."

[Sean Klein, 2016/02/25 01:36:28]

Done.

 /*
  * NaCl tests for limited file access
  */
 
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ skipping 103 matching lines @@
   }
   ASSERT_EQ_MSG(closedir(d), 0, "closedir() failed");
 
   ASSERT(temp_file_seen);
   ASSERT(temp_symlink_seen);
   ASSERT(sub_temp_dir_seen);
   ASSERT(parent_directory_seen);
   ASSERT(current_directory_seen);
   ASSERT_EQ(count, 5);
 
+  // Chdir with relative path name
+  ASSERT_EQ_MSG(chdir(g_temp_sub_dir_name), 0, "chdir() failed");
+  ASSERT_NE_MSG(getcwd(dirname, PATH_MAX), NULL, "getcwd() failed");
+  ASSERT_EQ(strcmp(dirname, g_temp_sub_dir_path), 0);
+
+  // Chdir with absolute path name
   ASSERT_EQ_MSG(chdir(g_temp_sub_dir_path), 0, "chdir() failed");
   ASSERT_NE_MSG(getcwd(dirname, PATH_MAX), NULL, "getcwd() failed");
   ASSERT_EQ(strcmp(dirname, g_temp_sub_dir_path), 0);
+
   d = opendir(dirname);
   count = 0;
 
   /*
    * We expect to see:
    * temp_sub_file
    * ..
    * .
    */
 
@@ skipping 30 matching lines @@
 
 void test_new_directory_access() {
   // Create a new directory, removes that directory.
   mode_t mode = S_IRUSR | S_IWUSR | S_IXUSR;
   ASSERT_EQ(mkdir("/test_dir", mode), 0);
   ASSERT_EQ(rmdir("/test_dir"), 0);
 
   ASSERT_EQ(mkdir("/test_dir/", mode), 0);
   ASSERT_EQ(rmdir("/test_dir/"), 0);
 
-  // Cannot make directory using relative path.
-  ASSERT_EQ(mkdir("test_dir/", mode), -1);
-  ASSERT_EQ(errno, EACCES);
+  // Test that relative paths can also be used.
+  ASSERT_EQ(mkdir("test_dir", mode), 0);
+  ASSERT_EQ(rmdir("test_dir"), 0);
 
   char file_name[PATH_MAX];
   snprintf(file_name, PATH_MAX, "%s/test_dir", g_temp_sub_dir_path);
   ASSERT_EQ(mkdir(file_name, mode), 0);
   ASSERT_EQ(rmdir(file_name), 0);
 
   ASSERT_NE(mkdir("/this_dir_does_not_exist/sub_dir", mode), 0);
   passed("test_new_directory_access", "all");
 }
 
@@ skipping 95 matching lines @@
   // information leak could also lead to discovering directories and files
   // outside the mount point.
   char path[PATH_MAX];
   struct stat buf;
 
   // We should be able to access the root directory.
   ASSERT_EQ(stat("/", &buf), 0);
   ASSERT_EQ(stat("//", &buf), 0);
   ASSERT_EQ(stat("/./.", &buf), 0);
   ASSERT_EQ(stat("/./////.", &buf), 0);
-
-  // We should not be able to access relative paths.
-  ASSERT_EQ(stat(".", &buf), -1);
-  ASSERT_EQ(errno, EACCES);
+  ASSERT_EQ(stat(".", &buf), 0);
 
   // We should not be able to access paths containing "..".
   snprintf(path, PATH_MAX, "%s/..", g_temp_sub_dir_path);
   ASSERT_EQ(stat(path, &buf), -1);
   ASSERT_EQ(errno, EACCES);
 
   // We should not be able to access the parent of the root directory.
   ASSERT_EQ(stat("/..", &buf), -1);
   ASSERT_EQ(errno, EACCES);
 
   // We should not be able to identify our mount point this way.
   snprintf(path, PATH_MAX, "/../%s", g_temp_dir_name);
   ASSERT_EQ(stat(path, &buf), -1);
   ASSERT_EQ(errno, EACCES);
   snprintf(path, PATH_MAX, "//../%s", g_temp_dir_name);
   ASSERT_EQ(stat(path, &buf), -1);
   ASSERT_EQ(errno, EACCES);
   snprintf(path, PATH_MAX, "/.//..//%s", g_temp_dir_name);
   ASSERT_EQ(stat(path, &buf), -1);
   ASSERT_EQ(errno, EACCES);
 
   passed("test_information_leak", "all");
 }
 
 void test_valid_file_access() {
   // Show that reads and writes to valid files work.
   char file_name[PATH_MAX];
+  bool new_file = false;
 
+  // Absolute path
   snprintf(file_name, PATH_MAX, "%s", g_temp_file_path);
-  do_test_write_read_file(file_name, false);
+  do_test_write_read_file(file_name, new_file);
 
+  // Relative path
+  snprintf(file_name, PATH_MAX, "%s", g_temp_file_name);
+  do_test_write_read_file(file_name, new_file);
+
+  // Absolute path
   snprintf(file_name, PATH_MAX, "%s/%s", g_temp_sub_dir_path,
            g_temp_sub_file_name);
-  do_test_write_read_file(file_name, false);
+  do_test_write_read_file(file_name, new_file);
 
-  snprintf(file_name, PATH_MAX, "%s/%s", g_temp_sub_dir_path,
+  // Relative path
+  snprintf(file_name, PATH_MAX, "%s/%s", g_temp_sub_dir_name,
            g_temp_sub_file_name);
-  do_test_write_read_file(file_name, false);
+  do_test_write_read_file(file_name, new_file);
+
+  ASSERT_EQ_MSG(chdir(g_temp_sub_dir_name), 0, "chdir() failed");
+
+  // Relative path
+  snprintf(file_name, PATH_MAX, "%s", g_temp_sub_file_name);
+  do_test_write_read_file(file_name, new_file);
 
   passed("test_valid_file_access", "all");
 }
 
 void test_new_file_access() {
   // Create a new file, show that it is readable / writable.
   char file_name[PATH_MAX];
   do_test_write_read_file("/new_temp_file", true);
 
   snprintf(file_name, PATH_MAX, "%s/newer_temp_file", g_temp_sub_dir_path);
@@ skipping 50 matching lines @@
            g_temp_sub_dir_name, argv[5]);
 
   snprintf(g_temp_inaccessible_dir_name, PATH_MAX, "%s", argv[6]);
   snprintf(g_temp_inaccessible_file_name, PATH_MAX, "%s", argv[7]);
 
   // Run the full test suite.
   testSuite();
   printf("All tests PASSED\n");
   exit(0);
 }