Extended restricted filesystem to support relative paths.

src/trusted/service_runtime/sel_ldr_filename.c

Index: src/trusted/service_runtime/sel_ldr_filename.c
diff --git a/src/trusted/service_runtime/sel_ldr_filename.c b/src/trusted/service_runtime/sel_ldr_filename.c
index 97556b653420b7513dffa02a1c543b70ea1f68da..adfd66dab073915d10f210d4847d832e1065d938 100644
--- a/src/trusted/service_runtime/sel_ldr_filename.c
+++ b/src/trusted/service_runtime/sel_ldr_filename.c
@@ -44,8 +44,6 @@ static int PathContainsRootPrefix(const char *path, size_t path_len) {
  * the mounted directory) transform it into an |absolute_path|, which is an
  * absolute path prefixed by the root mount directory.
  *
- * TODO(smklein): The virtual_path is assumed to be absolute. Change this.
- *
  * @param[in] virtual_path Virtual path supplied by user.
  * @param[out] absolute_path The absolute path referenced by the |virtual_path|.
  * @param[in] absolute_path_size The size of the |absolute_path| buffer.
@@ -54,20 +52,54 @@ static int PathContainsRootPrefix(const char *path, size_t path_len) {
 static uint32_t VirtualToAbsolutePath(const char *virtual_path,
                                       char       *absolute_path,
                                       size_t     absolute_path_max_size) {
+  size_t cwd_path_len;
   size_t virtual_path_len = strlen(virtual_path);
-  /* Check that we have enough room to prepend the prefix (absolute case). */
-  if (virtual_path_len + NaClRootDirLen + 1 > absolute_path_max_size) {
-    NaClLog(LOG_ERROR, "Pathname too long: %s\n", virtual_path);
-    return -NACL_ABI_ENAMETOOLONG;
+  if (virtual_path[0] == '/') {
+    /* Absolute Path = Prefix + Absolute Virtual Path + '\0' */
+    if (virtual_path_len + NaClRootDirLen + 1 > absolute_path_max_size) {
+      NaClLog(LOG_ERROR, "Pathname too long: %s\n", virtual_path);
+      return -NACL_ABI_ENAMETOOLONG;
+    }
+    /* Prefix */
+    memcpy(absolute_path, NaClRootDir, NaClRootDirLen);
+    /* Prefix + Virtual Path */
+    memcpy(absolute_path + NaClRootDirLen, virtual_path, virtual_path_len);
+    /* Prefix + Virtual Path + Terminator */
+    absolute_path[virtual_path_len + NaClRootDirLen] = '\0';
+  } else {
+    /* Absolute Path = Cwd + '/' + Relative Virtual Path + '\0' */
+    if (NaClHostDescGetcwd(absolute_path, absolute_path_max_size) != 0) {
+      NaClLog(LOG_ERROR, "NaClHostDescGetcwd failed\n");
+      return -NaClXlateErrno(errno);

[Sam Clegg, 2016/02/11 22:45:26]

NaClHostDescGetcwd returns the translated errno already so I would simply return
whatever it returns.

[Sean Klein, 2016/02/11 23:00:52]

Done.

+    }
+    cwd_path_len = strlen(absolute_path);
+    /*
+     * The prefix cannot be mounted at the root, so we can safely assume that
+     * the Cwd consists of some path component after "/", such as "/foo". This
+     * means that before inserting the relative path, we must insert an
+     * additional "/" at the end of the Cwd.
+     */
+    CHECK(NaClRootDirLen > 1);
+    CHECK(strncmp(absolute_path, NaClRootDir, NaClRootDirLen) == 0);
+    /*
+     * While verifying that the Cwd is inside a root (such as "/root"), ensure
+     * that the Cwd is not only matching the prefix of the root (such as
+     * "/root_but_not_really").
+     */
+    CHECK((absolute_path[NaClRootDirLen] == '/') ||
+          (absolute_path[NaClRootDirLen] == '\0'));
+    if (cwd_path_len + 1 + virtual_path_len + 1 > absolute_path_max_size) {
+      NaClLog(LOG_ERROR, "Pathname too long: %s\n", virtual_path);
+      return -NACL_ABI_ENAMETOOLONG;
+    }
+    /* Cwd + '/' */
+    memcpy(absolute_path + cwd_path_len, "/", 1);
+    /* Cwd + '/' + Relative Path */
+    memcpy(absolute_path + cwd_path_len + 1, virtual_path, virtual_path_len);
+    /* Cwd + '/' + Relative Path + Terminator */
+    absolute_path[cwd_path_len + 1 + virtual_path_len] = '\0';

[Sam Clegg, 2016/02/11 22:45:26]

Is there some reason you are not using strcat here which would auto-terminate? 
All these stings are NULL terminated right? and we know we don't overflow
because of the check above, right?

[Sean Klein, 2016/02/11 23:00:52]

Well, strcat is slower, since it requires scanning the intermediate string
linearly to determine the length before concatenating.
The intermediate steps do not require that absolute_path is NULL-terminated. 

   }
 
-  /* Prefix */
-  memcpy(absolute_path, NaClRootDir, NaClRootDirLen);
-  /* Prefix + Virtual Path */
-  memcpy(absolute_path + NaClRootDirLen, virtual_path, virtual_path_len);
-  /* Prefix + Virtual Path + Terminator */
-  absolute_path[virtual_path_len + NaClRootDirLen] = '\0';
-
   return 0;
 }
 
@@ -134,17 +166,17 @@ static uint32_t CopyHostPathMounted(char *dest, size_t dest_max_size) {
   if (dest_max_size <= 0 || dest[0] == '\0') {
     NaClLog(LOG_ERROR, "Dest cannot be empty path\n");
     return -NACL_ABI_ENOENT;
-  } else if (dest[0] != '/') {
-    /* TODO(smklein): Allow usage of relative paths. */
-    NaClLog(LOG_ERROR, "Pathname is not absolute: %s\n", dest);
-    return -NACL_ABI_EACCES;
   }
 
   CHECK(dest_max_size == NACL_CONFIG_PATH_MAX);
   CHECK(strlen(dest) < NACL_CONFIG_PATH_MAX);
   strcpy(raw_path, dest);
 
-  /* Transform the user's raw path into an absolute path. */
+  /*
+   * Transform the user's raw path into an absolute path.
+   * The path may be either absolute or relative here -- but it will
+   * be absolute once VirtualToAbsolutePath returns successfully.
+   */
   retval = VirtualToAbsolutePath(raw_path, dest, dest_max_size);
   if (retval != 0)
     return retval;