Index: documentation/filesystem_access.txt |
diff --git a/documentation/filesystem_access.txt b/documentation/filesystem_access.txt |
index b7016de87c8c73dcaf0091c99b98bfb78d499a4b..972eb72f45331eeec01ddc4fa220ca5a8a96c23e 100644 |
--- a/documentation/filesystem_access.txt |
+++ b/documentation/filesystem_access.txt |
@@ -16,7 +16,6 @@ be guaranteed by the caller: |
* The mounted directory is assumed to not include any symlinks. |
These constraints will be enforced by sel_ldr: |
- * Pathnames must be absolute. Relative pathnames are explicitly disallowed. |
* Pathnames may not include the substring "..". |
* Access to filesystem within sel_ldr will behave as if as if the mounted |
directory is root. |
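Review bot: dropping "Pathnames must be absolute" from the list of constraints enforced by sel_ldr leaves the list without the invariant that replaces it: once relative paths are accepted they resolve against the cwd, so the cwd itself must be guaranteed to stay inside the mounted directory, and that guarantee belongs in this "enforced by sel_ldr" list (for example, "* The current working directory is always within the mounted directory; chdir is subject to the same sanitization as other paths."). The remaining ".." bullet should also say that the check applies to the path after the cwd has been prepended, not only to the user-supplied string. While editing this section, the unchanged context line "will behave as if as if the mounted" has a duplicated "as if".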
@@ -38,7 +37,8 @@ All of the given requirements can be satisfied by this `chroot`-style |
interface: |
* The only overhead for file I/O is in adding (and sanitizing) a path prefix |
- to absolute paths passed through to the host. |
+ to absolute paths passed through to the host, or the cwd to relative paths |
+ passed through to the host. |
* Read-only or read/write access can be controlled using normal filesystem |
permissions for the user running the `sel_ldr` process. |
* Using host-side filesystem primitives such as Linux bind mounts, users can |
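Review bot: the new wording "or the cwd to relative paths passed through to the host" describes the cwd as just another prefix, but it does not say where that cwd comes from or that it has already been sanitized; suggest "or the (already-sanitized) cwd to relative paths" so readers do not assume the cwd is trusted input, and so the "only overhead" claim stays accurate (the cost is prefixing plus the one-time validation at chdir time, not per-access validation of the cwd).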
@@ -71,6 +71,8 @@ Given that strategy, the following syscall changes were straightforward: |
Path sanitization happens through a three stage process: |
1) Ensure the user's path is absolute. |
+ If the user's path is relative, transform it to be absolute by prepending |
+ the cwd. This requires that the cwd is within the mounted directory. |
2) Prefix the path to the mounted directory. |
3) Ensure that the path does not contain "..". |
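Review bot: step 1 now prepends the cwd and states "This requires that the cwd is within the mounted directory", but the text does not say how that requirement is met or in which namespace the cwd is kept. Two things need spelling out: (a) the cwd must be stored as a sandbox-view absolute path (relative to the mounted root), otherwise step 2 would prefix the mount point a second time; and (b) the only way the cwd can change, chdir, must itself run through all three stages, so that a cwd containing ".." or escaping the mount can never be established. Suggest adding after the new sentence: "The cwd is maintained as a sandbox-absolute path and is only updated by a chdir that has passed this same sanitization." Note also that step 3 runs on the fully prefixed path, which is what makes the cwd-prepended relative case safe; worth stating explicitly so the ordering of the stages is understood as intentional.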