1. 28 2月, 2017 1 次提交
    • G
      9pfs: introduce relative_openat_nofollow() helper · 6482a961
      Greg Kurz 提交于
      When using the passthrough security mode, symbolic links created by the
      guest are actual symbolic links on the host file system.
      
      Since the resolution of symbolic links during path walk is supposed to
      occur on the client side. The server should hence never receive any path
      pointing to an actual symbolic link. This isn't guaranteed by the protocol
      though, and malicious code in the guest can trick the server to issue
      various syscalls on paths whose one or more elements are symbolic links.
      In the case of the "local" backend using the "passthrough" or "none"
      security modes, the guest can directly create symbolic links to arbitrary
      locations on the host (as per spec). The "mapped-xattr" and "mapped-file"
      security modes are also affected to a lesser extent as they require some
      help from an external entity to create actual symbolic links on the host,
      i.e. another guest using "passthrough" mode for example.
      
      The current code hence relies on O_NOFOLLOW and "l*()" variants of system
      calls. Unfortunately, this only applies to the rightmost path component.
      A guest could maliciously replace any component in a trusted path with a
      symbolic link. This could allow any guest to escape a virtfs shared folder.
      
      This patch introduces a variant of the openat() syscall that successively
      opens each path element with O_NOFOLLOW. When passing a file descriptor
      pointing to a trusted directory, one is guaranteed to be returned a
      file descriptor pointing to a path which is beneath the trusted directory.
      This will be used by subsequent patches to implement symlink-safe path walk
      for any access to the backend.
      
      Symbolic links aren't the only threats actually: a malicious guest could
      change a path element to point to other types of file with undesirable
      effects:
      - a named pipe or any other thing that would cause openat() to block
      - a terminal device which would become QEMU's controlling terminal
      
      These issues can be addressed with O_NONBLOCK and O_NOCTTY.
      
      Two helpers are introduced: one to open intermediate path elements and one
      to open the rightmost path element.
      Suggested-by: NJann Horn <jannh@google.com>
      Signed-off-by: NGreg Kurz <groug@kaod.org>
      Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
      (renamed openat_nofollow() to relative_openat_nofollow(),
       assert path is relative and doesn't contain '//',
       fixed side-effect in assert, Greg Kurz)
      Signed-off-by: NGreg Kurz <groug@kaod.org>
      6482a961