From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: aliguori@us.ibm.com, qemu-stable <qemu-stable@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH] hw/9pfs: use O_NOFOLLOW for mapped readlink operation
Date: Mon, 20 May 2013 23:12:27 +0530 [thread overview]
Message-ID: <87zjvp4kfw.fsf@linux.vnet.ibm.com> (raw)
In-Reply-To: <1369071269-25903-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> writes:
> From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
>
> With mapped security models like mapped-xattr and mapped-file, we save the
> symlink target as file contents. Now if we ever expose a normal directory
> with mapped security model and find real symlinks in export path, never
> follow them and return proper error.
>
> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
> ---
> hw/9pfs/virtio-9p-local.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c
> index 6ece6f7..87aa75d 100644
> --- a/hw/9pfs/virtio-9p-local.c
> +++ b/hw/9pfs/virtio-9p-local.c
> @@ -284,7 +284,7 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
> if ((fs_ctx->export_flags & V9FS_SM_MAPPED) ||
> (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) {
> int fd;
> - fd = open(rpath(fs_ctx, path, buffer), O_RDONLY);
> + fd = open(rpath(fs_ctx, path, buffer), O_RDONLY | O_NOFOLLOW);
> if (fd == -1) {
> return -1;
> }
We may want to apply this to stable, considering that the existing
code can be used to show contents of file outside export path. So if we
use the security model pass-through and create a symlink in guest
pointing to some file like /etc/file-not-allowed-to-read, with
pass-through, the /etc/file-not-allowed-to-read will resolve within
guest. Now if we expose the same export path via mapped-file security
model, we will consider the content of the link as link target. But
when we open link in mapped-file model, we didn't use O_NOFOLLOW, so
we will follow the link in the host and consider the content of
/etc/file-not-allowed-to-read as the link target, there by making the
content visible to guest.
I have another patch that add O_NOFOLLOW to all open(2) calls. But that
would require wider testing before posting.
-aneesh
next prev parent reply other threads:[~2013-05-20 17:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-20 17:34 [Qemu-devel] [PATCH] hw/9pfs: use O_NOFOLLOW for mapped readlink operation Aneesh Kumar K.V
2013-05-20 17:42 ` Aneesh Kumar K.V [this message]
2013-05-21 8:13 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zjvp4kfw.fsf@linux.vnet.ibm.com \
--to=aneesh.kumar@linux.vnet.ibm.com \
--cc=aliguori@us.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.