From: "Aneesh Kumar K.V"
Date: Mon, 20 May 2013 23:12:27 +0530
Subject: Re: [Qemu-devel] [PATCH] hw/9pfs: use O_NOFOLLOW for mapped readlink operation
Message-ID: <87zjvp4kfw.fsf@linux.vnet.ibm.com>
In-Reply-To: <1369071269-25903-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: aliguori@us.ibm.com, qemu-stable

"Aneesh Kumar K.V" writes:

> From: "Aneesh Kumar K.V"
>
> With mapped security models like mapped-xattr and mapped-file, we save the
> symlink target as file contents. Now if we ever expose a normal directory
> with mapped security model and find real symlinks in export path, never
> follow them and return proper error.
>
> Signed-off-by: Aneesh Kumar K.V
> ---
> hw/9pfs/virtio-9p-local.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c
> index 6ece6f7..87aa75d 100644
> --- a/hw/9pfs/virtio-9p-local.c
> +++ b/hw/9pfs/virtio-9p-local.c
> @@ -284,7 +284,7 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path, > if ((fs_ctx->export_flags & V9FS_SM_MAPPED) || > (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) { > int fd; > - fd = open(rpath(fs_ctx, path, buffer), O_RDONLY); > + fd = open(rpath(fs_ctx, path, buffer), O_RDONLY | O_NOFOLLOW); > if (fd == -1) { > return -1; > }

We may want to apply this to stable, considering that the existing code can be used to show the contents of a file outside the export path. So if we use the pass-through security model and create a symlink in the guest pointing to some file like /etc/file-not-allowed-to-read, with pass-through, the /etc/file-not-allowed-to-read will resolve within the guest. Now if we expose the same export path via the mapped-file security model, we will consider the content of the link as the link target. But when we open the link in the mapped-file model, we didn't use O_NOFOLLOW, so we will follow the link on the host and consider the content of /etc/file-not-allowed-to-read as the link target, thereby making the content visible to the guest.

I have another patch that adds O_NOFOLLOW to all open(2) calls. But that would require wider testing before posting.

-aneesh
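Review bot: O_NOFOLLOW only refuses a symlink in the final path component, so `fd = open(rpath(fs_ctx, path, buffer), O_RDONLY | O_NOFOLLOW);` still lets open(2) resolve symlinks in any intermediate directory of the path rpath() builds; the commit message ("never follow them") should say the check covers only the last component, or the lookup needs to be done component-wise to match that claim. The `if (fd == -1) { return -1; }` branch also deserves a comment that the "proper error" promised in the description is whatever errno open(2) leaves behind (ELOOP for a real symlink), since the hunk does not map it to anything 9p-specific.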
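Added example, not QEMU's code and not part of the patch above: the mapped-model readlink pattern the reply describes, where the link target lives in a regular file's contents, written so that a real host symlink at that path is refused with ELOOP rather than followed. It assumes a Linux host; the names mapped_readlink, demo and the temporary directory layout are invented for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Mapped-model readlink: the link target is stored as the contents of a
 * regular file, so "reading the link" means reading that file. O_NOFOLLOW
 * makes open(2) fail with ELOOP instead of following a real host symlink.
 * Returns bytes read, or -1 with errno set. */
ssize_t mapped_readlink(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1) {
        return -1;                  /* errno == ELOOP for a real symlink */
    }
    ssize_t n = read(fd, buf, bufsz);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Constructed scenario in a fresh temporary "export" directory: a mapped link
 * (regular file holding the target name) beside a real, dangling symlink.
 * Returns 0 when the mapped link reads back and the real symlink is refused
 * with ELOOP, 1 if either check fails, -1 on setup failure. */
int demo(void)
{
    char dir[] = "/tmp/mapped9pXXXXXX", mapped[256], real[256], buf[64];
    const char *target = "file-inside-export";
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(mapped, sizeof mapped, "%s/mapped-link", dir);
    snprintf(real, sizeof real, "%s/real-link", dir);
    FILE *f = fopen(mapped, "w");
    if (f == NULL || fputs(target, f) == EOF || fclose(f) != 0) return -1;
    if (symlink("../outside-the-export", real) == -1) return -1;
    ssize_t n = mapped_readlink(mapped, buf, sizeof buf);
    int ok = n == (ssize_t)strlen(target) && memcmp(buf, target, (size_t)n) == 0;
    errno = 0;
    ok = ok && mapped_readlink(real, buf, sizeof buf) == -1 && errno == ELOOP;
    unlink(mapped);
    unlink(real);
    rmdir(dir);
    return ok ? 0 : 1;
}
```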