linux-btrfs.vger.kernel.org archive mirror
From: "Lauri Võsandi" <lauri.vosandi@gmail.com>
To: linux-btrfs@vger.kernel.org
Cc: "Lauri Võsandi" <lauri.vosandi@gmail.com>
Subject: [PATCH] btrfs-progs: optionally enforce chroot for btrfs receive
Date: Sat, 18 Apr 2015 17:52:53 +0300
Message-ID: <1429368773-4632-1-git-send-email-lauri.vosandi@gmail.com>
In-Reply-To: <1429365545-2419-1-git-send-email-lauri.vosandi@gmail.com>

This patch forces btrfs receive to issue chroot before
parsing the btrfs stream using the command-line flag -C
to confine the process and minimize damage that could
be done via a malicious btrfs stream.

Signed-off-by: Lauri Võsandi <lauri.vosandi@gmail.com>
---
 cmds-receive.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/cmds-receive.c b/cmds-receive.c
index a1c72f9..366a63a 100644
--- a/cmds-receive.c
+++ b/cmds-receive.c
@@ -61,6 +61,7 @@ struct btrfs_receive
 	char *root_path;
 	char *dest_dir_path; /* relative to root_path */
 	char *full_subvol_path;
+	int dest_dir_chroot;
 
 	struct subvol_info *cur_subvol;
 
@@ -858,14 +859,27 @@ static int do_receive(struct btrfs_receive *r, const char *tomnt, int r_fd,
 		goto out;
 	}
 
-	/*
-	 * find_mount_root returns a root_path that is a subpath of
-	 * dest_dir_full_path. Now get the other part of root_path,
-	 * which is the destination dir relative to root_path.
-	 */
-	r->dest_dir_path = dest_dir_full_path + strlen(r->root_path);
-	while (r->dest_dir_path[0] == '/')
-		r->dest_dir_path++;
+	if (r->dest_dir_chroot) {
+		if (chroot(dest_dir_full_path)) {
+			ret = -errno;
+			fprintf(stderr,
+				"ERROR: failed to chroot to %s, %s\n",
+				dest_dir_full_path,
+				strerror(-ret));
+			goto out;
+		}
+		if(chdir("/")) {
+			ret = -errno;
+			fprintf(stderr,
+				"ERROR: failed to chdir to /, %s\n",
+				strerror(-ret));
+		}
+		if (g_verbose >= 1) {
+			fprintf(stderr, "chrooted to %s\n",
+				dest_dir_full_path);
+		}
+		r->root_path = r->dest_dir_path = strdup("/");
+	}
 
 	ret = subvol_uuid_search_init(r->mnt_fd, &r->sus);
 	if (ret < 0)
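Review bot: The chdir("/") failure branch sets ret and prints the error but has no "goto out;", unlike the chroot() branch just above it, so receive goes on to parse the stream with a working directory that may still be outside the new root, which is exactly what the chdir is there to prevent; add "goto out;" in that branch (and a space after "if" for style). The deleted dest_dir_path computation is also not kept in an else branch, so when -C is not given this code no longer sets r->dest_dir_path. Finally, the strdup("/") result is not checked for NULL, is shared by root_path and dest_dir_path (a double free if both are ever freed), and overwrites the root_path obtained from find_mount_root without freeing it.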
@@ -930,6 +944,7 @@ int cmd_receive(int argc, char **argv)
 	r.mnt_fd = -1;
 	r.write_fd = -1;
 	r.dest_dir_fd = -1;
+	r.dest_dir_chroot = 0;
 
 	while (1) {
 		int c;
@@ -938,7 +953,7 @@ int cmd_receive(int argc, char **argv)
 			{ NULL, 0, NULL, 0 }
 		};
 
-		c = getopt_long(argc, argv, "evf:", long_opts, NULL);
+		c = getopt_long(argc, argv, "Cevf:", long_opts, NULL);
 		if (c < 0)
 			break;
 
@@ -952,6 +967,9 @@ int cmd_receive(int argc, char **argv)
 		case 'e':
 			r.honor_end_cmd = 1;
 			break;
+		case 'C':
+			r.dest_dir_chroot = 1;
+			break;
 		case 'E':
 			max_errors = arg_strtou64(optarg);
 			break;
@@ -1001,6 +1019,7 @@ const char * const cmd_receive_usage[] = {
 	"                 in the data stream. Without this option,",
 	"                 the receiver terminates only if an error",
 	"                 is recognized or on EOF.",
+	"-C               Confine the process to <mount> using chroot",
 	"--max-errors <N> Terminate as soon as N errors happened while",
 	"                 processing commands from the send stream.",
 	"                 Default value is 1. A value of 0 means no limit.",
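Review bot: The new -C help line does not mention that chroot() requires root privileges (CAP_SYS_CHROOT), so a user who adds the flag to an unprivileged run gets only the "failed to chroot" error with no hint why; say so in the usage text. The diffstat also shows only cmds-receive.c changed, so the manual page is not updated for the new option; document -C there in the same patch.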
-- 
1.9.1

