- Make sure non root users cannot access system namespace attributes

- honour namespace specification when listing attributes - Also fix message memory leak introduced by previous commit
2014-08-10 03:22:33 +00:00 · 2014-08-10 03:22:33 +00:00 · ac7134332d
parent abe84671d3
commit ac7134332d
3 changed files with 73 additions and 25 deletions
--- a/lib/libperfuse/ops.c
+++ b/lib/libperfuse/ops.c
@ -1,4 +1,4 @@
-/*  $NetBSD: ops.c,v 1.65 2014/08/09 19:06:50 manu Exp $ */
+/*  $NetBSD: ops.c,v 1.66 2014/08/10 03:22:33 manu Exp $ */

 /*-
 *  Copyright (c) 2010-2011 Emmanuel Dreyfus. All rights reserved.
@ -3323,6 +3323,10 @@ perfuse_node_getextattr(struct puffs_usermount *pu, puffs_cookie_t opc,
 	char *np;
 	int error;

+	/* system namespace attrs are not accessible to non root users */
+	if (attrns == EXTATTR_NAMESPACE_SYSTEM && !puffs_cred_isjuggernaut(pcr))
+		return EPERM;
+
 	node_ref(opc);
 	ps = puffs_getspecific(pu);
 	attrname = perfuse_native_ns(attrns, attrname, fuse_attrname);
@ -3367,6 +3371,7 @@ perfuse_node_getextattr(struct puffs_usermount *pu, puffs_cookie_t opc,
 	if (resid != NULL) {
 		if (*resid < len) {
 			error = ERANGE;
+			ps->ps_destroy_msg(pm);
 			goto out;
 		}

@ -3396,6 +3401,10 @@ perfuse_node_setextattr(struct puffs_usermount *pu, puffs_cookie_t opc,
 	char *np;
 	int error;
 	
+	/* system namespace attrs are not accessible to non root users */
+	if (attrns == EXTATTR_NAMESPACE_SYSTEM && !puffs_cred_isjuggernaut(pcr))
+		return EPERM;
+
 	node_ref(opc);
 	ps = puffs_getspecific(pu);
 	attrname = perfuse_native_ns(attrns, attrname, fuse_attrname);
@ -3436,9 +3445,13 @@ perfuse_node_listextattr(struct puffs_usermount *pu, puffs_cookie_t opc,
 	struct fuse_getxattr_out *fgo;
 	struct fuse_out_header *foh;
 	char *np;
-	size_t len, puffs_len;
+	size_t len, puffs_len, i, attrlen, outlen;
 	int error;
 	
+	/* system namespace attrs are not accessible to non root users */
+	if (attrns == EXTATTR_NAMESPACE_SYSTEM && !puffs_cred_isjuggernaut(pcr))
+		return EPERM;
+
 	node_ref(opc);

 	ps = puffs_getspecific(pu);
@ -3478,29 +3491,45 @@ perfuse_node_listextattr(struct puffs_usermount *pu, puffs_cookie_t opc,
 	np = (char *)(void *)(foh + 1);
 	puffs_len = foh->len - sizeof(*foh);

-	if (attrs != NULL) {
-#ifdef PUFFS_EXTATTR_LIST_LENPREFIX
-		/* 
-		 * Convert the FUSE reply to length prefixed strings
-		 * if this is what the kernel wants.
-		 */
-		if (flag & PUFFS_EXTATTR_LIST_LENPREFIX) {
-			size_t i, attrlen;
-
-			for (i = 0; i < puffs_len; i += attrlen + 1) {
-				attrlen = strlen(np + i);
-				(void)memmove(np + i + 1, np + i, attrlen);
-				*(np + i) = (uint8_t)attrlen;
-			}	
-		}
-#endif /* PUFFS_EXTATTR_LIST_LENPREFIX */
-		(void)memcpy(attrs, np, puffs_len);
-		*resid -= puffs_len;
-	}
-
-	if (attrsize != NULL) 
+	if (attrsize != NULL)
 		*attrsize = puffs_len;

+	if (attrs != NULL) {
+		if (*resid < puffs_len) {
+			error = ERANGE;
+			ps->ps_destroy_msg(pm);
+			goto out;
+		}
+
+		outlen = 0;
+	
+		for (i = 0; i < puffs_len; i += attrlen + 1) {
+			attrlen = strlen(np + i);
+
+			/*
+			 * Filter attributes per namespace
+			 */
+			if (!perfuse_ns_match(attrns, np + i))
+				continue;
+
+#ifdef PUFFS_EXTATTR_LIST_LENPREFIX
+			/* 
+			 * Convert the FUSE reply to length prefixed strings
+			 * if this is what the kernel wants.
+			 */
+			if (flag & PUFFS_EXTATTR_LIST_LENPREFIX) {
+				(void)memcpy(attrs + outlen + 1,
+					     np + i, attrlen);
+				*(attrs + outlen) = (uint8_t)attrlen;
+			} else 
+#endif /* PUFFS_EXTATTR_LIST_LENPREFIX */
+			(void)memcpy(attrs + outlen, np + i, attrlen + 1);
+			outlen += attrlen + 1;
+		}	
+
+		*resid -= outlen;
+	}
+
 	ps->ps_destroy_msg(pm);
 	error = 0;

@ -3520,6 +3549,10 @@ perfuse_node_deleteextattr(struct puffs_usermount *pu, puffs_cookie_t opc,
 	char *np;
 	int error;
 	
+	/* system namespace attrs are not accessible to non root users */
+	if (attrns == EXTATTR_NAMESPACE_SYSTEM && !puffs_cred_isjuggernaut(pcr))
+		return EPERM;
+
 	node_ref(opc);

 	ps = puffs_getspecific(pu);
--- a/lib/libperfuse/perfuse_priv.h
+++ b/lib/libperfuse/perfuse_priv.h
@ -1,4 +1,4 @@
-/*  $NetBSD: perfuse_priv.h,v 1.31 2012/07/21 05:49:42 manu Exp $ */
+/*  $NetBSD: perfuse_priv.h,v 1.32 2014/08/10 03:22:33 manu Exp $ */

 /*-
 *  Copyright (c) 2010-2011 Emmanuel Dreyfus. All rights reserved.
@ -186,6 +186,7 @@ uint64_t perfuse_get_fh(puffs_cookie_t, int);
 uint64_t perfuse_next_unique(struct puffs_usermount *);
 char *perfuse_node_path(struct perfuse_state *, puffs_cookie_t);
 int perfuse_node_close_common(struct puffs_usermount *, puffs_cookie_t, int);
+int perfuse_ns_match(const int, const char *);
 const char *perfuse_native_ns(const int, const char *, char *);

 char *perfuse_fs_mount(int, ssize_t);
--- a/lib/libperfuse/subr.c
+++ b/lib/libperfuse/subr.c
@ -1,4 +1,4 @@
-/*  $NetBSD: subr.c,v 1.19 2012/07/21 05:49:42 manu Exp $ */
+/*  $NetBSD: subr.c,v 1.20 2014/08/10 03:22:33 manu Exp $ */

 /*-
 *  Copyright (c) 2010-2011 Emmanuel Dreyfus. All rights reserved.
@ -215,6 +215,20 @@ perfuse_node_path(struct perfuse_state *ps, puffs_cookie_t opc)
 	return buf;
 }

+int
+perfuse_ns_match(const int attrnamespace, const char *attrname)
+{
+	const char *system_ns[] = { "system.", "trusted.", "security", NULL };
+	int i;
+
+        for (i = 0; system_ns[i]; i++) {
+                if (strncmp(attrname, system_ns[i], strlen(system_ns[i])) == 0)
+			return (attrnamespace == EXTATTR_NAMESPACE_SYSTEM);
+        }
+
+	return (attrnamespace == EXTATTR_NAMESPACE_USER);
+}
+
 const char *
 perfuse_native_ns(const int attrnamespace, const char *attrname,
 	char *fuse_attrname)