Commit Graph

12 Commits

Author SHA1 Message Date
Greg Kurz
6482a96163 9pfs: introduce relative_openat_nofollow() helper
When using the passthrough security mode, symbolic links created by the
guest are actual symbolic links on the host file system.

Since the resolution of symbolic links during path walk is supposed to
occur on the client side. The server should hence never receive any path
pointing to an actual symbolic link. This isn't guaranteed by the protocol
though, and malicious code in the guest can trick the server to issue
various syscalls on paths whose one or more elements are symbolic links.
In the case of the "local" backend using the "passthrough" or "none"
security modes, the guest can directly create symbolic links to arbitrary
locations on the host (as per spec). The "mapped-xattr" and "mapped-file"
security modes are also affected to a lesser extent as they require some
help from an external entity to create actual symbolic links on the host,
i.e. another guest using "passthrough" mode for example.

The current code hence relies on O_NOFOLLOW and "l*()" variants of system
calls. Unfortunately, this only applies to the rightmost path component.
A guest could maliciously replace any component in a trusted path with a
symbolic link. This could allow any guest to escape a virtfs shared folder.

This patch introduces a variant of the openat() syscall that successively
opens each path element with O_NOFOLLOW. When passing a file descriptor
pointing to a trusted directory, one is guaranteed to be returned a
file descriptor pointing to a path which is beneath the trusted directory.
This will be used by subsequent patches to implement symlink-safe path walk
for any access to the backend.

Symbolic links aren't the only threats actually: a malicious guest could
change a path element to point to other types of file with undesirable
effects:
- a named pipe or any other thing that would cause openat() to block
- a terminal device which would become QEMU's controlling terminal

These issues can be addressed with O_NONBLOCK and O_NOCTTY.

Two helpers are introduced: one to open intermediate path elements and one
to open the rightmost path element.

Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(renamed openat_nofollow() to relative_openat_nofollow(),
 assert path is relative and doesn't contain '//',
 fixed side-effect in assert, Greg Kurz)
Signed-off-by: Greg Kurz <groug@kaod.org>
2017-02-28 11:21:15 +01:00
Wei Liu
60ce86c714 9pfs: rename virtio-9p.c to 9p.c
Now that file only contains generic code.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 15:32:13 +05:30
Wei Liu
267ae092e2 9pfs: rename virtio-9p-xattr{,-user}.{c,h} to 9p-xattr{,-user}.{c,h}
These three files are not virtio specific. Rename them to generic
names.

Fix comments and header inclusion in various files.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 12:47:35 +05:30
Wei Liu
364031f179 9pfs: rename virtio-9p-synth.{c,h} to 9p-synth.{c,h}
These two files are not virtio specific. Rename them to use generic
names.

Fix includes in various C files. Change define guards and comments
in header files.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 12:40:55 +05:30
Wei Liu
494a8ebe71 9pfs: rename virtio-9p-proxy.{c,h} to 9p-proxy.{c,h}
Those two files are not virtio specific. Rename them to use generic
names.

Fix includes in various C files. Change define guards and comments
in header files.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 12:38:15 +05:30
Wei Liu
d57b78002c 9pfs: rename virtio-9p-posix-acl.c to 9p-posix-acl.c
This file is not virtio specific. Rename it to use generic name.

Fix comment and remove unneeded inclusion of virtio.h.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 12:37:32 +05:30
Wei Liu
f00d4f596b 9pfs: rename virtio-9p-local.c to 9p-local.c
This file is not virtio specific. Rename it to use generic name.

Fix comment and remove unneeded inclusion of virtio.h.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 12:36:44 +05:30
Wei Liu
3b9ca04653 9pfs: rename virtio-9p-handle.c to 9p-handle.c
This file is not virtio specific. Rename it to use generic name.

Fix comment and remove unneeded inclusion of virtio.h.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 12:35:46 +05:30
Wei Liu
fe52840c87 9pfs: rename virtio-9p-coth.{c,h} to coth.{c,h}
Those two files are not virtio specific. Rename them to use generic
names.

Fix includes in various C files. Change define guards and comments in
header files.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-08 12:04:43 +05:30
Stefan Weil
c9159fe9aa Remove libhw
The entries for libhw* are no longer needed in .gitignore.

There is also no longer a difference between common-obj-y and
hw-obj-y, so one of those two macros is sufficient.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-10-05 16:07:49 -05:00
Paolo Bonzini
c353f26194 build: move per-target hw/ objects to nested Makefile.objs
This completes the move to nested Makefiles for virtio and a few
other files that were not part of obj-TARGET-y, but still were
compiled separately for each target.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-06-07 09:21:17 +02:00
Paolo Bonzini
be1029ec30 build: convert libhw to nested Makefile.objs
After this patch, the libhw* directories will have a hierarchy
that mimics the source tree.  This is useful because we do have
a couple of files there that are in the top source directory.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-06-07 09:21:17 +02:00