authorbeck <beck@openbsd.org>2019-01-14 04:02:39 +0000
committerbeck <beck@openbsd.org>2019-01-14 04:02:39 +0000
commit6fd26cb2587540c52c0cbf15d7044d8d863a14dd (patch)
treeb95a7459a25a23a0c66526898fce42958377907b
parentregen (diff)
Fix unveil issue noticed by kn@ where unveil does not notice covering
unveil matches when .. is used correctly. Also adds regress based upon his test program for the same issue.
-rw-r--r--regress/sys/kern/unveil/syscalls.c20
-rw-r--r--sys/kern/kern_unveil.c11
2 files changed, 26 insertions, 5 deletions
diff --git a/regress/sys/kern/unveil/syscalls.c b/regress/sys/kern/unveil/syscalls.c
index 4410526553b..d08fd05dd4d 100644
--- a/regress/sys/kern/unveil/syscalls.c
+++ b/regress/sys/kern/unveil/syscalls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscalls.c,v 1.18 2018/10/28 22:42:33 beck Exp $ */
+/* $OpenBSD: syscalls.c,v 1.19 2019/01/14 04:02:39 beck Exp $ */
/*
* Copyright (c) 2017-2018 Bob Beck <beck@openbsd.org>
@@ -835,6 +835,23 @@ test_dotdotup(int do_uv)
return 0;
}
+static int
+test_kn(int do_uv)
+{
+ if (do_uv) {
+ printf("testing read only with one writeable file\n");
+ if (unveil("/", "r") == -1)
+ err(1, "%s:%d - unveil", __FILE__, __LINE__);
+ if (unveil("/dev/null", "rw") == -1)
+ err(1, "%s:%d - unveil", __FILE__, __LINE__);
+ }
+ UV_SHOULD_SUCCEED((open("/dev/null", O_RDWR) == -1), "open");
+ UV_SHOULD_SUCCEED((open("/dev/zero", O_RDONLY) == -1), "open");
+ UV_SHOULD_ENOENT((open("/dev/zero", O_RDWR) == -1), "open"); /* XXX */
+ return 0;
+}
+
+
int
main (int argc, char *argv[])
{
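Review bot: The `/* XXX */` on the last assertion in `test_kn` does not say what is questionable about it. With `/` unveiled `"r"` by the test itself, `/dev/zero` is covered by a user-set entry, so a reader would probably expect the `O_RDWR` open to be refused for lack of permission rather than reported as nonexistent, yet the test pins `ENOENT`. If that errno is a known wart, spell it out, e.g. `/* XXX covered by "/" "r"; arguably should be EACCES */`, so the regress does not quietly bless it. The descriptors from the two successful `open` calls are also never closed, which is harmless only if `runcompare` runs each test in its own short-lived process (not visible in this hunk).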
@@ -880,5 +897,6 @@ main (int argc, char *argv[])
failures += runcompare(test_bypassunveil);
failures += runcompare_internal(test_fork, 0);
failures += runcompare(test_dotdotup);
+ failures += runcompare(test_kn);
exit(failures);
}
diff --git a/sys/kern/kern_unveil.c b/sys/kern/kern_unveil.c
index ce4f4a34ce7..d3e13116aae 100644
--- a/sys/kern/kern_unveil.c
+++ b/sys/kern/kern_unveil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_unveil.c,v 1.19 2019/01/06 18:33:26 kettenis Exp $ */
+/* $OpenBSD: kern_unveil.c,v 1.20 2019/01/14 04:02:39 beck Exp $ */
/*
* Copyright (c) 2017-2018 Bob Beck <beck@openbsd.org>
@@ -740,8 +740,11 @@ unveil_check_component(struct proc *p, struct nameidata *ni, struct vnode *dp)
/*
* adjust unveil match as necessary
*/
- ni->ni_unveil_match = unveil_covered(
- ni->ni_unveil_match, dp, p->p_p);
+ uv = unveil_covered(ni->ni_unveil_match, dp,
+ p->p_p);
+ /* clear the match when we DOTDOT above it */
+ if (ni->ni_unveil_match->uv_vp == dp)
+ ni->ni_unveil_match = NULL;
}
else
uv = unveil_lookup(dp, p, NULL);
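Review bot: The new test `ni->ni_unveil_match->uv_vp == dp` dereferences `ni_unveil_match` without a NULL check, and the very next line is what sets that field to NULL. A lookup with a second `..` component after the match has been cleared, or one that reaches this branch before any match was recorded, would then fault in the kernel, unless the enclosing condition rules that out; that condition starts outside the hunk. Guarding the dereference costs nothing: `if (ni->ni_unveil_match != NULL && ni->ni_unveil_match->uv_vp == dp)`. It is also worth confirming that `unveil_covered()` tolerates a NULL first argument on that same path.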
@@ -843,7 +846,7 @@ unveil_check_final(struct proc *p, struct nameidata *ni)
if (uv->uv_flags & UNVEIL_USERSET)
return EACCES;
else
- return ENOENT;
+ goto done;
}
/* directory flags match, update match */
if (uv->uv_flags & UNVEIL_USERSET)