[gentoo-commits] proj/sandbox:master commit in: libsandbox/, tests/

["Michał Górny" <mgorny@gentoo.org>]

commit:     9ed52ff7daa39cdf4748f5b9c91358f421c8be7a
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Mon Sep 25 18:42:03 2017 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Oct  3 16:38:51 2017 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9ed52ff7

libsandbox: Fix path matching not to dumbly match prefixes

Fix the path matching code to match prefixes component-wide rather than
literally. This means that a path such as '/foo' will no longer match
'/foobar' but only '/foo' and its subdirectories (if it is a directory).

 libsandbox/libsandbox.c | 22 +++++++++++++++++++---
 tests/script-14.sh      | 20 ++++++++++++++++++++
 tests/script.at         |  1 +
 3 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index e164dcf..962690e 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -632,9 +632,25 @@ static int check_prefixes(char **prefixes, int num_prefixes, const char *path)
 		return 0;
 
 	size_t i;
-	for (i = 0; i < num_prefixes; ++i)
-		if (prefixes[i] && !strncmp(path, prefixes[i], strlen(prefixes[i])))
-			return 1;
+	for (i = 0; i < num_prefixes; ++i) {
+		if (unlikely(!prefixes[i]))
+			continue;
+
+		size_t prefix_len = strlen(prefixes[i]);
+		/* Start with a regular prefix match for speed */
+		if (strncmp(path, prefixes[i], prefix_len))
+			continue;
+
+		/* Now, if prefix did not end with a slash, we need to make sure
+		 * we are not matching in the middle of a filename. So check
+		 * whether the match is followed by a slash, or NUL.
+		 */
+		if (prefixes[i][prefix_len-1] != '/'
+				&& path[prefix_len] != '/' && path[prefix_len] != '\0')
+			continue;
+
+		return 1;
+	}
 
 	return 0;
 }

diff --git a/tests/script-14.sh b/tests/script-14.sh
new file mode 100644
index 0000000..6fa55a0
--- /dev/null
+++ b/tests/script-14.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# check that paths don't accidentally match other files by prefix
+[ "${at_xfail}" = "yes" ] && exit 77 # see script-0
+
+(
+# This clobbers all existing writable paths for this one write.
+SANDBOX_PREDICT=/dev/null
+SANDBOX_WRITE="${PWD}/foo"
+echo FAIL >foobar
+)
+# the write to 'logfoobar' should be rejected since only 'log'
+# is supposed to be writable
+if [ $? -eq 0 ] ; then
+	exit 1
+fi
+
+# and we should have gotten a sandbox violation
+test -s "${SANDBOX_LOG}"
+
+exit $?

diff --git a/tests/script.at b/tests/script.at
index 58a5077..9134ac1 100644
--- a/tests/script.at
+++ b/tests/script.at
@@ -11,3 +11,4 @@ SB_CHECK(10)
 SB_CHECK(11)
 SB_CHECK(12)
 SB_CHECK(13)
+SB_CHECK(14)