From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 15 Feb 2021 15:49:09 +0000 (+0100)
Subject: confile: forbid walking upwards for confile items that modify cgroup layout
X-Git-Tag: lxc-5.0.0~286^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a48ee66c6e982657584a7df7ddc621d1fed9487;p=thirdparty%2Flxc.git

confile: forbid walking upwards for confile items that modify cgroup layout

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 2176644c1..8153b72bb 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1815,7 +1815,6 @@ static int set_config_cgroup2_controller(const char *key, const char *value,
 					      CGROUP2_SUPER_MAGIC);
 }
 
-
 static int set_config_cgroup_dir(const char *key, const char *value,
 				 struct lxc_conf *lxc_conf, void *data)
 {
@@ -1825,6 +1824,9 @@ static int set_config_cgroup_dir(const char *key, const char *value,
 	if (lxc_config_value_empty(value))
 		return clr_config_cgroup_dir(key, lxc_conf, NULL);
 
+	if (dotdot(value))
+		return syserrno_set(-EINVAL, "%s paths may not walk upwards via \"../\"", key);
+
 	return set_config_path_item(&lxc_conf->cgroup_meta.dir, value);
 }
 
@@ -1834,6 +1836,9 @@ static int set_config_cgroup_monitor_dir(const char *key, const char *value,
 	if (lxc_config_value_empty(value))
 		return clr_config_cgroup_monitor_dir(key, lxc_conf, NULL);
 
+	if (dotdot(value))
+		return syserrno_set(-EINVAL, "%s paths may not walk upwards via \"../\"", key);
+
 	return set_config_path_item(&lxc_conf->cgroup_meta.monitor_dir, value);
 }
 
@@ -1843,6 +1848,9 @@ static int set_config_cgroup_monitor_pivot_dir(const char *key, const char *valu
 	if (lxc_config_value_empty(value))
 		return clr_config_cgroup_monitor_pivot_dir(key, lxc_conf, NULL);
 
+	if (dotdot(value))
+		return syserrno_set(-EINVAL, "%s paths may not walk upwards via \"../\"", key);
+
 	return set_config_path_item(&lxc_conf->cgroup_meta.monitor_pivot_dir, value);
 }
 
@@ -1853,6 +1861,9 @@ static int set_config_cgroup_container_dir(const char *key, const char *value,
 	if (lxc_config_value_empty(value))
 		return clr_config_cgroup_container_dir(key, lxc_conf, NULL);
 
+	if (dotdot(value))
+		return syserrno_set(-EINVAL, "%s paths may not walk upwards via \"../\"", key);
+
 	return set_config_path_item(&lxc_conf->cgroup_meta.container_dir, value);
 }
 
diff --git a/src/lxc/log.h b/src/lxc/log.h
index 6391b5488..1f7857582 100644
--- a/src/lxc/log.h
+++ b/src/lxc/log.h
@@ -501,6 +501,14 @@ __lxc_unused static inline void LXC_##LEVEL(struct lxc_log_locinfo* locinfo,	\
 		__internal_ret__;                             \
 	})
 
+#define syserrno_set(__ret__, format, ...)                    \
+	({                                                    \
+		typeof(__ret__) __internal_ret__ = (__ret__); \
+		errno = abs(__ret__);                         \
+		SYSERROR(format, ##__VA_ARGS__);              \
+		__internal_ret__;                             \
+	})
+
 #define log_error(__ret__, format, ...)                       \
 	({                                                    \
 		typeof(__ret__) __internal_ret__ = (__ret__); \
diff --git a/src/lxc/string_utils.h b/src/lxc/string_utils.h
index f12879254..f18f274d6 100644
--- a/src/lxc/string_utils.h
+++ b/src/lxc/string_utils.h
@@ -140,6 +140,11 @@ static inline bool strequal(const char *str, const char *eq)
 	return strcmp(str, eq) == 0;
 }
 
+static inline bool dotdot(const char *str)
+{
+	return !!strstr(str, "..");
+}
+
 #define strnprintf(buf, buf_size, ...)                                            \
 	({                                                                        \
 		int __ret_strnprintf;                                             \