umount: sanitize paths from non-root users

Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/sys-utils/umount.c b/sys-utils/umount.c
index 1fbf281c8e58f9d9bbf7c5aff6cc346d931f96c8..28ced8fc059103cc05643b70516faf254ece1523 100644 (file)
--- a/sys-utils/umount.c
+++ b/sys-utils/umount.c
@@ -35,6 +35,7 @@
 #include "optutils.h"
 #include "exitcodes.h"
 #include "closestream.h"
+#include "canonicalize.h"
 
 static int table_parser_errcb(struct libmnt_table *tb __attribute__((__unused__)),
                        const char *filename, int line)
@@ -300,6 +301,24 @@ static int umount_one(struct libmnt_context *cxt, const char *spec)
        return rc;
 }
 
+/*
+ * Check path -- non-root user should not be able to resolve path which is
+ * unreadable for him.
+ */
+static char *sanitize_path(const char *path)
+{
+       char *p;
+
+       if (!path)
+               return NULL;
+
+       p = canonicalize_path_restricted(path);
+       if (!p)
+               err(MOUNT_EX_USAGE, "%s", path);
+
+       return p;
+}
+
 int main(int argc, char **argv)
 {
        int c, rc = 0, all = 0;
@@ -412,8 +431,19 @@ int main(int argc, char **argv)
        } else if (argc < 1) {
                usage(stderr);
 
-       } else while (argc--)
-               rc += umount_one(cxt, *argv++);
+       } else {
+               while (argc--) {
+                       char *path = *argv++;
+
+                       if (mnt_context_is_restricted(cxt))
+                               path = sanitize_path(path);
+
+                       rc += umount_one(cxt, path);
+
+                       if (mnt_context_is_restricted(cxt))
+                               free(path);
+               }
+       }
 
        mnt_free_context(cxt);
        return rc;