More correct pathname resolution.

scratchbox2/execs/sb_exec.c

@@ -1462,6 +1462,17 @@ static int prepare_exec(const char *exec_fn_name,
 		exec_policy_name = (mapping_result.mres_exec_policy_name ?
 			strdup(mapping_result.mres_exec_policy_name) : NULL);
 		STOP_AND_REPORT_PROCESSCLOCK(SB_LOGLEVEL_INFO, &clk3, mapped_file);
+
+		if (mapping_result.mres_errno) {
+			int saved_errno = mapping_result.mres_errno;
+			SB_LOG(SB_LOGLEVEL_DEBUG,
+				"Mapping failed (%s) => errno=%d",
+				my_file, mapping_result.mres_errno);
+			free_mapping_results(&mapping_result);
+			errno = saved_errno;
+			ret = -1;
+			goto out;
+		}
 
 		free_mapping_results(&mapping_result);
 
@@ -1664,8 +1675,10 @@ static int prepare_exec(const char *exec_fn_name,
 	*new_file = mapped_file;
 	*new_argv = my_argv;
 	*new_envp = my_envp;
+	err = errno;
 	STOP_AND_REPORT_PROCESSCLOCK(SB_LOGLEVEL_INFO, &clk1, orig_file);
 	if (info.pt_interp) free(info.pt_interp);
+	errno = err;
 	return(ret);
 }
 
@@ -1712,15 +1725,17 @@ int do_exec(int *result_errno_ptr,
 			&type, &new_file, &new_argv, &new_envp);
 
 		if (SB_LOG_IS_ACTIVE(SB_LOGLEVEL_DEBUG)) {
+			int saved_errno = errno;
 			/* find out and log if preprocessing did something */
 			compare_and_log_strvec_changes("argv", orig_argv, new_argv);
 			compare_and_log_strvec_changes("envp", my_envp_copy, new_envp);
+			errno = saved_errno;
 		}
 
 		if (r < 0) {
+			*result_errno_ptr = errno;
 			SB_LOG(SB_LOGLEVEL_DEBUG,
 				"EXEC denied by prepare_exec(), %s", orig_file);
-			*result_errno_ptr = errno;
 			STOP_AND_REPORT_PROCESSCLOCK(SB_LOGLEVEL_INFO, &clk1, "Exec denied");
 			return(r); /* exec denied */
 		}

scratchbox2/include/mapping.h

@@ -73,18 +73,22 @@ extern void free_mapping_results(mapping_results_t *res);
 
 extern void force_path_to_mapping_result(mapping_results_t *res, const char *path);
 
+#define SBOX_MAP_PATH_DONT_RESOLVE_FINAL_SYMLINK 0x01
+#define SBOX_MAP_PATH_ALLOW_NONEXISTENT          0x02
+
 extern void sbox_map_path(const char *func_name, const char *path,
-	int dont_resolve_final_symlink, mapping_results_t *res, uint32_t classmask);
+	uint32_t flags, mapping_results_t *res, uint32_t classmask);
 
 extern void sbox_map_path_at(const char *func_name, int dirfd,
-	const char *path, int dont_resolve_final_symlink,
+	const char *path, uint32_t flags,
 	mapping_results_t *res, uint32_t classmask);
 
 extern char *sbox_virtual_path_to_abs_virtual_path(
         const char *binary_name,
         const char *func_name,
         uint32_t fn_class,
-        const char *virtual_orig_path);
+        const char *virtual_orig_path,
+        int *res_errno);
 
 extern void sbox_map_path_for_sb2show(const char *binary_name,
 	const char *func_name, const char *path, mapping_results_t *res);
@@ -94,7 +98,7 @@ extern void sbox_map_path_for_exec(const char *func_name, const char *path,
 
 extern void custom_map_path(const char *binary_name,
 	const char *func_name, const char *virtual_path,
-	int dont_resolve_final_symlink, uint32_t fn_class,
+	uint32_t flags, uint32_t fn_class,
 	mapping_results_t *res, ruletree_object_offset_t rule_list_offset);
 
 extern char *custom_map_abstract_path(

scratchbox2/pathmapping/pathlistutils.c

@@ -188,23 +188,24 @@ struct path_entry *split_path_to_path_entries(
 	}
 
 	do {
+		int	len;
+
 		next_slash = strchr(start, '/');
+		if (next_slash) {
+			len = next_slash - start;
+		} else {
+			/* no more slashes */
+			len = strlen(start);
+		}
 
 		/* ignore empty strings resulting from // */
-		if (next_slash != start) {
+		if (len == 0) {
+			/* but notice if there is trailing slash */
+			if (!next_slash)
+				flags |= PATH_FLAGS_HAS_TRAILING_SLASH;
+		} else {
 			struct path_entry *new;
-			int	len;
-
-			if (next_slash) {
-				len = next_slash - start;
-				if (!next_slash[1]) {
-					flags |= PATH_FLAGS_HAS_TRAILING_SLASH;
-					next_slash = NULL;
-				}
-			} else {
-				/* no more slashes */
-				len = strlen(start);
-			}
+
 			new = malloc(sizeof(struct path_entry) + len);
 			if(!first) first = new;
 			if (!new) abort();
@@ -400,7 +401,12 @@ char *clean_and_log_fs_mapping_result(
 		 * recursive calls to sb_path_resolution.
 		*/
 		remove_dots_from_path_list(&list);
-		clean_dotdots_from_path(ctx, &list);
+		if (clean_dotdots_from_path(ctx, &list)) {
+			SB_LOG(result_log_level, "fail: %s '%s'",
+				ctx->pmc_func_name, abs_clean_virtual_path);
+			free_path_list(&list);
+			return(NULL);
+		}
 		break;
 	}
 	cleaned_host_path = path_list_to_string(&list);

scratchbox2/pathmapping/pathmapping.h

@@ -86,6 +86,9 @@ typedef struct path_mapping_context_s {
 	uint32_t		pmc_fn_class;
 	const char		*pmc_virtual_orig_path;
 	int			pmc_dont_resolve_final_symlink;
+	int			pmc_file_must_exist;
+	int			pmc_must_be_directory;
+	int			pmc_allow_nonexistent;
 	struct sb2context	*pmc_sb2ctx;
 
 	/* for paths_ruletree_mapping.c: */
@@ -151,7 +154,7 @@ extern ruletree_object_offset_t ruletree_get_mapping_requirements(
 extern void remove_dots_from_path_list(struct path_entry_list *listp);
 
 /* "complex" path cleaning (may call path resolution recursively): */
-extern void clean_dotdots_from_path(
+extern int clean_dotdots_from_path(
 	const path_mapping_context_t *ctx,
 	struct path_entry_list *abs_path);
 
@@ -160,7 +163,7 @@ extern void sbox_map_path_internal__lua_engine(
 	const char *binary_name,
 	const char *func_name,
 	const char *virtual_orig_path,
-	int dont_resolve_final_symlink,
+	uint32_t flags,
 	int process_path_for_exec,
 	uint32_t fn_class,
 	mapping_results_t *res);
@@ -170,7 +173,7 @@ extern void sbox_map_path_internal__c_engine(
 	const char *binary_name,
 	const char *func_name,
 	const char *virtual_orig_path,
-	int dont_resolve_final_symlink,
+	uint32_t flags,
 	int process_path_for_exec,
 	uint32_t fn_class,
 	mapping_results_t *res,

scratchbox2/pathmapping/pathmapping_interf.c

@@ -29,7 +29,7 @@ static void fwd_map_path(
 	const char *binary_name,
 	const char *func_name,
 	const char *virtual_path,
-	int dont_resolve_final_symlink,
+	uint32_t flags,
 	int exec_mode,
 	uint32_t fn_class,
 	mapping_results_t *res)
@@ -49,7 +49,7 @@ static void fwd_map_path(
 		START_PROCESSCLOCK(SB_LOGLEVEL_INFO, &clk1, "fwd_map_path");
 		sbox_map_path_internal__c_engine(sb2ctx, binary_name,
 			func_name, virtual_path,
-			dont_resolve_final_symlink, 0, fn_class, res, 0);
+			flags, 0, fn_class, res, 0);
 		if (res->mres_errormsg) {
 			SB_LOG(SB_LOGLEVEL_NOTICE,
 				"C path mapping engine failed (%s) (%s)",
@@ -70,7 +70,7 @@ void custom_map_path(
 	const char *binary_name,
 	const char *func_name,
 	const char *virtual_path,
-	int dont_resolve_final_symlink,
+	uint32_t flags,
 	uint32_t fn_class,
 	mapping_results_t *res,
 	ruletree_object_offset_t rule_list_offset)
@@ -91,7 +91,7 @@ void custom_map_path(
 
 		sbox_map_path_internal__c_engine(sb2ctx, binary_name,
 			func_name, virtual_path,
-			dont_resolve_final_symlink, 0, fn_class, res, rule_list_offset);
+			flags, 0, fn_class, res, rule_list_offset);
 
 		if (res->mres_fallback_to_lua_mapping_engine &&
 		    (res->mres_fallback_to_lua_mapping_engine[0] == '#')) {
@@ -217,28 +217,28 @@ void sbox_map_path_for_sb2show(
 	}
 
 	fwd_map_path(binary_name, func_name, virtual_path,
-		0/*dont_resolve_final_symlink*/, 0/*exec_mode*/, fn_class, res);
+		0/*flags*/, 0/*exec_mode*/, fn_class, res);
 }
 
 void sbox_map_path(
 	const char *func_name,
 	const char *virtual_path,
-	int dont_resolve_final_symlink,
+	uint32_t flags,
 	mapping_results_t *res,
 	uint32_t classmask)
 {
 	fwd_map_path(
 		(sbox_binary_name ? sbox_binary_name : "UNKNOWN"),
 		func_name, virtual_path,
-		dont_resolve_final_symlink, 0/*exec_mode*/, classmask, res);
+		flags, 0/*exec_mode*/, classmask, res);
 }
 
 
 void sbox_map_path_at(
 	const char *func_name,
 	int dirfd,
 	const char *virtual_path,
-	int dont_resolve_final_symlink,
+	uint32_t flags,
 	mapping_results_t *res,
 	uint32_t classmask)
 {
@@ -259,7 +259,7 @@ void sbox_map_path_at(
 		fwd_map_path(
 			(sbox_binary_name ? sbox_binary_name : "UNKNOWN"),
 			func_name, virtual_path,
-			dont_resolve_final_symlink, 0/*exec_mode*/, classmask, res);
+			flags, 0/*exec_mode*/, classmask, res);
 		return;
 	}
 
@@ -281,7 +281,7 @@ void sbox_map_path_at(
 		fwd_map_path(
 			(sbox_binary_name ? sbox_binary_name : "UNKNOWN"),
 			func_name,
-			virtual_abs_path_at_fd, dont_resolve_final_symlink, 0/*exec_mode*/, classmask, res);
+			virtual_abs_path_at_fd, flags, 0/*exec_mode*/, classmask, res);
 		free(virtual_abs_path_at_fd);
 
 		return;
@@ -307,7 +307,7 @@ void sbox_map_path_for_exec(
 	fwd_map_path(
 		(sbox_binary_name ? sbox_binary_name : "UNKNOWN"),
 		func_name,
-		virtual_path, 0/*dont_resolve_final_symlink*/, 1/*exec mode*/, 
+		virtual_path, 0/*flags*/, 1/*exec mode*/,
 		SB2_INTERFACE_CLASS_EXEC, res);
 }