In various contexts it's a bit icky to allow paths below /proc/, /sys/, /dev/, i.e. the file hierarchies where the API VFS are placed. Let's add a new flag for path_simplify_and_warn() to check for this and refuse a path if it lies within one of these hierarchies. Enable this when parsing WorkingDirectory=. This is inspired by CVE-2024-21626, which uses trickery around the cwd and /proc/self/fd/. AFAICS we are not actually vulnerable to the same issue as explained in the CVE, since we apply the WorkingDirectory= setting very late, i.e. long after we set up the new mount namespace. But let's filter out icky stuff earlier rather than later, as an extra safety precaution.
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#include <stdint.h>
/* Flags controlling how path_simplify_and_warn() validates a path; combine with bitwise OR. */
typedef enum PathSimplifyWarnFlags {
        PATH_CHECK_FATAL         = 1 << 0, /* If not set, then error message is appended with 'ignoring'. */
        PATH_CHECK_ABSOLUTE      = 1 << 1, /* Presumably requires the path to be absolute — confirm against the definition. */
        PATH_CHECK_RELATIVE      = 1 << 2, /* Presumably requires the path to be relative — confirm against the definition. */
        PATH_KEEP_TRAILING_SLASH = 1 << 3, /* Presumably keeps a trailing '/' that simplification would otherwise drop — confirm. */
        PATH_CHECK_NON_API_VFS   = 1 << 4, /* Refuse paths below the API VFS hierarchies (/proc/, /sys/, /dev/). Enabled for
                                            * WorkingDirectory= so that cwd trickery via e.g. /proc/self/fd/ is rejected at
                                            * parse time rather than relied upon being harmless at exec time. */
} PathSimplifyWarnFlags;
/* Simplifies 'path' in place and validates it according to 'flags' (see PathSimplifyWarnFlags).
 * 'unit', 'filename', 'line' and 'lvalue' describe the configuration source being parsed and are
 * presumably used to attribute the message logged when a check fails (cf. the 'ignoring' suffix
 * noted on PATH_CHECK_FATAL). Return convention is not visible here; presumably negative errno-style
 * on failure, as elsewhere in this codebase — confirm against the definition. */
int path_simplify_and_warn(
                char *path,
                PathSimplifyWarnFlags flags,
                const char *unit,
                const char *filename,
                unsigned line,
                const char *lvalue);
/* Parses one socket-bind item from 'str' into the out-parameters. The accepted syntax is not
 * visible here; the parameter names suggest an address family, an IP protocol, and a port range
 * expressed as a first port plus a count — confirm against the definition. Return convention
 * presumably negative errno-style on failure. */
int parse_socket_bind_item(
                const char *str,
                int *address_family,
                int *ip_protocol,
                uint16_t *nr_ports,
                uint16_t *port_min);
/* Configuration-file parser callback for a path-valued setting. The signature follows the other
 * config_parse_*() callbacks: 'unit', 'filename', 'line', 'section' and 'section_line' locate the
 * setting being parsed, 'lvalue' is the key, 'ltype' a caller-chosen type tag, 'rvalue' the raw
 * value string, 'data' the destination field and 'userdata' caller-supplied context. The name
 * suggests that an invalid path is logged and ignored rather than treated as fatal — confirm
 * against the definition. */
int config_parse_path_or_ignore(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata);