From aa15ecac3f6b7d995748fd668c39cf1c8c63e476 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 30 May 2018 18:21:58 +0200 Subject: [PATCH] smack: make mac_smack_fix() deal somewhat sensible with non-absolute paths This tries to improve the mac_smack_fix() logic a bit, by properly handling non-absolute paths. It's still pretty broken though, which is sad for security technology: non-normalized paths (for example "/usr/../dev/sda") will still not be treated correctly. I am not sure how to fix that properly though, and I don't understand SMACK well enough to do so. This fix hence just fixes to most obvious glaring issue. --- src/basic/smack-util.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/basic/smack-util.c b/src/basic/smack-util.c index d292b6afb..491b421ab 100644 --- a/src/basic/smack-util.c +++ b/src/basic/smack-util.c @@ -138,9 +138,22 @@ int mac_smack_fix(const char *path, LabelFixFlags flags) { if (!mac_smack_use()) return 0; - /* Path must be in /dev */ - if (!path_startswith(path, "/dev")) - return 0; + /* Path must be in /dev. Note that this check is pretty sloppy, as we might be called with non-normalized paths + * and hence not detect all cases of /dev. */ + + if (path_is_absolute(path)) { + if (!path_startswith(path, "/dev")) + return 0; + } else { + _cleanup_free_ char *cwd = NULL; + + r = safe_getcwd(&cwd); + if (r < 0) + return r; + + if (!path_startswith(cwd, "/dev")) + return 0; + } fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); if (fd < 0) { -- 2.30.2