From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id DD3718094; Wed, 29 Oct 2025 10:14:28 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 993) id 00D327FC9; Wed, 29 Oct 2025 10:14:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1 Received: from mail-yx1-xb134.google.com (mail-yx1-xb134.google.com [IPv6:2607:f8b0:4864:20::b134]) by atuin.qyliss.net (Postfix) with ESMTPS id 0D7097FB4 for ; Wed, 29 Oct 2025 10:14:24 +0000 (UTC) Received: by mail-yx1-xb134.google.com with SMTP id 956f58d0204a3-63d8788b18dso7646259d50.2 for ; Wed, 29 Oct 2025 03:14:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761732863; x=1762337663; darn=spectrum-os.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=bQGouPNvEBuvvkerZSAo+uHDbtKffarAc7X6pS5ABH0=; b=K500qiPuFfX5Lr3zSkPIUdFk8NBzxMv8nz38RAiaZCsXj0WTtBFxz36O8639GXPQRR HMq0ej6hwnlblhYHL/w2YMCVeEksAbWbI/qGxKjNSxHUa2CSJC/JnNJYm3K0EhJAjcmU UmCr6E/diNO8QhXM2zeyFlEAf7b9kFYKGruiAtpd+Pdl1TcIrDLXJqc8RHdrcuD8O1V/ MJt8eQxULMZ7T7b8fNtjdiNkSOc4cgFmcRRj1842rsm9dw/L6PtVZPbW1SFDusgkDEY1 RdAmQ8V7gGnLvCEZiM4lBxlD6GdHMcYQE7n8WB9dJ8+Ct5qXAygBKB44nDdsJV73jCX7 1N+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761732863; x=1762337663; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bQGouPNvEBuvvkerZSAo+uHDbtKffarAc7X6pS5ABH0=; b=TOwVT5AxNmIjyFTqr5GFaNxMRbK1HVD+R6w3miRd2CvYKrr5aiMZoy2qSZGlr83ngd 5zvxnwnPkvb1Ezszl4uiXQcko5tYZ+D0NrWLQVnq0Mj+GV0DlxlJt1JElvv2i2Oar9jb d6nMQ+B5oUkNcirLsRgTFqjQmNlaw/1BxKtd9nA5QxnwYKs/lWhGhEaXF/Mt1FyMpyOp bXVupdFTIkyrIYzBIV/yiHiwUkqvlE+iLB+/qH0/BAJYVSLcKUrvirT2cxU6m3iy9Bww Z7BlCnf7+HXjXvlPARZvK6BDVtIB/j1LIG9hF6fAfvwBAwb8gn/ah9TCW3wdoj4Y2mLv zM3w== X-Gm-Message-State: AOJu0YxMcteJPjWZ4LphqppCbpYPfzmy+yPxaCzhWPFxrl0gyh3RpDEl mTwhZOUKMtj5aetzRN37vJWwrIEkoNmNjrY7wBRXpZVB9cvNbW0rmhoo2JX1qg== X-Gm-Gg: ASbGnctsK48JOhVYWlhLV7yGKO9KpPWMjWh6YoZpV2CtgjjJRiwE3Z9AXFy3JBVM92g 133Mm+RF74MbWAu0bk0ayjp8yy6IsoIaN1mA8vWG5Rcu5oAd0jvVgfnbG52lnEw7QJkwDXamU3c XiXF2bi88skrpUwim+oEDkCvruGb14eiz4A+o6ZYIVoT85ENBQZ6zrPPi9I/Hj82qfB1iHyFbgq x9g3+cta7KLIcz272FwNXBneBje9QBqktJPBrEVGuW6mFt7LnowJ4H5t2EwGFGGaMjIq4cElRFx HIYT27bSuCcbtLoTh+rGly8p56QNrcSK6xGjQIy2/AnJ1y+jO+1Y+bvYXsg7wxvR87Ovwo4rkwN Q7x8pI2Gg+ceYCn3hd9wL5JPiv/Ts8O23cmJnAgnMjPL8KiSkd94ctEox/2zmuP8bzSfLnH9ofe 843VxBQNtfOjf+BhVeb5rnGrKvfIFA/pOJs8niwkcqqQ8C3n0tZaCEEkzbHqV+mTWBHlTap7ZeZ BlVMxyJimE6u0Z8IUyqe1aF X-Google-Smtp-Source: AGHT+IGCFhpSykkXNUykVE5tzdTlv9BA4BwDGEXlPrL545zEhsArMKSHmNogyOxgWzBK5sGYsROdww== X-Received: by 2002:a53:cec5:0:b0:63d:ceaa:2666 with SMTP id 956f58d0204a3-63f76e153d6mr1400660d50.63.1761732862589; Wed, 29 Oct 2025 03:14:22 -0700 (PDT) Received: from localhost.localdomain (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169]) by smtp.gmail.com with UTF8SMTPSA id 956f58d0204a3-63f4c3bc3fdsm4095256d50.1.2025.10.29.03.14.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Oct 2025 03:14:22 -0700 (PDT) From: Demi Marie Obenour Date: Wed, 29 Oct 2025 06:12:42 -0400 Subject: [PATCH 3/7] tools: Add directory checker for updates MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20251029-updates-v1-3-401c1be2a11b@gmail.com> References: <20251029-updates-v1-0-401c1be2a11b@gmail.com> In-Reply-To: <20251029-updates-v1-0-401c1be2a11b@gmail.com> To: Spectrum OS Development X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1761732759; l=7137; i=demiobenour@gmail.com; s=20250729; h=from:subject:message-id; bh=G52mklAO2lsr/qocg0Vkc6bNgxvxldSaEhpAwVn7DXM=; b=IGcqR9BsFjWd4B2l8Q6O5VA2uvuLQmGqhNmIjCiU1X1kSKnyawp3jRnEjIJnLvI+3NoZe9Zdd AvJ+t0XVWBqBZ9aNDqfittANUTL264GYuNkLg+A2XEjfqDU0fg5tDFq X-Developer-Key: i=demiobenour@gmail.com; a=ed25519; pk=X57Q4/YQDj9t4SBeKaDwvXYKB6quZJVx/DE2Ly2out0= Message-ID-Hash: CL7PRMTLTPBGXDMVIEOERLFVT4QOL766 X-Message-ID-Hash: CL7PRMTLTPBGXDMVIEOERLFVT4QOL766 X-MailFrom: demiobenour@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1; header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3; header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Demi Marie Obenour , Alyssa Ross X-Mailman-Version: 3.3.9 Precedence: list List-Id: Patches and low-level development discussion Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Spectrum OS's host has no network access. Updates must be downloaded by VMs. The downloads are placed into a bind-mounted directory. The VM can write whatever it wants into that directory. This includes symlinks that subsequent code might open, which would create a path traversal vulnerability. It also includes paths with names containing containing terminal escape sequences, newlines, or other nastiness. Furthermore, the directory should not have any subdirectories either. Add a simple C program that checks for such ugliness and indicates (via its exit code) if the VM misbehaved. It also ensures that both SHA256SUMS and SHA256SUMS.gpg are present. Signed-off-by: Demi Marie Obenour --- host/rootfs/Makefile | 6 +- lib/kcmdline-utils.mk | 6 ++ tools/default.nix | 1 + tools/meson.build | 1 + tools/updates-dir-check/meson.build | 4 ++ tools/updates-dir-check/updates-dir-check.c | 94 +++++++++++++++++++++++++++++ 6 files changed, 110 insertions(+), 2 deletions(-) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 00d125774bb7b98736d0928c69cb307740cee034..15752286f5924291768f0655a12b90c702730520 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -62,6 +62,9 @@ build/fifo: build/empty: mkdir -p $@ +build/etc: + mkdir -p $@ + # s6-rc-compile's input is a directory, but that doesn't play nice # with Make, because it won't know to update if some file in the # directory is changed, or a file is created or removed in a @@ -69,8 +72,7 @@ build/empty: # including files that aren't intended to be part of the input, like # temporary editor files or .license files. So for all these reasons, # only explicitly listed files are made available to s6-rc-compile. -build/etc/s6-rc: $(S6_RC_FILES) file-list.mk - mkdir -p $$(dirname $@) +build/etc/s6-rc: $(S6_RC_FILES) file-list.mk build/etc rm -rf $@ set -uo pipefail && dir=$$(mktemp -d) && \ { tar -c $(S6_RC_FILES) | tar -C $$dir -x --strip-components 3; } && \ diff --git a/lib/kcmdline-utils.mk b/lib/kcmdline-utils.mk new file mode 100644 index 0000000000000000000000000000000000000000..fa228552e583f15fc77a746985060ad5d04cdf2c --- /dev/null +++ b/lib/kcmdline-utils.mk @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross +READ_ROOTHASH = { \ + set -eufo pipefail; \ + read -r version < ../../version; \ + LC_ALL=C expr "x$$version" : '^\(x0\|x[1-9][0-9]*\)\(\.\(0\|[1-9][0-9]*\)\)\{2\}$$' >/dev/null; } diff --git a/tools/default.nix b/tools/default.nix index ca165b5ec8ae1a63b75af4a34f33e320b262ba7b..e644f4e710e56f32de27ea10047cba3cffd0ecdf 100644 --- a/tools/default.nix +++ b/tools/default.nix @@ -78,6 +78,7 @@ stdenv.mkDerivation (finalAttrs: { ./start-vmm ./subprojects ./sd-notify-adapter + ./updates-dir-check ] ++ lib.optionals driverSupport [ ./xdp-forwarder ])); diff --git a/tools/meson.build b/tools/meson.build index 5d0ae81042fd3d77646594500f32cb1d48a6af0c..7da3bb451a5f1a797bc7e50a67c44dbd37ba60bf 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -28,6 +28,7 @@ if get_option('host') subdir('lsvm') subdir('start-vmm') subdir('sd-notify-adapter') + subdir('updates-dir-check') endif if get_option('app') diff --git a/tools/updates-dir-check/meson.build b/tools/updates-dir-check/meson.build new file mode 100644 index 0000000000000000000000000000000000000000..e19691d0e35f8a051e897990f0376384b3625c1a --- /dev/null +++ b/tools/updates-dir-check/meson.build @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour + +executable('updates-dir-check', 'updates-dir-check.c', install: true, c_args: ['-D_GNU_SOURCE=1', '-UNDEBUG', '-Wno-error=pedantic']) diff --git a/tools/updates-dir-check/updates-dir-check.c b/tools/updates-dir-check/updates-dir-check.c new file mode 100644 index 0000000000000000000000000000000000000000..94c7d54bec38d6efbd5b8aca257f3ec4ad3fae35 --- /dev/null +++ b/tools/updates-dir-check/updates-dir-check.c @@ -0,0 +1,94 @@ +// SPDX-License-Identifier: EUPL-1.2+ +// SPDX-FileCopyrightText: 2025 Demi Marie Obenour +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include +#include + +#include + +static void checkdir(int fd) +{ + DIR *d = fdopendir(fd); + if (d == NULL) + err(1, "fdopendir"); + bool found_sha256sums = false; + bool found_sha256sums_gpg = false; + for (;;) { + errno = 0; + struct dirent *entry = readdir(d); + if (entry == NULL) { + if (errno) + err(1, "readdir"); + break; + } + assert(entry->d_reclen > offsetof(struct dirent, d_name)); + size_t len = strnlen(entry->d_name, entry->d_reclen - offsetof(struct dirent, d_name)); + assert(len < entry->d_reclen - offsetof(struct dirent, d_name)); + assert(len > 0); + if (entry->d_name[0] == '.') + if (len == 1 || (len == 2 && entry->d_name[1] == '.')) + continue; + if (strcmp(entry->d_name, "SHA256SUMS") == 0) { + found_sha256sums = true; + continue; + } + if (strcmp(entry->d_name, "SHA256SUMS.gpg") == 0) { + found_sha256sums_gpg = true; + continue; + } + unsigned char c = (unsigned char)entry->d_name[0]; + if (!((c >= 'A' && c <= 'Z') || + (c >= 'a' && c <= 'z'))) + errx(1, "Filename must begin with an ASCII letter"); + for (size_t i = 1; i < len; ++i) { + c = (unsigned char)entry->d_name[i]; + if (!((c >= 'A' && c <= 'Z') || + (c >= 'a' && c <= 'z') || + (c >= '0' && c <= '9') || + (c == '_') || + (c == '-') || + (c == '.'))) { + if (c >= 0x20 && c <= 0x7E) + errx(1, "Forbidden subsequent character in filename: '%c'", (int)c); + else + errx(1, "Forbidden subsequent character in filename: byte %d", (int)c); + } + } + if (entry->d_name[len - 1] == '.') + errx(1, "Filename must not end with a '.'"); + if (entry->d_type != DT_REG) + errx(1, "Entry contains non-regular file %s", entry->d_name); + } + if (!found_sha256sums) + errx(1, "SHA256SUMS not found"); + if (!found_sha256sums_gpg) + errx(1, "SHA256SUMS.gpg not found"); + closedir(d); +} + +int main(int argc, char **argv) +{ + for (int i = 1; i < argc; ++i) { + // Avoid symlink attacks. + struct open_how how = { + .flags = O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_NOFOLLOW, + .resolve = RESOLVE_NO_SYMLINKS|RESOLVE_NO_MAGICLINKS, + }; + int fd = (int)syscall((long)SYS_openat2, (long)AT_FDCWD, (long)argv[i], + (long)&how, (long)sizeof(how)); + if (fd < 0) + err(1, "open(%s)", argv[i]); + checkdir(fd); + } + return 0; +} -- 2.51.2