desktop/source/lib/init.cxx | 9 ++
include/osl/file.h | 48 +++++++++++++
include/osl/file.hxx | 52 ++++++++++++++
sal/osl/unx/file.cxx | 152 +++++++++++++++++++++++++++++++++++++++++++
sal/osl/unx/file_impl.hxx | 2
sal/osl/unx/file_misc.cxx | 34 +++++++++
sal/osl/unx/file_stat.cxx | 6 +
sal/osl/unx/file_volume.cxx | 4 +
sal/osl/unx/pipe.cxx | 4 +
sal/osl/unx/process.cxx | 5 +
sal/osl/unx/profile.cxx | 4 +
sal/qa/osl/file/osl_File.cxx | 143 ++++++++++++++++++++++++++++++++++++++++
sal/util/sal.map | 6 +
13 files changed, 468 insertions(+), 1 deletion(-)
New commits:
commit 148915ef6d4bfc38deb6d98fb14429d7e6e27129
Author: Szymon Kłos <szymon.k...@collabora.com>
AuthorDate: Wed Nov 29 14:00:32 2023 +0100
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Mon Feb 10 10:25:04 2025 +0000
sal: osl::File allow to create files in sandbox
"realpath" returns NULL for path which doesn't exist.
Allow usage of non-existing paths if parent is allowed.
This allows to successfully start the sandboxed kit.
osl_setAllowedPaths will allow now to use:
/foo/bar/nonexisting - previously it was ignored, is needed for LOK
but /foo/bar/nonexisting/newlevel - still cannot be used
isForbidden now checks parents of non-existing dir and assumes
the same permissions, if parent doesn't exist - it tries with
parent of parent, etc ...
Change-Id: I1052747ca284d2f81dfd5c5fbf893936e7426220
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/160111
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Michael Meeks <michael.me...@collabora.com>
(cherry picked from commit c3bdba781e8c9d61ca9e2a3d8d2eaca435b9aaad)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/162486
Tested-by: Caolán McNamara <caolan.mcnam...@collabora.com>
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
(cherry picked from commit b410c4f06b3a341081c1591ef22660fae27f017e)
diff --git a/sal/osl/unx/file.cxx b/sal/osl/unx/file.cxx
index 52c9c53c3273..e0ff6ea66942 100644
--- a/sal/osl/unx/file.cxx
+++ b/sal/osl/unx/file.cxx
@@ -830,6 +830,18 @@ static std::vector<OString> allowedPathsRead;
static std::vector<OString> allowedPathsReadWrite;
static std::vector<OString> allowedPathsExecute;
+static OString getParentFolder(const OString &rFilePath)
+{
+ sal_Int32 n = rFilePath.lastIndexOf('/');
+ OString folderPath;
+ if (n < 1)
+ folderPath = ".";
+ else
+ folderPath = rFilePath.copy(0, n);
+
+ return folderPath;
+}
+
SAL_DLLPUBLIC void osl_setAllowedPaths(
rtl_uString *pustrFilePaths
)
@@ -860,9 +872,25 @@ SAL_DLLPUBLIC void osl_setAllowedPaths(
}
char resolvedPath[PATH_MAX];
- if (realpath(aPath.getStr(), resolvedPath))
+ bool isResolved = !!realpath(aPath.getStr(), resolvedPath);
+ bool notExists = !isResolved && errno == ENOENT;
+
+ if (notExists)
{
- OString aPushPath = OString(resolvedPath, strlen(resolvedPath));
+ sal_Int32 n = aPath.lastIndexOf('/');
+ OString folderPath = getParentFolder(aPath);
+ isResolved = !!realpath(folderPath.getStr(), resolvedPath);
+ notExists = !isResolved && errno == ENOENT;
+
+ if (notExists || !isResolved || strlen(resolvedPath) +
aPath.getLength() - n + 1 >= PATH_MAX)
+ return; // too bad
+ else
+ strcat(resolvedPath, aPath.getStr() + n);
+ }
+
+ if (isResolved)
+ {
+ OString aPushPath(resolvedPath, strlen(resolvedPath));
if (eType == 'r')
allowedPathsRead.push_back(aPushPath);
else if (eType == 'w')
@@ -892,13 +920,13 @@ bool isForbidden(const OString &filePath, int nFlags)
// fail to resolve. Thankfully our I/O APIs don't allow
// symlink creation to race here.
sal_Int32 n = filePath.lastIndexOf('/');
- OString folderPath;
- if (n < 1)
- folderPath = ".";
- else
- folderPath = filePath.copy(0, n);
- if (!realpath(folderPath.getStr(), resolvedPath) ||
- strlen(resolvedPath) + filePath.getLength() - n + 1 >= PATH_MAX)
+ OString folderPath = getParentFolder(filePath);
+
+ bool isResolved = !!realpath(folderPath.getStr(), resolvedPath);
+ bool notExists = !isResolved && errno == ENOENT;
+ if (notExists) // folder doesn't exist, check parent, in the end of
chain checks "."
+ return isForbidden(folderPath, nFlags);
+ else if (!isResolved || strlen(resolvedPath) + filePath.getLength() -
n + 1 >= PATH_MAX)
return true; // too bad
else
strcat(resolvedPath, filePath.getStr() + n);
diff --git a/sal/qa/osl/file/osl_File.cxx b/sal/qa/osl/file/osl_File.cxx
index 12751af63934..cd4f65dde929 100644
--- a/sal/qa/osl/file/osl_File.cxx
+++ b/sal/qa/osl/file/osl_File.cxx
@@ -1348,6 +1348,19 @@ namespace osl_Forbidden
void forbidden()
{
File::setAllowedPaths(maScratchGood);
+
+ // check some corner cases first
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read bad should be forbidden",
+ true, File::isForbidden(".",
osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read bad should be forbidden",
+ true, File::isForbidden("",
osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read bad should be forbidden",
+ true, File::isForbidden("a",
osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read bad should be forbidden",
+ true, File::isForbidden("/",
osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read from non-existent should be
allowed",
+ false,
File::isForbidden(maScratchGood + "/notthere/file", osl_File_OpenFlag_Read));
+
CPPUNIT_ASSERT_EQUAL_MESSAGE("read bad should be forbidden",
true, File::isForbidden(maScratchBad,
osl_File_OpenFlag_Read));
CPPUNIT_ASSERT_EQUAL_MESSAGE("read from good should be allowed",
@@ -1372,6 +1385,18 @@ namespace osl_Forbidden
true,
File::isForbidden(maScratchGood, 0x80));
CPPUNIT_ASSERT_EQUAL_MESSAGE("exec from bad should be allowed",
false,
File::isForbidden(maScratchBad, 0x80));
+
+ File::setAllowedPaths(":r:" + maScratchBad);
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("write to non-existent should be
forbidden",
+ true, File::isForbidden(maScratchGood
+ "/notthere", osl_File_OpenFlag_Write));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("write to non-existent should be
forbidden 2",
+ true, File::isForbidden(maScratchGood
+ "/notthere/file", osl_File_OpenFlag_Write));
+
+ File::setAllowedPaths(":r:" + maScratchBad + ":w:" + maScratchGood
+ "/notthere");
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("write to non-existent should be
allowed",
+ false,
File::isForbidden(maScratchGood + "/notthere", osl_File_OpenFlag_Write));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("write to non-existent should be
allowed 2",
+ false,
File::isForbidden(maScratchGood + "/notthere/file", osl_File_OpenFlag_Write));
}
void open()
commit 55243a397add76fcff8c67284ba57205a1512ca5
Author: Michael Meeks <michael.me...@collabora.com>
AuthorDate: Sat Nov 25 21:24:49 2023 +0000
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Mon Feb 10 10:25:04 2025 +0000
lok: import allowed paths from the SAL_ALLOWED_PATHS.
Do this on second init, in order to be able to reset this for
each child kit process.
Change-Id: I6939ea3677ea2b84c8944b63a9a9120e880a6bfa
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159961
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Szymon Kłos <szymon.k...@collabora.com>
(cherry picked from commit 997899472d8644375285593d89ca0ab0bd56ec69)
diff --git a/desktop/source/lib/init.cxx b/desktop/source/lib/init.cxx
index 200bf411996c..f8f4e585bd06 100644
--- a/desktop/source/lib/init.cxx
+++ b/desktop/source/lib/init.cxx
@@ -8144,6 +8144,15 @@ static int lo_initialize(LibreOfficeKit* pThis, const
char* pAppPath, const char
}
}
+#ifdef LINUX
+ {
+ const char *pAllowedPaths = getenv("SAL_ALLOWED_PATHS");
+ if (pAllowedPaths)
+ osl_setAllowedPaths(
+ OUString(pAllowedPaths, strlen(pAllowedPaths),
RTL_TEXTENCODING_UTF8).pData);
+ }
+#endif
+
char* pAllowlist = ::getenv("LOK_HOST_ALLOWLIST");
if (pAllowlist)
{
commit 34f1a750a128e02aa3191e36a2c0b28371e96287
Author: Michael Meeks <michael.me...@collabora.com>
AuthorDate: Wed Nov 22 19:37:38 2023 +0000
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Mon Feb 10 10:25:04 2025 +0000
sal: initial osl::File sand-boxing commit for Unix.
Change-Id: If2c106fef9640499b82b5cf350cb5169beb219fb
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159838
Reviewed-by: Szymon Kłos <szymon.k...@collabora.com>
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Michael Meeks <michael.me...@collabora.com>
(cherry picked from commit 5e66863ae42bf0e5b614a8f21dc44a15df727922)
diff --git a/include/osl/file.h b/include/osl/file.h
index 07d2beb2ae1f..98ad568550b9 100644
--- a/include/osl/file.h
+++ b/include/osl/file.h
@@ -960,6 +960,54 @@ SAL_DLLPUBLIC oslFileError SAL_CALL osl_readFile(
SAL_DLLPUBLIC oslFileError SAL_CALL osl_isEndOfFile(
oslFileHandle Handle, sal_Bool *pIsEOF );
+/** Resets the list of paths and associated permissions for osl
+
+ @param[in] pustrFileURLs
+ Contains a ':' delimited list of control strings and paths.
+ Control segments are a short path that refers to the following
+ segments and contain either:
+
+ r: read-only paths follow (the default)
+ w: read & write paths follow
+ x: executable paths follow
+
+ Any real paths (ie. having resolved all symlinks)
+ accessed outside of these paths will cause an
+ osl_File_E_ACCESS error in the relevant method calls.
+
+ This method is Unix specific.
+
+ @see osl_isForbiddenPath
+
+ @since LibreOffice 7.7
+*/
+SAL_DLLPUBLIC void SAL_CALL osl_setAllowedPaths(
+ rtl_uString *pustrFileURLs
+ );
+
+/**
+ Determine if the passed in path is not contained inside
+ the allowed paths, or if no allowed paths are set it
+ will not forbid any access.
+
+ @param[in] pustrFileURL
+ A URL (or path) that we want to check if it is forbidden
+ to access.
+
+ @param[in] nFlags
+ Flags to determine what type of access is requested,
+ osl_File_OpenFlag_Read | Write, or 0x80 for 'execute'.
+
+ This method is Unix specific.
+
+ @see osl_setAllowedPaths
+
+ @since LibreOffice 7.7
+ */
+SAL_DLLPUBLIC sal_Bool SAL_CALL osl_isForbiddenPath(
+ rtl_uString *pustrFileURL, int nFlags
+ );
+
/** Write a number of bytes to a file.
Writes a number of bytes to a file.
diff --git a/include/osl/file.hxx b/include/osl/file.hxx
index 1f1121d547e2..1c3684f4a68d 100644
--- a/include/osl/file.hxx
+++ b/include/osl/file.hxx
@@ -312,6 +312,58 @@ public:
return static_cast< RC >( osl_createTempFile(pustr_dir_url, pHandle,
ppustr_tmp_file_url) );
}
+
+
+ /** Resets the list of paths and associated permissions for osl
+
+ @param[in] rPaths
+ Contains a ':' delimited list of control strings and paths.
+ Control segments are a short path that refers to the following
+ segments and contain either:
+
+ r: read-only paths follow (the default)
+ w: read & write paths follow
+ x: executable paths follow
+
+ Any real paths (ie. having resolved all symlinks)
+ accessed outside of these paths will cause an
+ osl_File_E_ACCESS error in the relevant method calls.
+
+ This method is Unix specific.
+
+ @see osl_isForbiddenPath
+
+ @since LibreOffice 7.7
+ */
+
+ static void setAllowedPaths(const OUString &rPaths)
+ {
+ osl_setAllowedPaths(rPaths.pData);
+ }
+
+ /**
+ Determine if the passed in path is not contained inside
+ the allowed paths, or if no allowed paths are set it
+ will not forbid any access.
+
+ @param[in] pustrFileURL
+ A URL (or path) that we want to check if it is forbidden
+ to access.
+
+ @param[in] nFlags
+ Flags to determine what type of access is requested,
+ osl_File_OpenFlag_Read | Write, or 0x80 for 'execute'.
+
+ This method is Unix specific.
+
+ @see osl_setAllowedPaths
+
+ @since LibreOffice 7.7
+ */
+ static bool isForbidden(const OUString &rPath, int nFlags)
+ {
+ return osl_isForbiddenPath(rPath.pData, nFlags);
+ }
};
diff --git a/sal/osl/unx/file.cxx b/sal/osl/unx/file.cxx
index ae1e4cdd876e..52c9c53c3273 100644
--- a/sal/osl/unx/file.cxx
+++ b/sal/osl/unx/file.cxx
@@ -825,6 +825,125 @@ static bool osl_file_queryLocking(sal_uInt32 uFlags)
return false;
}
+static bool abortOnForbidden = false;
+static std::vector<OString> allowedPathsRead;
+static std::vector<OString> allowedPathsReadWrite;
+static std::vector<OString> allowedPathsExecute;
+
+SAL_DLLPUBLIC void osl_setAllowedPaths(
+ rtl_uString *pustrFilePaths
+ )
+{
+ allowedPathsRead.clear();
+ allowedPathsReadWrite.clear();
+ allowedPathsExecute.clear();
+
+ if (!pustrFilePaths)
+ return;
+
+ char eType = 'r';
+ sal_Int32 nIndex = 0;
+ OUString aPaths(pustrFilePaths);
+ do
+ {
+ OString aPath = rtl::OUStringToOString(
+ aPaths.getToken(0, ':', nIndex),
+ RTL_TEXTENCODING_UTF8);
+
+ if (aPath.getLength() == 0)
+ continue;
+
+ if (aPath.getLength() == 1)
+ {
+ eType = aPath[0];
+ continue;
+ }
+
+ char resolvedPath[PATH_MAX];
+ if (realpath(aPath.getStr(), resolvedPath))
+ {
+ OString aPushPath = OString(resolvedPath, strlen(resolvedPath));
+ if (eType == 'r')
+ allowedPathsRead.push_back(aPushPath);
+ else if (eType == 'w')
+ {
+ allowedPathsRead.push_back(aPushPath);
+ allowedPathsReadWrite.push_back(aPushPath);
+ }
+ else if (eType == 'x')
+ allowedPathsExecute.push_back(aPushPath);
+ }
+ }
+ while (nIndex != -1);
+
+ abortOnForbidden = !!getenv("SAL_ABORT_ON_FORBIDDEN");
+}
+
+bool isForbidden(const OString &filePath, int nFlags)
+{
+ // avoid realpath cost unless configured
+ if (allowedPathsRead.size() == 0)
+ return false;
+
+ char resolvedPath[PATH_MAX];
+ if (!realpath(filePath.getStr(), resolvedPath))
+ {
+ // write calls path a non-existent path that realpath will
+ // fail to resolve. Thankfully our I/O APIs don't allow
+ // symlink creation to race here.
+ sal_Int32 n = filePath.lastIndexOf('/');
+ OString folderPath;
+ if (n < 1)
+ folderPath = ".";
+ else
+ folderPath = filePath.copy(0, n);
+ if (!realpath(folderPath.getStr(), resolvedPath) ||
+ strlen(resolvedPath) + filePath.getLength() - n + 1 >= PATH_MAX)
+ return true; // too bad
+ else
+ strcat(resolvedPath, filePath.getStr() + n);
+ }
+
+ const std::vector<OString> *pCheckPaths = &allowedPathsRead;
+ if (nFlags & osl_File_OpenFlag_Write ||
+ nFlags & osl_File_OpenFlag_Create)
+ pCheckPaths = &allowedPathsReadWrite;
+ else if (nFlags & 0x80)
+ pCheckPaths = &allowedPathsExecute;
+
+ bool allowed = false;
+ for (const auto &it : *pCheckPaths) {
+ if (!strncmp(resolvedPath, it.getStr(), it.getLength()))
+ {
+ allowed = true;
+ break;
+ }
+ }
+
+ if (!allowed)
+ SAL_WARN("sal.osl", "access outside sandbox to " <<
+ ((nFlags & osl_File_OpenFlag_Write ||
+ nFlags & osl_File_OpenFlag_Create) ? "w" :
+ (nFlags & 0x80) ? "x" : "r") << ":" <<
+ filePath << " which is really " << resolvedPath <<
+ (allowed ? " allowed " : " forbidden") <<
+ " check list: " << pCheckPaths->size());
+
+ if (abortOnForbidden && !allowed)
+ abort(); // a bit abrupt - but don't try to escape.
+
+ return !allowed;
+}
+
+SAL_DLLPUBLIC sal_Bool SAL_CALL osl_isForbiddenPath(
+ rtl_uString *pustrFileURL, int nFlags
+ )
+{
+ return isForbidden(
+ rtl::OUStringToOString(OUString(pustrFileURL),
+ RTL_TEXTENCODING_UTF8), nFlags);
+}
+
#ifdef HAVE_O_EXLOCK
#define OPEN_WRITE_FLAGS ( O_RDWR | O_EXLOCK | O_NONBLOCK )
#define OPEN_CREATE_FLAGS ( O_CREAT | O_RDWR | O_EXLOCK | O_NONBLOCK )
@@ -1032,6 +1151,10 @@ oslFileError openFilePath(const OString& filePath,
oslFileHandle* pHandle,
// set close-on-exec by default
flags |= O_CLOEXEC;
+ // Sandboxing hook
+ if (isForbidden( filePath, uFlags ))
+ return osl_File_E_ACCES;
+
/* open the file */
int fd = open_c( filePath, flags, mode );
if (fd == -1)
@@ -1650,4 +1773,5 @@ oslFileError SAL_CALL osl_setFileSize(oslFileHandle
Handle, sal_uInt64 uSize)
return pImpl->setSize(uSize);
}
+
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/sal/osl/unx/file_impl.hxx b/sal/osl/unx/file_impl.hxx
index 4a9a90d4160f..64504296955d 100644
--- a/sal/osl/unx/file_impl.hxx
+++ b/sal/osl/unx/file_impl.hxx
@@ -40,6 +40,8 @@ struct DirectoryItem_Impl
oslFileType getFileType() const;
};
+bool isForbidden(const OString &filePath, int nFlags);
+
oslFileError openFile(
rtl_uString * pustrFileURL, oslFileHandle * pHandle, sal_uInt32 uFlags,
mode_t mode);
diff --git a/sal/osl/unx/file_misc.cxx b/sal/osl/unx/file_misc.cxx
index 566f5c87a65f..ddaacc9d79fa 100644
--- a/sal/osl/unx/file_misc.cxx
+++ b/sal/osl/unx/file_misc.cxx
@@ -143,6 +143,9 @@ oslFileError SAL_CALL osl_openDirectory(rtl_uString*
ustrDirectoryURL, oslDirect
osl_systemPathRemoveSeparator(path.pData);
+ if (isForbidden(path.getStr(), osl_File_OpenFlag_Read))
+ return osl_File_E_ACCES;
+
#ifdef MACOSX
{
auto const n = std::max(int(path.getLength() + 1), int(PATH_MAX));
@@ -343,6 +346,9 @@ oslFileError SAL_CALL osl_getDirectoryItem(rtl_uString*
ustrFileURL, oslDirector
osl_systemPathRemoveSeparator(strSystemPath.pData);
+ if (isForbidden(strSystemPath, osl_File_OpenFlag_Read))
+ return osl_File_E_ACCES;
+
if (osl::access(strSystemPath, F_OK) == -1)
{
osl_error = oslTranslateFileError(errno);
@@ -426,6 +432,9 @@ oslFileError SAL_CALL osl_removeDirectory( rtl_uString*
ustrDirectoryURL )
oslFileError osl_psz_createDirectory(char const * pszPath, sal_uInt32 flags)
{
+ if (isForbidden(pszPath, osl_File_OpenFlag_Create))
+ return osl_File_E_ACCES;
+
int nRet=0;
int mode
= (((flags & osl_File_OpenFlag_Read) == 0
@@ -455,6 +464,9 @@ oslFileError osl_psz_createDirectory(char const * pszPath,
sal_uInt32 flags)
static oslFileError osl_psz_removeDirectory( const char* pszPath )
{
+ if (isForbidden(pszPath, osl_File_OpenFlag_Write))
+ return osl_File_E_ACCES;
+
int nRet = rmdir(pszPath);
if ( nRet < 0 )
@@ -547,6 +559,9 @@ oslFileError SAL_CALL osl_createDirectoryPath(
osl::systemPathRemoveSeparator(sys_path);
+ if (isForbidden(sys_path.getStr(), osl_File_OpenFlag_Create))
+ return osl_File_E_ACCES;
+
return create_dir_recursively_(sys_path.pData->buffer,
aDirectoryCreationCallbackFunc, pData);
}
@@ -579,6 +594,10 @@ oslFileError SAL_CALL osl_moveFile( rtl_uString*
ustrFileURL, rtl_uString* ustrD
if( eRet != osl_File_E_None )
return eRet;
+ if (isForbidden(srcPath, osl_File_OpenFlag_Read) ||
+ isForbidden(destPath, osl_File_OpenFlag_Create))
+ return osl_File_E_ACCES;
+
#ifdef MACOSX
if ( macxp_resolveAlias( srcPath, PATH_MAX ) != 0 || macxp_resolveAlias(
destPath, PATH_MAX ) != 0 )
return oslTranslateFileError( errno );
@@ -592,6 +611,10 @@ oslFileError SAL_CALL osl_replaceFile(rtl_uString*
ustrFileURL, rtl_uString* ust
int nGid = -1;
char destPath[PATH_MAX];
oslFileError eRet = FileURLToPath(destPath, PATH_MAX, ustrDestURL);
+
+ if (isForbidden(destPath, osl_File_OpenFlag_Create))
+ return osl_File_E_ACCES;
+
if (eRet == osl_File_E_None)
{
struct stat aFileStat;
@@ -668,6 +691,9 @@ oslFileError SAL_CALL osl_removeFile(rtl_uString*
ustrFileURL)
return oslTranslateFileError(errno);
#endif/* MACOSX */
+ if (isForbidden(path, osl_File_OpenFlag_Write))
+ return osl_File_E_ACCES;
+
return osl_unlinkFile(path);
}
@@ -723,6 +749,10 @@ static oslFileError osl_unlinkFile(const char* pszPath)
static oslFileError osl_psz_moveFile(const char* pszPath, const char*
pszDestPath)
{
+ if (isForbidden(pszPath, osl_File_OpenFlag_Read) ||
+ isForbidden(pszDestPath, osl_File_OpenFlag_Create))
+ return osl_File_E_ACCES;
+
int nRet = rename(pszPath,pszDestPath);
if (nRet < 0)
@@ -750,6 +780,10 @@ static oslFileError osl_psz_copyFile( const char* pszPath,
const char* pszDestPa
size_t nSourceSize=0;
bool DestFileExists=true;
+ if (isForbidden(pszPath, osl_File_OpenFlag_Read) ||
+ isForbidden(pszDestPath, osl_File_OpenFlag_Create))
+ return osl_File_E_ACCES;
+
/* mfe: does the source file really exists? */
nRet = lstat_c(pszPath,&aFileStat);
diff --git a/sal/osl/unx/file_stat.cxx b/sal/osl/unx/file_stat.cxx
index 5c165132e9f3..3d0754883a11 100644
--- a/sal/osl/unx/file_stat.cxx
+++ b/sal/osl/unx/file_stat.cxx
@@ -274,6 +274,9 @@ static oslFileError osl_psz_setFileAttributes( const char*
pszFilePath, sal_uInt
OSL_ENSURE(!(osl_File_Attribute_Hidden & uAttributes),
"osl_File_Attribute_Hidden doesn't work under Unix");
+ if (isForbidden(pszFilePath, osl_File_OpenFlag_Write))
+ return osl_File_E_ACCES;
+
if (uAttributes & osl_File_Attribute_OwnRead)
nNewMode |= S_IRUSR;
@@ -339,6 +342,9 @@ static oslFileError osl_psz_setFileTime (
struct tm* pTM=0;
#endif
+ if (isForbidden(pszFilePath, osl_File_OpenFlag_Write))
+ return osl_File_E_ACCES;
+
nRet = lstat_c(pszFilePath,&aFileStat);
if ( nRet < 0 )
diff --git a/sal/osl/unx/file_volume.cxx b/sal/osl/unx/file_volume.cxx
index e20b8a27d00e..0a6183292735 100644
--- a/sal/osl/unx/file_volume.cxx
+++ b/sal/osl/unx/file_volume.cxx
@@ -26,6 +26,7 @@
#include "file_error_transl.hxx"
#include "file_url.hxx"
+#include "file_impl.hxx"
#include "system.hxx"
#include <errno.h>
@@ -193,6 +194,9 @@ static oslFileError osl_psz_getVolumeInformation (
if (!pInfo)
return osl_File_E_INVAL;
+ if (isForbidden(pszDirectory, osl_File_OpenFlag_Read))
+ return osl_File_E_ACCES;
+
pInfo->uValidFields = 0;
pInfo->uAttributes = 0;
pInfo->uTotalSpace = 0;
diff --git a/sal/osl/unx/pipe.cxx b/sal/osl/unx/pipe.cxx
index c9c8cc31c705..ee6f852eef4a 100644
--- a/sal/osl/unx/pipe.cxx
+++ b/sal/osl/unx/pipe.cxx
@@ -29,6 +29,7 @@
#include "sockimpl.hxx"
#include "secimpl.hxx"
+#include "file_impl.hxx"
#include "unixerrnostring.hxx"
#include <cassert>
@@ -206,6 +207,9 @@ static oslPipe osl_psz_createPipe(const char *pszPipeName,
oslPipeOptions Option
SAL_INFO("sal.osl.pipe", "new pipe on fd " << pPipe->m_Socket << " '" <<
name << "'");
+ if (isForbidden(name.getStr(), osl_File_OpenFlag_Create))
+ return nullptr;
+
addr.sun_family = AF_UNIX;
// coverity[fixed_size_dest : FALSE] - safe, see check above
strcpy(addr.sun_path, name.getStr());
diff --git a/sal/osl/unx/process.cxx b/sal/osl/unx/process.cxx
index 13320263c65a..0398afc58e45 100644
--- a/sal/osl/unx/process.cxx
+++ b/sal/osl/unx/process.cxx
@@ -19,7 +19,7 @@
#include <sal/config.h>
#include <rtl/ustring.hxx>
-
+#include "file_impl.hxx"
#include <cassert>
#include <fcntl.h>
#include <limits.h>
@@ -598,6 +598,9 @@ oslProcessError osl_psz_executeProcess(char *pszImageName,
return osl_Process_E_NotFound;
}
+ if (isForbidden(pszImageName, 0x80 /* execute */))
+ return osl_Process_E_NoPermission;
+
Data.m_pszArgs[0] = strdup(pszImageName);
Data.m_pszArgs[1] = nullptr;
diff --git a/sal/osl/unx/profile.cxx b/sal/osl/unx/profile.cxx
index f756d55bec42..b769b0ae90b3 100644
--- a/sal/osl/unx/profile.cxx
+++ b/sal/osl/unx/profile.cxx
@@ -20,6 +20,7 @@
#include "system.hxx"
#include "readwrite_helper.hxx"
#include "file_url.hxx"
+#include "file_impl.hxx"
#include "unixerrnostring.hxx"
#include <osl/diagnose.h>
@@ -937,6 +938,9 @@ static osl_TFile* openFileImpl(const char* pszFilename,
oslProfileOption Profile
osl_TFile* pFile = static_cast<osl_TFile*>(calloc(1, sizeof(osl_TFile)));
bool bWriteable = false;
+ if ( isForbidden( pszFilename, osl_File_OpenFlag_Write ) )
+ return nullptr;
+
if ( ProfileFlags & ( osl_Profile_WRITELOCK | osl_Profile_FLUSHWRITE ) )
{
bWriteable = true;
diff --git a/sal/qa/osl/file/osl_File.cxx b/sal/qa/osl/file/osl_File.cxx
index 159f32ad7410..12751af63934 100644
--- a/sal/qa/osl/file/osl_File.cxx
+++ b/sal/qa/osl/file/osl_File.cxx
@@ -1313,6 +1313,124 @@ namespace osl_FileBase
CPPUNIT_REGISTRY_ADD_TO_DEFAULT("osl_osl::FileBase");
}
+#if (defined UNX)
+
+namespace osl_Forbidden
+{
+
+ class Forbidden : public CppUnit::TestFixture
+ {
+ OUString maScratchBad;
+ OUString maScratchGood;
+ public:
+ void setUp() override
+ {
+ // create a directory to play in
+ createTestDirectory(aTmpName3);
+ OUString aBadURL = aTmpName3 + "/bad";
+ OUString aGoodURL = aTmpName3 + "/good";
+ createTestDirectory(aBadURL);
+ createTestDirectory(aGoodURL);
+ File::getSystemPathFromFileURL(aBadURL, maScratchBad);
+ File::getSystemPathFromFileURL(aGoodURL, maScratchGood);
+ }
+
+ void tearDown() override
+ {
+ osl_setAllowedPaths(nullptr);
+ OUString aBadURL = aTmpName3 + "/bad";
+ OUString aGoodURL = aTmpName3 + "/good";
+ deleteTestDirectory(aBadURL);
+ deleteTestDirectory(aGoodURL);
+ deleteTestDirectory(aTmpName3);
+ }
+
+ void forbidden()
+ {
+ File::setAllowedPaths(maScratchGood);
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read bad should be forbidden",
+ true, File::isForbidden(maScratchBad,
osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read from good should be allowed",
+ false,
File::isForbidden(maScratchGood, osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("write to good should be forbidden",
+ true,
File::isForbidden(maScratchGood, osl_File_OpenFlag_Write));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("create in good should be forbidden",
+ true,
File::isForbidden(maScratchGood, osl_File_OpenFlag_Create));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("exec from good should be forbidden",
+ true,
File::isForbidden(maScratchGood, 0x80));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("write to non-existent should be
forbidden",
+ true, File::isForbidden(maScratchBad
+ "/notthere", osl_File_OpenFlag_Write));
+
+ File::setAllowedPaths("w:" + maScratchGood + ":x:" + maScratchBad);
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read bad should be forbidden",
+ true, File::isForbidden(maScratchBad,
osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("read from good should be allowed",
// w implies 'r'
+ false,
File::isForbidden(maScratchGood, osl_File_OpenFlag_Read));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("write to good should be allowed",
+ false,
File::isForbidden(maScratchGood, osl_File_OpenFlag_Write));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("exec from good should be forbidden",
+ true,
File::isForbidden(maScratchGood, 0x80));
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("exec from bad should be allowed",
+ false,
File::isForbidden(maScratchBad, 0x80));
+ }
+
+ void open()
+ {
+ File::setAllowedPaths(maScratchGood);
+ File testFile(maScratchBad + "/open");
+ auto nError1 = testFile.open(osl_File_OpenFlag_Read |
osl_File_OpenFlag_Write);
+ CPPUNIT_ASSERT_EQUAL_MESSAGE("disabled path allowed",
osl::FileBase::E_ACCES, nError1);
+ deleteTestFile(testFile.getURL());
+ }
+
+ void copy()
+ {
+ File::setAllowedPaths("w:" + maScratchGood);
+ File testGood(maScratchGood + "/good");
+ File testGoodTo(maScratchGood + "/good_to");
+ File testBad(maScratchBad + "/bad");
+
+ auto nError1 = testGood.open(osl_File_OpenFlag_Create);
+ CPPUNIT_ASSERT_EQUAL(osl::FileBase::E_None, nError1);
+
+ auto nErrorCopy = File::copy(maScratchGood + "/good",
maScratchGood + "/good_to");
+ CPPUNIT_ASSERT_EQUAL(osl::FileBase::E_None, nErrorCopy);
+
+ auto nErrorCopyBad = File::copy(maScratchGood + "/good_to",
maScratchBad + "/bad");
+ CPPUNIT_ASSERT_EQUAL(osl::FileBase::E_ACCES, nErrorCopyBad);
+
+ deleteTestFile(maScratchGood + "/good_to");
+ deleteTestFile(maScratchGood + "/good");
+ }
+
+ void nextTests()
+ {
+ // more entry points to test
+#if 0
+ auto nError1 = File::move(aTmpName4, aCanURL1);
+ auto nError2 = File::remove(aTmpName4);
+ auto nError3 = File::setAttributes(aTmpName6,
osl_File_Attribute_ReadOnly);
+ bool bOk = osl_getSystemTime(pTV_current);
+ CPPUNIT_ASSERT(bOk);
+ auto nError4 = File::setTime(aTmpName6, *pTV_current,
*pTV_current, *pTV_current);
+ CPPUNIT_ASSERT_EQUAL_MESSAGE(errorToStr(nError2).getStr(),
osl::FileBase::E_None, nError2);
+#endif
+ }
+
+ CPPUNIT_TEST_SUITE(Forbidden);
+ CPPUNIT_TEST(forbidden);
+// CPPUNIT_TEST(open);
+// CPPUNIT_TEST(copy);
+// CPPUNIT_TEST(nextTests);
+ CPPUNIT_TEST_SUITE_END();
+ };
+
+ CPPUNIT_TEST_SUITE_NAMED_REGISTRATION(osl_Forbidden::Forbidden,
"osl_Forbidden");
+
+ CPPUNIT_REGISTRY_ADD_TO_DEFAULT("osl_Forbidden");
+}
+#endif
+
namespace osl_FileStatus
{
// testing the method
diff --git a/sal/util/sal.map b/sal/util/sal.map
index c5c3e4d55641..586a41ee997d 100644
--- a/sal/util/sal.map
+++ b/sal/util/sal.map
@@ -761,6 +761,12 @@ PRIVATE_1.8 { # LibreOffice 7.3
rtl_uString_newReplaceStrAtUtf16L;
} PRIVATE_1.7;
+PRIVATE_1.9 { # LibreOffice 7.7
+ global:
+ osl_setAllowedPaths;
+ osl_isForbiddenPath;
+} PRIVATE_1.8;
+
PRIVATE_textenc.1 { # LibreOffice 3.6
global:
_ZN3sal6detail7textenc20convertCharToUnicode*;
