On Sun, Aug 23, 2015 at 03:29:46PM -0700, patrick keshishian wrote: > On 8/23/15, Caspar Schutijser <cas...@schutijser.com> wrote: > > Patch below. > > > > Thanks, > > Caspar Schutijser > > > > > > Index: sys/kern/kern_tame.c > > =================================================================== > > RCS file: /cvs/src/sys/kern/kern_tame.c,v > > retrieving revision 1.25 > > diff -u -p -r1.25 kern_tame.c > > --- sys/kern/kern_tame.c 23 Aug 2015 19:32:20 -0000 1.25 > > +++ sys/kern/kern_tame.c 23 Aug 2015 21:22:38 -0000 > > @@ -423,7 +423,7 @@ tame_namei(struct proc *p, char *origpat > > */ > > if ((p->p_p->ps_tame & _TM_TMPPATH) && > > (p->p_tame_syscall == SYS_unlink) && > > - strncmp(path, "/tmp/", sizeof("/tmp") - 1) == 0) { > > + strncmp(path, "/tmp/", sizeof("/tmp/") - 1) == 0) { > > you are confusing sizeof() with strlen(). former counts the byte > required for the terminating NUL.
I don't think the OP is. If you want to check that path starts with "/tmp/", you need to check the first 5 characters. The original code only checks the first 4. As such, it will also match /tmpfile.

Joerg
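
Review bot: In the strncmp() line of the tame_namei hunk, the prefix "/tmp/" is still spelled out twice, once as the comparison string and once inside sizeof(). The removed line shows how the two copies can drift apart: it compared against "/tmp/" but took the length from "/tmp", so only 4 bytes were checked. Consider defining the prefix once, for instance `static const char tmppath[] = "/tmp/";` (the name is only a suggestion), and calling `strncmp(path, tmppath, sizeof(tmppath) - 1)`, so the length cannot disagree with the string. A short comment noting that the `- 1` drops the terminating NUL counted by sizeof() would also help the next reader.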