CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	kib <kib@FreeBSD.org>
	Wed, 2 Nov 2016 12:43:15 +0000 (12:43 +0000)
committer	kib <kib@FreeBSD.org>
	Wed, 2 Nov 2016 12:43:15 +0000 (12:43 +0000)
commit	a41f4cc9a57cd74604ae7b051eec2f48865f18d6
tree	697a6bdeece77151a1589630d0c9076552076127	tree \| snapshot
parent	b9d3dfb1e0a131de3edd2163087b52023dc38345	commit \| diff

Allow some dotdot lookups in capability mode.

If dotdot lookup does not escape from the file descriptor passed as
the lookup root, we can allow the component traversal. Track the
directories traversed, and check the result of dotdot lookup against
the recorded list of the directory vnodes.

Dotdot lookups are enabled by sysctl vfs.lookup_cap_dotdot, currently
disabled by default until more verification of the approach is done.

Disallow non-local filesystems for dotdot, since remote server might
conspire with the local process to allow it to escape the namespace.
This might be too cautious, provide the knob
vfs.lookup_cap_dotdot_nonlocal to override as well.

Idea by: rwatson
Discussed with: emaste, jonathan, rwatson
Reviewed by: mjg (previous version)
Tested by: pho (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 2 week
Differential revision: https://reviews.freebsd.org/D8110

sys/fs/nfsserver/nfs_nfsdport.c		diff \| blob \| history
sys/kern/vfs_lookup.c		diff \| blob \| history
sys/kern/vfs_syscalls.c		diff \| blob \| history
sys/sys/namei.h		diff \| blob \| history