[roll] Roll fuchsia [appmgr] Reject v1 manifests with non-canonical paths in sandbox

The sandbox section of CFv1 component manifests contains many path
elements specifying capabilities and subdirectories within capabilities
to map into the component's namespace. Internally appmgr handles many of
these paths with string manipulations and then passes them into fdio
routines to construct the namespace. If provided a non-canonical path,
when combined with a base component the constructed paths could
canonicalize to a surprising meaning. For example a "pkgfs" entry with
the non-canonical path "../boot" would turn into "/pkgfs/../boot" which
canonicalizes to "/boot".  Currently appmgr relies on fdio_open_fd() not
canonicalizing the constructed paths in order to avoid escalation which
is fragile as other very similar-looking entry points do canonicalize
paths.

To avoid this issue, this change updates the component manifest parsing
logic to require that all entries within a "sandbox" section be valid
canonical Fuchsia paths. The only non-canonical path in the wild today
is a test case constructed to ensure that appmgr does not expand
capabilities when given such a path. This change updates the test to
verify that a component with a non-canonical path does not launch.

Original-Bug: 98543
Original-Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/678189
Original-Revision: 056f2f7f79d36c2aa7acb4932f127cdde700065d
GitOrigin-RevId: cdcc0c2bf5c2f568f4843d5ce26df83aeb832faf
Change-Id: I2b8bfffeb21e053ed71f7b9647740c2de501cf61
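The path-escape the commit message describes, as an added illustration that is not appmgr's code: a strict canonical-form check for sandbox entries (assumed policy: relative, no empty, "." or ".." segments) beside a lexical canonicalizer that shows what an entry point resolving ".." would turn "/pkgfs/../boot" into. The capability root "/pkgfs" and the function names are assumptions.

```cpp
#include <string>
#include <string_view>
#include <vector>

// Accept a sandbox path element only if it is already canonical: relative
// (the capability root is prepended by the loader), no empty segments,
// and no "." or ".." segments. Assumed policy, not appmgr's real checker.
bool IsCanonicalSandboxPath(std::string_view path) {
  if (path.empty() || path.front() == '/' || path.back() == '/') return false;
  size_t start = 0;
  while (start < path.size()) {
    size_t end = path.find('/', start);
    if (end == std::string_view::npos) end = path.size();
    std::string_view seg = path.substr(start, end - start);
    if (seg.empty() || seg == "." || seg == "..") return false;
    start = end + 1;
  }
  return true;
}

// Lexical canonicalization of an absolute path: what an fdio-style entry
// point that DOES resolve ".." would turn the joined path into.
std::string Canonicalize(std::string_view abs) {
  std::vector<std::string_view> parts;
  size_t start = 0;
  while (start <= abs.size()) {
    size_t end = abs.find('/', start);
    if (end == std::string_view::npos) end = abs.size();
    std::string_view seg = abs.substr(start, end - start);
    if (seg == "..") {
      if (!parts.empty()) parts.pop_back();
    } else if (!seg.empty() && seg != ".") {
      parts.push_back(seg);
    }
    start = end + 1;
  }
  std::string out;
  for (std::string_view p : parts) { out += '/'; out += p; }
  return out.empty() ? "/" : out;
}

// Namespace path that plain string concatenation builds for an entry
// under a capability root such as "/pkgfs" (root chosen for illustration).
std::string JoinedNamespacePath(std::string_view root, std::string_view entry) {
  return std::string(root) + "/" + std::string(entry);
}
```

With the check in place the "../boot" entry is rejected at parse time, so the question of whether the namespace-building call canonicalizes never arises.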
1 file changed
README.md

Integration

This repository contains Fuchsia's Global Integration manifest files.

Making changes

All changes should be made to the internal version of this repository. Our infrastructure automatically updates this version when the internal one changes.

Currently all changes must be made by a Google employee. Non-Google employees wishing to make a change can ask for assistance via the IRC channel #fuchsia on Freenode.

Obtaining the source

First install Jiri.

Next run:

$ jiri init
$ jiri import minimal https://fuchsia.googlesource.com/integration
$ jiri update

Third party

Third party projects should have their own subdirectory in ./third_party.