From nobody Mon Jan 15 23:11:52 2024
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TDSZc2hKKz57mxg;
	Mon, 15 Jan 2024 23:11:52 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4TDSZc1vM8z4F8p;
	Mon, 15 Jan 2024 23:11:52 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1705360312;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=OaPRPP7T7f4jYcmnmjuIIrG44cQIgoWdhFFwF6Upows=;
	b=xXeyN54rEssCuJFRVeYQG22JEe7n7msUQUPxZyjasaZ2Kg3/qKGTuuvNrwY83MWkEjUxdt
	K9QDarJoK2Ju63kWsFmadJagPzzmwy+I54onJvIljTys5YAGOaCNOW8xF0F00/LadIVIaG
	pMWsgPTIJTn3K7pqpIGgJ7JChnL8GLpurTgWxK9VaUp34L7VGOKihwmoz3zWfiZQKrL755
	yGAMfiuE6emM0kQkR3gg8/eeK/u69+jjKtxgqT4YWZq4L/ZIwGZiqVrSydaJNegBORY7B5
	sDG3gi8KoLJa/JGY1eNF5zX2WUjKnPhxA4tM4tFdFDEVdOXy+Lvd8tr7GPGTqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1705360312;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=OaPRPP7T7f4jYcmnmjuIIrG44cQIgoWdhFFwF6Upows=;
	b=CRY1d/sI8noC1QM5RRa0EVwwhyKkq/1ZtLNHV27JmqgE1zqFGMIK0q1GbqrQRZIBK4Uadt
	6kdVmDKempFY3eLwgp20FsdGOt55AA1NDfze2/pUcWjrWFGFIITgfQxw8ROy3TnXX1kr3J
	ZraPHLDwQUsZRIOHsUBKYq7A1zt3uWHooKA6kNd6+bhpBLzoqFbM8/gCLF8oEhpEShSZUi
	vazchczdFl/32GsdtFa+P3+TErjTvNcJKv7I70YpbBclm+TppJI/AyNY1revbYSmPLfl9y
	IgqkIreWGpBWDwCIOqGWGKvNuqEuNe354OnC8YYznSo/eei+1RiK619SAS/FPQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1705360312; a=rsa-sha256; cv=none;
	b=tGVqi5oJIXHhcSyYR92QkTBlqVjKaR893f97efBwdrKfc1tlhZIVymbI5wx3Y+CfC3dxss
	mYVlQYHvewL4Ni3xPTqQXPKPiW0U5SvD3DhSvKAThGo20TBKr4Ro81/rLk4QM5zDjCHqUm
	YYO4tGWqZjhPhLwRS20RtV6P5ibj6iJ+AbevBaSEWhOCs4VL7kUPXwc40Ym+zTSMSaHJFq
	wUUeRJjbyaPnPuM3PGciKIW/GFyzvNhdPtfvu+DZ1elCrzNBr4HPzfwz3QmUW2InL2rgws
	z9nvyONGdcBxcfWSBK0zhjvDXfznwm7kGSyBL1TXhQxG5+sYgor87ZKW5BT30g==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TDSZc0pwzzGGP;
	Mon, 15 Jan 2024 23:11:52 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 40FNBqZT097947;
	Mon, 15 Jan 2024 23:11:52 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 40FNBq46097944;
	Mon, 15 Jan 2024 23:11:52 GMT
	(envelope-from git)
Date: Mon, 15 Jan 2024 23:11:52 GMT
Message-Id: <202401152311.40FNBq46097944@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Kyle Evans <kevans@FreeBSD.org>
Subject: git: 78345dbd7a00 - stable/13 - bhyveload: use a dirfd to
  support -h
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 78345dbd7a004e0a6d1b717e7dbc758ae67ca293
Auto-Submitted: auto-generated

The branch stable/13 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=78345dbd7a004e0a6d1b717e7dbc758ae67ca293

commit 78345dbd7a004e0a6d1b717e7dbc758ae67ca293
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2024-01-03 22:17:59 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2024-01-15 23:11:38 +0000

    bhyveload: use a dirfd to support -h
    
    Don't allow lookups from the loader scripts, which in rare cases may be
    in guest control depending on the setup, to leave the specified host
    root.  Open the root dir and strictly do RESOLVE_BENEATH lookups from
    there.
    
    cb_open() has been restructured a bit to work nicely with this, using
    fdopendir() in the directory case and just using the fd we already
    opened in the regular file case.
    
    hostbase_open() was split out to provide an obvious place to apply
    rights(4) if that's something we care to do.
    
    Reviewed by:    allanjude (earlier version), markj
    
    (cherry picked from commit 6779d44bd878e3cf4723f7386b11da6508ab5431)
---
 usr.sbin/bhyveload/bhyveload.c | 85 ++++++++++++++++++++++++++++--------------
 1 file changed, 58 insertions(+), 27 deletions(-)

diff --git a/usr.sbin/bhyveload/bhyveload.c b/usr.sbin/bhyveload/bhyveload.c
index d3095483b797..797f8b88dad2 100644
--- a/usr.sbin/bhyveload/bhyveload.c
+++ b/usr.sbin/bhyveload/bhyveload.c
@@ -61,6 +61,7 @@
 #include <machine/specialreg.h>
 #include <machine/vmm.h>
 
+#include <assert.h>
 #include <dirent.h>
 #include <dlfcn.h>
 #include <errno.h>
@@ -87,11 +88,11 @@
 
 #define	NDISKS	32
 
-static char *host_base;
 static struct termios term, oldterm;
 static int disk_fd[NDISKS];
 static int ndisks;
 static int consin_fd, consout_fd;
+static int hostbase_fd = -1;
 
 static int need_reinit;
 
@@ -157,42 +158,61 @@ static int
 cb_open(void *arg __unused, const char *filename, void **hp)
 {
 	struct cb_file *cf;
-	char path[PATH_MAX];
+	struct stat sb;
+	int fd, flags;
 
-	if (!host_base)
+	cf = NULL;
+	fd = -1;
+	flags = O_RDONLY | O_RESOLVE_BENEATH;
+	if (hostbase_fd == -1)
 		return (ENOENT);
 
-	strlcpy(path, host_base, PATH_MAX);
-	if (path[strlen(path) - 1] == '/')
-		path[strlen(path) - 1] = 0;
-	strlcat(path, filename, PATH_MAX);
-	cf = malloc(sizeof(struct cb_file));
-	if (stat(path, &cf->cf_stat) < 0) {
-		free(cf);
+	/* Absolute paths are relative to our hostbase, chop off leading /. */
+	if (filename[0] == '/')
+		filename++;
+
+	/* Lookup of /, use . instead. */
+	if (filename[0] == '\0')
+		filename = ".";
+
+	if (fstatat(hostbase_fd, filename, &sb, AT_RESOLVE_BENEATH) < 0)
 		return (errno);
+
+	if (!S_ISDIR(sb.st_mode) && !S_ISREG(sb.st_mode))
+		return (EINVAL);
+
+	if (S_ISDIR(sb.st_mode))
+		flags |= O_DIRECTORY;
+
+	/* May be opening the root dir */
+	fd = openat(hostbase_fd, filename, flags);
+	if (fd < 0)
+		return (errno);
+
+	cf = malloc(sizeof(struct cb_file));
+	if (cf == NULL) {
+		close(fd);
+		return (ENOMEM);
 	}
 
+	cf->cf_stat = sb;
 	cf->cf_size = cf->cf_stat.st_size;
+
 	if (S_ISDIR(cf->cf_stat.st_mode)) {
 		cf->cf_isdir = 1;
-		cf->cf_u.dir = opendir(path);
-		if (!cf->cf_u.dir)
-			goto out;
-		*hp = cf;
-		return (0);
-	}
-	if (S_ISREG(cf->cf_stat.st_mode)) {
+		cf->cf_u.dir = fdopendir(fd);
+		if (cf->cf_u.dir == NULL) {
+			close(fd);
+			free(cf);
+			return (ENOMEM);
+		}
+	} else {
+		assert(S_ISREG(cf->cf_stat.st_mode));
 		cf->cf_isdir = 0;
-		cf->cf_u.fd = open(path, O_RDONLY);
-		if (cf->cf_u.fd < 0)
-			goto out;
-		*hp = cf;
-		return (0);
+		cf->cf_u.fd = fd;
 	}
-
-out:
-	free(cf);
-	return (EINVAL);
+	*hp = cf;
+	return (0);
 }
 
 static int
@@ -710,6 +730,17 @@ usage(void)
 	exit(1);
 }
 
+static void
+hostbase_open(const char *base)
+{
+
+	if (hostbase_fd != -1)
+		close(hostbase_fd);
+	hostbase_fd = open(base, O_DIRECTORY | O_PATH);
+	if (hostbase_fd == -1)
+		err(EX_OSERR, "open");
+}
+
 int
 main(int argc, char** argv)
 {
@@ -744,7 +775,7 @@ main(int argc, char** argv)
 			break;
 
 		case 'h':
-			host_base = optarg;
+			hostbase_open(optarg);
 			break;
 
 		case 'l':