From 08c49b5a0a5784c499ad0439c1f3258ff3755db9 Mon Sep 17 00:00:00 2001
From: "Kartik K. Agaram"
Date: Tue, 8 Mar 2022 19:20:53 -0800
Subject: [PATCH] protect framework files from apps
There's a separate open question here of where Teliva should store files like teliva_editor_state and teliva_editor_buffer. One school of thought is that apps should never be dropping crud into people's directories. On the other hand, I'm kinda encouraging people so far to just run apps from Teliva's directory. Perhaps that makes it ok?
---
 manual_tests | 6 ++----
 src/liolib.c | 15 ++++++++++++---
 src/loslib.c | 26 +++++++++++++++++++++-----
 3 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/manual_tests b/manual_tests
index de65a57..63bc108 100644
--- a/manual_tests
+++ b/manual_tests
@@ -25,10 +25,8 @@ running app.. shouldn't grow the call stack either.
 == security/privacy
 program draws over menu -> getch -> Teliva menu is still visible
-test/attack.tlv runs without error. See its blurb for details.
-
-TODO protect sensitive teliva files (teliva_edit_buffer, etc.)
- should we protect .c sources?
+app tries to read/write sensitive teliva files (teliva_edit_buffer, etc.) -> never allowed
+ TODO should we protect .c sources?
 TODO protect against DoS attack filling up disk
diff --git a/src/liolib.c b/src/liolib.c
index 6fb3359..feeeb8f 100644
--- a/src/liolib.c
+++ b/src/liolib.c
@@ -132,10 +132,19 @@ static int io_open (lua_State *L) {
 snprintf(buffer, 1020, "io.open(\"%s\", \"%s\")", filename, mode);
 append_to_audit_log(L, buffer);
 FILE **pf = newfile(L);
- if (file_operation_permitted(filename, mode)
- /* filenames starting with teliva_tmp_ are always ok */
- || starts_with(filename, "teliva_tmp_"))
+ /* filenames starting with teliva_tmp_ are always ok */
+ if (starts_with(filename, "teliva_tmp_")) {
 *pf = fopen(filename, mode);
+ }
+ /* other filenames starting with teliva_ are never ok (reserved for the
+ * framework, should not be accessed by apps directly */
+ else if (starts_with(filename, "teliva_")) {
+ snprintf(iolib_errbuf, 1024, "app tried to open file '%s'; that's never allowed for filenames starting with 'teliva_'", filename);
+ Previous_message = iolib_errbuf;
+ }
+ else if (file_operation_permitted(filename, mode)) {
+ *pf = fopen(filename, mode);
+ }
 else {
 snprintf(iolib_errbuf, 1024, "app tried to open file '%s'; adjust its permissions (ctrl-p) if that is expected", filename);
 Previous_message = iolib_errbuf;
diff --git a/src/loslib.c b/src/loslib.c
index 09a00c3..3137a6b 100644
--- a/src/loslib.c
+++ b/src/loslib.c
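Review bot: The new `starts_with(filename, "teliva_")` guard tests the raw string, so the same framework file named through a path with a directory component (a leading `./`, an absolute path, or a `..` segment) skips this branch and is decided by `file_operation_permitted` alone; whether that reopens access depends on what that function grants, which is not visible here. Apply the reserved-name test to the basename instead — e.g. `const char *base = strrchr(filename, '/'); base = base ? base + 1 : filename;` and then `starts_with(base, "teliva_")` — or canonicalize the path first, and treat the `teliva_tmp_` allowance the same way since it is also a raw-prefix match. The same raw-prefix pattern is repeated in the os_rename hunk in src/loslib.c for both `fromname` and `toname`. The added comment `(reserved for the framework, should not be accessed by apps directly */` is also missing its closing parenthesis. io_open starts and ends outside this hunk.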
@@ -46,19 +46,35 @@ static char oslib_errbuf[1024] = {0};
 static int os_rename (lua_State *L) {
 const char *fromname = luaL_checkstring(L, 1);
 const char *toname = luaL_checkstring(L, 2);
- /* A rename is like reading from one file and writing to another file. */
- if (!file_operation_permitted(fromname, "r")
- && !starts_with(fromname, "teliva_tmp_")) {
+ /* Sandboxing {
+ * A rename is like reading from one file and writing to another file. */
+ if (starts_with(fromname, "teliva_tmp_")) {
+ /* continue */
+ }
+ else if (starts_with(fromname, "teliva_")) {
+ snprintf(oslib_errbuf, 1024, "app tried to open file '%s'; that's never allowed for filenames starting with 'teliva_'", fromname);
+ Previous_message = oslib_errbuf;
+ return os_pushresult(L, 0, fromname);
+ }
+ else if (!file_operation_permitted(fromname, "r")) {
 snprintf(oslib_errbuf, 1024, "app tried to open file '%s' for reading; adjust its permissions (ctrl-p) if that is expected", fromname);
 Previous_message = oslib_errbuf;
 return os_pushresult(L, 0, fromname);
 }
- if (!file_operation_permitted(toname, "w")
- && !starts_with(fromname, "teliva_tmp_")) {
+ if (starts_with(toname, "teliva_tmp_")) {
+ /* continue */
+ }
+ else if (starts_with(toname, "teliva_")) {
+ snprintf(oslib_errbuf, 1024, "app tried to open file '%s'; that's never allowed for filenames starting with 'teliva_'", toname);
+ Previous_message = oslib_errbuf;
+ return os_pushresult(L, 0, toname);
+ }
+ else if (!file_operation_permitted(toname, "w")) {
 snprintf(oslib_errbuf, 1024, "app tried to open file '%s' for writing; adjust its permissions (ctrl-p) if that is expected", toname);
 Previous_message = oslib_errbuf;
 return os_pushresult(L, 0, toname);
 }
+ /* } */
 return os_pushresult(L, rename(fromname, toname) == 0, fromname);
 }