eal: forbid loading drivers from insecure paths

Any paths on the system which are world-writable are insecure and should
not be used for loading drivers. Therefore, whenever an absolute or
relative driver path is passed to EAL, check for world-writability and
don't load any drivers from that path if it is insecure. Drivers loaded
from system locations i.e. those passed without any path info and found
automatically by the loader, are excluded from these checks as system paths
are assumed to be secure.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>

diff --git a/lib/librte_eal/common/eal_common_options.c b/lib/librte_eal/common/eal_common_options.c
index 176a985..6c63b93 100644 (file)
--- a/lib/librte_eal/common/eal_common_options.c
+++ b/lib/librte_eal/common/eal_common_options.c
@@ -15,6 +15,7 @@
 #include <getopt.h>
 #ifndef RTE_EXEC_ENV_WINDOWS
 #include <dlfcn.h>
+#include <libgen.h>
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -358,7 +359,14 @@ eal_plugin_add(const char *path)
        return 0;
 }
 
-#ifndef RTE_EXEC_ENV_WINDOWS
+#ifdef RTE_EXEC_ENV_WINDOWS
+int
+eal_plugins_init(void)
+{
+       return 0;
+}
+#else
+
 static int
 eal_plugindir_init(const char *path)
 {
@@ -398,12 +406,75 @@ eal_plugindir_init(const char *path)
        /* XXX this ignores failures from readdir() itself */
        return (dent == NULL) ? 0 : -1;
 }
-#endif
+
+static int
+verify_perms(const char *dirpath)
+{
+       struct stat st;
+
+       /* if not root, check down one level first */
+       if (strcmp(dirpath, "/") != 0) {
+               char copy[PATH_MAX];
+
+               strlcpy(copy, dirpath, PATH_MAX);
+               if (verify_perms(dirname(copy)) != 0)
+                       return -1;
+       }
+
+       /* call stat to check for permissions and ensure not world writable */
+       if (stat(dirpath, &st) != 0) {
+               RTE_LOG(ERR, EAL, "Error with stat on %s, %s\n",
+                               dirpath, strerror(errno));
+               return -1;
+       }
+       if (st.st_mode & S_IWOTH) {
+               RTE_LOG(ERR, EAL,
+                               "Error, directory path %s is world-writable and insecure\n",
+                               dirpath);
+               return -1;
+       }
+
+       return 0;
+}
+
+static void *
+eal_dlopen(const char *pathname)
+{
+       void *retval = NULL;
+       char *realp = realpath(pathname, NULL);
+
+       if (realp == NULL && errno == ENOENT) {
+               /* not a full or relative path, try a load from system dirs */
+               retval = dlopen(pathname, RTLD_NOW);
+               if (retval == NULL)
+                       RTE_LOG(ERR, EAL, "%s\n", dlerror());
+               return retval;
+       }
+       if (realp == NULL) {
+               RTE_LOG(ERR, EAL, "Error with realpath for %s, %s\n",
+                               pathname, strerror(errno));
+               goto out;
+       }
+       if (strnlen(realp, PATH_MAX) == PATH_MAX) {
+               RTE_LOG(ERR, EAL, "Error, driver path greater than PATH_MAX\n");
+               goto out;
+       }
+
+       /* do permissions checks */
+       if (verify_perms(realp) != 0)
+               goto out;
+
+       retval = dlopen(realp, RTLD_NOW);
+       if (retval == NULL)
+               RTE_LOG(ERR, EAL, "%s\n", dlerror());
+out:
+       free(realp);
+       return retval;
+}
 
 int
 eal_plugins_init(void)
 {
-#ifndef RTE_EXEC_ENV_WINDOWS
        struct shared_driver *solib = NULL;
        struct stat sb;
 
@@ -423,17 +494,15 @@ eal_plugins_init(void)
                } else {
                        RTE_LOG(DEBUG, EAL, "open shared lib %s\n",
                                solib->name);
-                       solib->lib_handle = dlopen(solib->name, RTLD_NOW);
-                       if (solib->lib_handle == NULL) {
-                               RTE_LOG(ERR, EAL, "%s\n", dlerror());
+                       solib->lib_handle = eal_dlopen(solib->name);
+                       if (solib->lib_handle == NULL)
                                return -1;
-                       }
                }
 
        }
-#endif
        return 0;
 }
+#endif
 
 /*
  * Parse the coremask given as argument (hexadecimal string) and fill