syscall: remove unneeded path_has_dotdot_component checks

This code was added in commit 30656c5 ("syscall: add
symlink-race-safe do_*_at() wrappers and harden secure_relative_open")
but the justification given is really not particularly convincing.

The stated justification is that RESOLVE_BENEATH does not block some
".." escapes, which is categorically false (if it were true, that would
be a Linux kernel bug and the kernel actually has an extra safety check
at the end of lookup that would render this kind of breakout practically
impossible).

Reading the code, the actual reason appears to be to provide some
consistency between the RESOLVE_BENEATH and fallback per-component
O_NOFOLLOW lookups. However, the O_NOFOLLOW resolver can never have full
parity with the RESOLVE_BENEATH resolvers because RESOLVE_BENEATH permit
symlinks and symlinks can contain ".." components. It seems more prudent
to just allow ".." for modern systems and reject it for older ones. If
truly necessary, there are even ways to support ".." in a cross-platform
way so this could even be seen as a "not-implemented-yet" error rather
than a permanent API contract.

For the really-old systems case (with no O_NOFOLLOW or AT_DIRFD) then
just as we have to accept symlinks (which might contain "..") we might
as well accept bare ".." components. Rejecting ".." for that case is
just pure security theatre.

Fixes: 30656c5 ("syscall: add symlink-race-safe do_*_at() wrappers and harden secure_relative_open")
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>

Author: cyphar

syscall.c

@@ -1677,34 +1677,8 @@ int do_open_nofollow(const char *pathname, int flags)
                                flag name, picked up by the same #ifdef;
                                flag value differs from FreeBSD)
   Other systems fall back to the per-component O_NOFOLLOW walk below.
-
-  The relpath must also not contain any ../ elements in the path.
 */
 
-/* Returns 1 if path has any "/"-separated component that is exactly
- * "..", 0 otherwise. Used by secure_relative_open's front-door
- * validation to reject inputs that the per-component walk fallback
- * would otherwise resolve through ".." -- e.g. bare "..", "foo/..",
- * "subdir/.." -- which RESOLVE_BENEATH-equivalent kernels reject in
- * the kernel but the per-component fallback (NetBSD/OpenBSD/Solaris/
- * Cygwin/pre-5.6 Linux) does not. */
-static int path_has_dotdot_component(const char *path)
-{
-	const char *p = path;
-
-	while (*p) {
-		const char *q;
-		if (*p == '/') { p++; continue; }
-		q = p;
-		while (*q && *q != '/')
-			q++;
-		if (q - p == 2 && p[0] == '.' && p[1] == '.')
-			return 1;
-		p = q;
-	}
-	return 0;
-}
-
 #if defined(__linux__) && defined(HAVE_OPENAT2)
 static int secure_relative_open_linux(const char *basedir, const char *relpath, int flags, mode_t mode)
 {
@@ -1787,23 +1761,6 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
 		errno = EINVAL;
 		return -1;
 	}
-	/* Reject any path with a literal ".." component (bare "..",
-	 * "../foo", "foo/..", "foo/../bar", "subdir/.."). The previous
-	 * substring-based check caught only "../" prefix and "/../"
-	 * substring; bare ".." and trailing "/.." escape on the per-
-	 * component walk fallback used by NetBSD/OpenBSD/Solaris/Cygwin
-	 * and pre-5.6 Linux. RESOLVE_BENEATH on Linux/FreeBSD/macOS
-	 * catches some of these in-kernel with EXDEV, but the front
-	 * door must reject them consistently with EINVAL across all
-	 * platforms so callers can rely on the validation. */
-	if (path_has_dotdot_component(relpath)) {
-		errno = EINVAL;
-		return -1;
-	}
-	if (basedir && basedir[0] != '/' && path_has_dotdot_component(basedir)) {
-		errno = EINVAL;
-		return -1;
-	}
 
 #if defined(__linux__) && defined(HAVE_OPENAT2)
 	/* openat2(2) can fail with -EAGAIN if the path contains a ".." component
@@ -1833,56 +1790,61 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
 	pathjoin(fullpath, sizeof fullpath, basedir, relpath);
 	return open(fullpath, flags, mode);
 #else
-	int dirfd = AT_FDCWD;
+	int dirfd = AT_FDCWD, retfd = -1;
+	char *path_copy = NULL;
 	if (basedir != NULL) {
 		if (basedir[0] == '/') {
 			/* Absolute basedir: operator-trusted, plain openat. */
 			dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
-			if (dirfd == -1) {
+			if (dirfd == -1)
 				return -1;
-			}
 		} else {
-			/* Relative basedir: walk it component-by-component
-			 * with O_NOFOLLOW. This is the per-component
-			 * RESOLVE_BENEATH equivalent for platforms without
-			 * kernel-supported confinement, and matches the
-			 * relpath walk below. Symlinks in basedir are
-			 * rejected outright on this fallback path; the
-			 * Linux openat2 / O_RESOLVE_BENEATH paths above
-			 * still allow within-tree symlinks. */
+			/* Relative basedir: walk it component-by-component with
+			 * O_NOFOLLOW. This is the per-component RESOLVE_BENEATH equivalent
+			 * for platforms without kernel-supported confinement, and matches
+			 * the relpath walk below. Symlinks and ".." components in basedir
+			 * are rejected outright on this fallback path; the Linux openat2 /
+			 * O_RESOLVE_BENEATH paths above still allow them as long as they
+			 * stay within the tree.
+			 * */
 			char *bcopy = my_strdup(basedir, __FILE__, __LINE__);
 			if (!bcopy)
 				return -1;
 			for (const char *part = strtok(bcopy, "/");
 			     part != NULL;
 			     part = strtok(NULL, "/"))
 			{
+				if (!strcmp(part, "..")) {
+					free(bcopy);
+					errno = EXDEV; // emulate RESOLVE_BENEATH
+					goto cleanup;
+				}
 				int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
 				if (next_fd == -1) {
-					int save_errno = errno;
-					if (dirfd != AT_FDCWD) close(dirfd);
+					int save_errno = errno; // free only saves errno on glibc >= 2.33
 					free(bcopy);
 					errno = save_errno;
-					return -1;
+					goto cleanup;
 				}
 				if (dirfd != AT_FDCWD) close(dirfd);
 				dirfd = next_fd;
 			}
 			free(bcopy);
 		}
 	}
-	int retfd = -1;
 
-	char *path_copy = my_strdup(relpath, __FILE__, __LINE__);
-	if (!path_copy) {
-		if (dirfd != AT_FDCWD) close(dirfd);
-		return -1;
-	}
-	
+	path_copy = my_strdup(relpath, __FILE__, __LINE__);
+	if (!path_copy)
+		goto cleanup;
+
 	for (const char *part = strtok(path_copy, "/");
 	     part != NULL;
 	     part = strtok(NULL, "/"))
 	{
+		if (!strcmp(part, "..")) {
+			errno = EXDEV; // emulate RESOLVE_BENEATH
+			goto cleanup;
+		}
 		int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
 		if (next_fd == -1 && errno == ENOTDIR) {
 			if (strtok(NULL, "/") != NULL) {

t_secure_relpath.c

@@ -26,8 +26,14 @@
 
 #include "rsync.h"
 
+#include <stdbool.h>
 #include <sys/stat.h>
 
+#ifdef __linux__
+#include <sys/syscall.h>
+#include <linux/openat2.h>
+#endif
+
 int dry_run = 0;
 int am_root = 0;
 int am_sender = 0;
@@ -41,62 +47,80 @@ short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
 
 static int errs = 0;
 
-static void check_relpath(const char *relpath)
+/* Probe the running kernel for the RESOLVE_BENEATH-equivalent confinement
+ * that secure_relative_open() prefers over the per-component O_NOFOLLOW
+ * walk.  Returns 1 if either openat2(RESOLVE_BENEATH) on Linux 5.6+ or
+ * openat(O_RESOLVE_BENEATH) on FreeBSD 13+ / macOS 15+ is honoured by
+ * the running kernel, 0 otherwise.  The probe opens "." (a directory
+ * the helper has just chdir'd into) so it can't fail for any reason
+ * other than the kernel rejecting the requested confinement flag. */
+static int kernel_resolve_beneath_supported(void)
 {
 	int fd;
-	int saved_errno;
-
-	errno = 0;
-	fd = secure_relative_open(NULL, relpath, O_RDONLY | O_DIRECTORY, 0);
-	saved_errno = errno;
-
+#if defined __linux__
+	struct open_how how;
+	memset(&how, 0, sizeof how);
+	how.flags = O_RDONLY | O_DIRECTORY;
+	how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS;
+	fd = syscall(SYS_openat2, AT_FDCWD, ".", &how, sizeof how);
 	if (fd >= 0) {
-		fprintf(stderr,
-			"FAIL [relpath=%-12s]: returned valid fd %d (escape) -- expected -1 EINVAL\n",
-			relpath, fd);
 		close(fd);
-		errs++;
-		return;
+		return 1;
 	}
-
-	if (saved_errno != EINVAL) {
-		fprintf(stderr,
-			"FAIL [relpath=%-12s]: rejected but errno=%d (%s), expected EINVAL\n",
-			relpath, saved_errno, strerror(saved_errno));
-		errs++;
-		return;
+	/* O_RESOLVE_BENEATH is not defined on Linux, and even if it were, Linux's
+	 * openat(2) does not return -EINVAL for unknown flag bits and so if
+	 * O_RESOLVE_BENEATH happened to get defined somehow, the following
+	 * fallback would always return success. */
+#elif defined O_RESOLVE_BENEATH
+	fd = openat(AT_FDCWD, ".", O_RDONLY | O_DIRECTORY | O_RESOLVE_BENEATH);
+	if (fd >= 0) {
+		close(fd);
+		return 1;
 	}
+#endif
+	return 0;
+}
 
-	fprintf(stderr, "OK   [relpath=%-12s]: rejected with EINVAL\n", relpath);
+static void touch(const char *pathname, int mode)
+{
+	int fd = open(pathname, O_CREAT|O_RDWR, mode);
+	if (fd < 0) {
+		fprintf(stderr, "could not create file %s: %m\n", pathname);
+		abort();
+	}
+	close(fd);
 }
 
-static void check_basedir(const char *basedir)
+static void check_relative_open(const char *basedir, const char *relpath,
+								int want_errno)
 {
 	int fd;
 	int saved_errno;
 
 	errno = 0;
-	fd = secure_relative_open(basedir, "ok", O_RDONLY | O_DIRECTORY, 0);
+	fd = secure_relative_open(basedir, relpath, O_RDONLY | O_DIRECTORY, 0);
 	saved_errno = errno;
 
 	if (fd >= 0) {
-		fprintf(stderr,
-			"FAIL [basedir=%-12s]: returned valid fd %d -- expected -1 EINVAL\n",
-			basedir, fd);
 		close(fd);
-		errs++;
-		return;
-	}
-
-	if (saved_errno != EINVAL) {
+		if (want_errno != 0) {
+			fprintf(stderr,
+				"FAIL [basedir=%-12s relpath=%-12s]: returned valid fd %d (escape) -- expected -1 errno=%d (%s)\n",
+				basedir, relpath, fd, want_errno, strerror(want_errno));
+			errs++;
+			return;
+		}
+	} else if (saved_errno != want_errno) {
 		fprintf(stderr,
-			"FAIL [basedir=%-12s]: rejected but errno=%d (%s), expected EINVAL\n",
-			basedir, saved_errno, strerror(saved_errno));
+			"FAIL [basedir=%-12s relpath=%-12s]: rejected but errno=%d (%s), expected errno=%d (%s)\n",
+			basedir, relpath, saved_errno, strerror(saved_errno), want_errno, strerror(want_errno));
 		errs++;
 		return;
 	}
 
-	fprintf(stderr, "OK   [basedir=%-12s]: rejected with EINVAL\n", basedir);
+	fprintf(stderr,
+		"OK   [basedir=%-12s relpath=%-12s]: rejected with errno %d (%s)\n",
+		basedir, relpath, saved_errno, strerror(saved_errno));
 }
 
 int main(int argc, char **argv)
@@ -110,6 +134,11 @@ int main(int argc, char **argv)
 		return 2;
 	}
 
+	/* On systems with no RESOLVE_BENEATH, ".." at any point is an error. */
+	int contained_dotdot_errno = 0;
+	if (!kernel_resolve_beneath_supported())
+		contained_dotdot_errno = EXDEV;
+
 	/* secure_relative_open's daemon-only confinement protections only
 	 * fire when am_daemon && !am_chrooted (the threat model is the
 	 * daemon-no-chroot deployment), but the front-door input
@@ -119,31 +148,33 @@ int main(int argc, char **argv)
 	am_chrooted = 0;
 
 	mkdir("subdir", 0755);
-
-	/* Each of these relpaths must be rejected with EINVAL at the
-	 * secure_relative_open() front door. ".." is the actual one-level
-	 * escape; the others ("subdir/..", "subdir/../subdir") resolve
-	 * back to the start dir on systems that allow them, but we still
-	 * reject them as defence-in-depth: a path containing a ".." token
-	 * is suspicious and the caller should normalise before passing
-	 * it in. The "../foo" / "foo/../bar" / "/foo" / "/" cases are
-	 * regression checks for the existing checks. */
-	check_relpath("..");
-	check_relpath("../foo");
-	check_relpath("subdir/..");
-	check_relpath("subdir/../subdir");
-	check_relpath("foo/../bar");
-	check_relpath("/foo");
-	check_relpath("/");
+	touch("subdir/ok", 0644);
+	mkdir("foo", 0755);
+	touch("foo/ok", 0644);
+	mkdir("bar", 0755);
+	touch("bar/ok", 0644);
+
+	/* ".." that jumps outside of the root is rejected with EXDEV. */
+	check_relative_open(NULL, "..", EXDEV);
+	check_relative_open(NULL, "../foo", EXDEV);
+	/* Absolute paths for relpath are rejected with EINVAL. */
+	check_relative_open(NULL, "/foo", EINVAL);
+	check_relative_open(NULL, "/", EINVAL);
+	/* If RESOLVE_BENEATH is supported, ".." components that are contained
+	 * within the root are permitted. On older systems, they are rejected with
+	 * EXDEV. */
+	check_relative_open(NULL, "subdir/..", contained_dotdot_errno);
+	check_relative_open(NULL, "subdir/../subdir", contained_dotdot_errno);
+	check_relative_open(NULL, "foo/../bar", contained_dotdot_errno);
 
 	/* Same checks against basedir (which the codex Finding 2 fix
 	 * routes through the same RESOLVE_BENEATH-equivalent). Absolute
 	 * basedirs are operator-trusted and intentionally not validated
 	 * here. */
-	check_basedir("..");
-	check_basedir("../subdir");
-	check_basedir("subdir/..");
-	check_basedir("foo/../bar");
+	check_relative_open("..", ".", EXDEV);
+	check_relative_open("../subdir", ".", EXDEV);
+	check_relative_open("subdir/..", ".", contained_dotdot_errno);
+	check_relative_open("foo/../bar", ".", contained_dotdot_errno);
 
 	if (errs)
 		fprintf(stderr, "\n%d failure(s)\n", errs);