From 5d52fa8c3c903df4be0e4e954fbca9b3b15285c6 Mon Sep 17 00:00:00 2001
From: Klaus Wenninger <klaus.wenninger@aon.at>
Date: Fri, 14 Sep 2018 17:51:50 +0200
Subject: [PATCH] Fix: sbd-common: don't follow symlinks outside /dev for
 watchdog

This makes it easier to define a SELinux-policy that keeps
avc-log clean on /dev traversal triggered by query-watchdog.
---
 src/sbd-common.c | 42 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/src/sbd-common.c b/src/sbd-common.c
index 0ce6478..fcb7a31 100644
--- a/src/sbd-common.c
+++ b/src/sbd-common.c
@@ -251,7 +251,8 @@ watchdog_close(bool disarm)
 #define MAX_WATCHDOGS 64
 #define SYS_CLASS_WATCHDOG "/sys/class/watchdog"
 #define SYS_CHAR_DEV_DIR "/sys/dev/char"
-#define WATCHDOG_NODEDIR "/dev"
+#define WATCHDOG_NODEDIR "/dev/"
+#define WATCHDOG_NODEDIR_LEN 5
 
 struct watchdog_list_item {
 	dev_t dev;
@@ -273,7 +274,7 @@ watchdog_populate_list(void)
 	struct dirent *entry;
 	char entry_name[280];
 	DIR *dp;
-	char buf[256] = "";
+	char buf[280] = "";
 
 	if (watchdog_list != NULL) {
 		return;
@@ -313,7 +314,38 @@ watchdog_populate_list(void)
 				struct stat statbuf;
 
 				snprintf(entry_name, sizeof(entry_name),
-						WATCHDOG_NODEDIR "/%s", entry->d_name);
+						WATCHDOG_NODEDIR "%s", entry->d_name);
+				if (entry->d_type == DT_LNK) {
+					int len;
+
+					/* !realpath(entry_name, buf) unfortunately does a stat on
+					 * target so we can't really use it to check if links stay
+					 * within /dev without triggering e.g. AVC-logs (with
+					 * SELinux policy that just allows stat within /dev).
+					 * Without canonicalization that doesn't actually touch the
+					 * filesystem easily available introduce some limitations
+					 * for simplicity:
+					 * - just simple path without '..'
+					 * - just one level of symlinks (avoid e.g. loop-checking)
+					 */
+					len = readlink(entry_name, buf, sizeof(buf) - 1);
+					if ((len < 1) ||
+					    (len > sizeof(buf) - WATCHDOG_NODEDIR_LEN - 1)) {
+						continue;
+					}
+					buf[len] = '\0';
+					if (buf[0] != '/') {
+						memmove(&buf[WATCHDOG_NODEDIR_LEN], buf, len+1);
+						memcpy(buf, WATCHDOG_NODEDIR, WATCHDOG_NODEDIR_LEN);
+						len += WATCHDOG_NODEDIR_LEN;
+					}
+					if (strstr(buf, "/../") ||
+					    strncmp(WATCHDOG_NODEDIR, buf, WATCHDOG_NODEDIR_LEN) ||
+					    lstat(buf, &statbuf) ||
+					    !S_ISCHR(statbuf.st_mode)) {
+						continue;
+					}
+				}
 				if(!stat(entry_name, &statbuf) && S_ISCHR(statbuf.st_mode)) {
 					int i;
 
@@ -322,6 +354,7 @@ watchdog_populate_list(void)
 							int wdfd = watchdog_init_fd(entry_name, -1);
 							struct watchdog_list_item *wdg =
 									calloc(1, sizeof(struct watchdog_list_item));
+							int len;
 
 							wdg->dev = watchdogs[i];
 							wdg->dev_node = strdup(entry_name);
@@ -343,7 +376,8 @@ watchdog_populate_list(void)
 							snprintf(entry_name, sizeof(entry_name),
 								SYS_CHAR_DEV_DIR "/%d:%d/device/driver",
 								major(watchdogs[i]), minor(watchdogs[i]));
-							if (readlink(entry_name, buf, sizeof(buf)) > 0) {
+							if ((len = readlink(entry_name, buf, sizeof(buf) - 1)) > 0) {
+								buf[len] = '\0';
 								wdg->dev_driver = strdup(basename(buf));
 							} else if ((wdg->dev_ident) &&
 										(strcmp(wdg->dev_ident,
-- 
1.8.3.1