authorJann Horn <jannh@google.com>2018-07-14 03:47:50 -0700
committerNikolaus Rath <Nikolaus@rath.org>2018-07-21 12:17:49 +0100
commitd50017e850d6123d3dc93c1b3eafef6f7bba09f2 (patch)
tree9374376d437c84bafad0a2de3ef970c78f38f8e6
parent7c49d3cb74b215fcd527dbd9e1884fcc5b0cd469 (diff)
downloadfuse-d50017e850d6123d3dc93c1b3eafef6f7bba09f2.tar.gz
fusermount: refuse unknown options
Blacklists are notoriously fragile; especially if the kernel wishes to add some security-critical mount option at a later date, all existing systems with older versions of fusermount installed will suddenly have a security problem. Additionally, if the kernel's option parsing became a tiny bit laxer, the blacklist could probably be bypassed. Whitelist known-harmless flags instead, even if it's slightly more inconvenient.
-rw-r--r--util/fusermount.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/util/fusermount.c b/util/fusermount.c
index 012affb..552ac6c 100644
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -806,10 +806,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
flags |= flag;
else
flags &= ~flag;
- } else {
+ } else if (opt_eq(s, len, "default_permissions") ||
+ opt_eq(s, len, "allow_other") ||
+ begins_with(s, "max_read=") ||
+ begins_with(s, "blksize=")) {
memcpy(d, s, len);
d += len;
*d++ = ',';
+ } else {
+ fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
+ exit(1);
}
}
}
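Review bot: The new whitelist branch checks only the key for `max_read=` and `blksize=`: `begins_with(s, "max_read=")` matches the prefix, and `memcpy(d, s, len)` then copies whatever follows the `=` into the assembled option string without validating the value. Since the commit's stated aim is to stop depending on the kernel's option parser staying strict, I would also require the value to be a non-empty run of decimal digits ending exactly at `s + len` before copying, using one small helper for both prefixes. Separately, `len` is declared outside the hunk; if it is not an `int`, the `%.*s` precision argument needs a cast, `fprintf(stderr, "%s: unknown option '%.*s'\n", progname, (int)len, s);`. The body of do_mount starts and ends outside this hunk, so how options are split into `s`/`len` is not visible here.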