fusermount: refuse unknown options

Blacklists are notoriously fragile; especially if the kernel wishes to add some security-critical mount option at a later date, all existing systems with older versions of fusermount installed will suddenly have a security problem. Additionally, if the kernel's option parsing became a tiny bit laxer, the blacklist could probably be bypassed. Whitelist known-harmless flags instead, even if it's slightly more inconvenient.
author: Jann Horn <jannh@google.com> 2018-07-14 03:47:50 -0700
committer: Nikolaus Rath <Nikolaus@rath.org> 2018-07-18 20:32:28 +0100
commit: 5018a0c016495155ee598b7e0167b43d5d902414 (patch)
tree: 6a13fbb077868e91fa36b942a88105caa8093886
parent: cc315f5aa7fae04e16dda419859b2995992977cd (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/util/fusermount.c b/util/fusermount.c
index 4e0f51a..2792407 100644
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -819,10 +819,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
 						flags |= flag;
 					else
 						flags  &= ~flag;
-				} else {
+				} else if (opt_eq(s, len, "default_permissions") ||
+					   opt_eq(s, len, "allow_other") ||
+					   begins_with(s, "max_read=") ||
+					   begins_with(s, "blksize=")) {
 					memcpy(d, s, len);
 					d += len;
 					*d++ = ',';
+				} else {
+					fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
+					exit(1);
 				}
 			}
 		}
author	Jann Horn <jannh@google.com>	2018-07-14 03:47:50 -0700
committer	Nikolaus Rath <Nikolaus@rath.org>	2018-07-18 20:32:28 +0100
commit	5018a0c016495155ee598b7e0167b43d5d902414 (patch)
tree	6a13fbb077868e91fa36b942a88105caa8093886
parent	cc315f5aa7fae04e16dda419859b2995992977cd (diff)