config: restrict default allowed_tools to /usr

genodelabs#99
jschlatow · Oct 1, 2024 · 38084d6 · 38084d6
1 parent 595f5e0
commit 38084d6
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/share/goa/doc/config.txt b/share/goa/doc/config.txt
@@ -252,10 +252,9 @@ to make sure that untrusted configuration files cannot trick Goa into undesired
 file operations.
 
 Moreover, Goa checks the 'cross_dev_prefix' against a list of allowed tool paths.
-By default, Goa allows tools to reside in the directories defined by the PATH
-environment variable or in "/usr/local/genode". Similar to extending the
-'allowed_paths' variable, a user may extend this policy by adding a path to the
-list 'allowed_tools' list.
+By default, Goa allows tools to reside in any subdirectory of /usr/. Similar to
+extending the 'allowed_paths' variable, a user may extend this policy by adding
+a path to the list 'allowed_tools' list.
 
 SEE ALSO
 ########

diff --git a/share/goa/lib/config.tcl b/share/goa/lib/config.tcl
@@ -233,8 +233,7 @@ namespace eval ::config {
  set allowed_paths [list [file normalize $project_dir] [file normalize $original_dir]]
  set allowed_paths [lsort -unique $allowed_paths]
 
- set allowed_tools [split $::env(PATH) ":"]
- lappend allowed_tools "/usr/local/genode"
+ set allowed_tools [list /usr/]
  lappend allowed_tools $tool_dir
 
  interp create -safe safeinterp

diff --git a/share/goa/lib/util.tcl b/share/goa/lib/util.tcl
@@ -748,6 +748,8 @@ proc install_config { args } {
 # Return true if specified program is installed
 #
 proc have_installed { program } {
+ # Note: auto_execok calls 'config::_safe_file' via 'file executable',
+ # which validates the resulting path against the allowed_tools variable.
 
  if {[auto_execok "$program"] != ""} { return true; }
  return false;