Only run partitioning commands from trusted prefixes.

.reuse/dep5

@@ -17,3 +17,8 @@ Copyright: 2020 KDE translators
 Files: src/util/org.kde.kpmcore.helperinterface.conf
 License: MIT
 Copyright: 2018 Andrius Štikonas <andrius@stikonas.eu>
+
+# Just list of directories
+Files: src/util/trustedprefixes
+License: CC0-1.0
+Copyright: None

CMakeLists.txt

@@ -17,10 +17,13 @@ project(kpmcore VERSION ${RELEASE_SERVICE_VERSION})
 set(SOVERSION "12")
 add_definitions(-D'VERSION="${RELEASE_SERVICE_VERSION}"') #"
 
-
 set(CMAKE_USE_RELATIVE_PATHS OFF)
 set(CMAKE_BUILD_WITH_INSTALL_RPATH ON)
 
+# Note that KPMcore is restricted to only run binaries installed into trusted prefixes
+# See src/util/trustedprefixes
+# By default this is set to / and /usr which is good for majority of distros
+
 # Dependencies
 set(QT_MIN_VERSION "5.15.0")
 set(KF5_MIN_VERSION "5.90")

src/util/CMakeLists.txt

@@ -11,6 +11,16 @@
 
 set(helper_interface_xml org.kde.kpmcore.helperinterface.xml)
 
+FILE(READ "util/trustedprefixes" TRUSTED_PREFIXES)
+STRING(REGEX REPLACE ";" "\\\\;" TRUSTED_PREFIXES "${TRUSTED_PREFIXES}")
+STRING(REGEX REPLACE "\n" ";" TRUSTED_PREFIXES "${TRUSTED_PREFIXES}")
+foreach(TRUSTED_PREFIX ${TRUSTED_PREFIXES})
+    list(APPEND TRUSTED_PREFIXES_LIST "    QStringLiteral(\"${TRUSTED_PREFIX}\")")
+endforeach()
+string(REPLACE ";    QStringLiteral(" ",\n    QStringLiteral(" TRUSTED_PREFIXES_LIST "${TRUSTED_PREFIXES_LIST}")
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS util/trustedprefixes)
+configure_file(util/externalcommand_trustedprefixes.h.in util/externalcommand_trustedprefixes.h)
+
 qt_generate_dbus_interface(
     util/externalcommand.h
     ${application_interface_xml}

src/util/externalcommand_trustedprefixes.h.in

@@ -0,0 +1,8 @@
+/*
+    SPDX-FileCopyrightText: 2022 Andrius Štikonas <andrius@stikonas.eu>
+    SPDX-License-Identifier: GPL-3.0-or-later
+*/
+
+const std::unordered_set<QString> trustedPrefixes {
+@TRUSTED_PREFIXES_LIST@
+};

src/util/externalcommand_whitelist.h

@@ -9,6 +9,7 @@
 #define KPMCORE_EXTERNALCOMMAND_WHITELIST_H
 
 #include <unordered_set>
+#include "util/externalcommand_trustedprefixes.h"
 
 const std::unordered_set<QString> allowedCommands {
 // TODO no root needed

src/util/externalcommandhelper.cpp

@@ -19,8 +19,10 @@
 
 #include <QCoreApplication>
 #include <QDebug>
+#include <QDir>
 #include <QElapsedTimer>
 #include <QFile>
+#include <QFileInfo>
 #include <QString>
 #include <QVariant>
 
@@ -346,9 +348,23 @@ QVariantMap ExternalCommandHelper::RunCommand(const QString& command, const QStr
     }
 
     // Compare with command whitelist
-    QString basename = command.mid(command.lastIndexOf(QLatin1Char('/')) + 1);
+    QFileInfo fileInfo(command);
+    QString basename = fileInfo.fileName();
     if (allowedCommands.find(basename) == allowedCommands.end()) { // TODO: C++20: replace with contains
-        qInfo() << command <<" command is not one of the whitelisted command";
+        qInfo() << command << "command is not one of the whitelisted commands";
+        reply[QStringLiteral("success")] = false;
+        return reply;
+    }
+
+    // Make sure command is located in the trusted prefix
+    QDir prefix = fileInfo.absoluteDir();
+    QString dirname = prefix.dirName();
+    if (dirname == QStringLiteral("bin") || dirname == QStringLiteral("sbin")) {
+        prefix.cdUp();
+    }
+    if (trustedPrefixes.find(prefix.path()) == trustedPrefixes.end()) { // TODO: C++20: replace with contains
+        qInfo() << prefix.path() << "prefix is not one of the trusted command prefixes";
+        reply[QStringLiteral("success")] = false;
         return reply;
     }
 

src/util/trustedprefixes

@@ -0,0 +1,2 @@
+/
+/usr