Only run partitioning commands from trusted prefixes.

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

.reuse/dep5

@@ -17,3 +17,8 @@ Copyright: 2020 KDE translators
 Files: src/util/org.kde.kpmcore.helperinterface.conf
 License: MIT
 Copyright: 2018 Andrius Štikonas <andrius@stikonas.eu>
+
+# Just list of directories
+Files: src/util/trustedprefixes
+License: CC0-1.0
+Copyright: None

CMakeLists.txt

@@ -17,10 +17,13 @@ project(kpmcore VERSION ${RELEASE_SERVICE_VERSION})
 set(SOVERSION "12")
 add_definitions(-D'VERSION="${RELEASE_SERVICE_VERSION}"') #"
 
-
 set(CMAKE_USE_RELATIVE_PATHS OFF)
 set(CMAKE_BUILD_WITH_INSTALL_RPATH ON)
 
+# Note that KPMcore is restricted to only run binaries installed into trusted prefixes
+# See src/util/trustedprefixes
+# By default this is set to / and /usr which is good for majority of distros
+
 # Dependencies
 set(QT_MIN_VERSION "5.15.0")
 set(KF5_MIN_VERSION "5.90")

src/plugins/dummy/pmdummybackendplugin.json

@@ -40,7 +40,7 @@
         ],
         "Category": "BackendPlugin",
         "Description": "A KDE Partition Manager dummy backend for testing purposes.",
-        "Description[ca@valencia]": "Un dorsal fals per al gestor de particions del KDE amb la finalitat de fer proves.",
+        "Description[ca@valencia]": "Un dorsal fals per al gestor de particions de KDE amb la finalitat de fer proves.",
         "Description[ca]": "Un dorsal fals per al gestor de particions del KDE amb la finalitat de fer proves.",
         "Description[cs]": "Falešná podpůrná vrstva pro správce diskových oddílů KDE pro testovací účely.",
         "Description[da]": "En KDE-partitionshåndtering med attrap-backend til testformål.",
@@ -75,7 +75,7 @@
         "Id": "pmdummybackendplugin",
         "License": "GPL",
         "Name": "KDE Partition Manager Dummy Backend",
-        "Name[ca@valencia]": "Dorsal fals del gestor de particions del KDE",
+        "Name[ca@valencia]": "Dorsal fals del gestor de particions de KDE",
         "Name[ca]": "Dorsal fals del gestor de particions del KDE",
         "Name[cs]": "Podpůrná vrstva pro správce diskových oddílů pro KDE",
         "Name[da]": "KDE-partitionshåndtering med attrap-backend",

src/plugins/sfdisk/pmsfdiskbackendplugin.json

@@ -40,7 +40,7 @@
         ],
         "Category": "BackendPlugin",
         "Description": "A KDE Partition Manager sfdisk backend.",
-        "Description[ca@valencia]": "Un dorsal «sfdisk» del gestor de particions del KDE.",
+        "Description[ca@valencia]": "Un dorsal «sfdisk» del gestor de particions de KDE.",
         "Description[ca]": "Un dorsal «sfdisk» del gestor de particions del KDE.",
         "Description[cs]": "Podpůrná vrstva sfdisk pro správce diskových oddílů pro KDE.",
         "Description[da]": "En KDE-partitionshåndtering med sfdisk-backend.",
@@ -75,7 +75,7 @@
         "Id": "pmsfdiskbackendplugin",
         "License": "GPL",
         "Name": "KDE Partition Manager sfdisk Backend",
-        "Name[ca@valencia]": "Dorsal «sfdisk» del gestor de particions del KDE",
+        "Name[ca@valencia]": "Dorsal «sfdisk» del gestor de particions de KDE",
         "Name[ca]": "Dorsal «sfdisk» del gestor de particions del KDE",
         "Name[cs]": "Podpůrná vrstva sfdisk pro správce diskových oddílů pro KDE",
         "Name[da]": "KDE-partitionshåndtering med sfdisk-backend",

src/util/CMakeLists.txt

@@ -11,6 +11,16 @@
 
 set(helper_interface_xml org.kde.kpmcore.helperinterface.xml)
 
+FILE(READ "util/trustedprefixes" TRUSTED_PREFIXES)
+STRING(REGEX REPLACE ";" "\\\\;" TRUSTED_PREFIXES "${TRUSTED_PREFIXES}")
+STRING(REGEX REPLACE "\n" ";" TRUSTED_PREFIXES "${TRUSTED_PREFIXES}")
+foreach(TRUSTED_PREFIX ${TRUSTED_PREFIXES})
+    list(APPEND TRUSTED_PREFIXES_LIST "    QStringLiteral(\"${TRUSTED_PREFIX}\")")
+endforeach()
+string(REPLACE ";    QStringLiteral(" ",\n    QStringLiteral(" TRUSTED_PREFIXES_LIST "${TRUSTED_PREFIXES_LIST}")
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS util/trustedprefixes)
+configure_file(util/externalcommand_trustedprefixes.h.in util/externalcommand_trustedprefixes.h)
+
 qt_generate_dbus_interface(
     util/externalcommand.h
     ${application_interface_xml}

src/util/externalcommand_trustedprefixes.h.in

@@ -0,0 +1,8 @@
+/*
+    SPDX-FileCopyrightText: 2022 Andrius Štikonas <andrius@stikonas.eu>
+    SPDX-License-Identifier: GPL-3.0-or-later
+*/
+
+const std::unordered_set<QString> trustedPrefixes {
+@TRUSTED_PREFIXES_LIST@
+};

src/util/externalcommand_whitelist.h

@@ -9,6 +9,7 @@
 #define KPMCORE_EXTERNALCOMMAND_WHITELIST_H
 
 #include <unordered_set>
+#include "util/externalcommand_trustedprefixes.h"
 
 const std::unordered_set<QString> allowedCommands {
 // TODO no root needed

src/util/externalcommandhelper.cpp

@@ -19,8 +19,10 @@
 
 #include <QCoreApplication>
 #include <QDebug>
+#include <QDir>
 #include <QElapsedTimer>
 #include <QFile>
+#include <QFileInfo>
 #include <QString>
 #include <QVariant>
 
@@ -346,9 +348,23 @@ QVariantMap ExternalCommandHelper::RunCommand(const QString& command, const QStr
     }
 
     // Compare with command whitelist
-    QString basename = command.mid(command.lastIndexOf(QLatin1Char('/')) + 1);
+    QFileInfo fileInfo(command);
+    QString basename = fileInfo.fileName();
     if (allowedCommands.find(basename) == allowedCommands.end()) { // TODO: C++20: replace with contains
-        qInfo() << command <<" command is not one of the whitelisted command";
+        qInfo() << command << "command is not one of the whitelisted commands";
+        reply[QStringLiteral("success")] = false;
+        return reply;
+    }
+
+    // Make sure command is located in the trusted prefix
+    QDir prefix = fileInfo.absoluteDir();
+    QString dirname = prefix.dirName();
+    if (dirname == QStringLiteral("bin") || dirname == QStringLiteral("sbin")) {
+        prefix.cdUp();
+    }
+    if (trustedPrefixes.find(prefix.path()) == trustedPrefixes.end()) { // TODO: C++20: replace with contains
+        qInfo() << prefix.path() << "prefix is not one of the trusted command prefixes";
+        reply[QStringLiteral("success")] = false;
         return reply;
     }
 

src/util/org.kde.kpmcore.externalcommand.policy

@@ -11,6 +11,7 @@ SPDX-License-Identifier: CC0-1.0
    <action id="org.kde.kpmcore.externalcommand.init" >
       <description>Run privileged partition manager helper</description>
       <description xml:lang="ca">Executa l'ajudant del gestor de particions amb privilegis</description>
+      <description xml:lang="ca@valencia">Executa l'ajudant del gestor de particions amb privilegis</description>
       <description xml:lang="en_GB">Run privileged partition manager helper</description>
       <description xml:lang="es">Ejecutar la aplicación auxiliar de gestión de particiones con privilegios</description>
       <description xml:lang="fr">Lancer l'assistant de gestionnaire de partition en mode administrateur</description>

src/util/trustedprefixes

@@ -0,0 +1,2 @@
+/
+/usr