Changeset 105087 in vbox for trunk/src/VBox/HostServices

Timestamp:

Jul 1, 2024 11:27:59 PM (8 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

163708

Message:

doc/manual,include/VBox,Frontends/VBoxManage,HostServices/SharedFolders,
Main/{include,SharedFolder,Console,Machine,VirtualBox.xidl}: Add a
new attribute to ISharedFolder for specifying a symbolic link creation
policy to restrict the source pathname when creating symbolic links
within a guest. The symbolic link policies are represented by a new
enumeration of type SymlinkPolicy_T which includes values for no
restrictions ('any'), symlink sources only within the subtree of the
share ('subtree'), symlink sources as any relative path ('relative'),
and no symlinks allowed ('forbidden'). The symlink policy can only be
applied to permanent shared folders at this stage. bugref:10619

Location:

trunk/src/VBox/HostServices/SharedFolders

Files:

• Makefile.kmk (modified) (1 diff)
• VBoxSharedFoldersSvc.cpp (modified) (25 diffs)
• mappings.cpp (modified) (11 diffs)
• mappings.h (modified) (3 diffs)
• shfl.h (modified) (1 diff)
• testcase/Makefile.kmk (modified) (1 diff)
• testcase/tstSharedFolderService.cpp (modified) (6 diffs)
• testcase/tstSharedFolderService.h (modified) (1 diff)
• teststubs.h (modified) (1 diff)
• vbsf.cpp (modified) (3 diffs)
• vbsfpath.cpp (modified) (5 diffs)
• vbsfpath.h (modified) (1 diff)

trunk/src/VBox/HostServices/SharedFolders/Makefile.kmk

@@ -39 +39 @@
 VBoxSharedFolders_NAME.os2  = VBoxSFld
 VBoxSharedFolders_DEFS      = VBOX_WITH_HGCM RTSHFL
-VBoxSharedFolders_INCS.win  = \
-        $(VBOX_PATH_SDK)
+ifdef VBOX_WITH_XPCOM
+ VBoxSharedFolders_DEFS    += VBOX_WITH_XPCOM
+ VBoxSharedFolders_INCS    += $(VBOX_XPCOM_INCS)
+ ifdef VBOX_WITH_XPCOM_NAMESPACE_CLEANUP
+  VBoxSharedFolders_DEFS   += VBOX_WITH_XPCOM_NAMESPACE_CLEANUP
+ endif
+else # COM
+ VBoxSharedFolders_INCS    += \
+        $(VBOX_PATH_SDK) \
+        $(VBOX_PATH_SDK)/bindings/mscom/include
+endif
 
 VBoxSharedFolders_LDFLAGS.darwin = \

trunk/src/VBox/HostServices/SharedFolders/VBoxSharedFoldersSvc.cpp

@@ -164 +164 @@
 
 
-static DECLCALLBACK(int) svcUnload (void *)
+static DECLCALLBACK(int) svcUnload(void *)
 {
     int rc = VINF_SUCCESS;
@@ -176 +176 @@
 }
 
-static DECLCALLBACK(int) svcConnect (void *, uint32_t u32ClientID, void *pvClient, uint32_t fRequestor, bool fRestoring)
+static DECLCALLBACK(int) svcConnect(void *, uint32_t u32ClientID, void *pvClient, uint32_t fRequestor, bool fRestoring)
 {
     RT_NOREF(u32ClientID, fRequestor, fRestoring);
@@ -187 +187 @@
 }
 
-static DECLCALLBACK(int) svcDisconnect (void *, uint32_t u32ClientID, void *pvClient)
+static DECLCALLBACK(int) svcDisconnect(void *, uint32_t u32ClientID, void *pvClient)
 {
     RT_NOREF1(u32ClientID);
@@ -455 +455 @@
 }
 
-static DECLCALLBACK(void) svcCall (void *, VBOXHGCMCALLHANDLE callHandle, uint32_t u32ClientID, void *pvClient,
-                                   uint32_t u32Function, uint32_t cParms, VBOXHGCMSVCPARM paParms[], uint64_t tsArrival)
+static DECLCALLBACK(void) svcCall(void *, VBOXHGCMCALLHANDLE callHandle, uint32_t u32ClientID, void *pvClient,
+                                  uint32_t u32Function, uint32_t cParms, VBOXHGCMSVCPARM paParms[], uint64_t tsArrival)
 {
     RT_NOREF(u32ClientID, tsArrival);
@@ -618 +618 @@
                    )
                 {
-                    AssertMsgFailed (("Invalid parameters cbPath or cbParms (%x, %x - expected >=%x, %x)\n",
+                    AssertMsgFailed(("Invalid parameters cbPath or cbParms (%x, %x - expected >=%x, %x)\n",
                                       cbPath, cbParms, sizeof(SHFLSTRING), sizeof (SHFLCREATEPARMS)));
                     rc = VERR_INVALID_PARAMETER;
@@ -631 +631 @@
 
                     /* Execute the function. */
-                    rc = vbsfCreate (pClient, root, pPath, cbPath, pParms);
+                    rc = vbsfCreate(pClient, root, pPath, cbPath, pParms);
 
                     if (RT_SUCCESS(rc))
@@ -680 +680 @@
                 {
                     /* Execute the function. */
-                    rc = vbsfClose (pClient, root, Handle);
+                    rc = vbsfClose(pClient, root, Handle);
 
                     if (RT_SUCCESS(rc))
@@ -845 +845 @@
                      *       completed, the another thread must call
                      *
-                     *           g_pHelpers->pfnCallComplete (callHandle, rc);
+                     *           g_pHelpers->pfnCallComplete(callHandle, rc);
                      *
                      * The operation is async.
@@ -939 +939 @@
 
                     /* Execute the function. */
-                    rc = vbsfDirList (pClient, root, Handle, pPath, flags, &length, pBuffer, &resumePoint, &cFiles);
+                    rc = vbsfDirList(pClient, root, Handle, pPath, flags, &length, pBuffer, &resumePoint, &cFiles);
 
                     if (g_pStatusLed)
@@ -1002 +1002 @@
                 {
                     /* Execute the function. */
-                    rc = vbsfReadLink (pClient, root, pPath, cbPath, pBuffer, cbBuffer);
+                    rc = vbsfReadLink(pClient, root, pPath, cbPath, pBuffer, cbBuffer);
 
                     if (RT_SUCCESS(rc))
@@ -1048 +1048 @@
                 {
                     /* Execute the function. */
-                    rc = vbsfMapFolder (pClient, pszMapName, delimiter, false,  &root);
+                    rc = vbsfMapFolder(pClient, pszMapName, delimiter, false,  &root);
 
                     if (RT_SUCCESS(rc))
@@ -1118 +1118 @@
                 /* Execute the function. */
                 if (RT_SUCCESS(rc))
-                    rc = vbsfMapFolder (pClient, pszMapName, delimiter, fCaseSensitive, &root);
+                    rc = vbsfMapFolder(pClient, pszMapName, delimiter, fCaseSensitive, &root);
 
                 if (RT_SUCCESS(rc))
@@ -1156 +1156 @@
 
                 /* Execute the function. */
-                rc = vbsfUnmapFolder (pClient, root);
+                rc = vbsfUnmapFolder(pClient, root);
 
                 if (RT_SUCCESS(rc))
@@ -1208 +1208 @@
                     if (flags & SHFL_INFO_SET)
                     {
-                        rc = vbsfSetFSInfo (pClient, root, Handle, flags, &length, pBuffer);
+                        rc = vbsfSetFSInfo(pClient, root, Handle, flags, &length, pBuffer);
 
                         if (flags & SHFL_INFO_FILE)
@@ -1223 +1223 @@
                     else /* SHFL_INFO_GET */
                     {
-                        rc = vbsfQueryFSInfo (pClient, root, Handle, flags, &length, pBuffer);
+                        rc = vbsfQueryFSInfo(pClient, root, Handle, flags, &length, pBuffer);
 
                         if (flags & SHFL_INFO_FILE)
@@ -1339 +1339 @@
                 {
                     /* Execute the function. */
-                    rc = vbsfRename (pClient, root, pSrc, pDest, flags);
+                    rc = vbsfRename(pClient, root, pSrc, pDest, flags);
                     if (RT_SUCCESS(rc))
                     {
@@ -1389 +1389 @@
                     /* Execute the function. */
 
-                    rc = vbsfFlush (pClient, root, Handle);
+                    rc = vbsfFlush(pClient, root, Handle);
 
                     if (RT_SUCCESS(rc))
@@ -1447 +1447 @@
                 {
                     /* Execute the function. */
-                    rc = vbsfSymlink (pClient, root, pNewPath, pOldPath, pInfo);
+                    rc = vbsfSymlink(pClient, root, pNewPath, pOldPath, pInfo);
                     if (RT_SUCCESS(rc))
                     {
@@ -1646 +1646 @@
          * it was processed synchronously.
          */
-        g_pHelpers->pfnCallComplete (callHandle, rc);
+        g_pHelpers->pfnCallComplete(callHandle, rc);
     }
 
@@ -1668 +1668 @@
  * security reasons.
  */
-static DECLCALLBACK(int) svcHostCall (void *, uint32_t u32Function, uint32_t cParms, VBOXHGCMSVCPARM paParms[])
+static DECLCALLBACK(int) svcHostCall(void *, uint32_t u32Function, uint32_t cParms, VBOXHGCMSVCPARM paParms[])
 {
     int rc = VINF_SUCCESS;
@@ -1700 +1700 @@
                  || paParms[2].type != VBOX_HGCM_SVC_PARM_32BIT   /* fFlags */
                  || paParms[3].type != VBOX_HGCM_SVC_PARM_PTR     /* auto mount point */
+                 || paParms[4].type != VBOX_HGCM_SVC_PARM_32BIT   /* symlink policy */
                 )
         {
@@ -1711 +1712 @@
             uint32_t fFlags             = paParms[2].u.uint32;
             SHFLSTRING *pAutoMountPoint = (SHFLSTRING *)paParms[3].u.pointer.addr;
+            SymlinkPolicy_T enmSymlinkPolicy = (SymlinkPolicy_T)paParms[4].u.uint32;
 
             /* Verify parameters values. */
@@ -1741 +1743 @@
                                          RT_BOOL(fFlags & SHFL_ADD_MAPPING_F_CREATE_SYMLINKS),
                                          RT_BOOL(fFlags & SHFL_ADD_MAPPING_F_MISSING),
-                                         /* fPlaceholder = */ false);
+                                         /* fPlaceholder = */ false,
+                                         enmSymlinkPolicy);
                     if (RT_SUCCESS(rc))
                     {
@@ -1785 +1788 @@
             {
                 /* Execute the function. */
-                rc = vbsfMappingsRemove (pString);
+                rc = vbsfMappingsRemove(pString);
 
                 if (RT_SUCCESS(rc))
@@ -1844 +1847 @@
 }
 
-extern "C" DECLCALLBACK(DECLEXPORT(int)) VBoxHGCMSvcLoad (VBOXHGCMSVCFNTABLE *ptable)
+extern "C" DECLCALLBACK(DECLEXPORT(int)) VBoxHGCMSvcLoad(VBOXHGCMSVCFNTABLE *ptable)
 {
     int rc = VINF_SUCCESS;

trunk/src/VBox/HostServices/SharedFolders/mappings.cpp

@@ -186 +186 @@
     return vbsfMappingsAdd(pLoadedMapping->pszFolderName, pLoadedMapping->pMapName,
                            pLoadedMapping->fWritable, pLoadedMapping->fAutoMount, pLoadedMapping->pAutoMountPoint,
-                           pLoadedMapping->fSymlinksCreate, /* fMissing = */ true, /* fPlaceholder = */ true);
+                           pLoadedMapping->fSymlinksCreate, /* fMissing = */ true, /* fPlaceholder = */ true,
+                           pLoadedMapping->enmSymlinkPolicy);
 }
 
@@ -340 +341 @@
  */
 int vbsfMappingsAdd(const char *pszFolderName, PSHFLSTRING pMapName, bool fWritable,
-                    bool fAutoMount, PSHFLSTRING pAutoMountPoint, bool fSymlinksCreate, bool fMissing, bool fPlaceholder)
+                    bool fAutoMount, PSHFLSTRING pAutoMountPoint, bool fSymlinksCreate, bool fMissing, bool fPlaceholder,
+                    SymlinkPolicy_T enmSymlinkPolicy)
 {
     unsigned i;
@@ -369 +371 @@
     for (i = 0; i < SHFL_MAX_MAPPINGS; i++)
     {
-        if (g_FolderMapping[i].fValid == false)
+        if (!g_FolderMapping[i].fValid)
         {
             /* Make sure the folder name is an absolute path, otherwise we're
@@ -398 +400 @@
             g_FolderMapping[i].fPlaceholder    = fPlaceholder;
             g_FolderMapping[i].fLoadedRootId   = false;
+            g_FolderMapping[i].enmSymlinkPolicy = enmSymlinkPolicy;
 
             /* Check if the host file system is case sensitive */
@@ -446 +449 @@
     for (unsigned i = 0; i < SHFL_MAX_MAPPINGS; i++)
     {
-        if (g_FolderMapping[i].fValid == true)
+        if (g_FolderMapping[i].fValid)
         {
             if (!RTUtf16LocaleICmp(g_FolderMapping[i].pMapName->String.utf16, pMapName->String.utf16))
@@ -599 +602 @@
 int vbsfMappingsQueryName(PSHFLCLIENTDATA pClient, SHFLROOT root, SHFLSTRING *pString)
 {
-    LogFlow(("vbsfMappingsQuery: pClient = %p, root = %d, *pString = %p\n", pClient, root, pString));
+    LogFlow(("vbsfMappingsQueryName: pClient = %p, root = %d, *pString = %p\n", pClient, root, pString));
 
     int rc;
@@ -633 +636 @@
         rc = VERR_INVALID_PARAMETER;
 
-    LogFlow(("vbsfMappingsQuery:Name return rc = %Rrc\n", rc));
+    LogFlow(("vbsfMappingsQueryName returns rc = %Rrc\n", rc));
     return rc;
 }
@@ -655 +658 @@
         rc = VERR_FILE_NOT_FOUND;
 
-    LogFlow(("vbsfMappingsQuery:Writable return rc = %Rrc\n", rc));
+    LogFlow(("vbsfMappingsQueryWritable returns rc = %Rrc\n", rc));
 
     return rc;
@@ -670 +673 @@
     AssertReturn(pFolderMapping, VERR_INVALID_PARAMETER);
 
-    if (pFolderMapping->fValid == true)
+    if (pFolderMapping->fValid)
         *fAutoMount = pFolderMapping->fAutoMount;
     else
         rc = VERR_FILE_NOT_FOUND;
 
-    LogFlow(("vbsfMappingsQueryAutoMount:Writable return rc = %Rrc\n", rc));
+    LogFlow(("vbsfMappingsQueryAutoMount returns rc = %Rrc\n", rc));
 
     return rc;
@@ -685 +688 @@
     int rc = VINF_SUCCESS;
 
-    LogFlow(("vbsfMappingsQueryAutoMount: pClient = %p, root = %d\n", pClient, root));
+    LogFlow(("vbsfMappingsQuerySymlinksCreate: pClient = %p, root = %d\n", pClient, root));
 
     MAPPING *pFolderMapping = vbsfMappingGetByRoot(root);
     AssertReturn(pFolderMapping, VERR_INVALID_PARAMETER);
 
-    if (pFolderMapping->fValid == true)
+    if (pFolderMapping->fValid)
         *fSymlinksCreate = pFolderMapping->fSymlinksCreate;
     else
         rc = VERR_FILE_NOT_FOUND;
 
-    LogFlow(("vbsfMappingsQueryAutoMount:SymlinksCreate return rc = %Rrc\n", rc));
+    LogFlow(("vbsfMappingsQuerySymlinksCreate returns rc = %Rrc\n", rc));
+
+    return rc;
+}
+
+int vbsfMappingsQuerySymlinkPolicy(PSHFLCLIENTDATA pClient, SHFLROOT root, SymlinkPolicy_T *enmSymlinkPolicy)
+{
+    RT_NOREF1(pClient);
+    int rc = VINF_SUCCESS;
+
+    LogFlow(("vbsfMappingsQuerySymlinkPolicy: pClient = %p, root = %d\n", pClient, root));
+
+    MAPPING *pFolderMapping = vbsfMappingGetByRoot(root);
+    AssertReturn(pFolderMapping, VERR_INVALID_PARAMETER);
+
+    if (pFolderMapping->fValid)
+        *enmSymlinkPolicy = pFolderMapping->enmSymlinkPolicy;
+    else
+        rc = VERR_FILE_NOT_FOUND;
+
+    LogFlow(("vbsfMappingsQuerySymlinkPolicy returns rc = %Rrc\n", rc));
 
     return rc;
@@ -879 +902 @@
         return VERR_FILE_NOT_FOUND;
     }
-    Assert(pFolderMapping->fValid == true && pFolderMapping->cMappings > 0);
+    Assert(pFolderMapping->fValid && pFolderMapping->cMappings > 0);
 
     AssertLogRelReturn(root < RT_ELEMENTS(pClient->acMappings), VERR_INTERNAL_ERROR);

trunk/src/VBox/HostServices/SharedFolders/mappings.h

@@ -52 +52 @@
                                              still has. fMissing is always true for this mapping. */
     bool        fLoadedRootId;          /**< Set if vbsfMappingLoaded has found this mapping already. */
+    SymlinkPolicy_T enmSymlinkPolicy;   /**< Symbolic link creation policy within the guest. */
 } MAPPING;
 /** Pointer to a MAPPING structure. */
@@ -61 +62 @@
 
 int vbsfMappingsAdd(const char *pszFolderName, PSHFLSTRING pMapName, bool fWritable,
-                    bool fAutoMount, PSHFLSTRING pAutoMountPoint, bool fCreateSymlinks, bool fMissing, bool fPlaceholder);
+                    bool fAutoMount, PSHFLSTRING pAutoMountPoint, bool fCreateSymlinks, bool fMissing, bool fPlaceholder,
+                    SymlinkPolicy_T enmSymlinkPolicy);
 int vbsfMappingsRemove(PSHFLSTRING pMapName);
 
@@ -69 +71 @@
 int vbsfMappingsQueryAutoMount(PSHFLCLIENTDATA pClient, SHFLROOT root, bool *fAutoMount);
 int vbsfMappingsQuerySymlinksCreate(PSHFLCLIENTDATA pClient, SHFLROOT root, bool *fSymlinksCreate);
+int vbsfMappingsQuerySymlinkPolicy(PSHFLCLIENTDATA pClient, SHFLROOT root, SymlinkPolicy_T *enmSymlinkPolicy);
 int vbsfMappingsQueryInfo(PSHFLCLIENTDATA pClient, SHFLROOT root, PSHFLSTRING pNameBuf, PSHFLSTRING pMntPtBuf,
                           uint64_t *pfFlags, uint32_t *puVersion);

trunk/src/VBox/HostServices/SharedFolders/shfl.h

@@ -76 +76 @@
 typedef SHFLCLIENTDATA *PSHFLCLIENTDATA;
 
+/** This enum is included here to avoid a build dependency on the VirtualBox
+ * COM definitions pulled in by VBox/com/VirtualBox.h. */
+typedef enum SymlinkPolicy_T {
+    SymlinkPolicy_None,
+    SymlinkPolicy_Forbidden,
+    SymlinkPolicy_AllowedInShareSubtree,
+    SymlinkPolicy_AllowedToRelativeTargets,
+    SymlinkPolicy_AllowedToAnyTarget,
+#ifdef VBOX_WITH_XPCOM_CPP_ENUM_HACK
+    SymlinkPolicy_32BitHack = 0x7fffffff
+#endif /* VBOX_WITH_XPCOM_CPP_ENUM_HACK */
+} SymlinkPolicy_T;
 
 /** @def SHFL_CLIENT_NEED_WINDOWS_ERROR_STYLE_ADJUST_ON_POSIX

trunk/src/VBox/HostServices/SharedFolders/testcase/Makefile.kmk

@@ -69 +69 @@
  tstSharedFolderService_DEFS    = VBOX_WITH_HGCM UNITTEST
  tstSharedFolderService_INCS    = ..
+ ifneq ($(KBUILD_TARGET),win)
+  tstSharedFolderService_DEFS  += VBOX_WITH_XPCOM
+  tstSharedFolderService_INCS  += $(VBOX_XPCOM_INCS)
+ endif
+ tstSharedFolderService_INCS.win += $(VBOX_PATH_SDK)/bindings/mscom/include
  tstSharedFolderService_SOURCES = \
         tstSharedFolderService.cpp \

trunk/src/VBox/HostServices/SharedFolders/testcase/tstSharedFolderService.cpp

@@ -587 +587 @@
 }
 
+extern int testRTSymlinkCreate(const char *pszSymlink, const char *pszTarget, RTSYMLINKTYPE enmType, uint32_t fCreate)
+{
+    if (g_fFailIfNotLowercase && !RTStrIsLowerCased(strpbrk(pszSymlink, "/\\")))
+        return VERR_FILE_NOT_FOUND;
+    RT_NOREF4(pszSymlink, pszTarget, enmType, fCreate);
+    return 0;
+}
+
 
 /*********************************************************************************************************************************
@@ -678 +686 @@
 }
 
+static void fillTestShflStringUtf8(union TESTSHFLSTRING *pDest,
+                                   const char *pcszSource)
+{
+    const size_t cchSource = strlen(pcszSource);
+    AssertRelease(  cchSource * 2 + 2
+                  < sizeof(*pDest) - RT_UOFFSETOF(SHFLSTRING, String));
+    pDest->string.u16Length = (uint16_t)cchSource;
+    pDest->string.u16Size   = pDest->string.u16Length + 1;
+    memcpy(pDest->string.String.utf8, pcszSource, pDest->string.u16Size);
+}
+
 static SHFLROOT initWithWritableMapping(RTTEST hTest,
                                         VBOXHGCMSVCFNTABLE *psvcTable,
@@ -683 +702 @@
                                         const char *pcszFolderName,
                                         const char *pcszMapping,
-                                        bool fCaseSensitive = true)
+                                        bool fCaseSensitive = true,
+                                        SymlinkPolicy_T enmSymlinkPolicy = SymlinkPolicy_AllowedToAnyTarget)
 {
     VBOXHGCMSVCPARM aParms[RT_MAX(SHFL_CPARMS_ADD_MAPPING,
@@ -706 +726 @@
     HGCMSvcSetPv(&aParms[1], &Mapping,   RT_UOFFSETOF(SHFLSTRING, String)
                                    + Mapping.string.u16Size);
-    HGCMSvcSetU32(&aParms[2], 1);
+    HGCMSvcSetU32(&aParms[2], SHFL_ADD_MAPPING_F_WRITABLE | SHFL_ADD_MAPPING_F_CREATE_SYMLINKS);
     HGCMSvcSetPv(&aParms[3], &AutoMountPoint, SHFLSTRING_HEADER_SIZE + AutoMountPoint.string.u16Size);
+    HGCMSvcSetU32(&aParms[4], enmSymlinkPolicy);
     rc = psvcTable->pfnHostCall(psvcTable->pvService, SHFL_FN_ADD_MAPPING,
                                 SHFL_CPARMS_ADD_MAPPING, aParms);
@@ -774 +795 @@
         *pResult = CreateParms.Result;
     return VINF_SUCCESS;
+}
+
+static int createSymlink(VBOXHGCMSVCFNTABLE *psvcTable, SHFLROOT Root,
+                         const char *pcszSourcePath, const char *pcszSymlinkPath)
+{
+    VBOXHGCMSVCPARM aParms[SHFL_CPARMS_SYMLINK];
+    union TESTSHFLSTRING sourcePath;
+    union TESTSHFLSTRING symlinkPath;
+    SHFLFSOBJINFO ObjInfo;
+    VBOXHGCMCALLHANDLE_TYPEDEF callHandle = { VINF_SUCCESS };
+
+    /* vbsfSymlink() only supports UTF-8 */
+    fillTestShflStringUtf8(&sourcePath, pcszSourcePath);
+    fillTestShflStringUtf8(&symlinkPath, pcszSymlinkPath);
+    psvcTable->pfnCall(psvcTable->pvService, &callHandle, 0,
+                       psvcTable->pvService, SHFL_FN_SET_UTF8,
+                       RT_ELEMENTS(aParms), aParms, 0);
+
+    RT_ZERO(ObjInfo);
+    HGCMSvcSetU32(&aParms[0], Root);
+    HGCMSvcSetPv(&aParms[1], &symlinkPath,  RT_UOFFSETOF(SHFLSTRING, String)
+                                + symlinkPath.string.u16Size);
+    HGCMSvcSetPv(&aParms[2], &sourcePath,   RT_UOFFSETOF(SHFLSTRING, String)
+                                + sourcePath.string.u16Size);
+    HGCMSvcSetPv(&aParms[3], &ObjInfo, sizeof(ObjInfo));
+    psvcTable->pfnCall(psvcTable->pvService, &callHandle, 0,
+                       psvcTable->pvService, SHFL_FN_SYMLINK,
+                       RT_ELEMENTS(aParms), aParms, 0);
+    return callHandle.rc;
 }
 
@@ -1006 +1056 @@
 }
 
+static int testSymlinkCreationForSpecificPolicy(RTTEST hTest, SymlinkPolicy_T enmSymlinkPolicy)
+{
+    VBOXHGCMSVCFNTABLE  svcTable;
+    VBOXHGCMSVCHELPERS  svcHelpers;
+    SHFLROOT Root;
+    const RTFILE hFile = (RTFILE) 0x10000;
+    SHFLCREATERESULT Result;
+    int rc;
+
+    Root = initWithWritableMapping(hTest, &svcTable, &svcHelpers,
+                                   "/test/mapping", "testname",
+                                   true, enmSymlinkPolicy);
+    g_testRTFileOpen_hFile = hFile;
+    rc = createFile(&svcTable, Root, "file", SHFL_CF_ACCESS_READ, NULL, &Result);
+    RTTEST_CHECK_RC_OK(hTest, rc);
+    RTTEST_CHECK_MSG(hTest,
+                     !strcmp(&g_testRTFileOpen_szName[RTPATH_STYLE == RTPATH_STR_F_STYLE_DOS ? 2 : 0],
+                             "/test/mapping/file"),
+                     (hTest, "pszFilename=%s\n", &g_testRTFileOpen_szName[RTPATH_STYLE == RTPATH_STR_F_STYLE_DOS ? 2 : 0]));
+    RTTEST_CHECK_MSG(hTest, g_testRTFileOpen_fOpen == 0x181,
+                     (hTest, "fOpen=%llu\n", LLUIFY(g_testRTFileOpen_fOpen)));
+    RTTEST_CHECK_MSG(hTest, Result == SHFL_FILE_CREATED,
+                     (hTest, "Result=%d\n", (int)Result));
+
+    /* regular symlink creation should succeed unless no symlinks allowed */
+    rc = createSymlink(&svcTable, Root, "file", "symlink");
+    if (enmSymlinkPolicy == SymlinkPolicy_Forbidden)
+        RTTEST_CHECK_MSG(hTest, rc == VERR_WRITE_PROTECT,
+                         (hTest, "enmSymlinkPolicy=SymlinkPolicy_Forbidden 'ln -s file symlink' failed: rc=%Rrc\n", rc));
+    else
+        RTTEST_CHECK_RC_OK(hTest, rc);
+
+    /* absolute path to symlink sources only allowed for the 'any' policy */
+    rc = createSymlink(&svcTable, Root, "/path/to/file", "abs-symlink");
+    if (enmSymlinkPolicy == SymlinkPolicy_AllowedToAnyTarget)
+        RTTEST_CHECK_RC_OK(hTest, rc);
+    else
+        RTTEST_CHECK_MSG(hTest, rc == VERR_WRITE_PROTECT,
+                         (hTest, "enmSymlinkPolicy=%d 'ln -s file /absolute/path/symlink' failed: rc=%Rrc\n",
+                         enmSymlinkPolicy, rc));
+
+    /* relative path symlink sources with '..' components allowed only with 'relative' policy */
+    rc = createSymlink(&svcTable, Root, "./directory/../file", "rel-symlink");
+    if (   enmSymlinkPolicy == SymlinkPolicy_Forbidden
+        || enmSymlinkPolicy == SymlinkPolicy_AllowedInShareSubtree)
+        RTTEST_CHECK_MSG(hTest, rc == VERR_WRITE_PROTECT,
+                         (hTest, "enmSymlinkPolicy=%d 'ln -s ./path/../symlink' failed: rc=%Rrc\n",
+                         enmSymlinkPolicy, rc));
+    else
+        RTTEST_CHECK_RC_OK(hTest, rc);
+
+    /* relative path symlink source with no '..' components always OK */
+    rc = createSymlink(&svcTable, Root, "./directory/file", "dotslash-symlink");
+    if (enmSymlinkPolicy == SymlinkPolicy_Forbidden)
+        RTTEST_CHECK_MSG(hTest, rc == VERR_WRITE_PROTECT,
+                         (hTest, "enmSymlinkPolicy=%d 'ln -s ./path/../symlink' failed: rc=%Rrc\n",
+                         enmSymlinkPolicy, rc));
+    else
+        RTTEST_CHECK_RC_OK(hTest, rc);
+
+    unmapAndRemoveMapping(hTest, &svcTable, Root, "testname");
+    rc = svcTable.pfnDisconnect(NULL, 0, svcTable.pvService);
+    AssertReleaseRC(rc);
+    rc = svcTable.pfnUnload(NULL);
+    AssertReleaseRC(rc);
+    RTTestGuardedFree(hTest, svcTable.pvService);
+    RTTEST_CHECK_MSG(hTest, g_testRTFileClose_hFile == hFile,
+                     (hTest, "File=%u\n", (uintptr_t)g_testRTFileClose_hFile));
+
+    return rc;
+}
+
+void testSymlinkCreation(RTTEST hTest)
+{
+    SymlinkPolicy_T aEnmSymlinkPolicy[4] = {
+        SymlinkPolicy_AllowedToAnyTarget,
+        SymlinkPolicy_AllowedInShareSubtree,
+        SymlinkPolicy_AllowedToRelativeTargets,
+        SymlinkPolicy_Forbidden
+    };
+
+    RTTestSub(hTest, "Create variety of symlinks with different symlink policies");
+    for (size_t i = 0; i < RT_ELEMENTS(aEnmSymlinkPolicy); i++)
+        testSymlinkCreationForSpecificPolicy(hTest, aEnmSymlinkPolicy[i]);
+}
+
 void testReadFileSimple(RTTEST hTest)
 {

trunk/src/VBox/HostServices/SharedFolders/testcase/tstSharedFolderService.h

@@ -123 +123 @@
 /* Sub-tests for testSymlink(). */
 void testSymlinkBadParameters(RTTEST hTest);
+void testSymlinkCreation(RTTEST hTest);
 
 void testMappingsAdd(RTTEST hTest);

trunk/src/VBox/HostServices/SharedFolders/teststubs.h

@@ -101 +101 @@
 #define RTSymlinkRead        testRTSymlinkRead
 extern int testRTSymlinkRead(const char *pszSymlink, char *pszTarget, size_t cbTarget, uint32_t fRead);
+#define RTSymlinkCreate      testRTSymlinkCreate
+extern int testRTSymlinkCreate(const char *pszSymlink, const char *pszTarget, RTSYMLINKTYPE enmType, uint32_t fCreate);
 
 #endif /* !VBOX_INCLUDED_SRC_SharedFolders_teststubs_h */

trunk/src/VBox/HostServices/SharedFolders/vbsf.cpp

@@ -256 +256 @@
     uint32_t fu32PathFlags = 0;
     uint32_t fu32Options =   VBSF_O_PATH_CHECK_ROOT_ESCAPE
-                           | (fWildCard? VBSF_O_PATH_WILDCARD: 0)
-                           | (fPreserveLastComponent? VBSF_O_PATH_PRESERVE_LAST_COMPONENT: 0);
+                           | (fWildCard ? VBSF_O_PATH_WILDCARD : 0)
+                           | (fPreserveLastComponent ? VBSF_O_PATH_PRESERVE_LAST_COMPONENT : 0);
 
     int rc = vbsfPathGuestToHost(pClient, root, pPath, cbPath,
@@ -2598 +2598 @@
     testSymlinkBadParameters(hTest);
     /* Add tests as required... */
-}
-#endif
-int vbsfSymlink(SHFLCLIENTDATA *pClient, SHFLROOT root, SHFLSTRING *pNewPath, SHFLSTRING *pOldPath, SHFLFSOBJINFO *pInfo)
+    testSymlinkCreation(hTest);
+}
+#endif
+
+int vbsfSymlink(SHFLCLIENTDATA *pClient, SHFLROOT root, SHFLSTRING *pSymlinkPath, SHFLSTRING *pSourcePath, SHFLFSOBJINFO *pInfo)
 {
     int rc = VINF_SUCCESS;
 
-    char *pszFullNewPath = NULL;
-    char *pszFullOldPath = NULL;
+    char *pszFullSymlinkPath = NULL;
+    char *pszFullSourcePath = NULL;
 
     /* XXX: no support for UCS2 at the moment. */
@@ -2617 +2619 @@
         return VERR_WRITE_PROTECT; /* XXX or VERR_TOO_MANY_SYMLINKS? */
 
-    rc = vbsfBuildFullPath(pClient, root, pNewPath, pNewPath->u16Size + SHFLSTRING_HEADER_SIZE, &pszFullNewPath, NULL);
-    AssertRCReturn(rc, rc);
-
-    /* Verify that the link target can be a valid host path, i.e. does not contain invalid characters. */
+    rc = vbsfBuildFullPath(pClient, root, pSymlinkPath, pSymlinkPath->u16Size + SHFLSTRING_HEADER_SIZE, &pszFullSymlinkPath,
+                           NULL);
+    if (RT_FAILURE(rc))
+        return rc;
+
+    /*
+     * The symbolic link source path may be located outside of the shared folder so thus
+     * we don't call vbsfBuildFullPath() which includes VBSF_O_PATH_CHECK_ROOT_ESCAPE to
+     * verify that the pathname resides within the shared folder.  Instead we call the
+     * heart of vbsfBuildFullPath() which is vbsfPathGuestToHost() to perform a subset
+     * of its checks to verify that the symbolic link source is a valid path by checking
+     * for invalid characters, replacing path delimiters if the guest uses a different
+     * slash than the host, and evaluating the symbolic link policy if one has been set.
+     * We don't collapse path components of '..' for example or alter the path otherwise
+     * as this is the documented behavior of symbolic links: the source pathname can be
+     * any pathname and isn't required to exist.
+     */
     uint32_t fu32PathFlags = 0;
-    uint32_t fu32Options = 0;
-    rc = vbsfPathGuestToHost(pClient, root, pOldPath, pOldPath->u16Size + SHFLSTRING_HEADER_SIZE,
-                             &pszFullOldPath, NULL, fu32Options, &fu32PathFlags);
+    uint32_t fu32Options = VBSF_O_PATH_CHECK_SYMLINK_POLICY;
+    rc = vbsfPathGuestToHost(pClient, root, pSourcePath, pSourcePath->u16Size + SHFLSTRING_HEADER_SIZE,
+                             &pszFullSourcePath, NULL, fu32Options, &fu32PathFlags);
     if (RT_FAILURE(rc))
     {
-        vbsfFreeFullPath(pszFullNewPath);
+        vbsfFreeFullPath(pszFullSymlinkPath);
         return rc;
     }
 
-    /** @todo r=bird: We _must_ perform slash conversion on the target (what this
-     *        code calls 'pOldPath' for some peculiar reason)! */
-
-    rc = RTSymlinkCreate(pszFullNewPath, (const char *)pOldPath->String.utf8,
-                         RTSYMLINKTYPE_UNKNOWN, 0);
+    rc = RTSymlinkCreate(pszFullSymlinkPath, pszFullSourcePath, RTSYMLINKTYPE_UNKNOWN, 0);
     if (RT_SUCCESS(rc))
     {
         RTFSOBJINFO info;
-        rc = RTPathQueryInfoEx(pszFullNewPath, &info, RTFSOBJATTRADD_NOTHING, RTPATH_F_ON_LINK);
+        rc = RTPathQueryInfoEx(pszFullSymlinkPath, &info, RTFSOBJATTRADD_NOTHING, RTPATH_F_ON_LINK);
         if (RT_SUCCESS(rc))
             vbfsCopyFsObjInfoFromIprt(pInfo, &info);
     }
 
-    vbsfFreeFullPath(pszFullOldPath);
-    vbsfFreeFullPath(pszFullNewPath);
+    vbsfFreeFullPath(pszFullSourcePath);
+    vbsfFreeFullPath(pszFullSymlinkPath);
 
     return rc;

trunk/src/VBox/HostServices/SharedFolders/vbsfpath.cpp

@@ -54 +54 @@
 # include <Carbon/Carbon.h>
 #endif
+#include <VBox/com/defs.h> /* For S_OK. */
 
 #ifdef UNITTEST
@@ -438 +439 @@
 }
 
+/**
+ * Validate the symbolic link creation policy inside a guest operating in a shared folder.
+ *
+ * @returns S_OK or VERR_WRITE_PROTECT.
+ * @param pchSymlinkPath    The pathname of the symbolic link within the guest.
+ * @param enmSymlinkPolicy  The symbolic link creation policy being evaluated.
+ *
+ * The enmSymlinkPolicy symlink creation policies are:
+ *  - @a none:       no policy set
+ *  - @a any:        no restrictions
+ *  - @a forbidden:  no symlinks allowed
+ *  - @a relative:   relative paths only ('..' path components allowed)
+ *  - @a subtree:    relative paths only within the shared folder (no '..' path components allowed)
+ */
+static int vbsfPathEvalSymlinkPolicy(const char *pchSymlinkPath, SymlinkPolicy_T enmSymlinkPolicy)
+{
+    /* If no symlink policy has been set we continue the historical behaviour of applying no
+     * additional restrictions.  The "any" policy also has no symlink path limitations. */
+    if (   enmSymlinkPolicy == SymlinkPolicy_None
+        || enmSymlinkPolicy == SymlinkPolicy_AllowedToAnyTarget)
+        return S_OK;
+
+    /* No absolute paths allowed except for the "any" policy.  The symlink path can't
+     * contain '..' components if the "subtree" policy in effect. */
+    if (   RTPathStartsWithRoot(pchSymlinkPath)
+        || enmSymlinkPolicy == SymlinkPolicy_Forbidden
+        || (   enmSymlinkPolicy == SymlinkPolicy_AllowedInShareSubtree
+            && RTStrStr(pchSymlinkPath, "..")))
+        return VERR_WRITE_PROTECT;
+
+    return S_OK;
+}
+
 int vbsfPathGuestToHost(SHFLCLIENTDATA *pClient, SHFLROOT hRoot,
                         PCSHFLSTRING pGuestString, uint32_t cbGuestString,
@@ -565 +599 @@
                 const char *pchSrc = pchGuestPath;
 
-                /* Strip leading delimiters from the path the guest specified. */
-                while (   cbSrc > 0
-                       && *pchSrc == pClient->PathDelimiter)
-                {
-                    ++pchSrc;
-                    --cbSrc;
+                /* when validating source file pathnames for symbolic links we don't modify the path */
+                if (!(fu32Options & VBSF_O_PATH_CHECK_SYMLINK_POLICY))
+                {
+                    /* Strip leading delimiters from the path the guest specified. */
+                    while (   cbSrc > 0
+                           && *pchSrc == pClient->PathDelimiter)
+                    {
+                        ++pchSrc;
+                        --cbSrc;
+                    }
                 }
 
@@ -615 +653 @@
                     *pchDst++ = 0;
 
-                    /* Construct the full host path removing '.' and '..'. */
-                    rc = vbsfPathAbs(pszRoot, pchVerifiedPath, pszFullPath, cbFullPathAlloc);
+                    /* check if a symbolic link creation policy has been set */
+                    if (fu32Options & VBSF_O_PATH_CHECK_SYMLINK_POLICY)
+                    {
+                        /* copy the verified symlink source file path to be returned to the caller */
+                        rc = RTStrCopy(pszFullPath, cbFullPathAlloc, pchVerifiedPath);
+                        if (RT_SUCCESS(rc))
+                        {
+                            SymlinkPolicy_T enmSymlinkPolicy;
+                            rc = vbsfMappingsQuerySymlinkPolicy(pClient, hRoot, &enmSymlinkPolicy);
+                            if (RT_SUCCESS(rc))
+                                rc = vbsfPathEvalSymlinkPolicy(pchVerifiedPath, enmSymlinkPolicy);
+                        }
+                    }
+                    else
+                    {
+                        /* Construct the full host path removing '.' and '..'. */
+                        rc = vbsfPathAbs(pszRoot, pchVerifiedPath, pszFullPath, cbFullPathAlloc);
+                    }
                     if (RT_SUCCESS(rc))
                     {
@@ -667 +721 @@
                     else
                     {
-                        LogFunc(("vbsfPathAbs %Rrc\n", rc));
+                        if (fu32Options & VBSF_O_PATH_CHECK_SYMLINK_POLICY)
+                            LogFunc(("vbsfPathEvalSymlinkPolicy() returns rc=%Rrc\n", rc));
+                        else
+                            LogFunc(("vbsfPathAbs %Rrc\n", rc));
                     }
                 }

trunk/src/VBox/HostServices/SharedFolders/vbsfpath.h

@@ -38 +38 @@
 #define VBSF_O_PATH_PRESERVE_LAST_COMPONENT UINT32_C(0x00000002)
 #define VBSF_O_PATH_CHECK_ROOT_ESCAPE       UINT32_C(0x00000004)
+#define VBSF_O_PATH_CHECK_SYMLINK_POLICY    UINT32_C(0x00000008)
 
 #define VBSF_F_PATH_HAS_WILDCARD_IN_PREFIX UINT32_C(0x00000001) /* A component before the last one contains a wildcard. */