SirNickolas

Ejudge kernel patch excerpt

Jan 31st, 2017
  1. /* From linux-4.1.32-cher1/fs/open.c: */
  2.  
  3. #include "internal.h"
  4.  
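/*
 * Allow-list consulted by cher_patch_is_secure_path().  NULL-terminated.
 *
 * Entries ending in '/' are directory prefixes: any path that starts with
 * the entry is accepted.  Entries without a trailing '/' name one file and
 * must match the whole path.
 */
static const char * const secure_paths[] =
{
    "/lib/", "/lib32/", "/lib64/",
    "/usr/lib/", "/usr/lib32/", "/usr/lib64/",
    "/usr/include/", "/usr/libexec/",
    "/usr/local/lib/", "/usr/local/lib32/", "/usr/local/lib64/",
    "/usr/local/include/", "/usr/local/libexec/",
    "/bin/", "/usr/bin/", "/usr/local/bin/",
    "/usr/share/", "/usr/local/share/", "/dev/urandom", "/dev/zero", "/dev/null",
    "/SANDBOX/",
    NULL
};

/*
 * cher_patch_is_secure_path - textual allow-list check for a path name.
 * @path: NUL-terminated path; must not be NULL.
 *
 * A path is accepted when it contains no ".." and either
 *   - matches an entry of secure_paths (prefix match for directory entries,
 *     exact match for file entries), or
 *   - is a single component relative to the current directory, optionally
 *     preceded by any number of "./" (this includes the empty string).
 *
 * The check only looks at the characters of the string.  It does not
 * resolve symlinks or collapse repeated slashes, so it says nothing about
 * which object the path finally names.
 *
 * Return: 0 if the path is accepted, -1 otherwise.
 */
int cher_patch_is_secure_path(const char *path)
{
    const char *s;
    int i;

    /*
     * Reject every ".." substring.  This also refuses harmless names such
     * as "a..b", which is stricter than needed but keeps the test simple.
     */
    if (strstr(path, ".."))
        return -1;

    for (i = 0; secure_paths[i]; ++i) {
        size_t len = strlen(secure_paths[i]);

        if (len > 0 && secure_paths[i][len - 1] == '/') {
            /* Directory entry: everything below it is allowed. */
            if (!strncmp(path, secure_paths[i], len))
                return 0;
        } else if (!strcmp(path, secure_paths[i])) {
            /*
             * File entry: require the whole path to match.  A prefix
             * comparison here would also accept any other path that
             * merely begins with the same characters as "/dev/null".
             */
            return 0;
        }
    }

    /*
     * The original code stripped a leading "/SANDBOX/" at this point.
     * That branch could never run: "/SANDBOX/" is in secure_paths, so such
     * a path has already returned 0 above.  It is dropped here.
     */

    /* Anything left must be one path component, optionally behind "./". */
    s = path;
    while (s[0] == '.' && s[1] == '/')
        s += 2;
    for (; *s && *s != '/'; s++)
        ;
    if (*s == '/')
        return -1;
    return 0;
}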
  37.  
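/*
 * cher_check_user_path - vet a user-supplied path before it is opened.
 * @dfd:    directory descriptor of the request; only AT_FDCWD is accepted.
 * @p_path: in/out pointer to the user-space path string.  When the path
 *          starts with "/SANDBOX/", the pointer is advanced past that
 *          prefix, so the caller continues with the remainder.
 *
 * The path is copied in with getname() and checked with
 * cher_patch_is_secure_path().
 *
 * NOTE(review): the check runs on the kernel copy, but the caller gets the
 * user pointer back and the copy is released.  Presumably the caller reads
 * the string from user space a second time; if so, another thread can
 * change those bytes between check and use.  Handing the validated
 * struct filename to the caller would close that window, but it changes
 * this function's interface - confirm against the call sites.
 *
 * Return: 0 if the path is allowed, -EPERM if @dfd is not AT_FDCWD or the
 * path is refused, -EINVAL if getname() fails (the specific getname()
 * error is not propagated).
 */
int cher_check_user_path(int dfd, const char __user **p_path)
{
    struct filename *tmp;
    int ret = 0;

    if (dfd != AT_FDCWD)
        return -EPERM;

    tmp = getname(*p_path);
    if (IS_ERR(tmp))
        return -EINVAL;

    if (cher_patch_is_secure_path(tmp->name) < 0) {
        ret = -EPERM;
        goto out;
    }

    if (!strncmp("/SANDBOX/", tmp->name, 9)) {
        /*
         * The prefix matched, so name[9] is within the string.  If the
         * remainder starts with '/', it would be an absolute path once the
         * prefix is stripped, and that absolute path was never compared
         * with the allow-list.  Refuse it instead of stripping.
         */
        if (tmp->name[9] == '/') {
            ret = -EPERM;
            goto out;
        }
        /* The remainder is now a path relative to the current directory. */
        *p_path += 9;
    }

out:
    putname(tmp);
    return ret;
}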