fusermount: refuse unknown options

Blacklists are notoriously fragile; especially if the kernel wishes to add
some security-critical mount option at a later date, all existing systems
with older versions of fusermount installed will suddenly have a security
problem.
Additionally, if the kernel's option parsing became a tiny bit laxer, the
blacklist could probably be bypassed.

Whitelist known-harmless flags instead, even if it's slightly more
inconvenient.

diff --git a/util/fusermount.c b/util/fusermount.c
index 012affb16d7689e334d916829feab463cbfd01d2..552ac6ce845ba38cc7b6c117c37df6410ad9fd0a 100644 (file)
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -806,10 +806,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
                                                flags |= flag;
                                        else
                                                flags  &= ~flag;
-                               } else {
+                               } else if (opt_eq(s, len, "default_permissions") ||
+                                          opt_eq(s, len, "allow_other") ||
+                                          begins_with(s, "max_read=") ||
+                                          begins_with(s, "blksize=")) {
                                        memcpy(d, s, len);
                                        d += len;
                                        *d++ = ',';
+                               } else {
+                                       fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
+                                       exit(1);
                                }
                        }
                }