From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B0789198006 for ; Mon, 25 Feb 2013 04:24:03 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 57126E05E8; Mon, 25 Feb 2013 04:24:02 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id AADC5E05E8 for ; Mon, 25 Feb 2013 04:24:01 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3963B33DDAD for ; Mon, 25 Feb 2013 04:24:00 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id C46D1E4083 for ; Mon, 25 Feb 2013 04:23:58 +0000 (UTC) From: "Mike Frysinger" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger" Message-ID: <1361765848.d8b21b35fd536af8411975ad05eab85f89e84a2e.vapier@gentoo> Subject: [gentoo-commits] proj/sandbox:master commit in: /, libsandbox/ X-VCS-Repository: proj/sandbox X-VCS-Files: TODO libsandbox/libsandbox.c X-VCS-Directories: / libsandbox/ X-VCS-Committer: vapier X-VCS-Committer-Name: Mike Frysinger X-VCS-Revision: d8b21b35fd536af8411975ad05eab85f89e84a2e X-VCS-Branch: master Date: Mon, 25 Feb 2013 04:23:58 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 6198ba26-d44d-46cb-beab-d7e27a5c785c X-Archives-Hash: 58a419d31d808c31e0c09643eae7f6c6 commit: d8b21b35fd536af8411975ad05eab85f89e84a2e Author: Mike Frysinger gentoo org> AuthorDate: Sat Feb 23 03:03:08 2013 +0000 Commit: Mike Frysinger gentoo org> CommitDate: Mon Feb 25 04:17:28 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=d8b21b35 libsandbox: fix early var init In commit 5498907383c7f1654188b6a0d02d8b03112a28c3, we tried to fix handling of ELFs that had their own constructors. Unfortunately, this broke use cases like `env -i` that screw with the environment before we get a chance to extract our settings. URL: http://bugs.gentoo.org/404013 Signed-off-by: Mike Frysinger gentoo.org> --- TODO | 2 ++ libsandbox/libsandbox.c | 33 +++++++++++++++++++++++++-------- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/TODO b/TODO index e8d1d14..6470621 100644 --- a/TODO +++ b/TODO @@ -25,3 +25,5 @@ handle multiple processing writing to log simultaneously doesnt seem to work quite right: echo $(./vfork-0 ./mkdir_static-0 2>&1) + +handle env var modification inside of traced apps diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 0ec5fe1..5d9a796 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -50,6 +50,7 @@ static char debug_log_path[SB_PATH_MAX]; static char message_path[SB_PATH_MAX]; bool sandbox_on = true; static bool sb_init = false; +static bool sb_env_init = false; int (*sbio_open)(const char *, int, mode_t) = sb_unwrapped_open; FILE *(*sbio_popen)(const char *, const char *) = sb_unwrapped_popen; @@ -62,6 +63,29 @@ static void init_env_entries(char ***, int *, const char *, const char *, int); const char *sbio_message_path; const char sbio_fallback_path[] = "/dev/tty"; +/* We need to initialize these vars before main(). This is to handle programs + * (like `env`) that will clear the environment before making any syscalls + * other than execve(). At that point, trying to get the settings is too late. + * However, we might still need to init the env vars in the syscall wrapper for + * programs that have their own constructors. #404013 + */ +__attribute__((constructor)) +void libsb_init(void) +{ + if (sb_env_init) + /* Ah, we already saw a syscall */ + return; + sb_env_init = true; + + /* Get the path and name to this library */ + get_sandbox_lib(sandbox_lib); + + get_sandbox_log(log_path, NULL); + get_sandbox_debug_log(debug_log_path, NULL); + get_sandbox_message_path(message_path); + sbio_message_path = message_path; +} + /* resolve_dirfd_path - get the path relative to a dirfd * * return value: @@ -937,14 +961,7 @@ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, in sb_lock(); if (!sb_init) { - /* Get the path and name to this library */ - get_sandbox_lib(sandbox_lib); - - get_sandbox_log(log_path, NULL); - get_sandbox_debug_log(debug_log_path, NULL); - get_sandbox_message_path(message_path); - sbio_message_path = message_path; - + libsb_init(); init_context(&sbcontext); sb_init = true; }