[gentoo-commits] proj/sandbox:master commit in: libsbutil/

public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed

From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/sandbox:master commit in: libsbutil/
Date: Fri, 11 Sep 2015 07:53:28 +0000 (UTC)	[thread overview]
Message-ID: <1362306849.9ea6140984ba4e18ce2aaedb7ebc21466b60c433.vapier@gentoo> (raw)

commit:     9ea6140984ba4e18ce2aaedb7ebc21466b60c433
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Mar  3 10:34:09 2013 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Mar  3 10:34:09 2013 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9ea61409

sandbox: accept SANDBOX_LOG vars whatever their values

Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox
with portage.  It changed how the sandbox log env var was accessed by
moving from getenv() to get_sandbox_log().  The latter has path checking
and will kick out values that contain a slash.  That means every time a
new process starts, a new sandbox log path will be generated, and when a
program triggers a violation, it'll write to the new file.  Meanwhile,
portage itself watches the original one which never gets updated.

This code has been around forever w/out documentation, and I can't think
of a reason we need it.  So punt it.

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 libsbutil/get_sandbox_log.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c
index a79b399..bdb4278 100644
--- a/libsbutil/get_sandbox_log.c
+++ b/libsbutil/get_sandbox_log.c
@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c
 
 	sandbox_log_env = getenv(env);
 
-	if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) {
-		/* When testing, just use what the env says to */
+	if (sandbox_log_env) {
+		/* If the env is viable, roll with it.  We aren't really
+		 * about people breaking the security of the sandbox by
+		 * exporting SANDBOX_LOG=/dev/null.
+		 */
 		strncpy(path, sandbox_log_env, SB_PATH_MAX);
 	} else {
-		/* THIS CHUNK BREAK THINGS BY DOING THIS:
-		 * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log
-		 */
-		if ((NULL != sandbox_log_env) &&
-		    (NULL != strchr(sandbox_log_env, '/')))
-		    sandbox_log_env = NULL;
-
 		/* If running as a user w/out write access to /var/log, don't
 		 * shit ourselves.
 		 */

next             reply	other threads:[~2015-09-11  7:54 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-11  7:53 Mike Frysinger [this message]
  -- strict thread matches above, loose matches on Subject: below --
2025-03-09 18:09 [gentoo-commits] proj/sandbox:master commit in: libsbutil/ Mike Gilbert
2023-07-17 13:54 Mike Gilbert
2021-11-05 10:25 Mike Frysinger
2021-11-03 21:10 Andreas K. Hüttel
2021-11-03  4:59 Mike Frysinger
2021-10-18  8:48 Mike Frysinger
2016-11-27 18:31 Mike Frysinger
2016-01-18  6:18 Mike Frysinger
2015-12-20  8:41 Mike Frysinger
2015-09-20  8:15 Mike Frysinger
2015-09-11  7:53 Mike Frysinger
2015-09-11  7:53 Mike Frysinger
2013-02-25  4:08 Mike Frysinger
2012-12-24  5:23 Mike Frysinger
2012-12-24  5:19 Mike Frysinger
2012-11-26 10:10 Mike Frysinger

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a79b399 dfblob:bdb4278 )
 OR (
bs:"[gentoo-commits] proj/sandbox:master commit in: libsbutil/" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1362306849.9ea6140984ba4e18ce2aaedb7ebc21466b60c433.vapier@gentoo \
    --to=vapier@gentoo.org \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox