* [gentoo-commits] proj/sandbox:master commit in: etc/
@ 2015-09-20 8:43 Mike Frysinger
From: Mike Frysinger @ 2015-09-20 8:43 UTC
To: gentoo-commits
commit: 6b9b505f4a7716a50ff9e63c85f2c4882987a732
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 08:40:39 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 08:40:39 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=6b9b505f
sandbox.conf: allow writing to /dev/ptmx
We implicitly permit write access to this node by not catching functions
like openpty and posix_openpt, but when projects try to access the node
directly (due to legacy/fallback logic), the sandbox would reject them.
Make access to the node explicit since it's generally harmless.
URL: https://bugs.gentoo.org/413327
URL: https://bugs.gentoo.org/550650
URL: https://bugs.gentoo.org/550670
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
etc/sandbox.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/sandbox.conf b/etc/sandbox.conf
index dc460f0..1d7655c 100644
--- a/etc/sandbox.conf
+++ b/etc/sandbox.conf
@@ -64,7 +64,7 @@ SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
# Console device nodes
SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
# Device filesystems
-SANDBOX_WRITE="/dev/pts/:/dev/shm"
+SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm"
# Tempory storage
SANDBOX_WRITE="/tmp/:/var/tmp/"
# Needed for shells
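Review bot: the new `/dev/ptmx` entry is filed under the `# Device filesystems` comment next to `/dev/pts/` and `/dev/shm`, but it is a single device node (the pty master multiplexer), not a mounted filesystem, and the config itself gives no hint why it is whitelisted; since the rationale lives only in the commit message (callers that open the node directly instead of going through openpty/posix_openpt, which the sandbox already does not catch), a short comment beside the entry, e.g. `# /dev/ptmx: pty master, opened directly by legacy/fallback code`, would keep the reason with the setting for the next person auditing what the sandbox lets a build write to.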
* [gentoo-commits] proj/sandbox:master commit in: etc/
@ 2021-03-11 8:04 Sergei Trofimovich
From: Sergei Trofimovich @ 2021-03-11 8:04 UTC
To: gentoo-commits
commit: 001a95fb06aea725642397db09584a05c39246c9
Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 23 07:07:55 2020 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Thu Mar 11 08:02:21 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=001a95fb
etc/sandbox.conf: allow /usr/tmp/ for write
In bug #737220 sandbox was denying write access to /usr/tmp
(a symlink to /var/tmp) for statically linked binaries.
It happens because erealpath() helper conservatively does not
resolve any symlink for external traced processes (to avoid
symlink confusion via /proc/ that could refer to tracer and not
tracee).
Instead of fixing erealpath() to handle more cases of symlinks
let's just allow /usr/tmp as if it was /var/tmp.
Reported-by: Kirill Chibisov
Bug: https://bugs.gentoo.org/737220
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
etc/sandbox.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/sandbox.conf b/etc/sandbox.conf
index 5f09ee4..2501e11 100644
--- a/etc/sandbox.conf
+++ b/etc/sandbox.conf
@@ -86,7 +86,7 @@ SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
# Device filesystems
SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm"
# Tempory storage
-SANDBOX_WRITE="/tmp/:/var/tmp/"
+SANDBOX_WRITE="/tmp/:/var/tmp/:/usr/tmp/"
# Needed for shells
SANDBOX_WRITE="${HOME}/.bash_history"
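Review bot: the added `/usr/tmp/` entry works around erealpath() not resolving symlinks for externally traced (statically linked) processes, so the whitelist now silently assumes that `/usr/tmp` really is a symlink to `/var/tmp`; on a host where `/usr/tmp` is a plain directory this grants write access to a path the sandbox previously refused, with nothing in the config to flag that. A comment on the entry stating the assumption and the bug, e.g. `# /usr/tmp is normally a symlink to /var/tmp (bug #737220)`, would make the widened allow-list reviewable later. The `# Tempory storage` context line directly above the change could also be corrected to `# Temporary storage` in the same touch.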