[gentoo-commits] proj/sandbox:master commit in: libsandbox/trace/linux/, libsandbox/

[gentoo-commits] proj/sandbox:master commit in: libsandbox/trace/linux/, libsandbox/

[Mike Frysinger]

commit:     19c9819364989b4831917c880af9a977beb5ce83
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Mon Mar  5 06:57:19 2012 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Mar  6 19:00:33 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=19c98193

libsandbox: set syscall error rather than killing on violations

If we kill the app, then the syscall that we flagged as a violation will
complete, and our entire purpose has failed -- to prevent modifications
to the protected paths.

Instead, set the syscall number to an invalid one, continue the syscall,
then set the syscall return value (which will become the errno) after the
syscall finishes.  This way the bad syscall isn't actually executed, and
we let the app continue to run like normal.

URL: http://bugs.gentoo.org/406543
Reported-by: Marijn Schouten <hkbst <AT> gentoo.org>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

---
 libsandbox/trace.c              |   28 ++++++++++++++++++++++------
 libsandbox/trace/linux/arch.c   |   14 ++++++++++++++
 libsandbox/trace/linux/bfin.c   |   10 ++++++----
 libsandbox/trace/linux/common.c |    1 +
 libsandbox/trace/linux/hppa.c   |   10 ++++++----
 libsandbox/trace/linux/i386.c   |   10 ++++++----
 libsandbox/trace/linux/x86_64.c |   10 ++++++++++
 7 files changed, 65 insertions(+), 18 deletions(-)

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 45bb5d4..5ccab87 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -76,6 +76,11 @@ static long do_peekuser(long offset)
 	return do_ptrace(PTRACE_PEEKUSER, (void *)offset, NULL);
 }
 
+static long do_pokeuser(long offset, long val)
+{
+	return do_ptrace(PTRACE_POKEUSER, (void *)offset, (void *)val);
+}
+
 static long do_peekdata(long offset)
 {
 	return do_ptrace(PTRACE_PEEKDATA, (void *)offset, NULL);
@@ -384,6 +389,9 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 #ifndef trace_get_regs
 # define trace_get_regs(regs) do_ptrace(PTRACE_GETREGS, NULL, regs)
 #endif
+#ifndef trace_set_regs
+# define trace_set_regs(regs) do_ptrace(PTRACE_SETREGS, NULL, regs)
+#endif
 /* Some arches (like sparc) don't implement PTRACE_PEEK* ...
  * more asshats !
  */
@@ -394,13 +402,14 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 static void trace_loop(void)
 {
 	trace_regs regs;
-	bool before_syscall;
+	bool before_syscall, fake_syscall_ret;
 	long ret;
 	int nr, exec_state;
 	const struct syscall_entry *se, *tbl_at_fork;
 
 	exec_state = 0;
 	before_syscall = true;
+	fake_syscall_ret = false;
 	tbl_at_fork = NULL;
 	do {
 		ret = do_ptrace(PTRACE_SYSCALL, NULL, NULL);
@@ -431,14 +440,21 @@ static void trace_loop(void)
 			_SB_DEBUG("%s:%i", se ? se->name : "IDK", nr);
 			if (!trace_check_syscall(se, &regs)) {
 				if (is_env_on(ENV_SANDBOX_DEBUG))
-					SB_EINFO("trace_loop", " destroying after %s\n",
+					SB_EINFO("trace_loop", " forcing EPERM after %s\n",
 						se->name);
-				do_ptrace(PTRACE_KILL, NULL, NULL);
-				exit(1);
+				trace_set_sysnum(&regs, -1);
+				fake_syscall_ret = true;
 			}
 		} else {
 			int err;
-			ret = trace_result(&regs, &err);
+
+			if (unlikely(fake_syscall_ret)) {
+				ret = -1;
+				err = EPERM;
+				trace_set_ret(&regs, err);
+				fake_syscall_ret = false;
+			} else
+				ret = trace_result(&regs, &err);
 
 			__SB_DEBUG(" = %li", ret);
 			if (err) {
@@ -480,7 +496,7 @@ void trace_main(const char *filename, char *const argv[])
 	}
 
 	trace_pid = fork();
-	if (trace_pid == -1) {
+	if (unlikely(trace_pid == -1)) {
 		SB_EERROR("ISE:trace_main ", "vfork() failed: %s\n",
 			strerror(errno));
 		sb_abort();

diff --git a/libsandbox/trace/linux/arch.c b/libsandbox/trace/linux/arch.c
index de86109..df2fe5b 100644
--- a/libsandbox/trace/linux/arch.c
+++ b/libsandbox/trace/linux/arch.c
@@ -20,4 +20,18 @@
 #ifdef SB_NO_TRACE_ARCH
 # warning "trace: sorry, no support for your architecture"
 # define SB_NO_TRACE
+#else
+# ifdef trace_sysnum_puser
+
+static int trace_sysnum(void)
+{
+	return do_peekuser(trace_sysnum_puser);
+}
+
+static void trace_set_sysnum(void *vregs, long nr)
+{
+	do_pokeuser(trace_sysnum_puser, nr);
+}
+
+# endif
 #endif

diff --git a/libsandbox/trace/linux/bfin.c b/libsandbox/trace/linux/bfin.c
index 4188034..60a8ef8 100644
--- a/libsandbox/trace/linux/bfin.c
+++ b/libsandbox/trace/linux/bfin.c
@@ -1,7 +1,4 @@
-static int trace_sysnum(void)
-{
-	return do_peekuser(PT_ORIG_P0);
-}
+#define trace_sysnum_puser PT_ORIG_P0
 
 static long trace_raw_ret(void *vregs)
 {
@@ -9,6 +6,11 @@ static long trace_raw_ret(void *vregs)
 	return regs->r0;
 }
 
+static void trace_set_ret(void *vregs, int err)
+{
+	do_pokeuser(PT_R0, -err);
+}
+
 static unsigned long trace_arg(void *vregs, int num)
 {
 	trace_regs *regs = vregs;

diff --git a/libsandbox/trace/linux/common.c b/libsandbox/trace/linux/common.c
index 287af0a..de74caf 100644
--- a/libsandbox/trace/linux/common.c
+++ b/libsandbox/trace/linux/common.c
@@ -1,4 +1,5 @@
 static long do_peekuser(long offset);
+static long do_pokeuser(long offset, long val);
 
 static int trace_errno(long err)
 {

diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c
index d98310f..b7fab1c 100644
--- a/libsandbox/trace/linux/hppa.c
+++ b/libsandbox/trace/linux/hppa.c
@@ -1,7 +1,4 @@
-static int trace_sysnum(void)
-{
-	return do_peekuser(20 * 4); /* PT_GR20 */
-}
+#define trace_sysnum_puser (20 * 4)	/* PT_GR20 */
 
 static long trace_raw_ret(void *vregs)
 {
@@ -9,6 +6,11 @@ static long trace_raw_ret(void *vregs)
 	return regs->gr[28];
 }
 
+static void trace_set_ret(void *vregs, int err)
+{
+	do_pokeuser(28 * 4 /* PT_GR28 */, -err);
+}
+
 static unsigned long trace_arg(void *vregs, int num)
 {
 	trace_regs *regs = vregs;

diff --git a/libsandbox/trace/linux/i386.c b/libsandbox/trace/linux/i386.c
index 7508e25..9a3f590 100644
--- a/libsandbox/trace/linux/i386.c
+++ b/libsandbox/trace/linux/i386.c
@@ -1,7 +1,4 @@
-static int trace_sysnum(void)
-{
-	return do_peekuser(4 * ORIG_EAX);
-}
+#define trace_sysnum_puser (4 * ORIG_EAX)
 
 static long trace_raw_ret(void *vregs)
 {
@@ -9,6 +6,11 @@ static long trace_raw_ret(void *vregs)
 	return regs->eax;
 }
 
+static void trace_set_ret(void *vregs, int err)
+{
+	do_pokeuser(EAX, -err);
+}
+
 static unsigned long trace_arg(void *vregs, int num)
 {
 	trace_regs *regs = vregs;

diff --git a/libsandbox/trace/linux/x86_64.c b/libsandbox/trace/linux/x86_64.c
index b864801..0110302 100644
--- a/libsandbox/trace/linux/x86_64.c
+++ b/libsandbox/trace/linux/x86_64.c
@@ -47,6 +47,16 @@ static long trace_raw_ret(void *vregs)
 	return pers_is_32() ? (int)regs->rax : regs->rax;
 }
 
+static void trace_set_sysnum(void *vregs, long nr)
+{
+	do_pokeuser(8 * ORIG_RAX, nr);
+}
+
+static void trace_set_ret(void *vregs, int err)
+{
+	do_pokeuser(8 * RAX, -err);
+}
+
 static unsigned long trace_arg(void *vregs, int num)
 {
 	trace_regs *regs = vregs;

[gentoo-commits] proj/sandbox:master commit in: libsandbox/trace/linux/, libsandbox/

[Mike Frysinger]

commit:     13b45f7910d6039e3a3a0971c786a5750f80cd9b
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 20 00:55:14 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Dec 20 00:55:14 2015 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=13b45f79

libsandbox: switch to PTRACE_O_TRACEEXEC

Rather than try to deal with the inconsistent cross-arch behavior when it
comes to tracking exec behavior, use the PTRACE_O_TRACEEXEC option.  This
means we only support ptrace on linux-2.6+ systems, but that's fine as we
have been requiring that for a long time now.  It also means the code is
much simpler and stable across arches.

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 libsandbox/trace.c            | 68 +++++++++++++++----------------------------
 libsandbox/trace/linux/arch.c |  8 +++--
 2 files changed, 29 insertions(+), 47 deletions(-)

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index f9194fe..d424389 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -430,41 +430,34 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 static void trace_loop(void)
 {
 	trace_regs regs;
-	bool before_syscall, fake_syscall_ret;
+	bool before_exec, before_syscall, fake_syscall_ret;
 	long ret;
-	int nr, exec_state;
-	const struct syscall_entry *se, *tbl_at_fork, *tbl_after_fork;
+	int nr, status;
+	const struct syscall_entry *se, *tbl_after_fork;
 
-	exec_state = 0;
-	before_syscall = true;
+	before_exec = true;
+	before_syscall = false;
 	fake_syscall_ret = false;
-	tbl_at_fork = tbl_after_fork = NULL;
+	tbl_after_fork = NULL;
 	do {
 		ret = do_ptrace(PTRACE_SYSCALL, NULL, NULL);
-		waitpid(trace_pid, NULL, 0);
-		ret = trace_get_regs(&regs);
-		nr = trace_get_sysnum(&regs);
+		waitpid(trace_pid, &status, 0);
 
-		if (!exec_state) {
-			if (!tbl_at_fork)
-				tbl_at_fork = trace_check_personality(&regs);
-			se = lookup_syscall_in_tbl(tbl_at_fork, nr);
-			if (!before_syscall || !se || se->sys != SB_NR_EXECVE) {
-				if (before_syscall)
-					_sb_debug(">%s:%i", se ? se->name : "IDK", nr);
-				else
-					__sb_debug("(...pre-exec...) = ...\n");
-				goto loop_again;
-			}
-			++exec_state;
-		} else if (exec_state == 1) {
-			/* Don't bother poking exec return */
-			++exec_state;
-			goto loop_again;
+		if (before_exec) {
+			unsigned event = ((unsigned)status >> 16);
+			if (event == PTRACE_EVENT_EXEC) {
+				_sb_debug("hit exec!");
+				before_exec = false;
+			} else
+				_sb_debug("waiting for exec; status: %#x", status);
+			ret = trace_get_regs(&regs);
+			tbl_after_fork = trace_check_personality(&regs);
+			continue;
 		}
 
-		if (!tbl_after_fork)
-			tbl_after_fork = trace_check_personality(&regs);
+		ret = trace_get_regs(&regs);
+		nr = trace_get_sysnum(&regs);
+
 		se = lookup_syscall_in_tbl(tbl_after_fork, nr);
 		ret = trace_get_regs(&regs);
 		if (before_syscall) {
@@ -486,24 +479,11 @@ static void trace_loop(void)
 				ret = trace_result(&regs, &err);
 
 			__sb_debug(" = %li", ret);
-			if (err) {
+			if (err)
 				__sb_debug(" (errno: %i: %s)", err, strerror(err));
-
-				/* If the exec() failed for whatever reason, kill the
-				 * child and have the parent resume like normal
-				 */
-				if (exec_state == 1) {
-					do_ptrace(PTRACE_KILL, NULL, NULL);
-					trace_pid = 0;
-					return;
-				}
-			}
 			__sb_debug("\n");
-
-			exec_state = 2;
 		}
 
- loop_again:
 		before_syscall = !before_syscall;
 	} while (1);
 }
@@ -527,10 +507,8 @@ void trace_main(const char *filename, char *const argv[])
 	} else if (trace_pid) {
 		sb_debug("parent waiting for child (pid=%i) to signal", trace_pid);
 		waitpid(trace_pid, NULL, 0);
-#if defined(PTRACE_SETOPTIONS) && defined(PTRACE_O_TRACESYSGOOD)
-		/* Not all kernel versions support this, so ignore return */
-		ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
-#endif
+		do_ptrace(PTRACE_SETOPTIONS, NULL,
+			(void *)(PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEEXEC));
 		sb_close_all_fds();
 		trace_loop();
 		sb_ebort("ISE: child should have quit, as should we\n");

diff --git a/libsandbox/trace/linux/arch.c b/libsandbox/trace/linux/arch.c
index 5ca1acb..957db3b 100644
--- a/libsandbox/trace/linux/arch.c
+++ b/libsandbox/trace/linux/arch.c
@@ -1,7 +1,11 @@
 #include "common.c"
 
-/* Linux uses ptrace() */
-#if !defined(HAVE_PTRACE) || !defined(HAVE_SYS_PTRACE_H) || !defined(HAVE_SYS_USER_H)
+/* Linux uses ptrace().  We require PTRACE_SETOPTIONS so the exec tracing logic
+ * is sane.  Otherwise we need a lot of arch-specific hacks to make it work.
+ * This should be fine for linux-2.6+ versions.
+ */
+#if !defined(HAVE_PTRACE) || !defined(HAVE_SYS_PTRACE_H) || \
+    !defined(HAVE_SYS_USER_H) || !defined(PTRACE_SETOPTIONS)
 # define SB_NO_TRACE_ARCH
 #elif defined(__bfin__)
 # include "bfin.c"

[gentoo-commits] proj/sandbox:master commit in: libsandbox/trace/linux/, libsandbox/

[Mike Frysinger]

commit:     e99597cc31b454f97d2629f17d3d6f5145f978d7
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 20 21:35:21 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Dec 20 21:35:21 2015 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=e99597cc

libsandbox: new ia64 ptrace port

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 libsandbox/trace.c            |  1 +
 libsandbox/trace/linux/arch.c |  2 ++
 libsandbox/trace/linux/ia64.c | 81 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+)

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 5ccda2a..fb1fc32 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -9,6 +9,7 @@
 #include "wrappers.h"
 #include "sb_nr.h"
 
+static long do_peekdata(long offset);
 static long _do_ptrace(enum __ptrace_request request, const char *srequest, void *addr, void *data);
 #define do_ptrace(request, addr, data) _do_ptrace(request, #request, addr, data)
 #define _trace_possible(data) true

diff --git a/libsandbox/trace/linux/arch.c b/libsandbox/trace/linux/arch.c
index fbf5b79..4b3d615 100644
--- a/libsandbox/trace/linux/arch.c
+++ b/libsandbox/trace/linux/arch.c
@@ -17,6 +17,8 @@
 # include "hppa.c"
 #elif defined(__i386__)
 # include "i386.c"
+#elif defined(__ia64__)
+# include "ia64.c"
 #elif defined(__powerpc__)
 # include "powerpc.c"
 #elif defined(__s390__)

diff --git a/libsandbox/trace/linux/ia64.c b/libsandbox/trace/linux/ia64.c
new file mode 100644
index 0000000..5029994
--- /dev/null
+++ b/libsandbox/trace/linux/ia64.c
@@ -0,0 +1,81 @@
+#include <asm/ptrace_offsets.h>
+#include <asm/rse.h>
+
+/* We only care about two ptrace regs, so extract them ourselves rather than
+ * get the "full" set via GETREGS.  We still need to extract the out regs by
+ * hand either way.
+ */
+#undef trace_regs
+struct sb_ia64_trace_regs {
+	unsigned long r8, r10, r15;
+	unsigned long out[6];
+};
+#define trace_regs struct sb_ia64_trace_regs
+
+#define trace_reg_sysnum r15
+
+static unsigned long trace_arg(void *vregs, int num)
+{
+	trace_regs *regs = vregs;
+	if (num < 7)
+		return regs->out[num - 1];
+	else
+		return -1;
+}
+
+static long do_peekuser(long offset)
+{
+	return do_ptrace(PTRACE_PEEKUSER, (void *)offset, NULL);
+}
+
+static long do_pokeuser(long offset, long val)
+{
+	return do_ptrace(PTRACE_POKEUSER, (void *)offset, (void *)val);
+}
+
+#undef trace_get_regs
+static long trace_get_regs(void *vregs)
+{
+	trace_regs *regs = vregs;
+	size_t i;
+	unsigned long *out0, cfm, sof, sol;
+	long rbs_end;
+
+	regs->r15 = do_peekuser(PT_R15);
+
+	/* Here there be gremlins! */
+	rbs_end = do_peekuser(PT_AR_BSP);
+	cfm = do_peekuser(PT_CFM);
+	sof = (cfm >> 0) & 0x7f;
+	sol = (cfm >> 7) & 0x7f;
+	out0 = ia64_rse_skip_regs((unsigned long *)rbs_end, -sof + sol);
+	for (i = 0; i < 7; ++i)
+		regs->out[i] = do_peekdata((uintptr_t)ia64_rse_skip_regs(out0, i));
+
+	return 0;
+}
+
+#undef trace_set_regs
+static long trace_set_regs(void *vregs)
+{
+	trace_regs *regs = vregs;
+	/* We only support rewriting of syscall/err # currently (not args). */
+	do_pokeuser(PT_R8, regs->r8);
+	do_pokeuser(PT_R10, regs->r10);
+	do_pokeuser(PT_R15, regs->r15);
+	return 0;
+}
+
+static long trace_raw_ret(void *vregs)
+{
+	trace_regs *regs = vregs;
+	return regs->r8;
+}
+
+static void trace_set_ret(void *vregs, int err)
+{
+	trace_regs *regs = vregs;
+	regs->r8 = err;
+	regs->r10 = -1;
+	trace_set_regs(regs);
+}