public inbox for gentoo-commits@lists.gentoo.org
From: "Sergei Trofimovich" <slyfox@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/sandbox:master commit in: etc/
Date: Thu, 11 Mar 2021 08:04:43 +0000 (UTC)
Message-ID: <1615449741.001a95fb06aea725642397db09584a05c39246c9.slyfox@gentoo>

commit:     001a95fb06aea725642397db09584a05c39246c9
Author:     Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 23 07:07:55 2020 +0000
Commit:     Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Thu Mar 11 08:02:21 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=001a95fb

etc/sandbox.conf: allow /usr/tmp/ for write

In bug #737220 sandbox was denying write access to /usr/tmp
(a symlink to /var/tmp) for statically linked binaries.

It happens because erealpath() helper conservatively does not
resolve any symlink for external traced processes (to avoid
symlink confusion via /proc/ that could refer to tracer and not
tracee).

Instead of fixing erealpath() to handle more cases of symlinks
let's just allow /usr/tmp as if it was /var/tmp.

Reported-by: Kirill Chibisov
Bug: https://bugs.gentoo.org/737220
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>

 etc/sandbox.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/sandbox.conf b/etc/sandbox.conf
index 5f09ee4..2501e11 100644
--- a/etc/sandbox.conf
+++ b/etc/sandbox.conf
@@ -86,7 +86,7 @@ SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
 # Device filesystems
 SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm"
 # Tempory storage
-SANDBOX_WRITE="/tmp/:/var/tmp/"
+SANDBOX_WRITE="/tmp/:/var/tmp/:/usr/tmp/"
 # Needed for shells
 SANDBOX_WRITE="${HOME}/.bash_history"
 
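Review bot: the new `/usr/tmp/` entry carries no comment explaining why it is listed separately from `/var/tmp/`, and the reason (erealpath() deliberately does not resolve symlinks for traced processes, bug #737220) lives only in the commit message; a one-line note next to `SANDBOX_WRITE="/tmp/:/var/tmp/:/usr/tmp/"` would stop a later cleanup from "deduplicating" it. Since the entry is matched as a literal path rather than a resolved one, it also grants write access to `/usr/tmp/` on any system where that path is a real directory rather than a symlink to `/var/tmp`, which is worth stating in that comment. While touching this block, the context line `# Tempory storage` could be corrected to `# Temporary storage`.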

