* [gentoo-commits] proj/sandbox:master commit in: libsandbox/, /
@ 2021-11-03 0:34 Mike Frysinger
From: Mike Frysinger @ 2021-11-03 0:34 UTC
To: gentoo-commits
commit: e4441de47e6b4b588689ce407d057c134f8130c7
Author: Mike Frysinger <vapier@gentoo.org>
AuthorDate: Tue Nov 2 07:28:11 2021 +0000
Commit: Mike Frysinger <vapier@gentoo.org>
CommitDate: Wed Nov 3 00:05:30 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=e4441de4
libsandbox: merge sandbox settings from tracee end when execing
This allows traced children to change their sandbox settings on the fly
and the out-of-process tracer will react accordingly. We don't try to
read the environ all the time as it's kind of impossible to know where
the tracee is storing it (since it can point |environ| anywhere).
This means turning the sandbox on/off won't work in the current process,
only in forked children.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
TODO | 2 --
libsandbox/trace.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/TODO b/TODO
index f48068c..2210d84 100644
--- a/TODO
+++ b/TODO
@@ -46,8 +46,6 @@ handle multiple processing writing to log simultaneously
doesnt seem to work quite right:
echo $(./vfork-0 ./mkdir_static-0 2>&1)
-handle env var modification inside of traced apps
-
messaging still needs a little work. consider:
- user is running as root
- user does `emerge foo`
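Review bot: the TODO entry "handle env var modification inside of traced apps" is only partly resolved by this change, since the commit message itself states that turning the sandbox on/off still does not work in the current process and only takes effect in forked children; rather than dropping the item outright, consider narrowing it to something like `handle env var modification in the current traced process (only picked up at the next exec)` so the remaining gap stays tracked in TODO.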
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 0434f96..2110a46 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -390,6 +390,39 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
ret = 1;
free(path);
return ret;
+
+ } else if (nr == SB_NR_EXECVE || nr == SB_NR_EXECVEAT) {
+ /* Try to extract environ and merge with our own. */
+ char *path;
+ unsigned long environ, i = 0;
+
+ if (nr == SB_NR_EXECVEAT) {
+ int dirfd = do_peekdata(trace_arg(regs, 1));
+ unsigned long argv = trace_arg(regs, 3);
+ environ = trace_arg(regs, 4);
+ path = do_peekstr(trace_arg(regs, 2));
+ __sb_debug("(%i, \"%s\", %lx, %lx{", dirfd, path, argv, environ);
+ } else {
+ path = do_peekstr(trace_arg(regs, 1));
+ unsigned long argv = trace_arg(regs, 2);
+ environ = trace_arg(regs, 3);
+ __sb_debug("(\"%s\", %lx, %lx{", path, argv, environ);
+ }
+
+ while (1) {
+ unsigned long envp = do_peekdata(environ + i);
+ if (!envp)
+ break;
+
+ char *env = do_peekstr(envp);
+ if (strncmp(env, "SANDBOX_", 8) == 0) {
+ __sb_debug("\"%s\" ", env);
+ putenv(env);
+ }
+ i += sizeof(long);
+ }
+ __sb_debug("})");
+ return 1;
}
done:
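Review bot: `int dirfd = do_peekdata(trace_arg(regs, 1));` in the execveat branch reads the wrong thing: dirfd is a plain integer argument passed by value (commonly AT_FDCWD), not a pointer into the tracee, so peeking tracee memory at that address yields a meaningless value for the debug message and may fault; it should simply be `int dirfd = trace_arg(regs, 1);`. The branch also leaks: `path` is never freed here, whereas the branch directly above does `free(path);` before `return ret;`, and every `env` string that does not start with `SANDBOX_` is leaked, while the matching ones must not be freed because `putenv(env)` keeps the pointer instead of copying; either `free(env)` in the non-matching case and `free(path)` before `return 1;`, or split the entry at `=` and use `setenv()` so every copy can be freed unconditionally. Linux accepts a NULL envp to execve, in which case `environ == 0` and the loop's first `do_peekdata(environ + i)` tries to read address 0 of the tracee; guard the walk with `if (environ)`. Finally, `strncmp(env, "SANDBOX_", 8) == 0` also accepts an entry with no `=`, which glibc's `putenv()` treats as a request to unset that variable, so checking for `=` before calling `putenv()` would keep a stray tracee entry from clearing a setting on the tracer side; and since the merge takes whatever SANDBOX_* the tracee put in its environment, which is the stated intent, a short comment noting that the tracer trusts the tracee's env here would help the next reader.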
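As an added example of the mechanism the commit message describes (this is not code from the sandbox project or from this commit; the `peek_fn` callback, the function names, the constructed demo environment block, and the x86_64 register note in the comments are assumptions of the example): a tracer reads the tracee's envp at an execve stop one word at a time, walks the NULL-terminated pointer array, copies each C string out of the other address space, and merges only well-formed `SANDBOX_NAME=value` entries into its own environment. The in-process `local_peek` reader lets the walk run without a real tracee; `ptrace_peek` is what a tracer would pass instead.

```c
/* Added example, not code from the sandbox project: walking a tracee's envp
 * at an execve stop through a word-sized "peek" reader and merging SANDBOX_*
 * entries into the tracer's own environment. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/ptrace.h>
#endif

/* Reads one native word at addr in the traced address space; false on fault. */
typedef bool (*peek_fn)(void *ctx, uintptr_t addr, unsigned long *out);

/* Reader for the demo and tests: the "tracee" is this very process. */
static bool local_peek(void *ctx, uintptr_t addr, unsigned long *out)
{
    (void)ctx;
    memcpy(out, (const void *)addr, sizeof *out);
    return true;
}

#ifdef __linux__
/* Reader for a stopped tracee. PTRACE_PEEKDATA returns the word itself and
 * reports a fault only through errno, so errno must be cleared first. */
static bool ptrace_peek(void *ctx, uintptr_t addr, unsigned long *out)
{
    errno = 0;
    long w = ptrace(PTRACE_PEEKDATA, *(pid_t *)ctx, (void *)addr, NULL);
    if (w == -1 && errno)
        return false;
    *out = (unsigned long)w;
    return true;
}
#endif

/* Copy a NUL-terminated string out of the tracee one word at a time.
 * Returns a malloc'd copy, or NULL on a fault or if no NUL shows up within max_len. */
static char *peek_str(peek_fn peek, void *ctx, uintptr_t addr, size_t max_len)
{
    char *buf = malloc(max_len + 1);
    size_t len = 0;
    if (!buf)
        return NULL;
    while (len < max_len) {
        unsigned long w;
        unsigned char bytes[sizeof w];
        if (!peek(ctx, addr + len, &w)) {
            free(buf);
            return NULL;
        }
        memcpy(bytes, &w, sizeof w);     /* memory order on either endianness */
        for (size_t k = 0; k < sizeof w && len < max_len; k++) {
            buf[len++] = (char)bytes[k];
            if (bytes[k] == '\0')
                return buf;
        }
    }
    free(buf);                           /* unterminated within max_len */
    return NULL;
}

/* Walk envp (a NULL-terminated char* array in the tracee) and setenv() every
 * SANDBOX_NAME=value entry into our own environment. Returns the number
 * merged, or -1 if tracee memory could not be read or the array never ends.
 * Linux accepts envp == NULL on execve, so that case means "nothing to merge". */
static int merge_sandbox_env(peek_fn peek, void *ctx, uintptr_t envp)
{
    enum { MAX_ENTRIES = 4096, MAX_LEN = 64 * 1024 };
    int merged = 0;
    if (!envp)
        return 0;
    for (size_t i = 0; i < MAX_ENTRIES; i++) {
        unsigned long slot;
        if (!peek(ctx, envp + i * sizeof slot, &slot))
            return -1;
        if (!slot)
            return merged;               /* terminating NULL pointer */
        char *entry = peek_str(peek, ctx, (uintptr_t)slot, MAX_LEN);
        if (!entry)
            return -1;
        char *eq = strchr(entry, '=');
        /* Only "SANDBOX_X=v" is taken; a bare "SANDBOX_X" would make glibc's
         * putenv() unset a variable, so it is deliberately ignored here. */
        if (strncmp(entry, "SANDBOX_", 8) == 0 && eq) {
            *eq = '\0';
            if (setenv(entry, eq + 1, 1) == 0)
                merged++;
        }
        free(entry);                     /* setenv() copied it, nothing leaks */
    }
    return -1;                           /* no terminator: treat as corrupt */
}

/* Constructed stand-in for a tracee's environment strings (not real data);
 * padded so word-sized reads past a NUL stay inside the array. */
static char demo_blob[96] =
    "SANDBOX_ON=1\0HOME=/nonexistent_demo\0SANDBOX_WRITE=/tmp/demo\0SANDBOX_NOEQUALS";

/* Address of a NULL-terminated pointer array over demo_blob, as execve gets it. */
static uintptr_t demo_envp(void)
{
    static const char *env[5];
    const char *p = demo_blob;
    for (int i = 0; i < 4; i++) {
        env[i] = p;
        p += strlen(p) + 1;
    }
    env[4] = NULL;
    return (uintptr_t)env;
}

int main(void)
{
    int n = merge_sandbox_env(local_peek, NULL, demo_envp());
    printf("merged %d entries: SANDBOX_ON=%s SANDBOX_WRITE=%s\n",
           n, getenv("SANDBOX_ON"), getenv("SANDBOX_WRITE"));
#ifdef __linux__
    /* For a real tracee stopped at execve entry, call merge_sandbox_env with
     * ptrace_peek, &pid and the envp from the syscall's third argument
     * (assumed x86_64 ABI: rdx for execve, r10 for execveat). */
    (void)ptrace_peek;
#endif
    return n == 2 ? 0 : 1;
}
```

Two properties worth noting: the merge never hands a tracee-derived buffer to `putenv()`, so every copy is freed on the tracer side regardless of whether it matched; and the word-granular read can touch up to `sizeof(long) - 1` bytes past a string's terminator, which against a real tracee faults only when the string ends at the last byte of a mapping, and `ptrace_peek` then reports a failure instead of the tracer crashing.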