From: "Mike Gilbert" <floppym@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/sandbox:master commit in: libsandbox/
Date: Tue, 1 Aug 2023 14:14:34 +0000 (UTC)
Message-ID: <1690818179.27232d52fee4abecd5f709acc616fa1296e0464f.floppym@gentoo>
commit: 27232d52fee4abecd5f709acc616fa1296e0464f
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 31 15:39:40 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Jul 31 15:42:59 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=27232d52

libsandbox: always permit access to '/memfd:'

For memfd objects, the kernel populates the target for symlinks under
/proc/$PID/fd as "/memfd:name". Said target does not actually exist.
It is unfortunate that the kernel includes the leading slash, but we
will just have to work around it.

Bug: https://bugs.gentoo.org/910561
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

libsandbox/libsandbox.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 847b4e2..e5f6d38 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
/* Fall in a read/write denied path, Deny Access */
goto out;
+ if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) {
+ /* Allow operations on memfd objects #910561 */
+ result = 1;
+ goto out;
+ }
+
if (!sym_func) {
retval = check_prefixes(sbcontext->deny_prefixes,
sbcontext->num_deny_prefixes, resolv_path);
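
Review bot: the added `strncmp(resolv_path, "/memfd:", strlen("/memfd:"))` test keys on the string alone, so it sets `result = 1` for any resolved path that begins with `/memfd:`, not only for the non-existent symlink targets the kernel reports under /proc/$PID/fd, and it does so ahead of the `check_prefixes(sbcontext->deny_prefixes, ...)` call that follows. A real top-level entry whose name starts with `memfd:` would take the same branch for every wrapped function and never reach the deny-prefix check. Consider limiting the exception to paths that were obtained by resolving a /proc/$PID/fd link, or confirming that the path does not exist on disk before allowing it. The comment would also be clearer if it said where the "/memfd:" string comes from and why the leading slash is there, since "#910561" alone does not explain it.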