[gentoo-commits] proj/sandbox:master commit in: tests/, libsandbox/

[gentoo-commits] proj/sandbox:master commit in: tests/, libsandbox/

[Mike Frysinger]

commit:     4377a68df2a20cda06aadb58c179ce2e8d78f7cd
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Mon Sep 28 20:01:33 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Sep 28 20:01:33 2015 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=4377a68d

libsandbox: do not unnecessarily dereference symlinks

When the target uses a func that operates on a symlink, we should not
dereference that symlink when trying to validate the call.  It's both
a waste of time and it subtly breaks code that checks atime updates.
The act of reading symlinks is enough to cause their atime to change.

URL: https://bugs.gentoo.org/415475
Reported-by: Marien Zwart <marienz <AT> gentoo.org>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 libsandbox/libsandbox.c | 15 ++++++++++++---
 tests/utimensat-4.sh    | 30 ++++++++++++++++++++++++++++++
 tests/utimensat.at      |  1 +
 3 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 1d9fa04..2bcff95 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -909,7 +909,14 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
 	bool access, debug, verbose, set;
 
 	absolute_path = resolve_path(file, 0);
-	resolved_path = resolve_path(file, 1);
+	/* Do not bother dereferencing symlinks when we are using a function that
+	 * itself does not dereference.  This speeds things up and avoids updating
+	 * the atime implicitly. #415475
+	 */
+	if (symlink_func(sb_nr, flags, absolute_path))
+		resolved_path = absolute_path;
+	else
+		resolved_path = resolve_path(file, 1);
 	if (!absolute_path || !resolved_path)
 		goto error;
 	sb_debug_dyn("absolute_path: %s\n", absolute_path);
@@ -955,7 +962,8 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
 	}
 
 	free(absolute_path);
-	free(resolved_path);
+	if (absolute_path != resolved_path)
+		free(resolved_path);
 
 	errno = old_errno;
 
@@ -967,7 +975,8 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
 	 */
 	if (errno_is_too_long()) {
 		free(absolute_path);
-		free(resolved_path);
+		if (absolute_path != resolved_path)
+			free(resolved_path);
 		return 2;
 	}
 

diff --git a/tests/utimensat-4.sh b/tests/utimensat-4.sh
new file mode 100755
index 0000000..731c7d1
--- /dev/null
+++ b/tests/utimensat-4.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# make sure we don't accidentally trip atime updates on files
+# through symlinks #415475
+[ "${at_xfail}" = "yes" ] && exit 77 # see script-0
+
+# We assume $PWD supports atimes, and the granularity is more than 1 second.
+# If it doesn't, this test will still pass, but not really because the code
+# was proven to be correct.
+
+# XXX: Maybe we need to add our own stat shim to avoid portability issues ?
+get_atime() {
+	# This shows the full atime field (secs, msecs, nsecs).
+	stat -c %x "$1"
+}
+
+# Create a symlink.
+sym="sym"
+ln -s atime "${sym}"
+
+# Get the state before we test it.
+before=$(get_atime "${sym}")
+
+# A quick sleep of a few msecs.
+sleep 0.1
+
+# See if the atime changes -- it should not.
+utimensat-0 -1,EINVAL AT_FDCWD "${sym}" -1,-1 AT_SYMLINK_NOFOLLOW || exit 1
+after=$(get_atime "${sym}")
+
+[ "${after}" = "${before}" ]

diff --git a/tests/utimensat.at b/tests/utimensat.at
index eec4638..1909650 100644
--- a/tests/utimensat.at
+++ b/tests/utimensat.at
@@ -1,3 +1,4 @@
 SB_CHECK(1)
 SB_CHECK(2)
 SB_CHECK(3)
+SB_CHECK(4)

[gentoo-commits] proj/sandbox:master commit in: tests/, libsandbox/

[Mike Gilbert]

commit:     cdc89a00ac0bc3170d4ca7bfc77bc2572ce076b0
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 12 14:58:39 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Jun 12 16:00:04 2023 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=cdc89a00

libsandbox: add lutimes to symlink_func

lutimes operates on symlinks, so we should not check for access against
the symlink target.

Bug: https://bugs.gentoo.org/908105
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 libsandbox/libsandbox.c | 1 +
 tests/lutimes-1.sh      | 9 +++++++++
 tests/lutimes.at        | 1 +
 3 files changed, 11 insertions(+)

diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 0ca2bc9..b9ef52e 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -679,6 +679,7 @@ static bool symlink_func(int sb_nr, int flags)
 	    sb_nr == SB_NR_LCHOWN       ||
 	    sb_nr == SB_NR_LREMOVEXATTR ||
 	    sb_nr == SB_NR_LSETXATTR    ||
+	    sb_nr == SB_NR_LUTIMES      ||
 	    sb_nr == SB_NR_REMOVE       ||
 	    sb_nr == SB_NR_RENAME       ||
 	    sb_nr == SB_NR_RENAMEAT     ||

diff --git a/tests/lutimes-1.sh b/tests/lutimes-1.sh
new file mode 100755
index 0000000..8638bb2
--- /dev/null
+++ b/tests/lutimes-1.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+addwrite "${PWD}"
+
+sym="lutimes-1.sym"
+ln -s /bad/path "${sym}"
+
+lutimes-0 0 "${sym}" NULL || exit 1
+lutimes-0 -1,EACCES /bin/sh NULL || exit 1

diff --git a/tests/lutimes.at b/tests/lutimes.at
new file mode 100644
index 0000000..081d7d2
--- /dev/null
+++ b/tests/lutimes.at
@@ -0,0 +1 @@
+SB_CHECK(1)

[gentoo-commits] proj/sandbox:master commit in: tests/, libsandbox/

[Mike Gilbert]

commit:     de4f57761821e3d97e841a99af38768ee9605633
Author:     Aliaksei Urbanski <aliaksei.urbanski <AT> gmail <DOT> com>
AuthorDate: Thu Jun 27 03:51:47 2024 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Thu Jun 27 15:23:48 2024 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=de4f5776

libsandbox: fix violations where ENOENT is expected

These changes revert f7d02c04 that aimed to resolve 921581 and
fix it in a way that doesn't cause unwanted sandbox violations.

Bug: https://bugs.gentoo.org/921581
Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski <AT> gmail.com>
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 libsandbox/pre_check_mkdirat.c | 8 +++++---
 tests/mkdirat-3.sh             | 2 ++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/libsandbox/pre_check_mkdirat.c b/libsandbox/pre_check_mkdirat.c
index 49c382a..c717576 100644
--- a/libsandbox/pre_check_mkdirat.c
+++ b/libsandbox/pre_check_mkdirat.c
@@ -37,15 +37,17 @@ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
 	 * will trigger a sandbox violation.
 	 */
 	struct stat64 st;
-	if (0 == lstat64(pathname, &st)) {
+	if (0 == lstat64(canonic, &st)) {
 		int new_errno;
 		sb_debug_dyn("EARLY FAIL: %s(%s[%s]) @ lstat: %s\n",
 			func, pathname, canonic, strerror(errno));
 
 		new_errno = EEXIST;
 
-		/* Hmm, is this a broken symlink we're trying to extend ? */
-		if (S_ISLNK(st.st_mode) && stat64(pathname, &st) != 0) {
+		/* Hmm, is this a broken symlink we're trying to extend ?
+		 * Or is this a path like "foo/.." ?
+		 */
+		if (stat64(pathname, &st) != 0) {
 			/* XXX: This awful hack should probably be turned into a
 			 * common func that does a better job.  For now, we have
 			 * enough crap to catch gnulib tests #297026.

diff --git a/tests/mkdirat-3.sh b/tests/mkdirat-3.sh
index fe20579..8292af9 100755
--- a/tests/mkdirat-3.sh
+++ b/tests/mkdirat-3.sh
@@ -4,4 +4,6 @@
 set -e
 mkdirat-0 -1,ENOENT .:O_DIRECTORY '' 0
 
+mkdirat-0 -1,ENOENT .:O_DIRECTORY 'foo/..' 0
+
 mkdirat-0 -1,ENOENT -3 '' 0

[gentoo-commits] proj/sandbox:master commit in: tests/, libsandbox/

[Mike Gilbert]

commit:     986ca640c66862e55a9c54779c2723c0b64373f6
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 22 03:32:48 2024 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sun Dec 22 03:32:48 2024 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=986ca640

trace: wire up faccessat2

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 libsandbox/symbols.h.in     |  1 +
 libsandbox/trace.c          | 16 +++++++++++++---
 tests/faccessat_static-0.c  |  1 +
 tests/faccessat_static-1.sh |  8 ++++++++
 tests/faccessat_static.at   |  1 +
 tests/local.mk              |  1 +
 6 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in
index 5805592..1232874 100644
--- a/libsandbox/symbols.h.in
+++ b/libsandbox/symbols.h.in
@@ -33,6 +33,7 @@ mkfifo
 mkfifoat
 access
 faccessat
+faccessat2
 remove
 rename
 renameat

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index e570207..1b874d0 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -385,9 +385,9 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 
 	else if (nr == SB_NR_ACCESS) {
 		char *path = do_peekstr(trace_arg(regs, 1));
-		int flags = trace_arg(regs, 2);
-		__sb_debug("(\"%s\", %x)", path, flags);
-		ret = _SB_SAFE_ACCESS(nr, name, path, flags);
+		int mode = trace_arg(regs, 2);
+		__sb_debug("(\"%s\", %x)", path, mode);
+		ret = _SB_SAFE_ACCESS(nr, name, path, mode);
 		free(path);
 		return ret;
 
@@ -400,6 +400,16 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 		free(path);
 		return ret;
 
+	} else if (nr == SB_NR_FACCESSAT2) {
+		int dirfd = trace_arg(regs, 1);
+		char *path = do_peekstr(trace_arg(regs, 2));
+		int mode = trace_arg(regs, 3);
+		int flags = trace_arg(regs, 4);
+		__sb_debug("(%i, \"%s\", %x, %x)", dirfd, path, mode, flags);
+		ret = _SB_SAFE_ACCESS_AT(nr, name, dirfd, path, mode, flags);
+		free(path);
+		return ret;
+
 	} else if (nr == SB_NR_OPEN) {
 		char *path = do_peekstr(trace_arg(regs, 1));
 		int flags = trace_arg(regs, 2);

diff --git a/tests/faccessat_static-0.c b/tests/faccessat_static-0.c
new file mode 100644
index 0000000..8e3bdd9
--- /dev/null
+++ b/tests/faccessat_static-0.c
@@ -0,0 +1 @@
+#include "faccessat-0.c"

diff --git a/tests/faccessat_static-1.sh b/tests/faccessat_static-1.sh
new file mode 100644
index 0000000..4bf209d
--- /dev/null
+++ b/tests/faccessat_static-1.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+[ "${at_xfail}" = "yes" ] && exit 77 # see trace-0
+set -e
+addwrite "$PWD/file"
+faccessat_static-0 0 'file:O_RDWR|O_CREAT:0666' '' rw AT_EMPTY_PATH
+exec 9<file
+adddeny "$PWD/file"
+faccessat_static-0 -1,EPERM 9 '' rw AT_EMPTY_PATH

diff --git a/tests/faccessat_static.at b/tests/faccessat_static.at
new file mode 100644
index 0000000..081d7d2
--- /dev/null
+++ b/tests/faccessat_static.at
@@ -0,0 +1 @@
+SB_CHECK(1)

diff --git a/tests/local.mk b/tests/local.mk
index f1f4ac0..5a32207 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -29,6 +29,7 @@ check_PROGRAMS += \
 	%D%/execv-0 \
 	%D%/execvp-0 \
 	%D%/faccessat-0 \
+	%D%/faccessat_static-0 \
 	%D%/fchmod-0 \
 	%D%/fchmodat-0 \
 	%D%/fchown-0 \

[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/, tests/

[Mike Gilbert]

commit:     251591503bb59f39dfb404c79deb50dda243e854
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 22 03:32:48 2024 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sun Dec 22 03:43:25 2024 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=25159150

trace: wire up faccessat2

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
(cherry picked from commit 986ca640c66862e55a9c54779c2723c0b64373f6)

 libsandbox/symbols.h.in     |  1 +
 libsandbox/trace.c          | 16 +++++++++++++---
 tests/faccessat_static-0.c  |  1 +
 tests/faccessat_static-1.sh |  8 ++++++++
 tests/faccessat_static.at   |  1 +
 tests/local.mk              |  1 +
 6 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in
index 5805592..1232874 100644
--- a/libsandbox/symbols.h.in
+++ b/libsandbox/symbols.h.in
@@ -33,6 +33,7 @@ mkfifo
 mkfifoat
 access
 faccessat
+faccessat2
 remove
 rename
 renameat

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 59449d9..f839ffe 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -353,9 +353,9 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 
 	else if (nr == SB_NR_ACCESS) {
 		char *path = do_peekstr(trace_arg(regs, 1));
-		int flags = trace_arg(regs, 2);
-		__sb_debug("(\"%s\", %x)", path, flags);
-		ret = _SB_SAFE_ACCESS(nr, name, path, flags);
+		int mode = trace_arg(regs, 2);
+		__sb_debug("(\"%s\", %x)", path, mode);
+		ret = _SB_SAFE_ACCESS(nr, name, path, mode);
 		free(path);
 		return ret;
 
@@ -368,6 +368,16 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 		free(path);
 		return ret;
 
+	} else if (nr == SB_NR_FACCESSAT2) {
+		int dirfd = trace_arg(regs, 1);
+		char *path = do_peekstr(trace_arg(regs, 2));
+		int mode = trace_arg(regs, 3);
+		int flags = trace_arg(regs, 4);
+		__sb_debug("(%i, \"%s\", %x, %x)", dirfd, path, mode, flags);
+		ret = _SB_SAFE_ACCESS_AT(nr, name, dirfd, path, mode, flags);
+		free(path);
+		return ret;
+
 	} else if (nr == SB_NR_OPEN) {
 		char *path = do_peekstr(trace_arg(regs, 1));
 		int flags = trace_arg(regs, 2);

diff --git a/tests/faccessat_static-0.c b/tests/faccessat_static-0.c
new file mode 100644
index 0000000..8e3bdd9
--- /dev/null
+++ b/tests/faccessat_static-0.c
@@ -0,0 +1 @@
+#include "faccessat-0.c"

diff --git a/tests/faccessat_static-1.sh b/tests/faccessat_static-1.sh
new file mode 100644
index 0000000..4bf209d
--- /dev/null
+++ b/tests/faccessat_static-1.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+[ "${at_xfail}" = "yes" ] && exit 77 # see trace-0
+set -e
+addwrite "$PWD/file"
+faccessat_static-0 0 'file:O_RDWR|O_CREAT:0666' '' rw AT_EMPTY_PATH
+exec 9<file
+adddeny "$PWD/file"
+faccessat_static-0 -1,EPERM 9 '' rw AT_EMPTY_PATH

diff --git a/tests/faccessat_static.at b/tests/faccessat_static.at
new file mode 100644
index 0000000..081d7d2
--- /dev/null
+++ b/tests/faccessat_static.at
@@ -0,0 +1 @@
+SB_CHECK(1)

diff --git a/tests/local.mk b/tests/local.mk
index 2f429e6..f14c1c9 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -29,6 +29,7 @@ check_PROGRAMS += \
 	%D%/execv-0 \
 	%D%/execvp-0 \
 	%D%/faccessat-0 \
+	%D%/faccessat_static-0 \
 	%D%/fchmod-0 \
 	%D%/fchmodat-0 \
 	%D%/fchown-0 \

[gentoo-commits] proj/sandbox:master commit in: tests/, libsandbox/

[Mike Gilbert]

commit:     251591503bb59f39dfb404c79deb50dda243e854
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 22 03:32:48 2024 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sun Dec 22 03:43:25 2024 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=25159150

trace: wire up faccessat2

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
(cherry picked from commit 986ca640c66862e55a9c54779c2723c0b64373f6)

 libsandbox/symbols.h.in     |  1 +
 libsandbox/trace.c          | 16 +++++++++++++---
 tests/faccessat_static-0.c  |  1 +
 tests/faccessat_static-1.sh |  8 ++++++++
 tests/faccessat_static.at   |  1 +
 tests/local.mk              |  1 +
 6 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in
index 5805592..1232874 100644
--- a/libsandbox/symbols.h.in
+++ b/libsandbox/symbols.h.in
@@ -33,6 +33,7 @@ mkfifo
 mkfifoat
 access
 faccessat
+faccessat2
 remove
 rename
 renameat

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 59449d9..f839ffe 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -353,9 +353,9 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 
 	else if (nr == SB_NR_ACCESS) {
 		char *path = do_peekstr(trace_arg(regs, 1));
-		int flags = trace_arg(regs, 2);
-		__sb_debug("(\"%s\", %x)", path, flags);
-		ret = _SB_SAFE_ACCESS(nr, name, path, flags);
+		int mode = trace_arg(regs, 2);
+		__sb_debug("(\"%s\", %x)", path, mode);
+		ret = _SB_SAFE_ACCESS(nr, name, path, mode);
 		free(path);
 		return ret;
 
@@ -368,6 +368,16 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
 		free(path);
 		return ret;
 
+	} else if (nr == SB_NR_FACCESSAT2) {
+		int dirfd = trace_arg(regs, 1);
+		char *path = do_peekstr(trace_arg(regs, 2));
+		int mode = trace_arg(regs, 3);
+		int flags = trace_arg(regs, 4);
+		__sb_debug("(%i, \"%s\", %x, %x)", dirfd, path, mode, flags);
+		ret = _SB_SAFE_ACCESS_AT(nr, name, dirfd, path, mode, flags);
+		free(path);
+		return ret;
+
 	} else if (nr == SB_NR_OPEN) {
 		char *path = do_peekstr(trace_arg(regs, 1));
 		int flags = trace_arg(regs, 2);

diff --git a/tests/faccessat_static-0.c b/tests/faccessat_static-0.c
new file mode 100644
index 0000000..8e3bdd9
--- /dev/null
+++ b/tests/faccessat_static-0.c
@@ -0,0 +1 @@
+#include "faccessat-0.c"

diff --git a/tests/faccessat_static-1.sh b/tests/faccessat_static-1.sh
new file mode 100644
index 0000000..4bf209d
--- /dev/null
+++ b/tests/faccessat_static-1.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+[ "${at_xfail}" = "yes" ] && exit 77 # see trace-0
+set -e
+addwrite "$PWD/file"
+faccessat_static-0 0 'file:O_RDWR|O_CREAT:0666' '' rw AT_EMPTY_PATH
+exec 9<file
+adddeny "$PWD/file"
+faccessat_static-0 -1,EPERM 9 '' rw AT_EMPTY_PATH

diff --git a/tests/faccessat_static.at b/tests/faccessat_static.at
new file mode 100644
index 0000000..081d7d2
--- /dev/null
+++ b/tests/faccessat_static.at
@@ -0,0 +1 @@
+SB_CHECK(1)

diff --git a/tests/local.mk b/tests/local.mk
index 2f429e6..f14c1c9 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -29,6 +29,7 @@ check_PROGRAMS += \
 	%D%/execv-0 \
 	%D%/execvp-0 \
 	%D%/faccessat-0 \
+	%D%/faccessat_static-0 \
 	%D%/fchmod-0 \
 	%D%/fchmodat-0 \
 	%D%/fchown-0 \