* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2011-07-08 19:53 Mike Frysinger
0 siblings, 0 replies; 55+ messages in thread
From: Mike Frysinger @ 2011-07-08 19:53 UTC (permalink / raw
To: gentoo-commits
commit: bcd3ee28a16cd2a811efcbfd986ebeda9491ed35
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 8 19:46:49 2011 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Jul 8 19:46:49 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=bcd3ee28
libsandbox: tweak code to avoid undefined behavior warnings
Some gcc versions don't like the construct here where we modified a
variable in the middle of multiple checks.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/libsandbox.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index a8929ae..84191d9 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1167,7 +1167,7 @@ bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char
const char *ext_func;
if ((*mode == 'r') && ((0 == (strcmp(mode, "r"))) ||
/* The strspn accept args are known non-writable modifiers */
- (strlen(++mode) == strspn(mode, "xbtmce"))))
+ (strlen(mode+1) == strspn(mode+1, "xbtmce"))))
sb_nr = SB_NR_OPEN_RD, ext_func = "open_rd";
else
sb_nr = SB_NR_OPEN_WR, ext_func = "open_wr";
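Review bot: the removed line is genuine undefined behavior rather than just a warning: `strlen(++mode)` and `strspn(mode, ...)` are the two operands of `==`, which C leaves unsequenced, so `mode` is modified and read with no sequence point between them and either value of `mode` could reach strspn. The commit message could say so. The replacement also stops advancing `mode`; nothing in the visible context uses `mode` afterwards, so that is fine here.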
^ permalink raw reply related [flat|nested] 55+ messages in thread
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2011-07-08 19:53 Mike Frysinger
From: Mike Frysinger @ 2011-07-08 19:53 UTC (permalink / raw
To: gentoo-commits
commit: cb07ed0e23f1b3f3f7efe547f9b60033a429a10a
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 8 19:52:35 2011 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Jul 8 19:52:35 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=cb07ed0e
libsandbox: invert debug checking order to avoid uninitialized variables
We only initialize debug_log_path if debug is set, so we need to check
debug first to avoid uninitialized warnings with debug_log_path.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/libsandbox.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 84191d9..0fcbb65 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -990,7 +990,7 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
goto error;
}
- if (debug_log_path && debug) {
+ if (debug && debug_log_path) {
bool worked = write_logfile(debug_log_path, func, file, absolute_path, resolved_path, access);
if (!worked && errno)
goto error;
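Review bot: the reorder is correct only because `&&` short-circuits, so it is fragile: a later edit that swaps the operands back or adds a third condition reintroduces the uninitialized read. Initializing `debug_log_path = NULL` where it is declared would make the check order-independent and silence the warning on its own.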
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2012-03-07 5:28 Mike Frysinger
From: Mike Frysinger @ 2012-03-07 5:28 UTC (permalink / raw
To: gentoo-commits
commit: 1860d33fc9c9d05907db9bf02f1c81e0f517c09f
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 7 05:25:41 2012 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Mar 7 05:28:01 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=1860d33f
libsandbox: add missing close to logfile fd
When we log a lot, we end up leaking fd's, so make sure to clean them.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/libsandbox.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 77a2415..e0b291a 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -468,6 +468,7 @@ static bool write_logfile(const char *logfile, const char *func, const char *pat
struct stat log_stat;
int stat_ret;
int logfd;
+ bool ret = false;
stat_ret = lstat(logfile, &log_stat);
/* Do not care about failure */
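Review bot: `int logfd;` stays uninitialized here while this same patch makes the `error:` path call `sb_close(logfd)` unconditionally, so any `goto error` taken before the log file is opened (the code between the two hunks is not shown) would close an indeterminate descriptor. Suggest `int logfd = -1;` here and `if (logfd >= 0) sb_close(logfd);` at the label.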
@@ -523,10 +524,12 @@ static bool write_logfile(const char *logfile, const char *func, const char *pat
}
_SB_WRITE_STR("\n");
- return true;
+ ret = true;
error:
- return false;
+ sb_close(logfd);
+
+ return ret;
}
static void init_context(sbcontext_t *context)
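Review bot: `sb_close(logfd)` on the `error:` path can overwrite the `errno` the caller inspects (check_syscall does `if (!worked && errno) goto error;` right after write_logfile), replacing a meaningful failure with a close() error. Wrap the close in the file's existing save_errno()/restore_errno() pair, or capture errno before closing and restore it before `return ret;`.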
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2012-06-23 21:21 Mike Frysinger
From: Mike Frysinger @ 2012-06-23 21:21 UTC (permalink / raw
To: gentoo-commits
commit: 75910f59e718caa079644dadd6e663fc68994239
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 23 21:11:46 2012 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Jun 23 21:12:36 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=75910f59
libsandbox: add uninstall target to fix distcheck
Newer distcheck runs uninstall which is apparently broken.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/Makefile.am | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/libsandbox/Makefile.am b/libsandbox/Makefile.am
index 9edd466..0856aa4 100644
--- a/libsandbox/Makefile.am
+++ b/libsandbox/Makefile.am
@@ -36,6 +36,10 @@ libsandbox_la_SOURCES = \
install-exec-hook:
rm -f $(DESTDIR)$(libdir)/libsandbox.la
+# Since we removed the .la file, libtool uninstall doesn't work,
+# so we have to manually uninstall libsandbox.so ourselves.
+uninstall-hook:
+ rm -f $(DESTDIR)$(libdir)/libsandbox.so
libsandbox.c: libsandbox.map sb_nr.h
trace.c: trace_syscalls.h sb_nr.h $(TRACE_FILES)
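Review bot: the hook hard-codes `libsandbox.so`, which only matches because install-exec-hook deletes the .la and the module is built without a version suffix; if libsandbox_la_LDFLAGS ever gains -version-info, the versioned files and symlinks libtool installs would survive uninstall. A one-line comment next to `rm -f $(DESTDIR)$(libdir)/libsandbox.la` pointing at this hook would help keep the two in sync.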
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2012-06-23 22:40 Mike Frysinger
From: Mike Frysinger @ 2012-06-23 22:40 UTC (permalink / raw
To: gentoo-commits
commit: 84b955a043a8962aaef8feab29ac66d21874af81
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 22 21:42:37 2012 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Jun 23 22:38:46 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=84b955a0
libsandbox: kill off SB_MEM_DEBUG
The mcheck/mtrace logic assumes we're using glibc's memory allocator,
but that hasn't been true for some time (we use our own based on mmap
and such), so this code no longer serves a purpose. Punt it.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/libsandbox.c | 17 -----------------
1 files changed, 0 insertions(+), 17 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index eac134e..60d4614 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -10,18 +10,11 @@
* as some of the InstallWatch code was used.
*/
-/* Uncomment below to enable memory debugging. */
-/* #define SB_MEM_DEBUG 1 */
-
#define open xxx_open
#define open64 xxx_open64
#include "headers.h"
-#ifdef SB_MEM_DEBUG
-# include <mcheck.h>
-#endif
-
#undef open
#undef open64
@@ -74,16 +67,6 @@ static void init_env_entries(char ***, int *, const char *, const char *, int);
const char sbio_fallback_path[] = "/dev/tty";
-#ifdef SB_MEM_DEBUG
-__attribute__((constructor))
-void libsb_init(void)
-{
- save_errno();
- mtrace();
- restore_errno();
-}
-#endif
-
/* resolve_dirfd_path - get the path relative to a dirfd
*
* return value:
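Review bot: removing the constructor takes out the only mcheck/mtrace user, but the diffstat touches libsandbox.c alone; check that nothing else in the tree (configure options, documentation, comments) still mentions SB_MEM_DEBUG or mcheck.h so the dead switch does not linger.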
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2012-06-23 23:12 Mike Frysinger
From: Mike Frysinger @ 2012-06-23 23:12 UTC (permalink / raw
To: gentoo-commits
commit: bb49765c205f9c383efd147d20a977b6982d5b4d
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 23 02:48:46 2012 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Jun 23 23:07:27 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=bb49765c
libsandbox: regenerate trace headers when autotools change
If you re-run configure with different settings, the trace headers might
be out of date. Have the generated headers depend on the Makefile so that
when this situation does come up, we force sanity. This step is fairly
quick, so shouldn't be a big deal.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/Makefile.am | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libsandbox/Makefile.am b/libsandbox/Makefile.am
index b25e4b3..dc45618 100644
--- a/libsandbox/Makefile.am
+++ b/libsandbox/Makefile.am
@@ -70,7 +70,7 @@ TRACE_MAKE_HEADER = \
$(SB_AWK) $(GEN_TRACE_SCRIPT) -v MODE=gen | \
$(COMPILE) -E -include $(top_srcdir)/headers.h - $$f | \
$(SB_AWK) $(GEN_TRACE_SCRIPT) -v syscall_prefix=$$t > $$header
-trace_syscalls.h: $(GEN_TRACE_SCRIPT)
+trace_syscalls.h: $(GEN_TRACE_SCRIPT) Makefile
if SB_SCHIZO
$(AM_V_GEN)for pers in $(SB_SCHIZO_SETTINGS) ; do \
t=_$${pers%:*}; \
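Review bot: depending on `Makefile` also re-runs the generation on every unrelated Makefile.am or configure change, which the commit message accepts as cheap; the same reasoning applies to `sb_nr.h` (`sb_nr.h: symbols.h $(SB_NR_FILE)` elsewhere in this file) if its content depends on configure settings too, so consider adding `Makefile` there as well for consistency.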
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2013-02-25 4:08 Mike Frysinger
From: Mike Frysinger @ 2013-02-25 4:08 UTC (permalink / raw
To: gentoo-commits
commit: c8118ad3af11dce5f67d595b3784c5010c764579
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 25 05:58:56 2012 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Feb 25 04:05:05 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=c8118ad3
libsandbox: add some likely/unlikely settings
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/libsandbox.c | 12 +++++-------
1 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 184fc0b..bdef2d9 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -821,7 +821,7 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
result = check_access(sbcontext, sb_nr, func, flags, absolute_path, resolved_path);
- if (verbose) {
+ if (unlikely(verbose)) {
int sym_len = SB_MAX_STRING_LEN + 1 - strlen(func);
if (!result && sbcontext->show_access_violation)
sb_eerror("%sACCESS DENIED%s: %s:%*s%s\n",
@@ -839,22 +839,20 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
else
access = true;
- if (!access) {
+ if (unlikely(!access)) {
bool worked = write_logfile(log_path, func, file, absolute_path, resolved_path, access);
if (!worked && errno)
goto error;
}
- if (debug) {
+ if (unlikely(debug)) {
bool worked = write_logfile(debug_log_path, func, file, absolute_path, resolved_path, access);
if (!worked && errno)
goto error;
}
- if (NULL != absolute_path)
- free(absolute_path);
- if (NULL != resolved_path)
- free(resolved_path);
+ free(absolute_path);
+ free(resolved_path);
errno = old_errno;
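Review bot: dropping the `NULL !=` guards is safe since `free(NULL)` is a no-op in standard C, and libsandbox's own free() in memory.c also returns early on NULL. Separately, `if (unlikely(debug))` now gates `write_logfile(debug_log_path, ...)` on `debug` alone, whereas the earlier commit had `if (debug && debug_log_path)`; if `debug_log_path` can still be unset while `debug` is on, the NULL guard should come back.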
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2013-02-25 4:12 Mike Frysinger
From: Mike Frysinger @ 2013-02-25 4:12 UTC (permalink / raw
To: gentoo-commits
commit: 63e816ad7731e40e34a7c766d895a6c6c9e8138f
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 23 02:29:49 2013 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Feb 25 04:11:37 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=63e816ad
libsandbox: handle ENOSYS w/process_vm_readv
If we have a newer glibc built against/running on an older kernel, the
func returns ENOSYS at runtime. Handle that.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
---
libsandbox/trace.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index c38ea12..32ad2d6 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -103,7 +103,12 @@ static char *do_peekstr(unsigned long lptr)
riov.iov_len = liov.iov_len = len;
while (1) {
- process_vm_readv(trace_pid, &liov, 1, &riov, 1, 0);
+ if (process_vm_readv(trace_pid, &liov, 1, &riov, 1, 0) == -1) {
+ if (errno == ENOSYS)
+ break;
+ sb_ebort("ISE:do_peekstr: process_vm_readv() hates us: %s\n",
+ strerror(errno));
+ }
for (i = 0; i < liov.iov_len; ++i)
if (!((char *)liov.iov_base)[i])
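Review bot: the `break` on ENOSYS falls through to the ptrace fallback, but the `ret` buffer already allocated for `liov.iov_base` is left in place and the fallback allocates its own, so on kernels without process_vm_readv every call leaks that buffer. Also `strerror(errno)` is evaluated as an argument after the failing call; copying errno into a local first would keep the message correct if anything in between touches it.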
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-09-11 7:53 Mike Frysinger
From: Mike Frysinger @ 2015-09-11 7:53 UTC (permalink / raw
To: gentoo-commits
commit: 32b850d49a5ae11dbaf0b4b79067c7fa9dfc3726
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Apr 15 03:25:08 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Apr 15 03:25:08 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=32b850d4
libsandbox: fix building w/gcc-5
The preprocessed output of gcc has changed a bit to retain more
whitespace, but this just confuses/breaks the scripts that parse
it. Add the -P flag to normalize things a bit.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsandbox/Makefile.am b/libsandbox/Makefile.am
index 2eb8da1..529d835 100644
--- a/libsandbox/Makefile.am
+++ b/libsandbox/Makefile.am
@@ -68,7 +68,7 @@ sb_nr.h: symbols.h $(SB_NR_FILE)
TRACE_MAKE_HEADER = \
$(SB_AWK) $(GEN_TRACE_SCRIPT) -v MODE=gen | \
- $(COMPILE) -E -include $(top_srcdir)/headers.h - $$f | \
+ $(COMPILE) -E -P -include $(top_srcdir)/headers.h - $$f | \
$(SB_AWK) $(GEN_TRACE_SCRIPT) -v syscall_prefix=$$t > $$header
trace_syscalls.h: $(GEN_TRACE_SCRIPT) Makefile
if SB_SCHIZO
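Review bot: `-P` (suppress linemarkers) is a GCC/clang preprocessor option, so this ties `$(COMPILE)` to those compilers; that is consistent with the rest of the trace generation relying on gcc's preprocessor output, but a short comment above TRACE_MAKE_HEADER stating the expectation would save the next person a puzzling build failure.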
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-09-20 8:15 Mike Frysinger
From: Mike Frysinger @ 2015-09-20 8:15 UTC (permalink / raw
To: gentoo-commits
commit: 98db340d61a9607ab179a5d4dc057cf453d90e55
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Sep 15 18:21:29 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Sep 15 18:21:29 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=98db340d
libsandbox: avoid leaking memory when extracting strings
If userland supports process_vm_readv, but the kernel does not (newer
kernel headers & C lib than kernel), then we leak a bit of memory when
we fall back to the ptrace code. Do not re-allocate the ret buffer if
the code does fallback.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index dfbab18..1d40392 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -119,11 +119,12 @@ static char *do_peekstr(unsigned long lptr)
ret = xrealloc(ret, len);
liov.iov_base = ret + len - l;
}
+#else
+ len = 1024;
+ ret = xmalloc(len);
#endif
l = 0;
- len = 1024;
- ret = xmalloc(len);
while (1) {
a = lptr & (sizeof(long) - 1);
lptr -= a;
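Review bot: after the ENOSYS `break`, the fallback loop now inherits `ret` and `len` as the process_vm_readv path left them instead of a fresh 1024-byte buffer; with the `len = lptr % l` computation shown elsewhere on this page, `len` can be as small as one byte, while the ptrace loop works in whole `long`s (`a = lptr & (sizeof(long) - 1)`), so confirm that the loop grows `ret` before storing or that the initial `len` is at least `sizeof(long)`.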
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-09-20 8:15 Mike Frysinger
From: Mike Frysinger @ 2015-09-20 8:15 UTC (permalink / raw
To: gentoo-commits
commit: 167ded327a715f6378942f668f326ebc26f15d1a
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 06:57:54 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:57:54 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=167ded32
libsandbox: egetcwd: fix handling of NULL inputs
We don't want to let the C library do the memory allocation for us when
buf==NULL as it won't use our memory functions, so when we try to call
our free on it, we get corruption. Handle the automatic allocation in
the code directly.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 4f4589f..3bd3794 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -306,7 +306,16 @@ static char *resolve_path(const char *path, int follow_link)
char *egetcwd(char *buf, size_t size)
{
struct stat st;
- char *tmpbuf, *oldbuf = buf;
+ char *tmpbuf;
+
+ /* We can't let the C lib allocate memory for us since we have our
+ * own local routines to handle things.
+ */
+ bool allocated = (buf == NULL);
+ if (allocated) {
+ size = SB_PATH_MAX;
+ buf = xmalloc(size);
+ }
/* If tracing a child, our cwd may not be the same as the child's */
if (trace_pid) {
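Review bot: with `oldbuf` removed, `tmpbuf` is still declared but its remaining uses are outside the hunk; if it only served the getcwd-allocated-buffer bookkeeping, drop it too. Also, when `buf == NULL` the caller's `size` is silently replaced by SB_PATH_MAX; document that in the function comment, since glibc's getcwd(NULL, size) honours a non-zero size.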
@@ -354,9 +363,9 @@ char *egetcwd(char *buf, size_t size)
errno = ENAMETOOLONG;
if (errno && errno != EACCES) {
- /* If getcwd() allocated the buffer, free it. */
- if (NULL == oldbuf)
- free(tmpbuf);
+ /* If getcwd() allocated the buffer, free it. */
+ if (allocated)
+ free(buf);
/* Not sure if we should quit here, but I guess if
* lstat() fails, getcwd could have messed up. Not
@@ -368,6 +377,9 @@ char *egetcwd(char *buf, size_t size)
restore_errno();
} else if (errno != 0) {
+ /* If getcwd() allocated the buffer, free it. */
+ if (allocated)
+ free(buf);
/* Make sure we do not return garbage if the current libc or
* kernel's getcwd() is buggy.
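Review bot: both error branches now `free(buf)` when `allocated`, but the returns that follow are outside the hunks; make sure those paths return NULL rather than the now-dangling `buf` to the caller. Since the two freeing blocks are identical, a single cleanup label would avoid the duplication.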
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-09-20 8:15 Mike Frysinger
From: Mike Frysinger @ 2015-09-20 8:15 UTC (permalink / raw
To: gentoo-commits
commit: efb6ac30fb0d39cbd5f801c6d251b14ed5f5a7d6
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 07:27:34 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 07:27:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=efb6ac30
libsandbox: improve debugging output a bit
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 57be731..1d9fa04 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -912,6 +912,8 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
resolved_path = resolve_path(file, 1);
if (!absolute_path || !resolved_path)
goto error;
+ sb_debug_dyn("absolute_path: %s\n", absolute_path);
+ sb_debug_dyn("resolved_path: %s\n", resolved_path);
verbose = is_env_set_on(ENV_SANDBOX_VERBOSE, &set);
if (set)
@@ -1098,9 +1100,9 @@ bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char
if ((*mode == 'r') && ((0 == (strcmp(mode, "r"))) ||
/* The strspn accept args are known non-writable modifiers */
(strlen(mode+1) == strspn(mode+1, "xbtmce"))))
- sb_nr = SB_NR_OPEN_RD, ext_func = "open_rd";
+ sb_nr = SB_NR_OPEN_RD, ext_func = "fopen_rd";
else
- sb_nr = SB_NR_OPEN_WR, ext_func = "open_wr";
+ sb_nr = SB_NR_OPEN_WR, ext_func = "fopen_wr";
return before_syscall(dirfd, sb_nr, ext_func, file, 0);
}
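Review bot: changing `ext_func` to `fopen_rd`/`fopen_wr` alters the function name that appears in ACCESS DENIED messages and the log file (`func` is passed to sb_eerror and write_logfile in check_syscall), so any tooling matching `open_rd`/`open_wr` in sandbox logs needs updating; worth a line in the commit message since it is more than a debugging tweak.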
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-09-20 8:15 Mike Frysinger
From: Mike Frysinger @ 2015-09-20 8:15 UTC (permalink / raw
To: gentoo-commits
commit: c17c4b85ca9e9af75bc16c9e49b6bf0b3ee6b4c8
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 07:40:16 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 07:40:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=c17c4b85
libsandbox: work around process_vm_readv EFAULTs
Some people are seeing this call fail, but it's not clear why. Include
more debugging output so as to improve the reports, and let the code fall
back to the existing ptrace logic since that seems to work. This will at
least unblock people's builds.
URL: https://bugs.gentoo.org/560396
Reported-by: Jeroen Roovers <jer <AT> gentoo.org>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 1d40392..ed05c4d 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -104,10 +104,23 @@ static char *do_peekstr(unsigned long lptr)
while (1) {
if (process_vm_readv(trace_pid, &liov, 1, &riov, 1, 0) == -1) {
- if (errno == ENOSYS)
+ int e = errno;
+ if (e == ENOSYS)
break;
+ sb_eqawarn("process_vm_readv(%i, %p{%p, %zu}, 1, %p{%p, %zu}, 1, 0) failed: %s\n",
+ trace_pid,
+ &liov, liov.iov_base, liov.iov_len,
+ &riov, riov.iov_base, riov.iov_len,
+ strerror(e));
+ if (e == EFAULT) {
+ /* This sometimes happens, but it's not clear why.
+ * Throw some extended debugging info before falling
+ * back to the ptrace code. #560396
+ */
+ break;
+ }
sb_ebort("ISE:do_peekstr: process_vm_readv() hates us: %s\n",
- strerror(errno));
+ strerror(e));
}
for (i = 0; i < liov.iov_len; ++i)
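Review bot: capturing `int e = errno` before the warning is the right fix, since sb_eqawarn itself may clobber errno before the later strerror(). On the EFAULT branch: a traced process can legitimately pass an unmapped pointer (the kernel simply returns EFAULT to it), so a QA warning on every occurrence may be noisy and the ptrace fallback will hit the same address; once the reports are in, treating EFAULT like ENOSYS without the warning may be the better long-term shape.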
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-09-27 6:13 Mike Frysinger
From: Mike Frysinger @ 2015-09-27 6:13 UTC (permalink / raw
To: gentoo-commits
commit: c86b0416025b4b3f8555295a89c64e233803fef2
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 20:41:28 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 20:41:28 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=c86b0416
libsandbox: use memchr to speed up NUL byte search
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index ed05c4d..47d2bdf 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -123,9 +123,8 @@ static char *do_peekstr(unsigned long lptr)
strerror(e));
}
- for (i = 0; i < liov.iov_len; ++i)
- if (!((char *)liov.iov_base)[i])
- return ret;
+ if (memchr(liov.iov_base, '\0', liov.iov_len) != NULL)
+ return ret;
riov.iov_base += l;
riov.iov_len = liov.iov_len = l;
len += l;
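Review bot: the memchr call is equivalent to the removed loop; with the loop gone, check that `i` is still used elsewhere in do_peekstr or drop its declaration to avoid an unused-variable warning. The context line `riov.iov_base += l` does arithmetic on a `void *`, a GNU extension; fine for gcc-only code, but a `(char *)` cast would make it portable.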
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-09-27 6:13 Mike Frysinger
From: Mike Frysinger @ 2015-09-27 6:13 UTC (permalink / raw
To: gentoo-commits
commit: 9a927b63d0f76fb5edaf4abf43784419b944f21c
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 22:10:01 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 22:10:01 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9a927b63
libsandbox: fix process_vm_readv addresses/lengths
The current logic calculates the lengths/base addresses incorrectly
leading to some kernels/mappings to reject accesses. Make sure we
calculate the initial length properly, and then increment the base
by that value later on.
With those fixes in place, we can clean up the warning/exit paths.
URL: https://bugs.gentoo.org/560396
Reported-by: Jeroen Roovers <jer <AT> gentoo.org>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 47d2bdf..99ef8cd 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -93,10 +93,14 @@ static char *do_peekstr(unsigned long lptr)
#ifdef HAVE_PROCESS_VM_READV
struct iovec liov, riov;
- /* We can't cross remote page boundaries when using this :( */
+ /* We can't cross remote page boundaries when using this :(.
+ * The first call reads up to the edge of the page boundary since we
+ * have no (easy) way of knowing if the next page is valid. This is
+ * less effort than reading in the /proc/.../maps file and walking it.
+ */
l = 0x1000;
riov.iov_base = (void *)lptr;
- len = lptr % l;
+ len = l - (lptr % l);
if (!len)
len = l;
liov.iov_base = ret = xmalloc(len);
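Review bot: `len = l - (lptr % l)` now always yields a value in 1..l, so the following `if (!len) len = l;` is dead and can go. `l = 0x1000` also hard-codes a 4 KiB page; on targets with larger pages the reads still stay within one page and are merely more numerous, but `sysconf(_SC_PAGESIZE)` would make the intent explicit.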
@@ -105,27 +109,23 @@ static char *do_peekstr(unsigned long lptr)
while (1) {
if (process_vm_readv(trace_pid, &liov, 1, &riov, 1, 0) == -1) {
int e = errno;
- if (e == ENOSYS)
+ if (e == ENOSYS) {
+ /* This can happen if run on older kernels but built with newer ones. */
+ break;
+ } else if (e == EFAULT) {
+ /* This can happen if the target process uses a bad pointer. #560396 */
break;
- sb_eqawarn("process_vm_readv(%i, %p{%p, %zu}, 1, %p{%p, %zu}, 1, 0) failed: %s\n",
+ }
+ sb_ebort("ISE:do_peekstr:process_vm_readv(%i, %p{%p, %#zx}, 1, %p{%p, %#zx}, 1, 0) failed: %s\n",
trace_pid,
&liov, liov.iov_base, liov.iov_len,
&riov, riov.iov_base, riov.iov_len,
strerror(e));
- if (e == EFAULT) {
- /* This sometimes happens, but it's not clear why.
- * Throw some extended debugging info before falling
- * back to the ptrace code. #560396
- */
- break;
- }
- sb_ebort("ISE:do_peekstr: process_vm_readv() hates us: %s\n",
- strerror(e));
}
if (memchr(liov.iov_base, '\0', liov.iov_len) != NULL)
return ret;
- riov.iov_base += l;
+ riov.iov_base += riov.iov_len;
riov.iov_len = liov.iov_len = l;
len += l;
ret = xrealloc(ret, len);
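Review bot: `riov.iov_base += riov.iov_len` is the right advance for the first, partial read; after the realloc the code must also re-point `liov.iov_base` at `ret + len - l` (as the code shown in the earlier trace.c hunk does), otherwise the next chunk lands at a stale offset. Since EFAULT is now silent, keeping the `#560396` reference in the comment, as done, is what explains the choice to future readers.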
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-12-19 7:29 Mike Frysinger
From: Mike Frysinger @ 2015-12-19 7:29 UTC (permalink / raw
To: gentoo-commits
commit: 767becaac8ccf0a271fc7633fafe635bf8126f3e
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Dec 19 06:41:36 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Dec 19 06:41:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=767becaa
libsandbox: fix memory alignment
Some targets (like sparc32) have higher alignment requirements for 64-bit
values than size_t (which is 4 bytes on sparc32). If we happen to return
4 byte aligned memory which is used to hold a 64-bit value, we get bus errors.
Use the same algorithm that dlmalloc does.
URL: https://bugs.gentoo.org/565630
Reported-by: Denis Kaganovich <mahatma <AT> eu.by>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/memory.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libsandbox/memory.c b/libsandbox/memory.c
index 5609208..8581128 100644
--- a/libsandbox/memory.c
+++ b/libsandbox/memory.c
@@ -15,6 +15,9 @@
#include "libsandbox.h"
#include "sbutil.h"
+/* Pick a value to guarantee alignment requirements. #565630 */
+#define MIN_ALIGN (2 * sizeof(void *))
+
/* Well screw me sideways, someone decided to override mmap() #290249
* We probably don't need to include the exact sym version ...
*/
@@ -35,14 +38,14 @@ static int sb_munmap(void *addr, size_t length)
}
#define munmap sb_munmap
-#define SB_MALLOC_TO_MMAP(ptr) ((void*)(((size_t*)ptr) - 1))
-#define SB_MMAP_TO_MALLOC(ptr) ((void*)(((size_t*)ptr) + 1))
+#define SB_MALLOC_TO_MMAP(ptr) ((void*)((uintptr_t)(ptr) - MIN_ALIGN))
+#define SB_MMAP_TO_MALLOC(ptr) ((void*)((uintptr_t)(ptr) + MIN_ALIGN))
#define SB_MALLOC_TO_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
void *malloc(size_t size)
{
size_t *ret;
- size += sizeof(size_t);
+ size += MIN_ALIGN;
ret = mmap(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if (ret == MAP_FAILED)
return NULL;
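Review bot: `size += MIN_ALIGN` can wrap for a `size` close to SIZE_MAX, after which mmap would map a tiny region and the caller would receive far fewer bytes than requested; add `if (size > SIZE_MAX - MIN_ALIGN) { errno = ENOMEM; return NULL; }` before the addition. The macros now use `uintptr_t`, so <stdint.h> must be reachable through the included headers. Since mmap returns page-aligned memory, placing user data at offset MIN_ALIGN does give 2*sizeof(void*) alignment, matching dlmalloc's default MALLOC_ALIGNMENT.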
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-12-19 18:10 Mike Frysinger
From: Mike Frysinger @ 2015-12-19 18:10 UTC (permalink / raw
To: gentoo-commits
commit: 529a388ebb1b4e9d6ad8a1bb61dd8211833a5976
Author: Denis Lisov <dennis.lissov <AT> gmail <DOT> com>
AuthorDate: Sat Dec 19 16:13:58 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Dec 19 17:57:53 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=529a388e
libsandbox: fix old_malloc_size check on realloc
Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size,
while it is really the mmap size, which is greater. Thus it may fail
to reallocate even if required.
URL: https://bugs.gentoo.org/568714
Signed-off-by: Denis Lisov <dennis.lissov <AT> gmail.com>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/memory.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libsandbox/memory.c b/libsandbox/memory.c
index 8581128..a2d69a2 100644
--- a/libsandbox/memory.c
+++ b/libsandbox/memory.c
@@ -40,7 +40,8 @@ static int sb_munmap(void *addr, size_t length)
#define SB_MALLOC_TO_MMAP(ptr) ((void*)((uintptr_t)(ptr) - MIN_ALIGN))
#define SB_MMAP_TO_MALLOC(ptr) ((void*)((uintptr_t)(ptr) + MIN_ALIGN))
-#define SB_MALLOC_TO_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
+#define SB_MALLOC_TO_MMAP_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
+#define SB_MALLOC_TO_SIZE(ptr) (SB_MALLOC_TO_MMAP_SIZE(ptr) - MIN_ALIGN)
void *malloc(size_t size)
{
@@ -57,7 +58,7 @@ void free(void *ptr)
{
if (ptr == NULL)
return;
- if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_SIZE(ptr)))
+ if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_MMAP_SIZE(ptr)))
sb_ebort("sandbox memory corruption with free(%p): %s\n",
ptr, strerror(errno));
}
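Review bot: free() now passes the mapped length to munmap, which is correct; the rename also means the remaining SB_MALLOC_TO_SIZE caller (realloc's `old_malloc_size`) now receives the usable size, so the `size` versus `old_malloc_size` comparison there should be re-read against this new meaning.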
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2015-12-19 18:10 Mike Frysinger
From: Mike Frysinger @ 2015-12-19 18:10 UTC (permalink / raw
To: gentoo-commits
commit: f02e644a90dde960b47f9bc87125fe37dece7ee9
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Dec 19 18:04:40 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Dec 19 18:04:40 2015 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f02e644a
libsandbox: tweak edge cases of realloc a bit
We need to return NULL when passed a size of 0 as the API requires the
return value be usable w/free, but we just freed the pointer so the ret
will cause memory corruption later on.
When we go to preserve the old content, we don't need the MIN check as
we already verified that a few lines up. But leave it for defensive
purposes as gcc already optimizes it out for us. Just comment things.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/memory.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libsandbox/memory.c b/libsandbox/memory.c
index a2d69a2..a8f4d4b 100644
--- a/libsandbox/memory.c
+++ b/libsandbox/memory.c
@@ -81,7 +81,7 @@ void *realloc(void *ptr, size_t size)
return malloc(size);
if (size == 0) {
free(ptr);
- return ptr;
+ return NULL;
}
old_malloc_size = SB_MALLOC_TO_SIZE(ptr);
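Review bot: returning NULL after freeing `ptr` matches glibc's behaviour for realloc(p, 0), but callers following the `if (!realloc(...)) goto error;` idiom will read it as failure and may then touch the already-freed `ptr`; a comment at the top of realloc stating this contract would help, since libsandbox replaces the allocator for every caller in the process.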
@@ -91,6 +91,10 @@ void *realloc(void *ptr, size_t size)
ret = malloc(size);
if (!ret)
return ret;
+ /* We already verified old_malloc_size is smaller than size above, so
+ * we don't really need the MIN() here. We leave it to be defensive,
+ * and because gcc optimizes away the check for us.
+ */
memcpy(ret, ptr, MIN(size, old_malloc_size));
free(ptr);
return ret;
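Review bot: the new comment is accurate given the early return above, and `if (!ret) return ret;` correctly leaves `ptr` intact on allocation failure as the standard requires. Nit: that `return ret;` is always `return NULL;` and reads more clearly spelled that way.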
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2016-03-29 12:24 Mike Frysinger
From: Mike Frysinger @ 2016-03-29 12:24 UTC
To: gentoo-commits
commit: 9fabf8eb94d8866c4f039462d1bdd06cdb0e22eb
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 29 09:03:13 2016 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Mar 29 09:03:13 2016 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9fabf8eb
libsandbox: make check_syscall ISE a little more useful
Showing just the resolved paths isn't too helpful when they're both
NULL. Also include the failing func & original file path.
URL: https://bugs.gentoo.org/553092
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 7555862..cbe1aa1 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -985,8 +985,8 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
return 2;
/* If we get here, something bad happened */
- sb_ebort("ISE:\n\tabs_path: %s\n\tres_path: %s\n",
- absolute_path, resolved_path);
+ sb_ebort("ISE: %s(%s)\n\tabs_path: %s\n\tres_path: %s\n",
+ func, file, absolute_path, resolved_path);
}
bool is_sandbox_on(void)
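Review bot: `func` and `file` are now passed to `%s`, and the bug this fixes (both resolved paths NULL) shows the arguments reaching this report can be NULL; printing NULL through `%s` is undefined behaviour that only glibc rescues with "(null)". Guard the new arguments, e.g. `file ? file : "(null)"`, and do the same for `absolute_path` and `resolved_path` while touching the call, otherwise the internal-error report can itself crash the process it is trying to diagnose.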
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2016-03-30 5:22 Mike Frysinger
From: Mike Frysinger @ 2016-03-30 5:22 UTC
To: gentoo-commits
commit: 31a135d261a9bc1d65b1fa484345a858bab84db8
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 30 05:17:21 2016 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Mar 30 05:17:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=31a135d2
libsandbox: whitelist execvpe
URL: https://bugs.gentoo.org/578516
Reported-by: Toralf Förster <toralf.foerster <AT> gmx.de>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index cbe1aa1..e809308 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -710,6 +710,7 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
sb_nr == SB_NR_EXECV ||
sb_nr == SB_NR_EXECVP ||
sb_nr == SB_NR_EXECVE ||
+ sb_nr == SB_NR_EXECVPE ||
sb_nr == SB_NR_FEXECVE))
{
retval = check_prefixes(sbcontext->read_prefixes,
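Review bot: the exec family is enumerated as a growing `||` chain (`SB_NR_EXECV`, `SB_NR_EXECVP`, `SB_NR_EXECVE`, now `SB_NR_EXECVPE`, `SB_NR_FEXECVE`), which is how execvpe got missed in the first place (bug 578516); move the membership test into one helper, e.g. a `switch` in an `sb_nr_is_exec()` function, so every place that must treat exec as a read check picks up a new wrapper at once. This hunk only whitelists the check; confirm the `execvpe` wrapper itself is in the exported symbol list, otherwise the call is not intercepted at all.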
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2017-10-03 16:39 Michał Górny
From: Michał Górny @ 2017-10-03 16:39 UTC
To: gentoo-commits
commit: 8212b2ac2b6384e290084da4d164a5771d5f410a
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Mon Sep 25 16:30:51 2017 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Oct 3 16:38:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=8212b2ac
Remove no-longer-necessary symlink hack in ACL
Remove the hack supposedly responsible for making it possible to remove
symbolic links to protected files. The hack was probably necessary back
when the write check was performed on the fully resolved path. However,
currently the path resolution is no longer performed when the operation
does not resolve symlinks, effectively making the hack redundant.
libsandbox/libsandbox.c | 40 ----------------------------------------
1 file changed, 40 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index de48bd7..e164dcf 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -794,46 +794,6 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
goto out;
}
- /* XXX: Hack to enable us to remove symlinks pointing to
- * protected stuff. First we make sure that the passed path
- * is writable, and if so, check if it's a symlink, and give
- * access only if the resolved path of the symlink's parent
- * also have write access. We also want to let through funcs
- * whose flags say they will operate on symlinks themselves
- * rather than dereferencing them.
- */
- if (sym_func) {
- /* Check if the symlink unresolved path have access */
- retval = check_prefixes(sbcontext->write_prefixes,
- sbcontext->num_write_prefixes, abs_path);
- if (1 == retval) { /* Does have write access on path */
- char *dname, *dname_buf, *rpath;
-
- dname_buf = xstrdup(abs_path);
- dname = dirname(dname_buf);
- /* Get symlink resolved path */
- rpath = resolve_path(dname, 1);
- free(dname_buf);
- if (NULL == rpath)
- /* Don't really worry here about
- * memory issues */
- goto unlink_hack_end;
-
- /* Now check if the symlink resolved path have access */
- retval = check_prefixes(sbcontext->write_prefixes,
- sbcontext->num_write_prefixes,
- rpath);
- free(rpath);
- if (1 == retval) {
- /* Does have write access on path, so
- * enable the hack as it is a symlink */
- result = 1;
- goto out;
- }
- }
- }
- unlink_hack_end: ;
-
/* Hack to allow writing to '/proc/self/fd' #91516. It needs
* to be here as for each process, the '/proc/self' symlink
* will differ ...
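Review bot: the removed block was a policy exception (a write-class operation on a symlink is allowed when the symlink's resolved parent is also writable), and the justification given, that paths are no longer resolved for functions that do not dereference symlinks, is not visible in this hunk; add a test that `unlink()` of a symlink inside a writable directory pointing at a protected file still succeeds and that writing through that symlink is still denied, so the behaviour is pinned rather than implied. Also check `sym_func`, which gated the block, for an unused-variable warning now that nothing in this hunk reads it.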
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2017-10-03 16:42 Ian Stakenvicius
From: Ian Stakenvicius @ 2017-10-03 16:42 UTC
To: gentoo-commits
commit: ecba8795415dd571f894d457001f28d96c3f8a93
Author: Peter Levine <plevine457 <AT> gmail <DOT> com>
AuthorDate: Tue Sep 26 17:59:42 2017 +0000
Commit: Ian Stakenvicius <axs <AT> gentoo <DOT> org>
CommitDate: Tue Oct 3 16:42:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ecba8795
Ensure LD_LIBRARY_PATH is copied to my_env
Sandbox commit 55087abd8dc9802cf68cade776fe612a3f19f6a1 is for the purpose
of preventing a loop or deadlock caused by a package implementing its own
libc memory allocation functions, which themselves may call sandbox-wrapped
system calls, whose implementation depends on further calls to such memory
functions. If any binaries export such symbols, sandbox assumes the worst
and prevents loading of libsandbox.so and instead opts for ptrace.
In preventing the loading of libsandbox, it removes all variables whose
env_pair.name field matches the name of an environment variable from the
environment, for all env_pairs of vars[] in
char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert) in
"libsandbox/libsandbox.c". This includes not just the usual environment
variables prefixed with 'SANDBOX_' but also LD_PRELOAD and LD_LIBRARY_PATH.
LD_PRELOAD clearly should be removed. But LD_LIBRARY_PATH would only seem
to be trouble if used with LD_PRELOAD. As such it makes sense to me to
prevent the removal of LD_LIBRARY_PATH.
Given the fact that the positions of the env_pairs in vars[] are intended
to be hard-coded (from libsandbox.c: /* Indices matter -- see init below */),
this commit uses the index of the env_pair corresponding to LD_LIBRARY_PATH to
prevent its removal.
libsandbox/libsandbox.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 962690e..c126aa1 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1201,7 +1201,7 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
if (mod_cnt) {
str_list_for_each_item(envp, entry, count) {
for (i = 0; i < num_vars; ++i)
- if (is_env_var(entry, vars[i].name, vars[i].len)) {
+ if (i != 12 && is_env_var(entry, vars[i].name, vars[i].len)) {
(*mod_cnt)++;
goto skip;
}
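Review bot: `i != 12` hard-codes the position of LD_LIBRARY_PATH in `vars[]`; the commit message itself notes the indices are load-bearing, so a later insertion or reorder would silently exempt a different variable, in the worst case LD_PRELOAD, which is exactly the one that must be stripped. Name the index (an `enum` or `#define` next to the `ENV_PAIR` table) or compare `vars[i].name` against `"LD_LIBRARY_PATH"`, and use the same predicate in both loops of this patch.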
@@ -1210,7 +1210,7 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
}
} else {
for (i = 0; i < num_vars; ++i)
- unsetenv(vars[i].name);
+ if (i != 12) unsetenv(vars[i].name);
}
} else {
if (mod_cnt) {
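Review bot: `if (i != 12) unsetenv(vars[i].name);` repeats the magic number from the previous hunk on a single line; put the exemption in one small predicate (by name, or by a named index) and call it from both places so the two code paths cannot drift apart. Style: put the `for` body on its own line, as the surrounding code does.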
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2018-02-18 21:32 Michał Górny
From: Michał Górny @ 2018-02-18 21:32 UTC
To: gentoo-commits
commit: 1b0f7b0d035a10ba172b659abbe425c8523bdb96
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Mon Feb 12 18:14:07 2018 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Mon Feb 12 19:05:27 2018 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=1b0f7b0d
Disable environment propagation if sandbox is disabled
Do not enforce restoring sandbox variables in the environment if sandbox
is explicitly disabled. This makes it possible to set SANDBOX_ON=0
and then unset LD_PRELOAD without having to resort to ugly hacks to
prevent sandbox from restoring itself.
The only limitation is that if the user sets SANDBOX_ON=0 first, then wipes
the environment, they will no longer be able to re-enable sandbox by setting
SANDBOX_ON=1. However, it is rather unlikely that such a thing would
need to happen in real use.
Bug: https://bugs.gentoo.org/592750
libsandbox/libsandbox.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index c126aa1..9ef13b1 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1142,6 +1142,11 @@ char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
char *found_vars[num_vars];
size_t found_var_cnt;
+ /* If sandbox is explicitly disabled, do not propagate the vars
+ * and just return user's envp */
+ if (!sbcontext.on)
+ return envp;
+
/* First figure out how many vars are already in the env */
found_var_cnt = 0;
memset(found_vars, 0, sizeof(found_vars));
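Review bot: `return envp;` hands back the caller's own array, whereas the normal path of `sb_check_envp()` below the hunk builds a new one; any caller that frees the result unconditionally will now free memory it does not own whenever SANDBOX_ON=0. Check that the callers distinguish the two cases (compare the result to the input, or return a fresh copy here as well). It is also worth saying in the comment that this is the point where, with sandbox disabled, a user-supplied LD_PRELOAD passes through untouched, which is the behaviour bug 592750 asks for.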
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2018-07-19 11:50 Michał Górny
From: Michał Górny @ 2018-07-19 11:50 UTC
To: gentoo-commits
commit: 8bb9e5e7607ff12f8119729077d3d420e999f7ee
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Thu Jul 19 11:27:09 2018 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jul 19 11:27:09 2018 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=8bb9e5e7
libsandbox: Remove meaningless/broken -nodefaultlibs
Remove '-nodefaultlibs' from linking flags for libsandbox as it is
apparently meaningless and broken at the same time. When regular
libtool is used, it silently strips the option, making it meaningless.
When slibtool is used instead, it passes the option which causes linking
to fail due to undefined symbols.
Thanks to the bug reporter and slibtool devs for researching
the problem in detail.
Bug: https://bugs.gentoo.org/657184
libsandbox/Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/libsandbox/Makefile.am b/libsandbox/Makefile.am
index cbc73ba..ac9a548 100644
--- a/libsandbox/Makefile.am
+++ b/libsandbox/Makefile.am
@@ -20,7 +20,6 @@ libsandbox_la_LIBADD = \
# and destructor will not be executed ...
libsandbox_la_LDFLAGS = \
-no-undefined \
- -nodefaultlibs \
-avoid-version \
$(LDFLAG_VER),libsandbox.map
libsandbox_la_SOURCES = \
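Review bot: with `-nodefaultlibs` gone, libsandbox.so is linked against the default libraries, so the retained `-no-undefined` can actually be enforced and a genuinely missing symbol fails at link time instead of at preload time; make sure the comment block above `libsandbox_la_LDFLAGS` (only `# and destructor will not be executed ...` is visible here) does not still describe the removed flag.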
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2018-12-02 15:22 Michał Górny
From: Michał Górny @ 2018-12-02 15:22 UTC
To: gentoo-commits
commit: fcb399f5a685f088b9f10d9d57e326ee78f9e6dd
Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 12 03:56:24 2018 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sun Dec 2 15:17:39 2018 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=fcb399f5
libsandbox: resolve_dirfd_path /proc/<pid> namespace safety
If /proc was mounted by a process in a different pid namespace,
getpid cannot be used to create a valid /proc/<pid> path. Instead
use sb_get_fd_dir() which works in any case. This implements
option 3 of these choices:
1) Always create a mount namespace when creating a pid namespace,
and remount /proc so that /proc/<pid> entries are always consistent
with the current pid namespace.
2) Use readlink on /proc/self instead of getpid to determine the pid
of self in the pid namespace of the /proc mount.
3) Use /proc/self or /dev/fd directly.
Bug: https://bugs.gentoo.org/670966
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>
Closes: https://github.com/gentoo/sandbox/pull/1
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
libsandbox/libsandbox.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 9ef13b1..e0c9d1a 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -125,7 +125,14 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path,
save_errno();
size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0);
- sprintf(resolved_path, "/proc/%i/fd/%i", trace_pid ? : getpid(), dirfd);
+ if (trace_pid)
+ sprintf(resolved_path, "/proc/%i/fd/%i", trace_pid, dirfd);
+ else
+ /* If /proc was mounted by a process in a different pid namespace,
+ * getpid cannot be used to create a valid /proc/<pid> path. Instead
+ * use sb_get_fd_dir() which works in any case.
+ */
+ sprintf(resolved_path, "%s/%i", sb_get_fd_dir(), dirfd);
ssize_t ret = readlink(resolved_path, resolved_path, at_len);
if (ret == -1) {
/* see comments at end of check_syscall() */
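Review bot: both branches use unbounded `sprintf` into `resolved_path`, and the new `"%s/%i"` branch makes the prefix variable-length (`sb_get_fd_dir()` instead of the fixed `/proc/%i/fd` pattern); `resolved_path_len` is already in scope for `at_len`, so use `snprintf(resolved_path, resolved_path_len, ...)` and fail on truncation. The `else` branch is an unbraced comment plus statement; brace it. The pre-existing `readlink(resolved_path, resolved_path, at_len)` reads and writes the same buffer, which works on Linux because the kernel copies the pathname before writing the result, but a separate link buffer would make that explicit.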
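The fd-directory approach the commit chooses (option 3), as an added example that is not the sandbox project's `resolve_dirfd_path()`: it picks `/proc/self/fd` or `/dev/fd` without ever building a `/proc/<pid>` path, so it works when `/proc` was mounted from another pid namespace, bounds every write with `snprintf`, reads the link into a separate buffer, and rejects fds that do not refer to a directory on a real filesystem. The `sb_*` names and the self-test's temp-directory layout are assumptions; it needs a Linux system with `/proc` or `/dev/fd`.

```c
/* Added example: resolve a dirfd to an absolute path via the fd directory
 * without building a /proc/<pid> path. Not the sandbox project's code; the
 * sb_* names are assumptions for illustration only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Directory listing our own fds. /proc/self is resolved by the kernel in
 * the pid namespace that mounted /proc, so it stays correct where getpid()
 * would yield a pid that this /proc does not know; /dev/fd is the fallback. */
const char *sb_get_fd_dir(void)
{
    static const char *const candidates[] = { "/proc/self/fd", "/dev/fd", NULL };
    for (size_t i = 0; candidates[i]; i++)
        if (access(candidates[i], R_OK | X_OK) == 0)
            return candidates[i];
    return NULL;          /* errno left from the last access() */
}

/* Write "<directory of dirfd>/<path>" (or just the directory when path is
 * NULL or empty) into out. Returns 0 on success, -1 with errno set. */
int sb_resolve_dirfd_path(int dirfd, const char *path, char *out, size_t outlen)
{
    const char *fddir = sb_get_fd_dir();
    if (!fddir)
        return -1;

    char link[PATH_MAX];
    int n = snprintf(link, sizeof link, "%s/%d", fddir, dirfd);
    if (n < 0 || (size_t)n >= sizeof link) {
        errno = ENAMETOOLONG;
        return -1;
    }

    /* readlink() does not NUL-terminate: keep one byte for it, and read
     * into a separate buffer rather than aliasing link and out. */
    char target[PATH_MAX];
    ssize_t len = readlink(link, target, sizeof target - 1);
    if (len < 0)
        return -1;
    target[len] = '\0';

    /* Anything not starting with '/' is a pseudo-target such as
     * "pipe:[1234]" or "socket:[5678]", not a directory we can join to. */
    if (target[0] != '/') {
        errno = ENOTDIR;
        return -1;
    }

    int written = (path && *path)
        ? snprintf(out, outlen, "%s/%s", target, path)
        : snprintf(out, outlen, "%s", target);
    if (written < 0 || (size_t)written >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Self-check: open a fresh temp dir, resolve its fd plus a relative name,
 * and compare with realpath(). Returns 0 on success. */
int sb_resolve_selftest(void)
{
    char tmpl[] = "/tmp/sb-dirfd-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return 1;
    int rc = 2;
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd >= 0) {
        char got[PATH_MAX], real[PATH_MAX], want[PATH_MAX + 32];
        if (realpath(dir, real) &&
            sb_resolve_dirfd_path(fd, "file.txt", got, sizeof got) == 0) {
            snprintf(want, sizeof want, "%s/file.txt", real);
            rc = strcmp(got, want) == 0 ? 0 : 3;
        }
        close(fd);
    }
    rmdir(dir);
    return rc;
}
```

The result is the kernel's view of the directory the fd refers to, so it is already symlink-free for the directory part; only the appended relative component may still need resolving, which is what the caller's later path checks are for.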
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2019-06-25 6:42 Sergei Trofimovich
From: Sergei Trofimovich @ 2019-06-25 6:42 UTC
To: gentoo-commits
commit: ed72f5d07f627464a95ab377cd101d90d4d10c7d
Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
AuthorDate: Sun Jun 23 20:48:26 2019 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Tue Jun 25 06:39:05 2019 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ed72f5d0
libsandbox/trace.c: tweak ptrace command type for musl
glibc defines ptrace as:
long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
musl defines ptrace as:
long ptrace(int, ...);
This causes a build failure of the form:
../../sandbox-2.17/libsandbox/trace/linux/x86_64.c: In function 'trace_set_ret':
../../sandbox-2.17/libsandbox/trace/linux/x86_64.c:99:2: error: type of formal parameter 1 is incomplete
trace_set_regs(regs);
^~~~~~~~~~~~~~
Let's clobber it to the 'int' lowest common denominator.
Bug: https://bugs.gentoo.org/549108
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
libsandbox/trace.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index fb1fc32..3efef23 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -10,7 +10,16 @@
#include "sb_nr.h"
static long do_peekdata(long offset);
-static long _do_ptrace(enum __ptrace_request request, const char *srequest, void *addr, void *data);
+/* Note on _do_ptrace argument types:
+ glibc defines ptrace as:
+ long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
+ musl defines ptrace as:
+ long ptrace(int, ...);
+
+ Let's clobber to 'int' lowest common denominator.
+ */
+typedef int sb_ptrace_req_t;
+static long _do_ptrace(sb_ptrace_req_t request, const char *srequest, void *addr, void *data);
#define do_ptrace(request, addr, data) _do_ptrace(request, #request, addr, data)
#define _trace_possible(data) true
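Review bot: the new comment block does not follow the file's `/* ... */` style with a leading ` * ` on continuation lines (compare the comments in the libsandbox.c hunks elsewhere in this thread), and it repeats the commit message verbatim; one sentence saying why `int` is safe is enough, namely that glibc's `enum __ptrace_request` is an integer type and the `PTRACE_*` constants are integer constants in both libcs, so `do_ptrace(PTRACE_xxx, ...)` call sites need no change.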
@@ -44,7 +53,7 @@ static void trace_exit(int status)
_exit(status);
}
-static long _do_ptrace(enum __ptrace_request request, const char *srequest, void *addr, void *data)
+static long _do_ptrace(sb_ptrace_req_t request, const char *srequest, void *addr, void *data)
{
long ret;
try_again:
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-03-15 18:08 Sergei Trofimovich
From: Sergei Trofimovich @ 2021-03-15 18:08 UTC
To: gentoo-commits
commit: b321cd403c653d5bac54b5ec8341bc631fe3331e
Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
AuthorDate: Sat Mar 13 22:35:53 2021 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Sat Mar 13 22:53:39 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=b321cd40
libsandbox: try harder not to regenerate environment
In bug #775842 Sam noticed a sandbox crash on the libabigail-1.8.2 testsuite:
#0 0x00007f0e0d10e392 in sb_new_envp ()
at libsandbox.c:1184
#1 0x00007f0e0d112745 in system_DEFAULT ()
at wrapper-funcs/__wrapper_exec.c:315
#2 0x000055ece6570b52 in test_task::perform (this=0x55ece72978b0)
at /usr/lib/gcc/x86_64-pc-linux-gnu/11.0.1/include/g++-v11/bits/basic_string.h:186
#3 0x00007f0e0d05fce5 in abigail::workers::worker::wait_to_execute_a_task (p=0x55ece728f380)
at /tmp/portage/dev-util/libabigail-1.8.2/work/libabigail-1.8.2/src/abg-workers.cc:415
#4 0x00007f0e0c8f7cae in start_thread (arg=0x7f0e0b433640)
at pthread_create.c:473
#5 0x00007f0e0ca0eb2f in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
The test roughly calls system() from spawned parallel threads:
for_each_test() {
    spawn_thread([]{
        system("cmd"); wait();
    });
}
Sandbox has to inject sandbox-specific environment variables where
they don't exist. This is fundamentally racy in a multithreaded
environment:
for_each_test() {
    spawn_thread([]{
        environ = modified_env;
        system("cmd"); wait();
        environ = orig_env;
    });
}
Most of the time the environment does not have to change after the initial
environment injection. f3e51a9303124 ("exec*() wrappers: never mutate
'environ' of host process") exposed a bug in sandbox's logic of
checking existing environment: unset variables like `SANDBOX_DENY`
The change treats unset/expected-unset variables as non deviating.
Reported-by: Sam James
Bug: https://bugs.gentoo.org/775842
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
libsandbox/libsandbox.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index b4d732d..166516c 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1181,6 +1181,7 @@ struct sb_envp_ctx sb_new_envp(char **envp, bool insert)
found_var_cnt = 0;
memset(found_vars, 0, sizeof(found_vars));
+ /* Iterate through user's environment and check against expected. */
str_list_for_each_item(envp, entry, count) {
for (i = 0; i < num_vars; ++i) {
if (found_vars[i])
@@ -1192,6 +1193,14 @@ struct sb_envp_ctx sb_new_envp(char **envp, bool insert)
}
}
+ /* Treat unset and expected-unset variables as found. This will allow us
+ * to keep existing environment. */
+ for (i = 0; i < num_vars; ++i) {
+ if (vars[i].value == NULL && found_vars[i] == NULL) {
+ ++found_var_cnt;
+ }
+ }
+
/* Now specially handle merging of LD_PRELOAD */
char *ld_preload;
bool merge_ld_preload = found_vars[0] && !strstr(found_vars[0], sandbox_lib);
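Review bot: the new loop counts only variables that are both expected unset (`vars[i].value == NULL`) and absent; a variable that is expected unset but present in the caller's environment is presumably recorded in `found_vars[i]` by the loop above (not fully visible here) and counted there too, so `found_var_cnt` alone can no longer distinguish "environment matches expectation" from "environment contains a variable we intend to remove". Check that the consumer of `found_var_cnt` compares values rather than just the count, otherwise a stray `SANDBOX_DENY` could be left in place instead of triggering regeneration. A comment stating that `value == NULL` means "must be unset" would also help, since this is the only place that encodes that meaning.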
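Two of the commits above touch the same problem: ecba8795 exempts `LD_LIBRARY_PATH` by a hard-coded index into `vars[]`, and b321cd40 describes the race when the environment is rewritten through `environ` while other threads call `system()`. As an added example that is not the sandbox project's `sb_check_envp()`/`sb_new_envp()` (the `sb_*` names, the owned-variable table and the constructed environment are assumptions), the code below strips sandbox-owned variables by name, so a table reorder cannot exempt the wrong one, appends the sandbox's own values, and passes the result to `posix_spawnp()`, which takes the environment as an argument and therefore never mutates the host's `environ`.

```c
/* Added example: build a per-exec envp by variable NAME rather than index,
 * and hand it to posix_spawnp so the host's environ is never mutated.
 * Not the sandbox project's code; sb_* names are assumptions for illustration. */
#define _GNU_SOURCE
#include <spawn.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Variables the sandbox owns. They are stripped from the caller's envp and
 * replaced with the sandbox's own values. Matching is by name, so reordering
 * this table cannot change which variable is kept or dropped. */
static const char *const sb_owned[] = { "LD_PRELOAD", "SANDBOX_ON", "SANDBOX_DENY", NULL };

/* True if entry is exactly "name=..."; "LD_PRELOAD_X=1" does not match "LD_PRELOAD". */
int sb_is_env_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

static int sb_is_owned(const char *entry)
{
    for (size_t i = 0; sb_owned[i]; i++)
        if (sb_is_env_var(entry, sb_owned[i]))
            return 1;
    return 0;
}

void sb_free_envp(char **envp)
{
    for (size_t i = 0; envp && envp[i]; i++)
        free(envp[i]);
    free(envp);
}

/* Return a new NULL-terminated envp: the caller's entries minus the
 * sandbox-owned ones, followed by `inject` ("NAME=value" strings).
 * *removed receives the number of entries stripped. Caller frees with
 * sb_free_envp(). environ is neither read nor written. */
char **sb_new_envp(char *const *envp, const char *const *inject, size_t *removed)
{
    size_t n = 0, m = 0, k = 0, drop = 0;
    while (envp && envp[n]) n++;
    while (inject && inject[m]) m++;

    char **out = calloc(n + m + 1, sizeof *out);
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (sb_is_owned(envp[i])) { drop++; continue; }
        if (!(out[k++] = strdup(envp[i]))) goto fail;
    }
    for (size_t i = 0; i < m; i++)
        if (!(out[k++] = strdup(inject[i]))) goto fail;
    if (removed)
        *removed = drop;
    return out;
fail:
    sb_free_envp(out);
    return NULL;
}

/* Run `sh -c cmd` with the given envp and return its exit status, or -1.
 * posix_spawnp receives the environment as a parameter, so concurrent
 * callers in other threads never observe a modified environ. */
int sb_run_sh(const char *cmd, char *const *envp)
{
    char *argv[] = { "sh", "-c", (char *)cmd, NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, "sh", NULL, NULL, argv, envp) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check with a constructed environment. Returns 0 on success. */
int sb_envp_selftest(void)
{
    char *const user_env[] = {
        "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/evil.so", "LD_LIBRARY_PATH=/opt/lib",
        "SANDBOX_ON=0", "LD_PRELOAD_X=keep", NULL,
    };
    const char *const inject[] = { "SANDBOX_ON=1", "SANDBOX_DENY=/etc", NULL };
    size_t removed = 0;
    char **e = sb_new_envp(user_env, inject, &removed);
    if (!e)
        return 1;
    int rc = removed == 2 ? 0 : 2;    /* LD_PRELOAD and SANDBOX_ON dropped */
    if (rc == 0)
        rc = sb_run_sh("test -z \"$LD_PRELOAD\" && test \"$SANDBOX_ON\" = 1 && "
                       "test \"$LD_LIBRARY_PATH\" = /opt/lib && test \"$LD_PRELOAD_X\" = keep", e);
    sb_free_envp(e);
    return rc;
}
```

`LD_LIBRARY_PATH` survives simply because it is not in `sb_owned`, and the `entry[n] == '='` check is what keeps a variable such as `LD_PRELOAD_X` from being confused with `LD_PRELOAD`; both decisions are visible in the table and the predicate rather than in a numeric index.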
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-04-02 11:22 Sergei Trofimovich
From: Sergei Trofimovich @ 2021-04-02 11:22 UTC
To: gentoo-commits
commit: b393720bc6e87d16c5013839553c894f2b163961
Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 2 11:19:46 2021 +0000
Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Fri Apr 2 11:19:46 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=b393720b
libsandbox: fix error handling of absolute_path() in check_syscall()
The failure is initially observed as a test failure on script/5 test
(getcwd against infinite recursion). On that test, sandbox was ICEing as:
* libsandbox.c:check_syscall():984: failure (Bad address):
* ISE: rmdir('confdir3')
abs_path: (null)
res_path: /confdir3
errno=14: Bad address
Signed-off-by: Sergei Trofimovich <slyfox <AT> gentoo.org>
libsandbox/libsandbox.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 166516c..3d55dd7 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -895,6 +895,9 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
bool access, debug, verbose, set;
absolute_path = resolve_path(file, 0);
+ if (!absolute_path)
+ goto error;
+
/* Do not bother dereferencing symlinks when we are using a function that
* itself does not dereference. This speeds things up and avoids updating
* the atime implicitly. #415475
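Review bot: `goto error` jumps to a label outside the hunk; confirm the `error:` path only reports and does not free `resolved_path` or other locals that are still unset at this point, since before this change the function always reached the resolution step (the ISE output in the commit message shows `res_path` had been computed while `abs_path` was NULL). Also preserve `errno` from `resolve_path()` before anything in the error path can clobber it, because the `errno=%i` line in the report is what made this failure diagnosable.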
@@ -980,7 +983,7 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
}
/* If we get here, something bad happened */
- sb_ebort("ISE: %s(%s)\n"
+ sb_ebort("ISE: %s('%s')\n"
"\tabs_path: %s\n"
"\tres_path: %s\n"
"\terrno=%i: %s\n",
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-09-07 15:35 Michał Górny
From: Michał Górny @ 2021-09-07 15:35 UTC
To: gentoo-commits
commit: 96374d9bff64bcee64340f6572cca9f1cc3f696d
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 8 15:08:54 2021 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Sep 7 15:31:07 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=96374d9b
libsandbox: adjust hard-coded denial for /var/log/sandbox
Move this hack after the read checks, but before the write checks. This
allows processes to read the log directory, but not write to it.
This is helpful in case a process does something like this:
find /var/log -name system.journal
Bug: https://bugs.gentoo.org/794949
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
Closes: https://bugs.gentoo.org/794949
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
libsandbox/libsandbox.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 3d55dd7..758c0dc 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -714,15 +714,6 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
goto out;
}
- /* Hardcode denying write to the whole log dir. While this is a
- * parial match and so rejects paths that also start with this
- * string, that isn't going to happen in real life so live with
- * it. We can't append a slash to this path either as that would
- * allow people to open the dir itself for writing.
- */
- if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION)))
- goto out;
-
if (sbcontext->read_prefixes &&
(sb_nr == SB_NR_ACCESS_RD ||
sb_nr == SB_NR_OPEN_RD ||
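Review bot: moving the hard-coded denial below the read checks means a read of anything under `SANDBOX_LOG_LOCATION` is now decided by `read_prefixes` rather than refused outright, which is the intent, but it also means the denial no longer applies to any read-class `sb_nr` at all; state that in the comment so nobody later assumes the log directory is opaque to the sandboxed process. The `strncmp` prefix match still matches `/var/log/sandboxfoo`, as the existing comment concedes; a component-aware compare (equal, or prefix followed by `/`) removes that caveat without re-opening the directory itself for writing.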
@@ -754,6 +745,15 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
}
}
+ /* Hardcode denying write to the whole log dir. While this is a
+ * parial match and so rejects paths that also start with this
+ * string, that isn't going to happen in real life so live with
+ * it. We can't append a slash to this path either as that would
+ * allow people to open the dir itself for writing.
+ */
+ if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION)))
+ goto out;
+
if (sb_nr == SB_NR_ACCESS_WR ||
sb_nr == SB_NR_CHMOD ||
sb_nr == SB_NR_CHOWN ||
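Review bot: the relocated comment carries the typo `parial` (for `partial`) with it; fix it while moving the block. The denial now sits between the read checks and the `if (sb_nr == SB_NR_ACCESS_WR || ...` write chain, so it covers the write-class numbers only because `goto out` leaves `result` at its denied value; a one-line comment that reaching `out` with `result` unchanged means deny would make that explicit.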
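The comment in the moved block admits that `strncmp(resolv_path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION))` is a partial match (`/var/log/sandboxfoo` is also denied) and that appending a slash would stop the directory itself being protected. As an added example that is not the sandbox project's code (`sb_path_under()` and `sb_deny_log_write()` are assumed names), a component-aware prefix check avoids both problems, and the second function applies it only to write-class operations, matching where the commit relocates the denial.

```c
/* Added example: deny-list prefix matching that respects path components.
 * Not the sandbox project's code; sb_path_under() and sb_deny_log_write()
 * are assumed names for illustration. */
#include <string.h>

/* True if path equals prefix or lies below it as a directory. A trailing
 * '/' on prefix is ignored so "/var/log/sandbox" and "/var/log/sandbox/"
 * behave the same. Unlike strncmp(path, prefix, strlen(prefix)) this does
 * not match "/var/log/sandboxfoo", and unlike comparing against "prefix/"
 * it does match the directory itself, so opening the directory for writing
 * is still caught. Paths are expected to be absolute and already resolved. */
int sb_path_under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    while (n > 1 && prefix[n - 1] == '/')
        n--;                                /* normalise trailing slashes */
    if (strncmp(path, prefix, n) != 0)
        return 0;
    if (n == 1 && prefix[0] == '/')         /* prefix "/" covers everything */
        return 1;
    return path[n] == '\0' || path[n] == '/';
}

/* The rule the commit relocates: reads are decided by the read prefixes
 * elsewhere; write-class operations under the log directory are denied
 * regardless of the write prefixes. Returns 1 if the call must be denied. */
int sb_deny_log_write(const char *resolved_path, int is_write, const char *log_dir)
{
    return is_write && sb_path_under(resolved_path, log_dir);
}
```

Because the check runs on the resolved path, a symlink elsewhere that points into the log directory is caught too, which is why the resolved rather than the literal path is the right input here.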
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-18 22:04 Mike Frysinger
From: Mike Frysinger @ 2021-10-18 22:04 UTC
To: gentoo-commits
commit: baf15c305c8687d1573c7accc12a62f29384259c
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 18 22:03:57 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Oct 18 22:03:57 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=baf15c30
libsandbox: fix incorrect indentation
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 02f5ef2..d69fecd 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -132,14 +132,15 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path,
save_errno();
size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0);
- if (trace_pid)
- sprintf(resolved_path, "/proc/%i/fd/%i", trace_pid, dirfd);
- else
- /* If /proc was mounted by a process in a different pid namespace,
- * getpid cannot be used to create a valid /proc/<pid> path. Instead
- * use sb_get_fd_dir() which works in any case.
- */
- sprintf(resolved_path, "%s/%i", sb_get_fd_dir(), dirfd);
+ if (trace_pid) {
+ sprintf(resolved_path, "/proc/%i/fd/%i", trace_pid, dirfd);
+ } else {
+ /* If /proc was mounted by a process in a different pid namespace,
+ * getpid cannot be used to create a valid /proc/<pid> path. Instead
+ * use sb_get_fd_dir() which works in any case.
+ */
+ sprintf(resolved_path, "%s/%i", sb_get_fd_dir(), dirfd);
+ }
ssize_t ret = readlink(resolved_path, resolved_path, at_len);
if (ret == -1) {
/* see comments at end of check_syscall() */
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-21 1:51 Mike Frysinger
From: Mike Frysinger @ 2021-10-21 1:51 UTC
To: gentoo-commits
commit: 861541d1080fca9400c264c221bc5ec6b48de1b0
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 21 01:43:36 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 21 01:43:36 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=861541d1
libsandbox: drop redundant regs ptrace lookup
We don't need to lookup the register set twice, so drop the 2nd call.
These parts of the code were merged during a refactor and while they
made sense when they were in separate places, they don't here.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 3efef23..fc700e3 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -467,9 +467,8 @@ static void trace_loop(void)
ret = trace_get_regs(®s);
nr = trace_get_sysnum(®s);
-
se = lookup_syscall_in_tbl(tbl_after_fork, nr);
- ret = trace_get_regs(®s);
+
if (before_syscall) {
_sb_debug("%s:%i", se ? se->name : "IDK", nr);
if (!trace_check_syscall(se, ®s)) {
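Review bot: `ret = trace_get_regs(®s);` (`®s` in the archived hunk is `&regs` mangled by entity decoding) assigns a return value that is never checked before `trace_get_sysnum(&regs)` and `lookup_syscall_in_tbl(...)`; if the register fetch fails, for example because the tracee was killed mid-stop, `regs` and `nr` are stale and the syscall check runs on garbage. Either check `ret` and bail out of this iteration, or drop the assignment so it is clear the value is intentionally ignored.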
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-21 20:37 Mike Frysinger
From: Mike Frysinger @ 2021-10-21 20:37 UTC
To: gentoo-commits
commit: ef35a16d1b5dcc1a99d17470799e680879278600
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 21 10:09:04 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 21 10:09:04 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ef35a16d
build: create libsandbox dir before writing files
Merging subdir Makefile.am files up meant that creation of those
dirs for outputs is no longer handled immediately by autoconf, so
make sure our custom rules have mkdir calls.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/local.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libsandbox/local.mk b/libsandbox/local.mk
index 892121a..58e597a 100644
--- a/libsandbox/local.mk
+++ b/libsandbox/local.mk
@@ -57,13 +57,16 @@ GEN_TRACE_SCRIPT = $(SCRIPT_DIR)/gen_trace_header.awk
SB_AWK = LC_ALL=C $(AWK) -v SYMBOLS_LIST="$(SYMBOLS_LIST)" -v srcdir="$(top_srcdir)/%D%" -f
%D%/libsandbox.map: $(SYMBOLS_FILE) $(GEN_VERSION_MAP_SCRIPT)
+ @$(MKDIR_P) %D%
$(AM_V_GEN)$(READELF) -s $(LIBC_PATH) | $(SB_AWK) $(GEN_VERSION_MAP_SCRIPT) > $@
%D%/symbols.h: $(SYMBOLS_FILE) $(GEN_HEADER_SCRIPT)
+ @$(MKDIR_P) %D%
$(AM_V_GEN)$(READELF) -s $(LIBC_PATH) | $(SB_AWK) $(GEN_HEADER_SCRIPT) > $@
SB_NR_FILE = %D%/sb_nr.h.in
%D%/sb_nr.h: %D%/symbols.h $(SB_NR_FILE)
+ @$(MKDIR_P) %D%
$(AM_V_GEN)$(EGREP) -h '^\#define SB_' $^ > $@
TRACE_MAKE_HEADER = \
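Review bot: `@$(MKDIR_P) %D%` is silenced unconditionally, so `make V=1` will not show it; the automake idiom is `$(AM_V_at)$(MKDIR_P) %D%`, which honours the verbosity setting like the `$(AM_V_GEN)` on the following lines. The same line is repeated before each generated header; an order-only prerequisite on the directory would avoid the duplication.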
@@ -78,6 +81,7 @@ else
endif
$(SB_SCHIZO_HEADERS): $(GEN_TRACE_SCRIPT)
+ @$(MKDIR_P) %D%
$(AM_V_GEN)for pers in $(SB_SCHIZO_SETTINGS) ; do \
t=_$${pers%:*}; \
f=$${pers#*:}; \
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-21 20:37 Mike Frysinger
From: Mike Frysinger @ 2021-10-21 20:37 UTC
To: gentoo-commits
commit: e5501952ff0513d32723f7b9a3250702076be0a6
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 21 16:00:53 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 21 16:00:53 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=e5501952
libsandbox: tweak const markings on env vars
This fixes compiler warnings, but shouldn't make a difference otherwise.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index d69fecd..b084daa 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1130,7 +1130,7 @@ bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char
typedef struct {
const char *name;
size_t len;
- char *value;
+ const char *value;
} env_pair;
#define ENV_PAIR(x, n, v) [x] = { .name = n, .len = sizeof(n) - 1, .value = v, }
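Review bot: changing `value` to `const char *` is warning-free only if no code path stores a heap string in `.value` and later frees it; with `const` such a `free(vars[i].value)` now needs a cast that hides the ownership. Confirm all `ENV_PAIR` initialisers use string literals or pointers the table does not own, otherwise the "shouldn't make a difference" claim does not hold.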
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-22 4:15 Mike Frysinger
From: Mike Frysinger @ 2021-10-22 4:15 UTC
To: gentoo-commits
commit: 511e721d08b415464ed6712efb67af24baa9d04f
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 22 04:10:32 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Oct 22 04:15:04 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=511e721d
libsandbox: use wide readelf output
Newer versions of binutils will truncate symbol output weirdly unless
the --wide option is used. This manifests itself as libsandbox not
including symbols when their name and symbol version is too long.
The new removexattr symbol tests were failing because of this, but
it seems the others were either not too long, or we didn't have any
test coverage for them (oops).
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/local.mk | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsandbox/local.mk b/libsandbox/local.mk
index 58e597a..86a7d44 100644
--- a/libsandbox/local.mk
+++ b/libsandbox/local.mk
@@ -58,11 +58,11 @@ SB_AWK = LC_ALL=C $(AWK) -v SYMBOLS_LIST="$(SYMBOLS_LIST)" -v srcdir="$(top_srcd
%D%/libsandbox.map: $(SYMBOLS_FILE) $(GEN_VERSION_MAP_SCRIPT)
@$(MKDIR_P) %D%
- $(AM_V_GEN)$(READELF) -s $(LIBC_PATH) | $(SB_AWK) $(GEN_VERSION_MAP_SCRIPT) > $@
+ $(AM_V_GEN)$(READELF) -sW $(LIBC_PATH) | $(SB_AWK) $(GEN_VERSION_MAP_SCRIPT) > $@
%D%/symbols.h: $(SYMBOLS_FILE) $(GEN_HEADER_SCRIPT)
@$(MKDIR_P) %D%
- $(AM_V_GEN)$(READELF) -s $(LIBC_PATH) | $(SB_AWK) $(GEN_HEADER_SCRIPT) > $@
+ $(AM_V_GEN)$(READELF) -sW $(LIBC_PATH) | $(SB_AWK) $(GEN_HEADER_SCRIPT) > $@
SB_NR_FILE = %D%/sb_nr.h.in
%D%/sb_nr.h: %D%/symbols.h $(SB_NR_FILE)
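Review bot: the message admits the other long symbols had no coverage, so this flag change should come with a test that asserts a long versioned name (the removexattr family with its GLIBC version suffix) actually lands in the generated map and header; without that, the next binutils formatting change will be as silent as this one was.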
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-22 4:20 Mike Frysinger
From: Mike Frysinger @ 2021-10-22 4:20 UTC
To: gentoo-commits
commit: 60cff8d682fe7816ca0656d4da27e630855287e7
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 22 04:18:15 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Oct 22 04:19:44 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=60cff8d6
libsandbox: drop old *.py[co] hack #775416
With our eclasses & python frameworks responsible for generating
these files now, we should be able to reject write attempts to these
again. Let's turn it back on and see what blows up.
Bug: http://bugs.gentoo.org/256953
Closes: https://bugs.gentoo.org/775416
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index beaf305..4e92cbe 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -868,20 +868,6 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
goto out;
}
- /* A very common bug (apparently) is for .py[co] files to fall out
- * of sync with their .py source files. Rather than trigger a hard
- * failure, let's just whine about it. Once python itself gets
- * sorted out, we can drop this #256953.
- */
- size_t len = strlen(resolv_path);
- if (len > 4) {
- const char *py = resolv_path + len - 4;
- if (!strcmp(py, ".pyc") || !strcmp(py, ".pyo")) {
- sbcontext->show_access_violation = false;
- goto out;
- }
- }
-
/* If we are here, and still no joy, and its the access() call,
* do not log it, but just return -1 */
if (sb_nr == SB_NR_ACCESS_WR) {
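Review bot: the removed block never let these writes succeed; it only cleared show_access_violation and jumped to out with result still 0, so writes to .py[co] files were being denied quietly all along. What this hunk changes is that the denial is now logged as a violation, which is what "see what blows up" relies on; the commit message should say so, otherwise readers will expect a behaviour change in the build itself.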
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-23 6:10 Mike Frysinger
From: Mike Frysinger @ 2021-10-23 6:10 UTC
To: gentoo-commits
commit: 44ae70a638486dee0feb427ec9731bc4d723ce0b
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 23 04:33:28 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Oct 23 04:33:28 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=44ae70a6
libsandbox: regen trace headers when symbols header changes
Since it uses the symbols header as input, make sure we regen on
changes to it so we don't get stuck in weird stale states.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/local.mk | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsandbox/local.mk b/libsandbox/local.mk
index 86a7d44..f0ef01f 100644
--- a/libsandbox/local.mk
+++ b/libsandbox/local.mk
@@ -73,14 +73,14 @@ TRACE_MAKE_HEADER = \
$(SB_AWK) $(GEN_TRACE_SCRIPT) -v MODE=gen | \
$(COMPILE) -E -P -include $(top_srcdir)/headers.h - $$f | \
$(SB_AWK) $(GEN_TRACE_SCRIPT) -v syscall_prefix=$$t > $$header
-%D%/trace_syscalls.h: $(GEN_TRACE_SCRIPT) $(SB_SCHIZO_HEADERS)
+%D%/trace_syscalls.h: $(SYMBOLS_FILE) $(GEN_TRACE_SCRIPT) $(SB_SCHIZO_HEADERS)
if SB_SCHIZO
$(AM_V_GEN)touch $@
else
$(AM_V_GEN)t= f= header=$@; $(TRACE_MAKE_HEADER)
endif
-$(SB_SCHIZO_HEADERS): $(GEN_TRACE_SCRIPT)
+$(SB_SCHIZO_HEADERS): $(SYMBOLS_FILE) $(GEN_TRACE_SCRIPT)
@$(MKDIR_P) %D%
$(AM_V_GEN)for pers in $(SB_SCHIZO_SETTINGS) ; do \
t=_$${pers%:*}; \
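Review bot: the title says the trace headers must regenerate when the symbols header changes, but the prerequisite added to both rules is $(SYMBOLS_FILE), the hand-maintained list, not %D%/symbols.h, the generated header the script reads. Listing %D%/symbols.h directly would also order the two generations under make -j, since nothing in these rules guarantees symbols.h exists before TRACE_MAKE_HEADER runs.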
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-23 6:10 Mike Frysinger
From: Mike Frysinger @ 2021-10-23 6:10 UTC
To: gentoo-commits
commit: b9756c8938e2b5c7712c15ef0add7342790614a6
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 23 04:35:14 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Oct 23 04:35:14 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=b9756c89
libsandbox: only lookup syscall number on entry
The ptrace API does not guarantee the syscall number lookup will be
valid on syscall exit (since the underlying register might have been
clobbered), so stop trying to look it up then. We only used it when
decoding entry anyways, so this is more minor housekeeping.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 77991e1..89bd591 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -390,8 +390,8 @@ static void trace_loop(void)
bool before_exec, before_syscall, fake_syscall_ret;
unsigned event;
long ret;
- int nr, status, sig;
- const struct syscall_entry *se, *tbl_after_fork;
+ int status, sig;
+ const struct syscall_entry *tbl_after_fork;
before_exec = true;
before_syscall = false;
@@ -461,10 +461,12 @@ static void trace_loop(void)
}
ret = trace_get_regs(®s);
- nr = trace_get_sysnum(®s);
- se = lookup_syscall_in_tbl(tbl_after_fork, nr);
if (before_syscall) {
+ /* NB: The kernel guarantees syscall NR is valid only on entry. */
+ int nr = trace_get_sysnum(®s);
+ const struct syscall_entry *se = lookup_syscall_in_tbl(tbl_after_fork, nr);
+
_sb_debug("%s:%i", se ? se->name : "IDK", nr);
if (!trace_check_syscall(se, ®s)) {
sb_debug_dyn("trace_loop: forcing EPERM after %s\n", se->name);
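Review bot: se is guarded against NULL on the _sb_debug line ("IDK") but dereferenced unconditionally in the sb_debug_dyn call two lines below; if trace_check_syscall can return false for an unknown syscall, that is a NULL dereference inside the tracer. Either reuse the same se ? se->name : "IDK" guard here or document that trace_check_syscall always passes a NULL entry.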
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-23 22:19 Mike Frysinger
From: Mike Frysinger @ 2021-10-23 22:19 UTC
To: gentoo-commits
commit: 9b81814db56a02384e40f6e19576a4e9777628ac
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 23 06:39:35 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Oct 23 22:18:03 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9b81814d
libsandbox: fix flags extraction for a few syscalls
While many syscalls follow similar patterns for dirfd & path handling,
the flags argument is less consistent -- it tends to be last with all
other arguments in between. As a result, a few syscalls were pulling
the wrong argument for the flags settings:
* fchmodat: the syscall interface has no flags at all
* fchownat: the flags come after uid & gid
* utimensat: the flags come after the timespec
These syscalls haven't been a problem in practice because no one ever
tries to chmod/chown/utimes on symlinks themselves.
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 89bd591..7660d47 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -217,6 +217,7 @@ struct syscall_state {
bool (*pre_check)(const char *func, const char *pathname, int dirfd);
};
+/* Check syscall that only takes a path as its |ibase| argument. */
static bool _trace_check_syscall_C(struct syscall_state *state, int ibase)
{
char *path = do_peekstr(trace_arg(state->regs, ibase));
@@ -233,6 +234,7 @@ static bool _trace_check_syscall_C(struct syscall_state *state, int ibase)
free(path);
return ret;
}
+/* Check syscall that only takes a path as its first argument. */
static bool trace_check_syscall_C(struct syscall_state *state)
{
return _trace_check_syscall_C(state, 1);
@@ -255,20 +257,24 @@ static bool __trace_check_syscall_DCF(struct syscall_state *state, int ibase, in
free(path);
return ret;
}
-static bool _trace_check_syscall_DCF(struct syscall_state *state, int ibase)
+/* Check syscall that takes a dirfd & path starting at |ibase| argument, and flags at |fbase|. */
+static bool _trace_check_syscall_DCF(struct syscall_state *state, int ibase, int fbase)
{
- int flags = trace_arg(state->regs, ibase + 2);
+ int flags = trace_arg(state->regs, fbase);
return __trace_check_syscall_DCF(state, ibase, flags);
}
+/* Check syscall that takes a dirfd, path, and flags as its first 3 arguments. */
static bool trace_check_syscall_DCF(struct syscall_state *state)
{
- return _trace_check_syscall_DCF(state, 1);
+ return _trace_check_syscall_DCF(state, 1, 3);
}
+/* Check syscall that takes a dirfd & path starting at |ibase| argument. */
static bool _trace_check_syscall_DC(struct syscall_state *state, int ibase)
{
return __trace_check_syscall_DCF(state, ibase, 0);
}
+/* Check syscall that takes a dirfd & path as its first 2 arguments (but no flags). */
static bool trace_check_syscall_DC(struct syscall_state *state)
{
return _trace_check_syscall_DC(state, 1);
@@ -311,12 +317,13 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
else if (nr == SB_NR_CHMOD) return trace_check_syscall_C (&state);
else if (nr == SB_NR_CHOWN) return trace_check_syscall_C (&state);
else if (nr == SB_NR_CREAT) return trace_check_syscall_C (&state);
- else if (nr == SB_NR_FCHMODAT) return trace_check_syscall_DCF(&state);
- else if (nr == SB_NR_FCHOWNAT) return trace_check_syscall_DCF(&state);
+ /* NB: Linux syscall does not have a flags argument. */
+ else if (nr == SB_NR_FCHMODAT) return trace_check_syscall_DC (&state);
+ else if (nr == SB_NR_FCHOWNAT) return _trace_check_syscall_DCF(&state, 1, 5);
else if (nr == SB_NR_FUTIMESAT) return trace_check_syscall_DC (&state);
else if (nr == SB_NR_LCHOWN) return trace_check_syscall_C (&state);
else if (nr == SB_NR_LINK) return _trace_check_syscall_C (&state, 2);
- else if (nr == SB_NR_LINKAT) return _trace_check_syscall_DCF(&state, 3);
+ else if (nr == SB_NR_LINKAT) return _trace_check_syscall_DCF(&state, 3, 5);
else if (nr == SB_NR_MKDIR) return trace_check_syscall_C (&state);
else if (nr == SB_NR_MKDIRAT) return trace_check_syscall_DC (&state);
else if (nr == SB_NR_MKNOD) return trace_check_syscall_C (&state);
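Review bot: the new indices match the kernel ABI (fchownat: dirfd, path, uid, gid, flags; linkat: olddirfd, oldpath, newdirfd, newpath, flags), but the message says nothing exercised them. Add a test that calls fchownat and utimensat with AT_SYMLINK_NOFOLLOW on a symlink whose target lies outside the sandbox, so the argument positions are pinned by the suite instead of by reading the man pages.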
@@ -336,7 +343,7 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
else if (nr == SB_NR_UNLINKAT) return trace_check_syscall_DCF(&state);
else if (nr == SB_NR_UTIME) return trace_check_syscall_C (&state);
else if (nr == SB_NR_UTIMES) return trace_check_syscall_C (&state);
- else if (nr == SB_NR_UTIMENSAT) return _trace_check_syscall_DCF(&state, 1);
+ else if (nr == SB_NR_UTIMENSAT) return _trace_check_syscall_DCF(&state, 1, 4);
else if (nr == SB_NR_ACCESS) {
char *path = do_peekstr(trace_arg(regs, 1));
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-28 3:41 Mike Frysinger
From: Mike Frysinger @ 2021-10-28 3:41 UTC
To: gentoo-commits
commit: 49e6eb50d1c77f06d8b4c728cd222d3d404c8d08
Author: Mike Frysinger <vapier <AT> chromium <DOT> org>
AuthorDate: Thu Oct 28 03:17:00 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 28 03:17:00 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=49e6eb50
libsandbox: drop lstat check for symlink funcs
When checking paths for violations, we need to know whether the path
is a symlink, and whether the current function dereferences them. If
it dereferences, we have to check the symlink and its target. If it
doesn't, we can skip the target check.
The helper to see if the function operates on symlinks ends with an
lstat on the path itself -- if it exists and is a symlink, we will
skip the target check. If it doesn't exist, or isn't a symlink, we
check the target. This logic doesn't make sense since (1) if it
doesn't exist, or isn't a symlink, there is no "target" and (2) the
symlink nature of the function is unchanged.
In practice, this largely doesn't matter. If the path wasn't a
symlink, and it (as the source) already passed checks, then it's
also going to pass checks (as the target) since they're the same
path.
However, we get into a fun TOCTOU race: if there are multiple things
trying to create a symlink at the same path, then we can get into a
state where:
- process 1 calls a symlink func on a path that doesn't exist
- lstat fails, so symlink_func() returns false
- the kernel context switches away from process 1
- process 2 calls a symlink func on the same path
- lstat fails, so symlink_func() returns false
- the target path is "resolved" and passes validation
- process 2 creates the symlink to a place like /usr/bin/foo
- process 1 resumes
- the target path is resolved since it now actually exists
- the target is a bad path (/usr/bin/foo)
- sandbox denies the access even though it's a func that only
operates on symlinks and never dereferences
This scenario happens too rarely (because it's so weird), but it is
possible. A quick way to reproduce is with:
while [[ ! -e $SANDBOX_LOG ]] ; do
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
rm -f f
wait
done
Eventually this will manage to trigger the TOCTOU race.
So just delete the lstat check in the symlink_func() helper. If the
path doesn't exist, we can safely let it fail. If the path shows up
in parallel, either as a symlink or not, we already validated it as
being safe, so letting the func be called is safe.
Bug: https://issuetracker.google.com/issues/204375293
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/libsandbox.c | 51 ++++++++++++++++++++++---------------------------
1 file changed, 23 insertions(+), 28 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 4e92cbe..b4db9ba 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -671,36 +671,31 @@ static int check_prefixes(char **prefixes, int num_prefixes, const char *path)
}
/* Is this a func that works on symlinks, and is the file a symlink ? */
-static bool symlink_func(int sb_nr, int flags, const char *abs_path)
+static bool symlink_func(int sb_nr, int flags)
{
- struct stat st;
-
/* These funcs always operate on symlinks */
- if (!(sb_nr == SB_NR_UNLINK ||
- sb_nr == SB_NR_UNLINKAT ||
- sb_nr == SB_NR_LCHOWN ||
- sb_nr == SB_NR_LREMOVEXATTR ||
- sb_nr == SB_NR_LSETXATTR ||
- sb_nr == SB_NR_REMOVE ||
- sb_nr == SB_NR_RENAME ||
- sb_nr == SB_NR_RENAMEAT ||
- sb_nr == SB_NR_RENAMEAT2 ||
- sb_nr == SB_NR_RMDIR ||
- sb_nr == SB_NR_SYMLINK ||
- sb_nr == SB_NR_SYMLINKAT))
- {
- /* These funcs sometimes operate on symlinks */
- if (!((sb_nr == SB_NR_FCHOWNAT ||
- sb_nr == SB_NR_FCHMODAT ||
- sb_nr == SB_NR_UTIMENSAT) &&
- (flags & AT_SYMLINK_NOFOLLOW)))
- return false;
- }
+ if (sb_nr == SB_NR_UNLINK ||
+ sb_nr == SB_NR_UNLINKAT ||
+ sb_nr == SB_NR_LCHOWN ||
+ sb_nr == SB_NR_LREMOVEXATTR ||
+ sb_nr == SB_NR_LSETXATTR ||
+ sb_nr == SB_NR_REMOVE ||
+ sb_nr == SB_NR_RENAME ||
+ sb_nr == SB_NR_RENAMEAT ||
+ sb_nr == SB_NR_RENAMEAT2 ||
+ sb_nr == SB_NR_RMDIR ||
+ sb_nr == SB_NR_SYMLINK ||
+ sb_nr == SB_NR_SYMLINKAT)
+ return true;
- if (-1 != lstat(abs_path, &st) && S_ISLNK(st.st_mode))
+ /* These funcs sometimes operate on symlinks */
+ if ((sb_nr == SB_NR_FCHOWNAT ||
+ sb_nr == SB_NR_FCHMODAT ||
+ sb_nr == SB_NR_UTIMENSAT) &&
+ (flags & AT_SYMLINK_NOFOLLOW))
return true;
- else
- return false;
+
+ return false;
}
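Review bot: the comment above the function still reads "and is the file a symlink ?", which is exactly the lstat question this hunk removes; update it to say the answer now depends only on the function and its flags, otherwise the next reader will try to put the stat back.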
static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
@@ -709,7 +704,7 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
int old_errno = errno;
int result = 0;
int retval;
- bool sym_func = symlink_func(sb_nr, flags, abs_path);
+ bool sym_func = symlink_func(sb_nr, flags);
retval = check_prefixes(sbcontext->deny_prefixes,
sbcontext->num_deny_prefixes, abs_path);
@@ -904,7 +899,7 @@ static int check_syscall(sbcontext_t *sbcontext, int sb_nr, const char *func,
* itself does not dereference. This speeds things up and avoids updating
* the atime implicitly. #415475
*/
- if (symlink_func(sb_nr, flags, absolute_path))
+ if (symlink_func(sb_nr, flags))
resolved_path = absolute_path;
else
resolved_path = resolve_path(file, 1);
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-28 7:14 Mike Frysinger
From: Mike Frysinger @ 2021-10-28 7:14 UTC
To: gentoo-commits
commit: a374b1f829a07cce3eb708f078a2a70f9bc4d975
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 28 05:49:33 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 28 05:49:33 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=a374b1f8
libsandbox: fix signal pass through with ptrace main loop
When we're notified that the child has received a signal, we need to
pass it through since we don't care about signals. We did that, but
using PTRACE_CONT which causes the process to just resume, and then
we'd call PTRACE_SYSCALL on that resumed state. When the pass thru
logic was a signal handler, PTRACE_CONT was correct since it would
come in while in the middle of PTRACE_SYSCALL, but after the rewrite
of the main loop, it's now the wrong call. Pass the signal back to
the existing PTRACE_SYSCALL call so that we stay in the main loop
and get notified on the next syscall event.
Closes: https://bugs.gentoo.org/820407
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index b7e65b4..d53051d 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -405,13 +405,16 @@ static void trace_loop(void)
long ret;
int status, sig;
const struct syscall_entry *tbl_after_fork;
+ void *data;
before_exec = true;
before_syscall = false;
fake_syscall_ret = false;
tbl_after_fork = NULL;
+ data = NULL;
do {
- ret = do_ptrace(PTRACE_SYSCALL, NULL, NULL);
+ ret = do_ptrace(PTRACE_SYSCALL, NULL, data);
+ data = NULL;
waitpid(trace_pid, &status, 0);
event = (unsigned)status >> 16;
@@ -444,7 +447,7 @@ static void trace_loop(void)
* and we'll exit then.
*/
sb_debug("passing signal through %s (%i)", strsig(sig), sig);
- do_ptrace(PTRACE_CONT, NULL, (void *)(uintptr_t)(sig));
+ data = (void *)(uintptr_t)(sig);
continue;
}
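Review bot: the signal now survives only because nothing between this assignment and the do_ptrace at the top of the loop calls ptrace; add a comment at the data = line saying the pending signal is consumed by the next PTRACE_SYSCALL, and note that the data = NULL reset right after that call means a failed do_ptrace silently drops the signal rather than retrying it.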
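The failure mode described in this message, as an added example that is not libsandbox code: a minimal tracer in C whose tracee raises SIGUSR1 at itself. In one mode the signal is handed to the same PTRACE_SYSCALL that drives the loop; in the other it is injected with a separate PTRACE_CONT and the loop then issues PTRACE_SYSCALL on an already-running tracee, which is the pattern the patch removes. The function and mode names are hypothetical, the tracee is constructed inline, and the example needs a kernel that permits PTRACE_TRACEME.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not libsandbox code.  Mode names are hypothetical. */
enum resume_mode {
    RESUME_WITH_SYSCALL = 0,           /* pass the signal via PTRACE_SYSCALL's data */
    RESUME_WITH_CONT_THEN_SYSCALL = 1  /* the pre-fix pattern: PTRACE_CONT, then loop */
};

struct trace_result {
    int exit_code;                   /* tracee's exit status, or -1 if never traced */
    int syscall_stops_after_signal;  /* syscall-stops seen once SIGUSR1 was forwarded */
    int ptrace_errors;               /* ptrace(2) calls that failed inside the loop */
};

static volatile sig_atomic_t got_usr1;
static void on_usr1(int sig) { (void)sig; got_usr1 = 1; }

/* Constructed tracee: raise SIGUSR1 at itself; exit 1 if the handler ran, 2 if not. */
static void tracee_body(void)
{
    signal(SIGUSR1, on_usr1);
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(3);                        /* ptrace not permitted in this environment */
    raise(SIGSTOP);                      /* let the tracer set options first */
    kill(getpid(), SIGUSR1);             /* tracer observes a signal-delivery-stop */
    _exit(got_usr1 ? 1 : 2);
}

struct trace_result trace_demo(enum resume_mode mode)
{
    struct trace_result r = { -1, 0, 0 };
    int status, sig = 0, signal_seen = 0;
    pid_t pid = fork();

    if (pid == -1)
        return r;
    if (pid == 0)
        tracee_body();

    if (waitpid(pid, &status, 0) != pid)
        return r;
    if (!WIFSTOPPED(status)) {           /* PTRACE_TRACEME failed; child already exited */
        if (WIFEXITED(status))
            r.exit_code = WEXITSTATUS(status);
        return r;
    }
    /* Report syscall-stops as SIGTRAP|0x80 so they cannot be mistaken for a real SIGTRAP. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) == -1) {
        r.ptrace_errors++;
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        return r;
    }

    for (;;) {
        /* The single restart that drives the loop; sig is 0 unless a signal is pending. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            r.ptrace_errors++;
        sig = 0;
        if (waitpid(pid, &status, 0) != pid)
            break;
        if (WIFEXITED(status)) { r.exit_code = WEXITSTATUS(status); break; }
        if (WIFSIGNALED(status)) { r.exit_code = 128 + WTERMSIG(status); break; }
        if (!WIFSTOPPED(status))
            continue;

        int stopsig = WSTOPSIG(status);
        if (stopsig == (SIGTRAP | 0x80)) {          /* syscall entry or exit stop */
            if (signal_seen)
                r.syscall_stops_after_signal++;
            continue;
        }
        /* Signal-delivery-stop: the tracee must receive this signal, not lose it. */
        signal_seen = 1;
        if (mode == RESUME_WITH_SYSCALL)
            sig = stopsig;                           /* injected by the next PTRACE_SYSCALL */
        else if (ptrace(PTRACE_CONT, pid, NULL, (void *)(long)stopsig) == -1)
            r.ptrace_errors++;                       /* tracee runs on; next PTRACE_SYSCALL gets ESRCH */
    }
    return r;
}

int main(void)
{
    struct trace_result a = trace_demo(RESUME_WITH_SYSCALL);
    struct trace_result b = trace_demo(RESUME_WITH_CONT_THEN_SYSCALL);
    printf("PTRACE_SYSCALL with signal     : exit=%d stops_after_signal=%d ptrace_errors=%d\n",
           a.exit_code, a.syscall_stops_after_signal, a.ptrace_errors);
    printf("PTRACE_CONT then PTRACE_SYSCALL: exit=%d stops_after_signal=%d ptrace_errors=%d\n",
           b.exit_code, b.syscall_stops_after_signal, b.ptrace_errors);
    return 0;
}
```

In the first mode the tracer keeps receiving syscall-stops after the signal (the handler's sigreturn, then exit_group), so it stays in control until the tracee exits. In the second mode the tracee is already running when the loop's PTRACE_SYSCALL is issued, that call fails with ESRCH, and no further syscall-stop is ever reported: the tracer only learns about the child again when it exits, which is how the rewritten main loop lost the process.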
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-28 9:56 Mike Frysinger
From: Mike Frysinger @ 2021-10-28 9:56 UTC
To: gentoo-commits
commit: 7aef2481be644aa3117dea4ffa96e0fa94709fa2
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 28 09:53:34 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 28 09:53:34 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=7aef2481
build: create libsandbox for trace_syscalls.h too
Commit ef35a16d1b5dcc1a99d17470799e680879278600 ("build: create
libsandbox dir before writing files") added a mkdir call to most
targets, but trace_syscalls.h was missed.
Bug: https://issuetracker.google.com/issues/204404822
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/local.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsandbox/local.mk b/libsandbox/local.mk
index a386505..131bcd8 100644
--- a/libsandbox/local.mk
+++ b/libsandbox/local.mk
@@ -72,6 +72,7 @@ TRACE_MAKE_HEADER = \
$(COMPILE) -E -P -include $(top_srcdir)/headers.h - $$f | \
$(SB_AWK) $(GEN_TRACE_SCRIPT) -v syscall_prefix=$$t > $$header
%D%/trace_syscalls.h: $(SYMBOLS_FILE) $(GEN_TRACE_SCRIPT) $(SB_SCHIZO_HEADERS)
+ @$(MKDIR_P) %D%
if SB_SCHIZO
$(AM_V_GEN)touch $@
else
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-10-31 23:54 Mike Frysinger
From: Mike Frysinger @ 2021-10-31 23:54 UTC
To: gentoo-commits
commit: d8b9a41d76de38cab079951cd494cdb491b55126
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 31 23:50:01 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Oct 31 23:50:01 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=d8b9a41d
libsandbox: do not use ptrace if it returns ENOSYS
QEMU's linux-user does not implement ptrace for any architecture, and
any attempt to call it fails with ENOSYS. Detect that scenario.
Closes: https://bugs.gentoo.org/648516
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 4e01f6e..4ae58aa 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -584,8 +584,14 @@ static char *flatten_args(char *const argv[])
bool trace_possible(const char *filename, char *const argv[], const void *data)
{
- if (_trace_possible(data))
- return true;
+ if (_trace_possible(data)) {
+ /* If we're in an environment like QEMU where ptrace doesn't work, then
+ * don't try to use it. If ptrace does work, this should fail with ESRCH.
+ */
+ errno = 0;
+ ptrace(PTRACE_CONT, 0, NULL, NULL);
+ return errno == ENOSYS ? false : true;
+ }
char *args = flatten_args(argv);
sb_eqawarn("Unable to trace static ELF: %s: %s\n", filename, args);
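Review bot: the probe only singles out ENOSYS; every other errno, including EPERM from a seccomp policy that denies ptrace, is reported as "tracing works" and the failure surfaces later when the real PTRACE_TRACEME runs. The comment already states that the healthy outcome is ESRCH, so test errno == ESRCH as the positive signal, and cache the answer in a static since trace_possible is reached for every static exec.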
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-11-03 6:59 Mike Frysinger
From: Mike Frysinger @ 2021-11-03 6:59 UTC
To: gentoo-commits
commit: 746d68ae5972575d5fd87b7bd82e318d56352d9e
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 3 06:40:08 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Nov 3 06:40:08 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=746d68ae
libsandbox: add YAMA checks and skip ptrace when active
The YAMA ptrace_scope knob restricts access to different ptrace calls
depending on the capabilities the current process holds. For now, do
not try to ptrace processes when the YAMA level is incompatible with
the capabilities that we have.
This means we basically cannot protect against processes when they
get into this state, so for now, we release them rather than abort.
Bug: https://bugs.gentoo.org/771360
Bug: https://bugs.gentoo.org/821403
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 2110a46..f3390d9 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -46,6 +46,26 @@ pid_t trace_pid;
# define sb_openat_pre_check sb_openat64_pre_check
#endif
+static int trace_yama_level(void)
+{
+ char ch;
+ int fd;
+
+ /* ptrace scope binds access to specific capabilities. Lets use uid==0 as a
+ * lazy proxy for "we have all capabilities" until we can refine this.
+ */
+ if (getuid() == 0)
+ return 0;
+
+ fd = open("/proc/sys/kernel/yama/ptrace_scope", O_RDONLY | O_CLOEXEC);
+ if (fd == -1)
+ return 0;
+
+ RETRY_EINTR(read(fd, &ch, 1));
+ close(fd);
+ return ch - '0';
+}
+
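Review bot: the read() result is not checked; if it returns 0 or -1, ch is uninitialized and ch - '0' yields an arbitrary level that the callers then compare against 1 and 2. Require the read to return 1 and ch to be a digit, and fall back to 0 otherwise, matching the open-failure path just above.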
static void trace_exit(int status)
{
/* if we were vfork-ed, clear trace_pid and exit */
@@ -526,6 +546,16 @@ static void trace_loop(void)
sb_debug("following forking event %i; pid=%li %i\n",
event, newpid, before_syscall);
+ /* If YAMA ptrace_scope is active, then we can't hand off the child
+ * to a new tracer. Give up. #821403
+ */
+ int yama = trace_yama_level();
+ if (yama >= 1) {
+ sb_eqawarn("Unable to trace children due to YAMA ptrace_scope=%i\n", yama);
+ ptrace(PTRACE_DETACH, newpid, NULL, NULL);
+ continue;
+ }
+
/* Pipe for synchronizing detach & attach events. */
int fds[2];
ret = pipe(fds);
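Review bot: this opens and parses /proc/sys/kernel/yama/ptrace_scope on every fork event, although the level cannot change underneath a running build without a sysctl write, so read it once when tracing starts and reuse it. Also, PTRACE_DETACH here releases the child completely unsandboxed, as the message concedes; the warning should say that explicitly so whoever reads the build log knows that child's later writes were never checked.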
@@ -674,6 +704,13 @@ static char *flatten_args(char *const argv[])
bool trace_possible(const char *filename, char *const argv[], const void *data)
{
+ /* If YAMA ptrace_scope is very high, then we can't trace at all. #771360 */
+ int yama = trace_yama_level();
+ if (yama >= 2) {
+ sb_eqawarn("YAMA ptrace_scope=%i\n", yama);
+ goto fail;
+ }
+
if (_trace_possible(data)) {
/* If we're in an environment like QEMU where ptrace doesn't work, then
* don't try to use it. If ptrace does work, this should fail with ESRCH.
@@ -683,6 +720,7 @@ bool trace_possible(const char *filename, char *const argv[], const void *data)
return errno == ENOSYS ? false : true;
}
+ fail:
char *args = flatten_args(argv);
sb_eqawarn("Unable to trace static ELF: %s: %s\n", filename, args);
free(args);
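Review bot: fail: is immediately followed by the declaration char *args = flatten_args(argv), and a label must be followed by a statement, not a declaration, in C before C23; compilers that enforce this reject the file. Hoist the declaration to the top of the function.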
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-11-03 16:40 Mike Frysinger
From: Mike Frysinger @ 2021-11-03 16:40 UTC
To: gentoo-commits
commit: 82f6d876660ba1132d75ccfef5c4301d123ea505
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 3 16:25:10 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Nov 3 16:25:10 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=82f6d876
libsandbox: tweak label/decl code for some compiler settings
Looks like gcc is inconsistent in when it chokes on this code:
> a label can only be part of a statement and a declaration is not a statement
Hoist the decl up to the top of scope to avoid the issue.
Bug: https://bugs.gentoo.org/821433
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index f3390d9..d2899b7 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -704,6 +704,8 @@ static char *flatten_args(char *const argv[])
bool trace_possible(const char *filename, char *const argv[], const void *data)
{
+ char *args;
+
/* If YAMA ptrace_scope is very high, then we can't trace at all. #771360 */
int yama = trace_yama_level();
if (yama >= 2) {
@@ -721,7 +723,7 @@ bool trace_possible(const char *filename, char *const argv[], const void *data)
}
fail:
- char *args = flatten_args(argv);
+ args = flatten_args(argv);
sb_eqawarn("Unable to trace static ELF: %s: %s\n", filename, args);
free(args);
return false;
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2021-11-03 16:40 Mike Frysinger
From: Mike Frysinger @ 2021-11-03 16:40 UTC
To: gentoo-commits
commit: 01318f0d48654425b4ea3a90520a52f774b60ead
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 3 16:34:54 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Nov 3 16:34:54 2021 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=01318f0d
libsandbox: refine yama check to abort on level 3+
There's no way we can support level 3+ since the kernel blocks it,
so give up and inform the user their setup is incompatible.
Bug: https://bugs.gentoo.org/771360
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
libsandbox/trace.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index d2899b7..036d57f 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -49,13 +49,7 @@ pid_t trace_pid;
static int trace_yama_level(void)
{
char ch;
- int fd;
-
- /* ptrace scope binds access to specific capabilities. Lets use uid==0 as a
- * lazy proxy for "we have all capabilities" until we can refine this.
- */
- if (getuid() == 0)
- return 0;
+ int fd, level;
fd = open("/proc/sys/kernel/yama/ptrace_scope", O_RDONLY | O_CLOEXEC);
if (fd == -1)
@@ -63,7 +57,25 @@ static int trace_yama_level(void)
RETRY_EINTR(read(fd, &ch, 1));
close(fd);
- return ch - '0';
+ level = ch - '0';
+
+ switch (level) {
+ case 0:
+ /* Normal levels work fine. */
+ return 0;
+
+ case 1:
+ case 2:
+ /* ptrace scope binds access to specific capabilities. Lets use uid==0 as a
+ * lazy proxy for "we have all capabilities" until we can refine this.
+ */
+ return getuid() == 0 ? 0 : level;
+
+ case 3:
+ default:
+ /* Level 3+ is not supported. */
+ sb_ebort("YAMA ptrace_scope=%i+ is not supported as it makes tracing impossible.\n", level);
+ }
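Review bot: the default branch ends in sb_ebort with no return; unless sb_ebort is declared noreturn, the compiler warns that control reaches the end of a non-void function and callers may see an indeterminate level. A non-digit read (ch outside '0'..'9', or an unchecked short read leaving ch uninitialized) also lands in default and aborts with a misleading "ptrace_scope=N+" message; validate ch first and treat an unparseable file as level 0, the same as the open-failure path.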
}
static void trace_exit(int status)
@@ -709,7 +721,7 @@ bool trace_possible(const char *filename, char *const argv[], const void *data)
/* If YAMA ptrace_scope is very high, then we can't trace at all. #771360 */
int yama = trace_yama_level();
if (yama >= 2) {
- sb_eqawarn("YAMA ptrace_scope=%i\n", yama);
+ sb_eqawarn("YAMA ptrace_scope=%i is not currently supported\n", yama);
goto fail;
}
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2023-08-01 14:14 Mike Gilbert
From: Mike Gilbert @ 2023-08-01 14:14 UTC
To: gentoo-commits
commit: 27232d52fee4abecd5f709acc616fa1296e0464f
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 31 15:39:40 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Jul 31 15:42:59 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=27232d52
libsandbox: always permit access to '/memfd:'
For memfd objects, the kernel populates the target for symlinks under
/proc/$PID/fd as "/memfd:name". Said target does not actually exist.
It is unfortunate that the kernel includes the leading slash, but we
will just have to work around it.
Bug: https://bugs.gentoo.org/910561
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/libsandbox.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 847b4e2..e5f6d38 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
/* Fall in a read/write denied path, Deny Access */
goto out;
+ if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) {
+ /* Allow operations on memfd objects #910561 */
+ result = 1;
+ goto out;
+ }
+
if (!sym_func) {
retval = check_prefixes(sbcontext->deny_prefixes,
sbcontext->num_deny_prefixes, resolv_path);
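Review bot: the check is a plain prefix match on resolv_path, so a literal path such as /memfd:x supplied by the tracee passes it just like a readlink'd memfd target; nothing here distinguishes the two. The message states the target does not really exist, so narrowing the whitelist to paths that also fail a stat() would keep the workaround from doubling as a way to write under "/memfd:" on the real filesystem; at minimum the comment should say the collision is accepted.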
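What the kernel actually reports for a memfd, as an added example that is not libsandbox code: the program creates a memfd, reads the /proc/self/fd link for it, runs the same "/memfd:" prefix test the patch adds, and confirms that no such path exists on disk. Function names are hypothetical; it needs a glibc with memfd_create() and a mounted /proc.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not libsandbox code.  Function names are hypothetical. */

/* The test the patch adds, applied to a link target string. */
int is_memfd_target(const char *target)
{
    return strncmp(target, "/memfd:", strlen("/memfd:")) == 0;
}

/* Read the symlink target of /proc/self/fd/<fd>; returns its length or -1. */
ssize_t fd_link_target(int fd, char *buf, size_t buflen)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';                       /* readlink(2) does not NUL-terminate */
    return n;
}

/* Create a memfd, resolve its /proc link into target, and return a bitmask:
 *   bit 0: the target starts with "/memfd:"
 *   bit 1: a path with that exact name also exists on the real filesystem
 * Returns -1 if memfd_create() or readlink() fails. */
int memfd_probe(char *target, size_t targetlen)
{
    int fd = memfd_create("sandbox-example", MFD_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = fd_link_target(fd, target, targetlen);
    close(fd);
    if (n < 0)
        return -1;

    struct stat st;
    int mask = is_memfd_target(target) ? 1 : 0;
    if (stat(target, &st) == 0)
        mask |= 2;                       /* would mean the kernel's name collides with a real file */
    return mask;
}

/* Convenience wrapper when the caller does not need the target text. */
int memfd_probe_result(void)
{
    char target[256];
    return memfd_probe(target, sizeof target);
}

int main(void)
{
    char target[256];
    int mask = memfd_probe(target, sizeof target);
    if (mask < 0) {
        perror("memfd_probe");
        return 1;
    }
    printf("link target: %s\n", target);
    printf("memfd prefix matched: %s, exists on disk: %s\n",
           (mask & 1) ? "yes" : "no", (mask & 2) ? "yes" : "no");
    return 0;
}
```

The link target begins with the leading slash the commit message complains about, and stat() on it fails, which is why libsandbox's path resolution has nothing on disk to check and must special-case the prefix.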
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2023-08-04 0:26 Mike Gilbert
From: Mike Gilbert @ 2023-08-04 0:26 UTC
To: gentoo-commits
commit: 8d6a4839ebd909903691e4a71d6a94b3809adc82
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 17 14:55:27 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Thu Aug 3 19:12:42 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=8d6a4839
libsandbox: skip checking access() without W_OK or R_OK mode
If access/faccessat is called with F_OK or X_OK in the mode argument,
there is no need to check the path.
Bug: https://bugs.gentoo.org/910273
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/libsandbox.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index e5f6d38..08b85ce 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1095,8 +1095,11 @@ bool before_syscall_access(int dirfd, int sb_nr, const char *func, const char *f
const char *ext_func;
if (flags & W_OK)
sb_nr = SB_NR_ACCESS_WR, ext_func = "access_wr";
- else
+ else if (flags & R_OK)
sb_nr = SB_NR_ACCESS_RD, ext_func = "access_rd";
+ else
+ /* Must be F_OK or X_OK; we do not need to check either. */
+ return true;
return before_syscall(dirfd, sb_nr, ext_func, file, flags);
}
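Review bot: the new `else` arm at the end of the hunk is a comment line followed by an unbraced `return true;`; wrap the two lines in braces so the body cannot be misread and a later addition does not silently fall outside the branch. The early return also skips `before_syscall()` altogether, so F_OK/X_OK probes no longer go through the dirfd resolution and path-length handling there; that is consistent with the commit message (access() only queries permissions, it never opens or modifies), but the comment would be more useful if it said why X_OK needs no read check rather than only which modes land here.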
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2023-08-05 23:38 Mike Gilbert
From: Mike Gilbert @ 2023-08-05 23:38 UTC
To: gentoo-commits
commit: 4b27824ee27013c672f75bce2066c950a71280d2
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 5 19:39:21 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Aug 5 20:08:11 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=4b27824e
resolve_dirfd_path: use separate buffer for readlink
Fixes a compile warning:
```
warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict]
```
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/libsandbox.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 4edcf60..6a7368c 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -132,24 +132,25 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path,
save_errno();
+ char fd_path[SB_PATH_MAX];
size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0);
if (trace_pid) {
- sprintf(resolved_path, "/proc/%i/fd/%i", trace_pid, dirfd);
+ sprintf(fd_path, "/proc/%i/fd/%i", trace_pid, dirfd);
} else {
/* If /proc was mounted by a process in a different pid namespace,
* getpid cannot be used to create a valid /proc/<pid> path. Instead
* use sb_get_fd_dir() which works in any case.
*/
- sprintf(resolved_path, "%s/%i", sb_get_fd_dir(), dirfd);
+ sprintf(fd_path, "%s/%i", sb_get_fd_dir(), dirfd);
}
- ssize_t ret = readlink(resolved_path, resolved_path, at_len);
+ ssize_t ret = readlink(fd_path, resolved_path, at_len);
if (ret == -1) {
/* see comments at end of check_syscall() */
if (errno_is_too_long()) {
restore_errno();
return 2;
}
- sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", resolved_path, strerror(errno));
+ sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", fd_path, strerror(errno));
/* If the fd isn't found, some guys (glibc) expect errno */
if (errno == ENOENT)
errno = EBADF;
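Review bot: `at_len` on the unchanged line near the top of the hunk is a `size_t` computed as `resolved_path_len - 1 - 1 - strlen(path)`; when `path` is longer than `resolved_path_len - 2` this wraps to a huge value and is handed straight to `readlink()` as the buffer size, so the separate `fd_path` buffer silences the `-Wrestrict` warning but leaves the bound unchecked. Add an explicit guard before the `readlink()`, e.g. `if (path && strlen(path) + 2 >= resolved_path_len) { restore_errno(); return 2; }`, reusing the existing "too long" result. Also, both `sprintf()` calls into `fd_path` are unbounded; the `/proc/%i/fd/%i` form fits trivially, but `sb_get_fd_dir()` has no stated length, so `snprintf(fd_path, sizeof(fd_path), ...)` would match the `SB_PATH_MAX` sizing of the new array.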
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2023-08-05 23:38 Mike Gilbert
From: Mike Gilbert @ 2023-08-05 23:38 UTC
To: gentoo-commits
commit: 8c3bc21729c3ad13295b586cd185b2b5da686731
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 5 19:18:53 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Aug 5 20:08:11 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=8c3bc217
erealpath: use separate buffer for readlink
Fixes a compiler warning:
```
warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict]
```
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/canonicalize.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c
index 6c9a2d6..f8d32f0 100644
--- a/libsandbox/canonicalize.c
+++ b/libsandbox/canonicalize.c
@@ -102,10 +102,12 @@ erealpath(const char *name, char *resolved)
if (lstat64(rpath, &st))
break;
if (S_ISLNK(st.st_mode)) {
- ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX - 1);
+ char buffer[SB_PATH_MAX];
+ ssize_t cnt = readlink(rpath, buffer, SB_PATH_MAX - 1);
if (cnt == -1)
break;
- rpath[cnt] = '\0';
+ buffer[cnt] = '\0';
+ strcpy(rpath, buffer);
if (p) {
size_t bytes_left = strlen(p);
if (bytes_left >= SB_PATH_MAX)
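Review bot: a symlink target of `SB_PATH_MAX - 1` bytes or more is silently truncated by the `readlink()` on the `+` line (`cnt == SB_PATH_MAX - 1` and nothing distinguishes that from a complete read), then NUL-terminated and copied back into `rpath` as though it were the full target, after which the sandbox checks a path that is not the one the kernel will actually follow. Treat `cnt >= SB_PATH_MAX - 1` as an error (set `errno = ENAMETOOLONG` and `break`) rather than a successful resolution. The copy itself is fine: `buffer` is `SB_PATH_MAX` bytes, `buffer[cnt]` is in range, and `rpath` is never smaller than that.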
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2023-08-05 23:38 Mike Gilbert
From: Mike Gilbert @ 2023-08-05 23:38 UTC
To: gentoo-commits
commit: 1c9a17d40de6dd3ea5b7aacaa76878357350881b
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 5 19:14:09 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Aug 5 20:08:10 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=1c9a17d4
erealpath: leave space for a trailing '\0' in readlink's buffer
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/canonicalize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c
index f282bdd..6c9a2d6 100644
--- a/libsandbox/canonicalize.c
+++ b/libsandbox/canonicalize.c
@@ -102,7 +102,7 @@ erealpath(const char *name, char *resolved)
if (lstat64(rpath, &st))
break;
if (S_ISLNK(st.st_mode)) {
- ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX);
+ ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX - 1);
if (cnt == -1)
break;
rpath[cnt] = '\0';
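Review bot: `SB_PATH_MAX - 1` on the `+` line fixes the one-past-the-end write in the following `rpath[cnt] = '\0'`, but the call still passes `rpath` as both the pathname and the output buffer; `readlink(2)`'s prototype marks both parameters `restrict`, so the compiler is entitled to assume they do not alias and the construct is undefined in C regardless of how the kernel orders its copy. Resolve into a separate scratch buffer and copy back once `cnt` has been validated. The truncation case (`cnt == SB_PATH_MAX - 1`) is also still reported as success; see the same pattern wherever `readlink()` fills a fixed buffer.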
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2023-08-05 23:38 Mike Gilbert
From: Mike Gilbert @ 2023-08-05 23:38 UTC
To: gentoo-commits
commit: 128d5b32b301a552299feff7cc64e5f8f7c4fee7
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 5 19:11:58 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Aug 5 20:08:10 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=128d5b32
erealpath: drop unused path_max variable
The SB_PATH_MAX macro is always defined, so this variable was pointless.
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/canonicalize.c | 26 +++++++++-----------------
1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c
index f742ed4..f282bdd 100644
--- a/libsandbox/canonicalize.c
+++ b/libsandbox/canonicalize.c
@@ -49,7 +49,6 @@ erealpath(const char *name, char *resolved)
{
char *rpath, *dest, *recover;
const char *start, *end, *rpath_limit;
- long int path_max;
if (name == NULL) {
/* As per Single Unix Specification V2 we must return an error if
@@ -66,16 +65,9 @@ erealpath(const char *name, char *resolved)
__set_errno(ENOENT);
return NULL;
}
-#ifdef SB_PATH_MAX
- path_max = SB_PATH_MAX;
-#else
- path_max = pathconf(name, _PC_PATH_MAX);
- if (path_max <= 0)
- path_max = 1024;
-#endif
if (resolved == NULL) {
- rpath = xmalloc(path_max);
+ rpath = xmalloc(SB_PATH_MAX);
} else {
/* We can't handle resolving a buffer inline, so demand
* separate read and write strings.
@@ -83,11 +75,11 @@ erealpath(const char *name, char *resolved)
sb_assert(name != resolved);
rpath = resolved;
}
- rpath_limit = rpath + path_max;
+ rpath_limit = rpath + SB_PATH_MAX;
recover = NULL;
if (name[0] != '/') {
- if (!egetcwd(rpath, path_max)) {
+ if (!egetcwd(rpath, SB_PATH_MAX)) {
rpath[0] = '\0';
goto error;
}
@@ -110,16 +102,16 @@ erealpath(const char *name, char *resolved)
if (lstat64(rpath, &st))
break;
if (S_ISLNK(st.st_mode)) {
- ssize_t cnt = readlink(rpath, rpath, path_max);
+ ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX);
if (cnt == -1)
break;
rpath[cnt] = '\0';
if (p) {
size_t bytes_left = strlen(p);
- if (bytes_left >= path_max)
+ if (bytes_left >= SB_PATH_MAX)
break;
strncat(rpath, name + (p - rpath + 1),
- path_max - bytes_left - 1);
+ SB_PATH_MAX - bytes_left - 1);
}
/* Ok, we have a chance at something better. If
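Review bot: the `+` line `readlink(rpath, rpath, SB_PATH_MAX)` followed by the unchanged `rpath[cnt] = '\0'` writes one byte past the end of `rpath` when the link target fills the whole buffer (`cnt == SB_PATH_MAX`), since `rpath` is allocated exactly `SB_PATH_MAX` bytes in the hunk above; pass `SB_PATH_MAX - 1` here. The macro-for-variable substitution is otherwise mechanical, but while reading it note that `strncat(3)`'s third argument caps the number of bytes appended, not the destination size, so `SB_PATH_MAX - bytes_left - 1` is only a correct bound if `bytes_left` equals the current `strlen(rpath)`; `p` points into the buffer that `readlink()` has just overwritten, so that equivalence is worth checking rather than assuming.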
@@ -187,10 +179,10 @@ erealpath(const char *name, char *resolved)
goto error;
}
new_size = rpath_limit - rpath;
- if (end - start + 1 > path_max)
+ if (end - start + 1 > SB_PATH_MAX)
new_size += end - start + 1;
else
- new_size += path_max;
+ new_size += SB_PATH_MAX;
new_rpath = (char *) xrealloc(rpath, new_size);
rpath = new_rpath;
rpath_limit = rpath + new_size;
@@ -213,7 +205,7 @@ erealpath(const char *name, char *resolved)
error:
if (resolved)
- snprintf(resolved, path_max, "%s", rpath);
+ snprintf(resolved, SB_PATH_MAX, "%s", rpath);
else
free(rpath);
free(recover);
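Review bot: on the `error:` path `rpath` aliases `resolved` whenever the caller supplied a buffer (`rpath = resolved` in the earlier hunk), so the `+` line is effectively `snprintf(resolved, SB_PATH_MAX, "%s", resolved)`, which is undefined for overlapping source and destination; guard it with `if (resolved && rpath != resolved)`. Not introduced by this patch, but exposed by it.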
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2023-08-08 15:27 Mike Gilbert
From: Mike Gilbert @ 2023-08-08 15:27 UTC
To: gentoo-commits
commit: d4d11afa436f1a0b4e4defc021c24e5992b0645f
Author: Oskari Pirhonen <xxc3ncoredxx <AT> gmail <DOT> com>
AuthorDate: Mon Aug 7 00:58:11 2023 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Aug 8 15:27:09 2023 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=d4d11afa
egetcwd: fix some edge cases
- Ensure all potentially 21 chars + NUL from "/proc/%i/cwd" fit in its
buffer
- Use snprintf(3) instead of sprintf(3) to fill in the buffer
- readlink(2) does not add a NUL terminator, so ensure it only writes up
to the allocated length - 1
- Use a more descriptive name for the return value of readlink(2)
Signed-off-by: Oskari Pirhonen <xxc3ncoredxx <AT> gmail.com>
Closes: https://github.com/gentoo/sandbox/pull/24
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/libsandbox.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 6a7368c..9705db1 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -349,14 +349,14 @@ char *egetcwd(char *buf, size_t size)
/* If tracing a child, our cwd may not be the same as the child's */
if (trace_pid) {
- char proc[20];
- sprintf(proc, "/proc/%i/cwd", trace_pid);
- ssize_t ret = readlink(proc, buf, size);
- if (ret == -1) {
+ char proc[22];
+ snprintf(proc, sizeof(proc), "/proc/%i/cwd", trace_pid);
+ ssize_t link_len = readlink(proc, buf, size - 1);
+ if (link_len == -1) {
errno = ESRCH;
return NULL;
}
- buf[ret] = '\0';
+ buf[link_len] = '\0';
return buf;
}
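Review bot: `size - 1` on the `readlink()` line underflows to `SIZE_MAX` when a caller passes `size == 0`, turning the new length cap into no cap at all; reject `size == 0` (set `errno = EINVAL`, return `NULL`) before this block, as `getcwd(3)` itself does. Two smaller points: `link_len == size - 1` means the target was truncated and would be better reported as `ERANGE`, again matching `getcwd()`, than returned as a complete path; and mapping every `readlink()` failure to `ESRCH` hides `EACCES` and `ENAMETOOLONG` from the caller. The `proc[22]` sizing is right for `/proc/` plus an 11-character `int` plus `/cwd` plus NUL, and `snprintf` with `sizeof(proc)` keeps it safe even if that arithmetic is ever wrong.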
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2024-01-22 21:41 Mike Gilbert
From: Mike Gilbert @ 2024-01-22 21:41 UTC
To: gentoo-commits
commit: ef9208bea4e0f0dff5abf358002565f36e4d7a8d
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Jan 8 19:59:35 2024 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Jan 8 20:04:09 2024 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ef9208be
libsandbox: stat the original path for EEXIST hackaround
Resolves an issue that can occur with paths that contain parent
directory references (/../).
If part of the path does not exist, the sandboxed program should get ENOENT,
not EEXIST. If we use the canonicalized path, intermediate paths will be
eliminated and we produce the wrong result.
Bug: https://bugs.gentoo.org/921581
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/pre_check_mkdirat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsandbox/pre_check_mkdirat.c b/libsandbox/pre_check_mkdirat.c
index b1e86cf..49c382a 100644
--- a/libsandbox/pre_check_mkdirat.c
+++ b/libsandbox/pre_check_mkdirat.c
@@ -37,7 +37,7 @@ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
* will trigger a sandbox violation.
*/
struct stat64 st;
- if (0 == lstat64(canonic, &st)) {
+ if (0 == lstat64(pathname, &st)) {
int new_errno;
sb_debug_dyn("EARLY FAIL: %s(%s[%s]) @ lstat: %s\n",
func, pathname, canonic, strerror(errno));
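Review bot: `lstat64(pathname, &st)` on the `+` line resolves a relative `pathname` against the calling process's cwd, but the function takes a `dirfd` (see the hunk header) that `mkdirat()` will resolve against instead; when `dirfd != AT_FDCWD` and `pathname` is relative, this pre-check stats a different object than the one the syscall will create, so the EEXIST/ENOENT decision can be wrong in both directions. `fstatat64(dirfd, pathname, &st, AT_SYMLINK_NOFOLLOW)` keeps the check and the syscall in step. Separately, the `strerror(errno)` in the debug message inside the `0 == lstat64(...)` branch appears to print a stale errno, since the call that just succeeded did not set it.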
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2024-01-27 18:05 Mike Gilbert
From: Mike Gilbert @ 2024-01-27 18:05 UTC
To: gentoo-commits
commit: 1f7d3654498e17e0a91c83f57e6265e08628d5fe
Author: Sv. Lockal <lockalsash <AT> gmail <DOT> com>
AuthorDate: Sat Jan 27 10:44:55 2024 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Jan 27 18:04:16 2024 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=1f7d3654
Fix SIGSEGV in gtest death tests due to small stack
In https://github.com/google/googletest/blob/v1.14.0/googletest/src/gtest-death-test.cc#L1307
on x86-64 gtest allocates 8192 bytes for `clone`:
```
static pid_t ExecDeathTestSpawnChild(char* const* argv, int close_fd) {
const auto stack_size = static_cast<size_t>(getpagesize() * 2);
...
child_pid = clone(&ExecDeathTestChildMain, stack_top, SIGCHLD, &args);
```
After that, the attempt to call execv is intercepted by libsandbox.so, which
allocates 8192 + more bytes on the stack multiple times, causing SIGSEGV
(instead of the expected types of crashes).
This PR moves all allocations for the related functions to the heap, so the
call path now fits in `getpagesize() * 2` with a large margin.
Bug: https://bugs.gentoo.org/923013
Closes: https://github.com/gentoo/sandbox/pull/26
Signed-off-by: Sv. Lockal <lockalsash <AT> gmail.com>
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/libsandbox.c | 34 +++++++++++++++++++++++++++++-----
1 file changed, 29 insertions(+), 5 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 9705db1..acd8585 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -132,7 +132,8 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path,
save_errno();
- char fd_path[SB_PATH_MAX];
+ char *fd_path = xmalloc(SB_PATH_MAX * sizeof(char));
+
size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0);
if (trace_pid) {
sprintf(fd_path, "/proc/%i/fd/%i", trace_pid, dirfd);
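Review bot: moving `fd_path` to the heap means every exit from `resolve_dirfd_path()` now has to free it, and the unchanged `sprintf(fd_path, ...)` directly below is still unbounded; the `/proc/%i/fd/%i` form fits, but the `sb_get_fd_dir()` branch of the same function has no length guarantee, so `snprintf(fd_path, SB_PATH_MAX, ...)` would be the safer pairing with a fixed-size allocation. `sizeof(char)` is 1 by definition and can be dropped from the `xmalloc()` argument.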
@@ -148,12 +149,14 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path,
/* see comments at end of check_syscall() */
if (errno_is_too_long()) {
restore_errno();
+ free(fd_path);
return 2;
}
sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", fd_path, strerror(errno));
/* If the fd isn't found, some guys (glibc) expect errno */
if (errno == ENOENT)
errno = EBADF;
+ free(fd_path);
return -1;
}
resolved_path[ret] = '/';
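Review bot: in the `errno_is_too_long()` branch the new `free(fd_path)` runs after `restore_errno()`, so any errno change inside `free()` would leak out in place of the value just restored; POSIX only guarantees that `free()` preserves errno as of Issue 8, and older glibc releases could clobber it on the `munmap`/`brk` path. Call `free()` first and `restore_errno()` last on this exit, and the same ordering applies to the `restore_errno(); free(fd_path); return 0;` sequence in the following hunk. The `free()` before `return -1` is fine because that path deliberately sets errno afterwards.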
@@ -162,6 +165,7 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path,
strcat(resolved_path, path);
restore_errno();
+ free(fd_path);
return 0;
}
@@ -286,7 +290,7 @@ static char *resolve_path(const char *path, int follow_link)
}
if (!ret) {
- char tmp_str1[SB_PATH_MAX];
+ char *tmp_str1 = xmalloc(SB_PATH_MAX * sizeof(char));
snprintf(tmp_str1, SB_PATH_MAX, "%s", path);
dname = dirname(tmp_str1);
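Review bot: `dirname()` on the unchanged line may return a pointer into `tmp_str1` (glibc modifies its argument in place and returns it), so `dname` must not be used after the `free(tmp_str1)` added at the end of this block; worth confirming no use survives past that point. Also check that nothing between this `xmalloc()` and that `free()` returns early or jumps out of the `if (!ret)` block, since an `LD_PRELOAD` library sitting in front of hot syscalls turns a per-call leak into a fast-growing one. The same applies to `tmp_str2` and its `free()` in the hunk below.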
@@ -304,7 +308,7 @@ static char *resolve_path(const char *path, int follow_link)
filtered_path = NULL;
}
} else {
- char tmp_str2[SB_PATH_MAX];
+ char *tmp_str2 = xmalloc(SB_PATH_MAX * sizeof(char));
/* OK, now add the basename to keep our access
* checking happy (don't want '/usr/lib' if we
* tried to do something with non-existing
@@ -316,7 +320,10 @@ static char *resolve_path(const char *path, int follow_link)
snprintf(filtered_path + len, SB_PATH_MAX - len, "%s%s",
(filtered_path[len - 1] != '/') ? "/" : "",
bname);
+ free(tmp_str2);
}
+
+ free(tmp_str1);
}
}
@@ -1034,10 +1041,24 @@ bool is_sandbox_on(void)
return result;
}
+static int resolve_dirfd_path_alloc(int dirfd, const char *path, char **resolved_path)
+{
+ size_t resolved_path_size = SB_PATH_MAX * sizeof(char);
+ *resolved_path = xmalloc(resolved_path_size);
+ int result = resolve_dirfd_path(dirfd, path, *resolved_path, resolved_path_size);
+
+ if (result) {
+ free(*resolved_path);
+ *resolved_path = NULL;
+ }
+
+ return result;
+}
+
bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, int flags)
{
int result;
- char at_file_buf[SB_PATH_MAX];
+ char *at_file_buf;
/* Some funcs operate on a fd directly and so filename is NULL, but
* the rest should get rejected as "file/directory does not exist".
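Review bot: `char *at_file_buf;` on the `+` line is left uninitialised, yet the cleanup `if (at_file_buf) free(at_file_buf);` added near the end of the function runs unconditionally; any control path that reaches it without passing through the `switch` on `resolve_dirfd_path_alloc()` would free an indeterminate pointer. Initialise it to `NULL` at the declaration, after which the `if` guard is redundant because `free(NULL)` is a no-op. The wrapper itself is sound: it nulls `*resolved_path` on every non-zero result, which is what makes the `case -1` and `case 2` early returns leak-free. `SB_PATH_MAX * sizeof(char)` can simply be `SB_PATH_MAX`.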
@@ -1056,7 +1077,7 @@ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, in
}
}
- switch (resolve_dirfd_path(dirfd, file, at_file_buf, sizeof(at_file_buf))) {
+ switch (resolve_dirfd_path_alloc(dirfd, file, &at_file_buf)) {
case -1: return false;
case 0: file = at_file_buf; break;
case 2: return true;
@@ -1079,6 +1100,9 @@ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, in
result = check_syscall(&sbcontext, sb_nr, func, file, flags);
+ if (at_file_buf)
+ free(at_file_buf);
+
sb_unlock();
if (0 == result) {
* [gentoo-commits] proj/sandbox:master commit in: libsandbox/
@ 2024-11-04 19:15 Mike Gilbert
From: Mike Gilbert @ 2024-11-04 19:15 UTC
To: gentoo-commits
commit: 69000bb059a57560762b979e7957f96decb25f10
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 4 19:02:51 2024 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Nov 4 19:02:51 2024 +0000
URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=69000bb0
Fix behavior of utimensat(..., AT_EMPTY_PATH)
Bug: https://bugs.gentoo.org/935716
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
libsandbox/libsandbox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index acd8585..3d6f1a9 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1064,7 +1064,7 @@ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, in
* the rest should get rejected as "file/directory does not exist".
*/
if (file == NULL || file[0] == '\0') {
- if (file == NULL && dirfd != AT_FDCWD &&
+ if ((file == NULL || (flags & AT_EMPTY_PATH)) &&
(sb_nr == SB_NR_UTIMENSAT || sb_nr == SB_NR_FUTIMESAT))
{
/* let it slide -- the func is magic and changes behavior
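Review bot: the `+` line drops the `dirfd != AT_FDCWD` guard from the old condition, so `utimensat(AT_FDCWD, NULL, ...)` now bypasses the check as well; that is only harmless if the kernel rejects the combination itself (`utimensat(2)` documents the NULL-pathname form for `dirfd != AT_FDCWD` only), so either keep the guard for the `file == NULL` half or state in the comment why it is no longer needed. The `AT_EMPTY_PATH` half is reasonable: an empty path with that flag operates on `dirfd`, which was already vetted when it was opened, and that reasoning belongs in the "let it slide" comment below; note that with `dirfd == AT_FDCWD` the target is the working directory, which the sandbox has not necessarily approved for writing.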