diff options
Diffstat (limited to 'src/sandbox-1.1/ChangeLog')
| -rw-r--r-- | src/sandbox-1.1/ChangeLog | 265 |
1 files changed, 0 insertions, 265 deletions
diff --git a/src/sandbox-1.1/ChangeLog b/src/sandbox-1.1/ChangeLog deleted file mode 100644 index 334af836..00000000 --- a/src/sandbox-1.1/ChangeLog +++ /dev/null @@ -1,265 +0,0 @@ -# ChangeLog for Path Sandbox -# Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Id: /var/cvsroot/gentoo-src/portage/src/sandbox-1.1/Attic/ChangeLog,v 1.37.2.3 2004/12/01 22:14:09 carpaski Exp $ - - 01 Dec 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: - Added ferringb's code to handle the sandbox pid overflow problem. - - 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard - allowing data and code mixing in code isn't available for gcc 2.95- should fix - bug #70351. - - 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c: - Fixups, and a hole closed regarding verifying SANDBOX_(|DEBUG_)LOG is sane. - - 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from - Seth Robertson that tracked down all adjuct flags for read operations that - do not invoke a write operation. - - 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: - Another fix from jstubbs regarding a free() on a stack variable for the - environment -- tracking now prevents extraneous free()'s segfault. - - 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: - J. Stubbs tracked down a new bug where mkdir was failing to the patch on - the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir. - Also remove the errno = ESUCCESS settings as documentation points out that - a library isn't allowed to do that. - - 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a - file_security_check() function to check random potential exploits on files - that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes - the 'system-crippling' exploits (bug 21923) and catches a few other - potential problems. - - 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for - 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work. - - 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: - bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>. - Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>. - - 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c : - Fix permissions and group of pids file and logs. Permissions should be 0664 - and group should be 'portage'. Bug #34260. - - 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : - Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed - to the real execve (in our execve wrapper). Seems that on some arches (sparc - among others) do not allow us to tamper with the readonly copy passed to - execve, so pass our own copy of the environment. Bug #42290. - - 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls: - Changed tail to head and added a notice about duration of glibc check. - - 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls: - Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh - as there isn't a guarentee that it is dynamic. - - 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : - If 'file' passed to before_syscall(const char *func, const char *file) is - invalid, we should set errno to ENOENT, and not EINVAL. This should - close bug #32238. - - 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : - Fix a bug that occurs mainly on 64bit arch, where the file passed to - the functions we wrap, is invalid, and then cause canonicalize to pass - garbage to before_syscall(), thanks to great detective work from - Andrea Luzzardi <al@sig11.org> (bug #29846). - - 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : - Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>. - - 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : - Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically - only checked the destination patch, and not the source, so we could move - a protected file to a unprotected directory, and then delete/modify it. - Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix. - - 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c : - Added python2.3 to the predict section/variable. - - 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, - sandbox.h, sandbox_futils.c : - Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If - it is not set, it will revert to its old value. - - 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : - Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so, - rather than failing with a violation, bug #29748. - - 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : - Fix canonicalize() to ignore calls with path = "". - - 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c, - sandbox_futils.c, canonicalize.c : - Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system - call handled strings larger than PATH_MAX (bug #21766). It however does not - work the same on 2.4 kernels. - - To fix, I added the posix implementation of getcwd() (from glibc cvs) that - do not need the system call. We use the default getcwd() function via a - wrapper (egetcwd), and then lstat the returned path. If lstat fails, it - means the current directory was removed, OR that the the system call for - getcwd failed (curious is that it do not fail and return NULL or set - errno, but rather just truncate the retured directory - usually from the - start), and if so, we use the generic getcwd() function (__egetcwd). Note - that we do not use the generic version all the time, as it calls lstat() - a great number of times, and performance degrade much. - - 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls, - libsandbox.c : - Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks. - - 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c - create-localdecls : - When checking path names of files accessed, we need to canonicalize it, else - it may be a symlink in a 'write allowed' directory pointing to a file in a - directory we should not have write access to. - - With something like coreutils-5.0, we have two problems: - 1) One of the tests checks if getcwd() can return a path longer than - PATH_MAX. This test then tries to create a dir which even while - created local (mkdir("conftest2")), it ends up being resolved with - a name that is much larger than PATH_MAX. The problem now is that - canonicalize() have undefined behaviour when the path was too long - (returned wrongly truncated paths, etc), and pass the wrong path to - before_syscall() (causing the bogus sandbox violations). - 2) The ecanonicalize() function we used, along with the canonicalize() - function did not support longer than PATH_MAX. This is partly a - cause for 1), but the error checking (rather lack of it) of calls - to erealpath() in canonicalize() was the prime reason for 1). - - As we do not use this canonicalized name to call the function, we resolve this - by fixing canonicalize() to do better error checking, and ecanonicalize() as - well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'. - While they will resolve paths properly now, and can check if a write/read is - allowed, the functions called from the sandboxed environment will still work - as expected. - - This should resolve bug #21766. - - 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : - For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under - it (bug #16298). - - Problem is that for some reason locale fopen's locale.alias with mode "rm". - - ------------------------------------------------------- - nosferatu root # grep fopen locale.log - fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias - nosferatu root # - -------------------------------------------------------- - - I checked the source of locale, but it have fopen with mode 'r', so - not sure where the "rm" mode comes from. Anyhow, changed the check in - before_syscall_open_char() to also see mode "rm" as readonly. - - 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : - - Add glibc-2.3 support. - - 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c : - - Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all - operations releated to preload, as well as only try to modify ld.so.preload - if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when - not using ld.so.preload. Fix to not write this instance of sandbox's pid - to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running. - - 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile : - - Changed the LD to CC for hppa. - - 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : - - Killed the previous changes I made. - - 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : - - Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs. - - 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c : - - Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868. - - 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls : - - Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro> - for this fix. - - 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c : - - sandbox_futils defined a dirname() function that was masking the same - function in glibc and was broken (e.g.: SANDBOX_DIR was being set to - '/usr/lib/portage/bi/'). Fixed function to return expected results and - renamed it to sb_dirname() to no longer mask the glibc function. Closes bug - 11231. - - 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> : - - Fix a segfault in libsandbox.c if canonicalize() was called with - first parameter = NULL. - - 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> : - - Fix my braindead 'return 1;' in a void function. Updated sandbox.c, - cleanup() for this. - - Change cleanup() in sandbox.c not to exit with fail status if - the pidsfile is missing. We really should still display sandbox - violations if they occured. - - 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : - - Update cleanup() in sandbox.c to remove the PIDSFILE if this is - the last sandbox running. - - 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : - - Major cleanups to mainly libsandbox.c again. - - 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : - - Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the - parties involved should please contact me so that we can fix it. - - Add opendir wrapper to libsandbox.c. - - 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : - - Do some more cleanups to ecanonicalize(), as it dropped filenames in - rare cases (after my symlink cleanups), and caused glibc to bork. - These fixes went into canonicalize.c. - - 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : - - Fix spawn_shell() and main() in sandbox.c to properly return fail - status. - - 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : - - The new canonicalize() function in libsandbox.c also resolved symlinks, - which caused on cleaning sandbox errors if the symlink pointed to a - file in the live root. Ripped out canonicalize() and realpath() from - glibc; removed the symlink stuff, and changed them to ecanonicalize() - and erealpath(). - - 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : - - Ripped out all the wrappers, and implemented those of InstallWatch. - Losts of cleanups and bugfixes. Implement a execve that forces - $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared - /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c, - sandbox.h and sandbox_futils.c. Rewrote the Makefile for most - parts; it now have an install target. - - Reformat the whole thing to look somewhat like the reworked sandbox.c - and new sandbox.h and sandbox_futils.c from: - - Brad House <brad@mainstreetsoftworks.com>. - - Additional Copyrights now due to the InstallWatch code: - - Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net> - |