Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/src/sandbox-1.1/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'src/sandbox-1.1/ChangeLog')
-rw-r--r--src/sandbox-1.1/ChangeLog265
1 files changed, 265 insertions, 0 deletions
diff --git a/src/sandbox-1.1/ChangeLog b/src/sandbox-1.1/ChangeLog
new file mode 100644
index 00000000..8da8ec9f
--- /dev/null
+++ b/src/sandbox-1.1/ChangeLog
@@ -0,0 +1,265 @@
+# ChangeLog for Path Sandbox
+# Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-src/portage/src/sandbox-1.1/Attic/ChangeLog,v 1.37.2.3 2004/12/01 22:14:09 carpaski Exp $
+
+ 01 Dec 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
+ Added ferringb's code to handle the sandbox pid overflow problem.
+
+ 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard
+ allowing data and code mixing in code isn't available for gcc 2.95- should fix
+ bug #70351.
+
+ 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c:
+ Fixups, and a hole closed regarding verifying SANDBOX_(|DEBUG_)LOG is sane.
+
+ 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from
+ Seth Robertson that tracked down all adjuct flags for read operations that
+ do not invoke a write operation.
+
+ 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
+ Another fix from jstubbs regarding a free() on a stack variable for the
+ environment -- tracking now prevents extraneous free()'s segfault.
+
+ 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
+ J. Stubbs tracked down a new bug where mkdir was failing to the patch on
+ the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir.
+ Also remove the errno = ESUCCESS settings as documentation points out that
+ a library isn't allowed to do that.
+
+ 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a
+ file_security_check() function to check random potential exploits on files
+ that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes
+ the 'system-crippling' exploits (bug 21923) and catches a few other
+ potential problems.
+
+ 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for
+ 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work.
+
+ 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c:
+ bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>.
+ Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>.
+
+ 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c :
+ Fix permissions and group of pids file and logs. Permissions should be 0664
+ and group should be 'portage'. Bug #34260.
+
+ 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
+ Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed
+ to the real execve (in our execve wrapper). Seems that on some arches (sparc
+ among others) do not allow us to tamper with the readonly copy passed to
+ execve, so pass our own copy of the environment. Bug #42290.
+
+ 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls:
+ Changed tail to head and added a notice about duration of glibc check.
+
+ 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls:
+ Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh
+ as there isn't a guarentee that it is dynamic.
+
+ 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
+ If 'file' passed to before_syscall(const char *func, const char *file) is
+ invalid, we should set errno to ENOENT, and not EINVAL. This should
+ close bug #32238.
+
+ 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
+ Fix a bug that occurs mainly on 64bit arch, where the file passed to
+ the functions we wrap, is invalid, and then cause canonicalize to pass
+ garbage to before_syscall(), thanks to great detective work from
+ Andrea Luzzardi <al@sig11.org> (bug #29846).
+
+ 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
+ Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>.
+
+ 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
+ Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically
+ only checked the destination patch, and not the source, so we could move
+ a protected file to a unprotected directory, and then delete/modify it.
+ Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix.
+
+ 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c :
+ Added python2.3 to the predict section/variable.
+
+ 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
+ sandbox.h, sandbox_futils.c :
+ Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If
+ it is not set, it will revert to its old value.
+
+ 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
+ Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so,
+ rather than failing with a violation, bug #29748.
+
+ 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
+ Fix canonicalize() to ignore calls with path = "".
+
+ 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
+ sandbox_futils.c, canonicalize.c :
+ Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system
+ call handled strings larger than PATH_MAX (bug #21766). It however does not
+ work the same on 2.4 kernels.
+
+ To fix, I added the posix implementation of getcwd() (from glibc cvs) that
+ do not need the system call. We use the default getcwd() function via a
+ wrapper (egetcwd), and then lstat the returned path. If lstat fails, it
+ means the current directory was removed, OR that the the system call for
+ getcwd failed (curious is that it do not fail and return NULL or set
+ errno, but rather just truncate the retured directory - usually from the
+ start), and if so, we use the generic getcwd() function (__egetcwd). Note
+ that we do not use the generic version all the time, as it calls lstat()
+ a great number of times, and performance degrade much.
+
+ 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls,
+ libsandbox.c :
+ Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks.
+
+ 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c
+ create-localdecls :
+ When checking path names of files accessed, we need to canonicalize it, else
+ it may be a symlink in a 'write allowed' directory pointing to a file in a
+ directory we should not have write access to.
+
+ With something like coreutils-5.0, we have two problems:
+ 1) One of the tests checks if getcwd() can return a path longer than
+ PATH_MAX. This test then tries to create a dir which even while
+ created local (mkdir("conftest2")), it ends up being resolved with
+ a name that is much larger than PATH_MAX. The problem now is that
+ canonicalize() have undefined behaviour when the path was too long
+ (returned wrongly truncated paths, etc), and pass the wrong path to
+ before_syscall() (causing the bogus sandbox violations).
+ 2) The ecanonicalize() function we used, along with the canonicalize()
+ function did not support longer than PATH_MAX. This is partly a
+ cause for 1), but the error checking (rather lack of it) of calls
+ to erealpath() in canonicalize() was the prime reason for 1).
+
+ As we do not use this canonicalized name to call the function, we resolve this
+ by fixing canonicalize() to do better error checking, and ecanonicalize() as
+ well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'.
+ While they will resolve paths properly now, and can check if a write/read is
+ allowed, the functions called from the sandboxed environment will still work
+ as expected.
+
+ This should resolve bug #21766.
+
+ 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
+ For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under
+ it (bug #16298).
+
+ Problem is that for some reason locale fopen's locale.alias with mode "rm".
+
+ -------------------------------------------------------
+ nosferatu root # grep fopen locale.log
+ fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias
+ nosferatu root #
+ --------------------------------------------------------
+
+ I checked the source of locale, but it have fopen with mode 'r', so
+ not sure where the "rm" mode comes from. Anyhow, changed the check in
+ before_syscall_open_char() to also see mode "rm" as readonly.
+
+ 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
+
+ Add glibc-2.3 support.
+
+ 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c :
+
+ Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all
+ operations releated to preload, as well as only try to modify ld.so.preload
+ if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when
+ not using ld.so.preload. Fix to not write this instance of sandbox's pid
+ to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running.
+
+ 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile :
+
+ Changed the LD to CC for hppa.
+
+ 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
+
+ Killed the previous changes I made.
+
+ 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
+
+ Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs.
+
+ 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c :
+
+ Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868.
+
+ 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
+
+ Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro>
+ for this fix.
+
+ 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c :
+
+ sandbox_futils defined a dirname() function that was masking the same
+ function in glibc and was broken (e.g.: SANDBOX_DIR was being set to
+ '/usr/lib/portage/bi/'). Fixed function to return expected results and
+ renamed it to sb_dirname() to no longer mask the glibc function. Closes bug
+ 11231.
+
+ 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Fix a segfault in libsandbox.c if canonicalize() was called with
+ first parameter = NULL.
+
+ 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Fix my braindead 'return 1;' in a void function. Updated sandbox.c,
+ cleanup() for this.
+
+ Change cleanup() in sandbox.c not to exit with fail status if
+ the pidsfile is missing. We really should still display sandbox
+ violations if they occured.
+
+ 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Update cleanup() in sandbox.c to remove the PIDSFILE if this is
+ the last sandbox running.
+
+ 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Major cleanups to mainly libsandbox.c again.
+
+ 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the
+ parties involved should please contact me so that we can fix it.
+
+ Add opendir wrapper to libsandbox.c.
+
+ 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Do some more cleanups to ecanonicalize(), as it dropped filenames in
+ rare cases (after my symlink cleanups), and caused glibc to bork.
+ These fixes went into canonicalize.c.
+
+ 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Fix spawn_shell() and main() in sandbox.c to properly return fail
+ status.
+
+ 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ The new canonicalize() function in libsandbox.c also resolved symlinks,
+ which caused on cleaning sandbox errors if the symlink pointed to a
+ file in the live root. Ripped out canonicalize() and realpath() from
+ glibc; removed the symlink stuff, and changed them to ecanonicalize()
+ and erealpath().
+
+ 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
+
+ Ripped out all the wrappers, and implemented those of InstallWatch.
+ Losts of cleanups and bugfixes. Implement a execve that forces
+ $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared
+ /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c,
+ sandbox.h and sandbox_futils.c. Rewrote the Makefile for most
+ parts; it now have an install target.
+
+ Reformat the whole thing to look somewhat like the reworked sandbox.c
+ and new sandbox.h and sandbox_futils.c from:
+
+ Brad House <brad@mainstreetsoftworks.com>.
+
+ Additional Copyrights now due to the InstallWatch code:
+
+ Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>
+