diff options
author | Martin Schlemmer <azarah@gentoo.org> | 2005-12-01 12:07:25 +0000 |
---|---|---|
committer | Martin Schlemmer <azarah@gentoo.org> | 2005-12-01 12:07:25 +0000 |
commit | 7ff2dcf907d1d60059c048e78e832f55607bf2b6 (patch) | |
tree | babf89173eb6cf4e33b31f2e08d763da86209a42 /ChangeLog.0 | |
parent | Some comment touch-ups. (diff) | |
download | sandbox-7ff2dcf907d1d60059c048e78e832f55607bf2b6.tar.gz sandbox-7ff2dcf907d1d60059c048e78e832f55607bf2b6.tar.bz2 sandbox-7ff2dcf907d1d60059c048e78e832f55607bf2b6.zip |
Add scripts/svn2cl.*; move ChangeLog and update autogen.sh to
generate ChangeLog.
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
Diffstat (limited to 'ChangeLog.0')
-rw-r--r-- | ChangeLog.0 | 713 |
1 files changed, 713 insertions, 0 deletions
diff --git a/ChangeLog.0 b/ChangeLog.0 new file mode 100644 index 0000000..bb722d0 --- /dev/null +++ b/ChangeLog.0 @@ -0,0 +1,713 @@ +# ChangeLog for Path Sandbox +# Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2 +# $Header$ + + 01 Dec 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, Makefile.am, + localdecls.h, scripts/Makefile.am, scripts/gen_symbol_version_map.awk, + scripts/gen_symbol_header.awk, src/Makefile.am, src/symbols.in, + src/libsandbox.c, src/getcwd.c, src/sandbox.c, data/sandbox.bashrc: + + Use versioned symbols on supported libc's for functions we wrap, as well as + provide all versions of specific functions. Some syntax cleanups. + + Only check SANDBOX_ACTIVE, and not its value. More BASH_ENV fixes. + + Rename configure.in to configure.ac. + + Fix non-versioned libc's to also prepend '__' to internal symbols by using + strong aliases. + + Remove the SB_STATIC and including of getcwd.c, etc voodoo, as we new use a + symbol map, and all non-exported symbols are local. Cleanup getcwd.c, as + the generic getcwd for older 2.4 kernels do not work properly anyhow, and + just makes things slower. Some other warning fixes. + + Rename src/symbols.in to src/symbols.h.in. + + Cleanup local defines for egetcwd() and erealpath(). + + Rename filter_path() to resolve_path() and other renames for clarity. + + Fixup SANDBOX_ON handling after already running changes. + + Use egetcwd() in sandbox.c. + + Rather use fstat() to get file size in file_length() than lseek(). + + Wrap mknod() as well. Misc cleanups. + + Wrap mkfifo() as it seems it was missing. + + 28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, sandbox.c, + sandbox_fdutils.c: + + Detect if we on 64bit arch automatically. + + Update contact email. Fix quoting. + + Revert 64bit arch test, as we should build the 32bit version without full + path checking as well, and add --enable-multilib switch to configure. + +* sandbox-1.2.14 (2005/11/28) + + 28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c, + sandbox.c, sandbox.h, sandbox.bashrc: + + Check generic getcwd()'s return as well for validity, bug #101728. + + Cleanup environ variables. + + Rather check SANDBOX_ACTIVE if we are already running. Set SANDBOX_ACTIVE + to readonly in sandbox.bashrc. + + Make sure we use our bashrc. + + 01 Nov 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + + Do not pass mode to true_open and true_open64 if not needed. Should fix a + segfault in some cases. + +* sandbox-1.2.13 (2005/09/12) + + 12 Sep 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, libsandbox.c: + + Do not handle adding working directory to SANDBOX_WRITE, as portage does it + itself. + + Make libsb_fini() do cleanup a bit more complete just in case we get another + uClibc 'call preloaded library fini before that of app' issue ... probably + will not help much, but we try. + + 04 Sep 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + + Also allow symlink() system call to operate on a symlink in a writable path + that points to non-writable path, bug #104711. + +* sandbox-1.2.12 (2005/08/05) + + 05 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.h: + + Do not give an access violation if the access() system call do not have + write/read access - it does not actually modify, so we only need to return + not being able to write/read. Noted by Andres Loeh <kosmikus@gentoo.org>, + bug #101433. + + If we are called from the command line, do not care about PORTAGE_TMPDIR, + and make the current directory the work directory. Also rename the variable + portage_tmp_dir to work_dir. + + Remove the tmp_dir variable - we do not need it. + + Improve error handling for get_sandbox_*_envvar() functions. + + 01 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + + Still do normal log if debugging is requested. + + Add support for SANDBOX_VERBOSE (enabled by default). Adjust SANDBOX_DEBUG + to only enable if equal to "1" or "yes". + + Add /dev/tts to write permit, bug #42809. + + 27 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h, + sandbox_futils.c: + + Do not resolve symlinks in PORTAGE_TMPDIR in sandbox .. we will handle that + in libsandbox .. bug #100309. + + 22 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h: + + Print all logging to stderr, bug #90343, comment #15, by Zac Medico. + +* sandbox-1.2.11 (2005/07/14) + + 14 July 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c: + Fix getcwd, bug #98419. + + 08 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c, + libsandbox.c: + - Try to cleanup and make error handling/printing consistent. + - Remove old logs if present and conflicting with current. + - Fix compile error with previous change, and return rather then exit(). + + 07 July 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.h, sandbox_futils.c: + - Fix possible segfault in env init code. + - Major cleanup of sandbox_futils.c. Removed most of the functions as we now + write to /var/log/sandbox/, so in theory do not need all that. + - Redo the interface of the get_* functions so that we do not leak memory. + - Remove sandbox_dir and co - we are not using it anymore. + - Remove unused includes and variables. + - Only declare functions in sandbox_futils.c that are used in libsandbox.c when + OUTSIDE_LIBSANDBOX is not defined. + - Cleanup access/log printing. Make access printing honour NOCOLOR. Fix log + printing's last line not honouring NOCOLOR. + + 06 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h, sandbox_futils.c, + libsandbox.c: + - Change log dir to /var/log/sandbox/. Make sure the sandboxed process cannot + write to it. + - Clean up logging in libsandbox.c, and hopefully make it more consistant. + - Add check_prefixes() with major cleanup on check_access(). + - Cleanup init_env_entries() and check_prefixes(). + + 05 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h, + sandbox_futils.c, libsandbox.c: + Remove unused 'pids file' code. + +* sandbox-1.2.10 (2005/07/03) + + 03 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Add PREDICT items for nss-db, bug #92079. Patch from Robin Johnson. + + 17 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + General cleanups: + - Remove fooling around with exit codes - we error out on presence of a log + anyhow. + - Move get_sandbox_*_envvar() to sandbox_setup_environ(), as its more + appropriate there. + + 12 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Cleanup the fail_nametoolong stuff a bit more. + + 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Remove hopefully the last ld.so.preload bits we do not use anymore. + + 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Remove the unneeded canonicalize() calls in the wrappers - we do it anyhow + in check_syscall(). Should speed things up a bit (at least for the getcwd() + and long path name test it goes down to under a second, and not 10+ seconds + like before). Also warn if we skip checking due to the canonicalized path + being too long. + + 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + More comment/readability cleanups. + + 10 June 2005; Martin Schlemmer <azarah@gentoo.org> canonicalize.c, getcwd.c, + sandbox_futils.c, libsandbox.c: + Some strncpy/strncat and other cleanups. + +* sandbox-1.2.9 (2005/06/09) + + 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Move symlink hack down a bit to try and minimize on the amount of lstat() + calls we do. + + 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c: + Add hack to allow writing to /proc/self/fd (or /dev/fd), bug #91516. + + 09 June 2005; Martin Schlemmer <azarah@gentoo.org> symbols.in, libsandbox.c: + Add wrapper for access() function, bug #85413. + + 09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c: + Use generic getcwd() implementation from uclibc - should be more portable + and looks a bit cleaner. + + 09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c: + Make sure our true_* pointers are initialized to NULL, and that we check for + all references that they are valid. + + 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Be default we will fail if the path name we try to canonicalize is too long. + This however could cause issues with some things (bug #94630 and #21766), so + if fail_nametoolong == 0, canonicalize() will return a null length string and + do not fail. + + 08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c: + Do not abort if TMPDIR is not valid, but rather use '/tmp', bug #94360. Also + make sure we re-export the new TMPDIR environment variable. + + 08 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Fix incorrect free of non-malloc'd array, bug #92313 and #94020. Fix noted + by Marcus D. Hanwell <cryos@gentoo.org>. + + 08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Add /dev/console to write list, bug #38588. + +* sandbox-1.2.8 (2005/05/13) + + 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.h, sandbox_futils.c: + General cleanups. + + 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.h: + Various LD_PRELOAD cleanups. Do not unset LD_PRELOAD for parent. + + 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.h, sandbox_futils.c: + Modify get_sandbox_pids_file(), get_sandbox_log() and get_sandbox_debug_log() + to use TMPDIR if present in environment. + + 13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Remove sandbox_log_file from main() as its no longer used. + + 13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h, + sandbox_futils.c: + Add get_sandbox_debug_log(), and use it (add behaviour similar to SANDBOX_LOG + if already exported when sandbox started). Fix get_sandbox_log() and new + get_sandbox_debug_log() to not use already exported environment variables if + they have '/' in them. Use snprintf()'s instead of strncpy()'s. More + SB_PATH_MAX fixes. + +* sandbox-1.2.7 (2005/05/12) + + 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h, + sandbox_futils.c: + More path limit fixes. Declare SB_BUF_LEN global and use it where needed. + + 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c: + Fix paths limited to 255 chars. Fix get_sandbox_dir() returning a string + with '(null)' in it if we did not call sandbox with absolute path. + + 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Set SANDBOX_ON *before* doing the child's env stuff, else its not set + for the child. + + 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Remove global preload_adaptable as it is no longer used. + + 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Rewrite environment stuff to only be set when execve'ing the child process + to try and avoid issues like bug #91541 that causes sandbox to crash if + we set LD_PRELOAD sandbox side already. + + 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Move print_sandbox_log() up to make things neater. + + 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Remove load_preload_libs(), as its not used anymore. + + 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h: + Remove NO_FORK stuff, as its not used, and 'strace -f' works just fine. + + 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h: + Remove USE_SYSTEM_SHELL stuff, as it is not secure, and not in use. + + 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h: + Remove ld.so.preload crap - we are not going to use it again. + + 10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c: + Fix typo in code that checks if we got valid group information, causing a + segmentation fault, bug #91637. + +* sandbox-1.2.6 (2005/05/10) + + 10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Do not use LD_PRELOAD if it contains libtsocks.so, as it breaks sandbox + for some odd reason, bug #91541. + + 09 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Fix typo (sizeof -> strlen). + + 08 May 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c: + rewrote the sbcontext caching code so it accounts for env changes since lib + initialization. + + 05 May 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, libctest.c: + We create libctest.c via configure, so no need to keep it around. Do some + cleanup related to libctest.c and libctest during configure. + + 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Add rename support of symlinks pointing to protected files/directories. + +* sandbox-1.2.5 (2005/05/04) + + 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.bashrc: + Do not reset already set LD_PRELOAD when starting sandbox. If LD_PRELOAD is + already set, init of the env vars fails for some reason, so do this later on, + and do not warn (bug #91431). + + 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h, + sandbox.bashrc: + Fixup sandbox and sandbox.bashrc to call bash with the proper .bashrc. + +* sandbox-1.2.4 (2005/05/03) + + 03 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Do not init the env entries with each call, as it creates too many calls to + lstat, etc. Should speedup things a bit, bug #91040. + + 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c: + Add /dev/pty to default write list. Noticed by Morfic. + + 02 May 2005; Mike Frysinger <vapier@gentoo.org> configure.in, localdecls.h, + sandbox.h: + uClibc doesn't support dlvsym() so add a configure check to make sure it doesn't + exist. Also update localdecls.h so BROKEN_RTLD_NEXT isn't defined in uClibc. + +* sandbox-1.2.3 (2005/04/29) + + 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> configure.in: + Do not check for (*&#$(* CXX or F77. + + 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Do not append '/' to pathname in filter_path() if it already ends with it. + + 28 Apr 2005; Mike Frysinger <vapier@gentoo.org> Makefile.am, configure.in: + With az's help, clean up autotools to work with cross-compiling. + +* sandbox-1.2.2 (2005/04/28) + + 28 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Only check for /dev/{null,zero} for unlink hack, else ricers using /dev/shm + have issues; bug #90592. + +* sandbox-1.2.1 (2005/04/23) + + 23 Apr 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c, + getcwd.c, libsandbox.c, localdecls.h, sandbox.h, sandbox_futils.c: + Make sure all functions used in libsandbox.c is declared static. Define + SB_STATIC in localdecls.h for this. Include sandbox_futils.c rather than + linking with its object. Hopefully this will fix bug #90153. + +* sandbox-1.2 (2005/04/23) + + 22 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Allow lchown a symlink in write-allowed path pointing to write-denied + target. + + 21 Mar 2005; Marius Mauch <genone@gentoo.org> libsandbox.c: + Also show resolved symlink names in the log. + + 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, libsandbox.c: + Seems -nostdlib was the problem with the constructor/destructor - remove it + from Makefile.am, and change the constructor/destructor names again. + + 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Also rename the _init() and _fini() declarations. + + 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c: + Fixup the constructor/destructor function names again (they should be _init() + and _fini() it seems, and not being called caused sandbox_lib_path to be + unset, and thus breaking the execve() wrapper's LD_PRELOAD protection). + Add both the path in given SANDBOX_x variable, as well as its symlink + resolved path in init_env_entries(). Modify filter_path() to be able to + resolve paths without resolving symlinks, as well as to be able to resolve + symlinks. Fix a possible segfault in check_access(). Add symlink resolving + to check_access() resolving bug #31019. Add 'hack' for unlink, as the fix + for bug #31019 cause access violations if we try to remove a symlink that is + not in protected path, but points to a protected path. Fix a memory leak in + sandbox.c (sandbox_pids_file in main()). Fix the realpath() calls in main() + (sandbox.c) being unchecked. Fix the debug logname not having the pid in it + (pid_string was uninitialized). General syntax cleanups. + + 09 Mar 2005; Brian Harring <ferringb@gentoo.org> sandbox.c: Fixed the + infamous "pids file is not a regular file" w/out newline bug. + + 09 Mar 2005; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in: + Correct libc_version path detection, since it was screwing up if libdir != + "/lib/". + + 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: + Hack to make sure sandboxed process cannot remove a device node, bug #79836. + + 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am: + Fix symbols.in not added to dist. + + 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c, + getcwd.c, libsandbox.c, sandbox.c, sandbox.h, sandbox_futils.c: + White space fixes. + + 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c, + configure.in, getcwd.c, libsandbox.c, symbols.in: + Fix inverse test logic in canonicalize.c, use a strncpy. Fix gcc warning in + getcwd.c. Add symbols.in and logic to Makefile.am to generate symbol versions + for glibc and other libc's that use this. Update libsandbox.c to use these + symbol versions if available. Fix exec wrapper to re-export LD_PRELOAD if the + process unset it. + + 01 Mar 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c: + killed off _init and _fini in favor of + void __attribute__ ((constructor)) init_func and + void __attribute__ ((destructor)) closing_func. _(init|func) were deprecated. + + 06 Dec 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, libsandbox.c, + canonicalize.c, getcwd.c: Fixed compilation *again*. Hopefully cvs is done + having the hick-ups. + + 04 Dec 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, getcwd.c, + Makefile.am: Fixed compilation. + + 01 Dec 2004; Brian Harring <ferringb@gentoo.org> aclocal.m4: + Gutted the bugger so it stops checking for a c++ and fortran compiler. + Do *not* regenerate aclocal.m4 for making a release until a better + solution is created. + + 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, sandbox_futils.c: + Removal of more hardcoded paths. + + 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in, + sandbox_futils.c: tweaks to install sandbox.bashrc, and use it. + + 19 Nov 2004; Brian Harring <ferringb@gentoo.org>: + Sandbox is now autotooled, create-localdecls needs to be killed and the code + shifted into configure.in. Currently builds *one* libsandbox.so- if multiple + are desired (-m64 and -m32 for amd64), the ebuild should do it (imo). + To get to a point of testing, automake && autoconf; created requisite files w/ + a(utomake|clocal)-1.8, and autoconf 2.59. Installs to /usr/, instead of + /lib and /usr/lib/portage/bin. + + 14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c: + closing out bug #70225, potential overflow of the sandbox_pids_file var. + + 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard, + (think it was at least) allows intermixing of code and data segments. bug #70351 + should be fixed by this. + + 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c: + futils fix from bug #65201 via solar, and libsandbox log path checks via #69137 + + 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from + Seth Robertson that tracked down all adjuct flags for read operations that + do not invoke a write operation. + + 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: + Another fix from jstubbs regarding a free() on a stack variable for the + environment -- tracking now prevents extraneous free()'s segfault. + + 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: + J. Stubbs tracked down a new bug where mkdir was failing to the patch on + the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir. + Also remove the errno = ESUCCESS settings as documentation points out that + a library isn't allowed to do that. + + 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a + file_security_check() function to check random potential exploits on files + that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes + the 'system-crippling' exploits (bug 21923) and catches a few other + potential problems. + + 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for + 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work. + + 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: + bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>. + Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>. + + 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c : + Fix permissions and group of pids file and logs. Permissions should be 0664 + and group should be 'portage'. Bug #34260. + + 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed + to the real execve (in our execve wrapper). Seems that on some arches (sparc + among others) do not allow us to tamper with the readonly copy passed to + execve, so pass our own copy of the environment. Bug #42290. + + 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls: + Changed tail to head and added a notice about duration of glibc check. + + 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls: + Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh + as there isn't a guarentee that it is dynamic. + + 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + If 'file' passed to before_syscall(const char *func, const char *file) is + invalid, we should set errno to ENOENT, and not EINVAL. This should + close bug #32238. + + 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix a bug that occurs mainly on 64bit arch, where the file passed to + the functions we wrap, is invalid, and then cause canonicalize to pass + garbage to before_syscall(), thanks to great detective work from + Andrea Luzzardi <al@sig11.org> (bug #29846). + + 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : + Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>. + + 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically + only checked the destination patch, and not the source, so we could move + a protected file to a unprotected directory, and then delete/modify it. + Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix. + + 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c : + Added python2.3 to the predict section/variable. + + 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.h, sandbox_futils.c : + Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If + it is not set, it will revert to its old value. + + 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so, + rather than failing with a violation, bug #29748. + + 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix canonicalize() to ignore calls with path = "". + + 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c, + sandbox_futils.c, canonicalize.c : + Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system + call handled strings larger than PATH_MAX (bug #21766). It however does not + work the same on 2.4 kernels. + + To fix, I added the posix implementation of getcwd() (from glibc cvs) that + do not need the system call. We use the default getcwd() function via a + wrapper (egetcwd), and then lstat the returned path. If lstat fails, it + means the current directory was removed, OR that the the system call for + getcwd failed (curious is that it do not fail and return NULL or set + errno, but rather just truncate the retured directory - usually from the + start), and if so, we use the generic getcwd() function (__egetcwd). Note + that we do not use the generic version all the time, as it calls lstat() + a great number of times, and performance degrade much. + + 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls, + libsandbox.c : + Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks. + + 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c + create-localdecls : + When checking path names of files accessed, we need to canonicalize it, else + it may be a symlink in a 'write allowed' directory pointing to a file in a + directory we should not have write access to. + + With something like coreutils-5.0, we have two problems: + 1) One of the tests checks if getcwd() can return a path longer than + PATH_MAX. This test then tries to create a dir which even while + created local (mkdir("conftest2")), it ends up being resolved with + a name that is much larger than PATH_MAX. The problem now is that + canonicalize() have undefined behaviour when the path was too long + (returned wrongly truncated paths, etc), and pass the wrong path to + before_syscall() (causing the bogus sandbox violations). + 2) The ecanonicalize() function we used, along with the canonicalize() + function did not support longer than PATH_MAX. This is partly a + cause for 1), but the error checking (rather lack of it) of calls + to erealpath() in canonicalize() was the prime reason for 1). + + As we do not use this canonicalized name to call the function, we resolve this + by fixing canonicalize() to do better error checking, and ecanonicalize() as + well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'. + While they will resolve paths properly now, and can check if a write/read is + allowed, the functions called from the sandboxed environment will still work + as expected. + + This should resolve bug #21766. + + 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under + it (bug #16298). + + Problem is that for some reason locale fopen's locale.alias with mode "rm". + + ------------------------------------------------------- + nosferatu root # grep fopen locale.log + fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias + nosferatu root # + -------------------------------------------------------- + + I checked the source of locale, but it have fopen with mode 'r', so + not sure where the "rm" mode comes from. Anyhow, changed the check in + before_syscall_open_char() to also see mode "rm" as readonly. + + 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : + + Add glibc-2.3 support. + + 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c : + + Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all + operations releated to preload, as well as only try to modify ld.so.preload + if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when + not using ld.so.preload. Fix to not write this instance of sandbox's pid + to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running. + + 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile : + + Changed the LD to CC for hppa. + + 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : + + Killed the previous changes I made. + + 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : + + Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs. + + 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c : + + Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868. + + 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls : + + Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro> + for this fix. + + 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c : + + sandbox_futils defined a dirname() function that was masking the same + function in glibc and was broken (e.g.: SANDBOX_DIR was being set to + '/usr/lib/portage/bi/'). Fixed function to return expected results and + renamed it to sb_dirname() to no longer mask the glibc function. Closes bug + 11231. + + 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> : + + Fix a segfault in libsandbox.c if canonicalize() was called with + first parameter = NULL. + + 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> : + + Fix my braindead 'return 1;' in a void function. Updated sandbox.c, + cleanup() for this. + + Change cleanup() in sandbox.c not to exit with fail status if + the pidsfile is missing. We really should still display sandbox + violations if they occured. + + 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Update cleanup() in sandbox.c to remove the PIDSFILE if this is + the last sandbox running. + + 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Major cleanups to mainly libsandbox.c again. + + 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the + parties involved should please contact me so that we can fix it. + + Add opendir wrapper to libsandbox.c. + + 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Do some more cleanups to ecanonicalize(), as it dropped filenames in + rare cases (after my symlink cleanups), and caused glibc to bork. + These fixes went into canonicalize.c. + + 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Fix spawn_shell() and main() in sandbox.c to properly return fail + status. + + 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + The new canonicalize() function in libsandbox.c also resolved symlinks, + which caused on cleaning sandbox errors if the symlink pointed to a + file in the live root. Ripped out canonicalize() and realpath() from + glibc; removed the symlink stuff, and changed them to ecanonicalize() + and erealpath(). + + 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Ripped out all the wrappers, and implemented those of InstallWatch. + Losts of cleanups and bugfixes. Implement a execve that forces + $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared + /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c, + sandbox.h and sandbox_futils.c. Rewrote the Makefile for most + parts; it now have an install target. + + Reformat the whole thing to look somewhat like the reworked sandbox.c + and new sandbox.h and sandbox_futils.c from: + + Brad House <brad@mainstreetsoftworks.com>. + + Additional Copyrights now due to the InstallWatch code: + + Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net> + |