aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2009-03-12 02:57:49 -0400
committerMike Frysinger <vapier@gentoo.org>2009-03-12 09:00:00 -0400
commit950960a7be813854495c5e7420ff5ef9d674c662 (patch)
tree3f3b789b2dd1a648ce2e7966768b2b9d69334553 /libsandbox/wrapper-funcs
parenttests: make sure non-root mkdir works with funky perms (diff)
downloadsandbox-950960a7be813854495c5e7420ff5ef9d674c662.tar.gz
sandbox-950960a7be813854495c5e7420ff5ef9d674c662.tar.bz2
sandbox-950960a7be813854495c5e7420ff5ef9d674c662.zip
libsandbox: add debug output for all wrapper early-checks
If a wrapped function bails early due to some local logic, make sure we log this at the debug level. Having them silently return on us makes tracking down problems harder than it needs to be. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'libsandbox/wrapper-funcs')
-rw-r--r--libsandbox/wrapper-funcs/__openat_2.c6
-rw-r--r--libsandbox/wrapper-funcs/fopen.c6
-rw-r--r--libsandbox/wrapper-funcs/mkdirat.c9
-rw-r--r--libsandbox/wrapper-funcs/openat.c6
-rw-r--r--libsandbox/wrapper-funcs/unlinkat.c10
5 files changed, 31 insertions, 6 deletions
diff --git a/libsandbox/wrapper-funcs/__openat_2.c b/libsandbox/wrapper-funcs/__openat_2.c
index fd13714..c64909f 100644
--- a/libsandbox/wrapper-funcs/__openat_2.c
+++ b/libsandbox/wrapper-funcs/__openat_2.c
@@ -31,8 +31,12 @@ static inline bool PRE_CHECK_FUNC(WRAPPER_NAME)(WRAPPER_ARGS_PROTO)
{
struct stat st;
save_errno();
- if (-1 == stat(pathname, &st))
+ if (-1 == stat(pathname, &st)) {
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s): %s\n",
+ STRING_NAME, pathname, strerror(errno));
return false;
+ }
restore_errno();
}
}
diff --git a/libsandbox/wrapper-funcs/fopen.c b/libsandbox/wrapper-funcs/fopen.c
index bb848b6..b33c4df 100644
--- a/libsandbox/wrapper-funcs/fopen.c
+++ b/libsandbox/wrapper-funcs/fopen.c
@@ -20,8 +20,12 @@ static inline bool sb_fopen_pre_check(WRAPPER_ARGS_PROTO)
/* If we're trying to read, fail normally if file does not stat */
struct stat st;
- if (-1 == stat(pathname, &st))
+ if (-1 == stat(pathname, &st)) {
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s): %s\n",
+ STRING_NAME, pathname, strerror(errno));
return false;
+ }
restore_errno();
}
diff --git a/libsandbox/wrapper-funcs/mkdirat.c b/libsandbox/wrapper-funcs/mkdirat.c
index 5d24a50..2eb1018 100644
--- a/libsandbox/wrapper-funcs/mkdirat.c
+++ b/libsandbox/wrapper-funcs/mkdirat.c
@@ -19,8 +19,12 @@ static inline bool sb_mkdirat_pre_check(WRAPPER_ARGS_PROTO)
if (-1 == canonicalize(pathname, canonic))
/* see comments in check_syscall() */
- if (ENAMETOOLONG != errno)
+ if (ENAMETOOLONG != errno) {
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s) @ canonicalize: %s\n",
+ STRING_NAME, pathname, strerror(errno));
return false;
+ }
/* XXX: Hack to prevent errors if the directory exist, and are
* not writable - we rather return EEXIST than fail. This can
@@ -30,6 +34,9 @@ static inline bool sb_mkdirat_pre_check(WRAPPER_ARGS_PROTO)
*/
struct stat st;
if (0 == lstat(canonic, &st)) {
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s) @ lstat: %s\n",
+ STRING_NAME, pathname, strerror(errno));
errno = EEXIST;
return false;
}
diff --git a/libsandbox/wrapper-funcs/openat.c b/libsandbox/wrapper-funcs/openat.c
index 2855464..68d90a5 100644
--- a/libsandbox/wrapper-funcs/openat.c
+++ b/libsandbox/wrapper-funcs/openat.c
@@ -35,8 +35,12 @@ static inline bool PRE_CHECK_FUNC(WRAPPER_NAME)(_WRAPPER_ARGS_PROTO)
{
struct stat st;
save_errno();
- if (-1 == stat(pathname, &st))
+ if (-1 == stat(pathname, &st)) {
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s): %s\n",
+ STRING_NAME, pathname, strerror(errno));
return false;
+ }
restore_errno();
}
}
diff --git a/libsandbox/wrapper-funcs/unlinkat.c b/libsandbox/wrapper-funcs/unlinkat.c
index ddbbaf6..ea23aa7 100644
--- a/libsandbox/wrapper-funcs/unlinkat.c
+++ b/libsandbox/wrapper-funcs/unlinkat.c
@@ -20,7 +20,7 @@ static inline bool sb_unlinkat_pre_check(WRAPPER_ARGS_PROTO)
if (-1 == canonicalize(pathname, canonic))
/* see comments in check_syscall() */
if (ENAMETOOLONG != errno)
- return false;
+ goto error;
/* XXX: Hack to make sure sandboxed process cannot remove
* a device node, bug #79836. */
@@ -28,12 +28,18 @@ static inline bool sb_unlinkat_pre_check(WRAPPER_ARGS_PROTO)
0 == strcmp(canonic, "/dev/zero"))
{
errno = EACCES;
- return false;
+ goto error;
}
restore_errno();
return true;
+
+ error:
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s): %s\n",
+ STRING_NAME, pathname, strerror(errno));
+ return false;
}
#define WRAPPER_PRE_CHECKS() sb_unlinkat_pre_check(WRAPPER_ARGS)