Commit log. Each entry: commit message [Author, Date, Files changed, Lines -removed/+added]
* tests: make all shell scripts executable [Mike Frysinger, 2016-03-29, 9 files, -0/+0]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow user to force SIGKILL [Mike Frysinger, 2016-03-29, 1 file, -2/+10]
  Sometimes the child process can get wedged and not respond to CTRL+C, so add an escape hatch so the user can easily force SIGKILL.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: make check_syscall ISE a little more useful [Mike Frysinger, 2016-03-29, 1 file, -2/+2]
  Showing just the resolved paths isn't too helpful when they're both NULL. Also include the failing func & original file path.
  URL: https://bugs.gentoo.org/553092
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use ptrace on apps that interpose their own allocator [Mike Frysinger, 2016-02-16, 7 files, -42/+210]
  If an app installs its own memory allocator by overriding the internal glibc symbols, then we can easily hit a loop that cannot be broken: the dlsym functions can attempt to allocate memory, and sandbox relies on them to find the "real" functions. So when someone calls a symbol that the sandbox protects, we call dlsym, and that calls malloc, which calls back into the app, and their allocator might use another symbol such as open ... which is protected by the sandbox. So we hit the loop like:
    -> open -> libsandbox:open -> dlsym -> malloc -> open -> libsandbox:open -> dlsym -> malloc -> ...
  Change the exec checking logic to scan the ELF instead. If it exports these glibc symbols, then we have to assume it can trigger a loop, so scrub the sandbox environment to prevent us from being loaded. Then we use the out-of-process tracer (i.e. ptrace). This should generally be as robust anyways ... if it's not, that's a bug we want to fix as this is the same code used for static apps.
  URL: http://crbug.com/586444
  Reported-by: Ryo Hashimoto <hashimoto@chromium.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: add test for overriding mmap [Mike Frysinger, 2016-02-16, 6 files, -0/+56]
  URL: http://bugs.gentoo.org/290249
  Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: clean up same.h distdir usage [Mike Frysinger, 2016-01-18, 1 file, -1/+0]
  In commit 7a923f646ce10b7dec3c7ae5fe2079c10aa21752, we dropped the same.h header, but the build still listed it. Drop it from the distdir list.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add wrappers for execveat & execvpe [Mike Frysinger, 2015-12-22, 3 files, -0/+27]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix alpha ptrace error setting [Mike Frysinger, 2015-12-20, 1 file, -1/+6]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new ia64 ptrace port [Mike Frysinger, 2015-12-20, 3 files, -0/+84]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: check errno with more static tests [Mike Frysinger, 2015-12-20, 3 files, -3/+3]
  This verifies the error code setting with ptrace logic -- if the ptrace code is broken, the errno will often be ENOSYS instead of EPERM.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: hand disable same_name usage [Mike Frysinger, 2015-12-20, 2 files, -34/+0]
  We don't provide same_name because the one caller we don't use, but it relies on gc-sections to avoid link errors. That flag doesn't work on ia64 though, so we need to hand delete the one caller. Ugh.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: disable gc-sections on ia64 systems [Mike Frysinger, 2015-12-20, 1 file, -1/+4]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new powerpc ptrace port [Mike Frysinger, 2015-12-20, 2 files, -0/+32]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new alpha ptrace port [Mike Frysinger, 2015-12-20, 2 files, -0/+60]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new arm ptrace port [Mike Frysinger, 2015-12-20, 2 files, -0/+24]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: fix schizo match on x86 hosts [Mike Frysinger, 2015-12-20, 1 file, -1/+2]
  Forgot to include the trailing glob. Not a big deal as few people use it with these targets.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new s390/s390x ptrace port [Mike Frysinger, 2015-12-20, 3 files, -0/+101]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: improve sparc trace code a bit more [Mike Frysinger, 2015-12-20, 1 file, -8/+26]
  This gets most of the tests passing, but syscall canceling still does not work. Need to talk to upstream to figure it out.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid mixing stderr & output pipes [Mike Frysinger, 2015-12-20, 4 files, -5/+18]
  The various debug helpers were changed to write out to a dedicated message path, but some of the trace code still uses stderr directly. When mixing these methods, the direct prints would sometimes be lost. Convert the few users to a new raw print function so they all route through the same file.
  We might want to extract this a bit more out in the future so it's easier to write to them, but this should be fine for now.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_efuncs: avoid pointless stdio indirection [Mike Frysinger, 2015-12-19, 1 file, -8/+8]
  We were setting up a FILE* from a file descriptor to pass to sb_fprintf which is a simple macro that calls fileno(fp) to pass the fd down. We can call the fd funcs directly and avoid the whole stdio business.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: switch to PTRACE_O_TRACEEXEC [Mike Frysinger, 2015-12-19, 2 files, -47/+29]
  Rather than try to deal with the inconsistent cross-arch behavior when it comes to tracking exec behavior, use the PTRACE_O_TRACEEXEC option. This means we only support ptrace on linux-2.6+ systems, but that's fine as we have been requiring that for a long time now. It also means the code is much simpler and stable across arches.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: fix SB_SCHIZO automake conditional [Mike Frysinger, 2015-12-19, 1 file, -1/+1]
  The rework in commit 46fe624223cfe62fb6c2fbb609be42f2f1d1734b broke the set up of the SB_SCHIZO automake conditional for non-schizo builds as it was not updated to the new variable. This would cause the syscall table to always be empty and thus the ptrace code would never match.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: tweak edge cases of realloc a bit [Mike Frysinger, 2015-12-19, 1 file, -1/+5]
  We need to return NULL when passed a size of 0 as the API requires the return value be usable w/free, but we just freed the pointer so the ret will cause memory corruption later on.
  When we go to preserve the old content, we don't need the MIN check as we already verified that a few lines up. But leave it for defensive purposes as gcc already optimizes it out for us. Just comment things.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix old_malloc_size check on realloc [Denis Lisov, 2015-12-19, 1 file, -2/+3]
  Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size, while it is really the mmap size, which is greater. Thus it may fail to reallocate even if required.
  URL: https://bugs.gentoo.org/568714
  Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* bump to sandbox-2.11 [Mike Frysinger, 2015-12-19, 1 file, -1/+1]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix memory alignment [tag v2.10; Mike Frysinger, 2015-12-19, 1 file, -3/+6]
  Some targets (like sparc32) have higher alignment requirements for 64-bit values than size_t (which is 4 bytes on sparc32). If we happen to return 4 byte aligned memory which is used to hold a 64-bit, we get bus errors. Use the same algorithm that dlmalloc does.
  URL: https://bugs.gentoo.org/565630
  Reported-by: Denis Kaganovich <mahatma@eu.by>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: do not unnecessarily dereference symlinks [Mike Frysinger, 2015-09-28, 3 files, -3/+43]
  When the target uses a func that operates on a symlink, we should not dereference that symlink when trying to validate the call. It's both a waste of time and it subtly breaks code that checks atime updates. The act of reading symlinks is enough to cause their atime to change.
  URL: https://bugs.gentoo.org/415475
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: add basic parsing of timespec fields [Mike Frysinger, 2015-09-28, 3 files, -2/+26]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: bump min autoconf/automake requirements [Mike Frysinger, 2015-09-27, 1 file, -2/+2]
  No real reason to do this other than making sure people are all testing with the same baseline-ish versions.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* bump to sandbox-2.10 [Mike Frysinger, 2015-09-27, 1 file, -1/+1]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: enable support for linux namespaces [tag v2.9; Mike Frysinger, 2015-09-27, 8 files, -1/+343]
  This initial version doesn't enable their use by default.
  URL: https://bugs.gentoo.org/512794
  Reported-by: Matthew Thode <prometheanfire@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: add helpers for reading config options (w/out env export) [Mike Frysinger, 2015-09-26, 4 files, -13/+40]
  All sandbox settings thus far have been for libsandbox.so to process. With newer features though, we have settings that might only apply to the main sandbox program. Add some helper functions for parsing out those settings (which a later commit will utilize).
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: mark xgetcwd static inline [Mike Frysinger, 2015-09-26, 1 file, -5/+1]
  Rather than use gnu inline where gcc can create external references (which we don't provide), just always inline the xgetcwd func. This fixes building at -O0 optimization levels.
  URL: https://bugs.gentoo.org/561342
  Reported-by: Pryka <pryka.iluvatar@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: add proper option parsing [Mike Frysinger, 2015-09-20, 6 files, -40/+129]
  This lays the groundwork for adding more runtime options.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: avoid overflowing exit codes [Mike Frysinger, 2015-09-20, 1 file, -1/+1]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: do not abort when the target uses bad pointers [Mike Frysinger, 2015-09-20, 7 files, -1/+92]
  If the target passes a bad pointer to the kernel, then trying to extract the data via ptrace will also throw an error. The tracing code should not abort though as there's no valid address to check, and kernel itself will return an error for us. Simply return and move on.
  URL: https://bugs.gentoo.org/560396
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix process_vm_readv addresses/lengths [Mike Frysinger, 2015-09-20, 1 file, -14/+14]
  The current logic calculates the lengths/base addresses incorrectly leading to some kernels/mappings to reject accesses. Make sure we calculate the initial length properly, and then increment the base by that value later on.
  With those fixes in place, we can clean up the warning/exit paths.
  URL: https://bugs.gentoo.org/560396
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use memchr to speed up NUL byte search [Mike Frysinger, 2015-09-20, 1 file, -3/+2]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: rework abi syscall header generation [Mike Frysinger, 2015-09-20, 3 files, -16/+53]
  Probe the availability of multilib headers at configure time so that we can show the status more cleanly. This allows the header generation to be done in parallel and not output confusing warning messages to users.
  URL: https://bugs.gentoo.org/536582
  Reported-by: cmue81@gmx.de
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox.conf: allow writing to /dev/ptmx [Mike Frysinger, 2015-09-20, 1 file, -1/+1]
  We implicitly permit write access to this node by not catching functions like openpty and posix_openpt, but when projects try to access the node directly (due to legacy/fallback logic), the sandbox would reject them. Make access to the node explicit since it's generally harmless.
  URL: https://bugs.gentoo.org/413327
  URL: https://bugs.gentoo.org/550650
  URL: https://bugs.gentoo.org/550670
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* bump to sandbox-2.9 [Mike Frysinger, 2015-09-20, 1 file, -1/+1]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: work around process_vm_readv EFAULTs [tag v2.8; Mike Frysinger, 2015-09-20, 1 file, -2/+15]
  Some people are seeing this call fail, but it's not clear why. Include more debugging output so as to improve the reports, and let the code fall back to the existing ptrace logic since that seems to work. This will at least unblock people's builds.
  URL: https://bugs.gentoo.org/560396
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: improve debugging output a bit [Mike Frysinger, 2015-09-20, 1 file, -2/+4]
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix handling of dangling symlinks [Mike Frysinger, 2015-09-20, 4 files, -5/+64]
  Make sure we properly check the target of symlinks even when the target does not exist. This caused problems in two ways:
  (1) It allowed code to bypass checks by writing through a symlink that was in a good location but pointed to a bad (non-existent) location.
  (2) It caused code to be wrongly rejected when it tried writing to a symlink in a bad location but pointed to a good location.
  In order to get this behavior, we need to use the new gnulib helpers added in the previous commit. They include functions which can look up the targets of symlinks even when the final path doesn't exist.
  URL: https://bugs.gentoo.org/540828
  Reported-by: Rick Farina <zerochaos@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: import modules for canonicalize_filename_mode [Mike Frysinger, 2015-09-20, 28 files, -1/+2715]
  This lays the groundwork for fixing handling of broken symlinks.
  The gnulib code is hand imported because using the gnulib tool imports a ton of code we do not want. Only the bare minimum is imported so we can use the canonicalize_filename_mode function.
  This function is needed to canonicalize symlinks that are ultimately broken. The current sandbox/C library code only supports two modes:
  (1) dereference a single symlink
  (2) dereference *all* symlinks, but only if all links are valid
  For sandbox, we need to know the final path a symlink points to even if that path doesn't (yet) exist.
  Note: This commit doesn't actually fix the bug, just brings in the functions we need to do so.
  URL: https://bugs.gentoo.org/540828
  Reported-by: Rick Farina <zerochaos@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* gitignore: ignore .dirstamp files [Mike Frysinger, 2015-09-20, 1 file, -0/+1]
  Sometimes autotools generates these on us.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: egetcwd: fix handling of NULL inputs [Mike Frysinger, 2015-09-20, 1 file, -4/+16]
  We don't want to let the C library do the memory allocation for us when buf==NULL as it won't use our memory functions, so when we try to call our free on it, we get corruption. Handle the automatic allocation in the code directly.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: undef memory redirect calls [Mike Frysinger, 2015-09-20, 1 file, -0/+6]
  Sometimes the C library will redirect a call to strdup to __strdup which breaks when we're using the libsandbox memory allocator. This was fixed in libsandbox in commit d7801453aced46a6f31d8455877edeb31a5211cc, but we didn't notice in libsbutil as no calls to strdup happened to come up.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: do not let gcc rewrite memory calls [Mike Frysinger, 2015-09-20, 1 file, -0/+4]
  We don't want gcc to rewrite malloc/memset calls to calloc as it will make calloc recursively call itself. Add other memory calls just to be safe.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid leaking memory when extracting strings [Mike Frysinger, 2015-09-15, 1 file, -2/+3]
  If userland supports process_vm_readv, but the kernel does not (newer kernel headers & C lib than kernel), then we leak a bit of memory when we fallback to the ptrace code. Do not re-allocate the ret buffer if the code does fallback.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>