| Commit message | Author | Age | Files | Lines |
| |
Sandbox commit 55087abd8dc9802cf68cade776fe612a3f19f6a1 is for the purpose
of preventing a loop or deadlock caused by a package implementing its own
libc memory allocation functions, which themselves may call on sandbox-wrapped
system calls, whose implementation depends on further calls to such memory
functions. If any binaries export such symbols, sandbox assumes the worst
and prevents loading of libsandbox.so and instead opts for ptrace.
In preventing the loading of libsandbox, it removes all variables whose
env_pair.name field matches the name of an environment variable from the
environment, for all env_pairs of vars[] in
char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert) in
"libsandbox/libsandbox.c". This includes not just the usual environment
variables prefixed with 'SANDBOX_' but also LD_PRELOAD and LD_LIBRARY_PATH.
LD_PRELOAD clearly should be removed. But LD_LIBRARY_PATH would only seem
to be trouble if used with LD_PRELOAD. As such it makes sense to me to
prevent the removal of LD_LIBRARY_PATH.
Given the fact that the positions of the env_pairs in vars[] are intended
to be hard-coded (from libsandbox.c: /* Indices matter -- see init below */),
this commit uses the index of the env_pair corresponding to LD_LIBRARY_PATH to
prevent its removal.
| |
Fix the path matching code to match prefixes component-wise rather than
literally. This means that a path such as '/foo' will no longer match
'/foobar' but only '/foo' and its subdirectories (if it is a directory).
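The component-wise rule described above, as an added example written for this page and not sandbox's own path code: the old literal check is kept beside the corrected one so the '/foobar' case is visible. The names sb_prefix_match_literal, sb_prefix_match and sb_first_match and the allow-list in main are constructed for illustration; both paths are assumed to be canonical already, and the "(if it is a directory)" qualification is not checked against the filesystem here.

```c
#include <stdio.h>
#include <string.h>

/* The old, literal behaviour: a raw byte comparison of the first strlen(prefix)
 * bytes.  "/foo" matches "/foobar" because the first four bytes agree.
 * Kept only to show what the component-wise check below fixes. */
int sb_prefix_match_literal(const char *prefix, const char *path)
{
    return strncmp(prefix, path, strlen(prefix)) == 0;
}

/* Component-wise prefix match: `path` matches `prefix` when it is the same
 * path or lies beneath it, so the byte following the prefix must be either
 * the end of the string or the '/' that starts the next component.
 * Trailing slashes on the prefix are ignored ("/foo/" means "/foo"), the root
 * prefix "/" matches every absolute path, and an empty prefix matches nothing.
 * Both arguments are assumed to be canonical already (no "..", no "//"). */
int sb_prefix_match(const char *prefix, const char *path)
{
    size_t plen = strlen(prefix);
    while (plen > 1 && prefix[plen - 1] == '/')
        plen--;
    if (plen == 0)
        return 0;
    if (plen == 1 && prefix[0] == '/')
        return path[0] == '/';
    if (strncmp(prefix, path, plen) != 0)
        return 0;
    return path[plen] == '\0' || path[plen] == '/';
}

/* Index of the first entry in a NULL-terminated prefix list that covers
 * `path`, or -1 when none does (the shape of an allow-list lookup). */
int sb_first_match(const char *const *prefixes, const char *path)
{
    for (int i = 0; prefixes[i]; i++)
        if (sb_prefix_match(prefixes[i], path))
            return i;
    return -1;
}

int main(void)
{
    /* Constructed allow-list and probes, not taken from any real configuration. */
    static const char *const allow[] = { "/usr/lib/", "/var/tmp/portage", NULL };
    static const char *const probes[] = {
        "/var/tmp/portage/pkg-1.0/work", "/var/tmp/portage-evil", "/usr/lib", "/usr/lib64/x",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-32s literal=%d component=%d\n", probes[i],
               sb_prefix_match_literal("/var/tmp/portage", probes[i]),
               sb_first_match(allow, probes[i]));
    return 0;
}
```

The literal check lets a writable prefix such as /var/tmp/portage leak into a sibling like /var/tmp/portage-evil; the component-wise check only accepts the same path or a descendant. Canonicalising before matching is still required, otherwise "/var/tmp/portage/../evil" would pass both checks.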
| |
Remove the hack supposedly responsible for making it possible to remove
symbolic links to protected files. The hack was probably necessary back
when the write check was performed on the fully resolved path. However,
currently the path resolution is no longer performed when the operation
does not resolve symlinks, effectively making the hack redundant.
| |
Add a pre-check for opendir that catches too long name arguments
given to opendir, as it would get messed up and abort before it
even gets to the open*() syscall (which would handle it correctly),
due to opendir going through before_syscall/check_syscall, even
though it isn't a true syscall and it getting cut to SB_PATH_MAX
in between and getting confused somewhere.
Test case added by Michał Górny <mgorny@gentoo.org>.
Bug: https://bugs.gentoo.org/553092
Signed-off-by: Mart Raudsepp <leio@gentoo.org>
| |
These funcs don't deref their path args, so flag them as such.
URL: https://bugs.gentoo.org/612202
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Since sb_maybe_gdb is set up as a stub macro, make sure we don't define
the function either to cut down on size and build failures (when the
macro tries to expand the function prototype).
URL: https://bugs.gentoo.org/600550
| |
When prelink runs on an ELF, it moves the string table from right
after the symbol table to the end, and then replaces the string
table with its liblist table. This ends up breaking sandbox's
assumption that the string table always follows the symbol table
leading to prelinked ELFs crashing.
Update the range check to use the liblist table when available.
Since the prelink code has this logic hardcoded (swapping the
string table for the liblist table), this should be OK for now.
URL: https://bugs.gentoo.org/599894
Reported-by: Anders Larsson <anders.gentoo@larsson.xyz>
Reported-by: Kenton Groombridge <rustyvega@comcast.net>
Reported-by: Marien Zwart <marien.zwart@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
URL: https://bugs.gentoo.org/578516
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
The strtab assumption works if there is no SysV hash table.
Add logic to handle that scenario.
URL: https://bugs.gentoo.org/578524
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Commit 48520a35697aa39bed046b9668a3e3e5f8a8ba93 fixed the configure logic,
but the build would fail to link for x86 systems as the syscall table was
not actually set up.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Sometimes the child process can get wedged and not respond to CTRL+C,
so add an escape hatch so the user can easily force SIGKILL.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Showing just the resolved paths isn't too helpful when they're both
NULL. Also include the failing func & original file path.
URL: https://bugs.gentoo.org/553092
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
If an app installs its own memory allocator by overriding the internal
glibc symbols, then we can easily hit a loop that cannot be broken: the
dlsym functions can attempt to allocate memory, and sandbox relies on
them to find the "real" functions. So when someone calls a symbol that
the sandbox protects, we call dlsym, and that calls malloc, which calls
back into the app, and their allocator might use another symbol such as
open ... which is protected by the sandbox. So we hit the loop like:
-> open -> libsandbox:open -> dlsym -> malloc -> open ->
libsandbox:open -> dlsym -> malloc -> ...
Change the exec checking logic to scan the ELF instead. If it exports
these glibc symbols, then we have to assume it can trigger a loop, so
scrub the sandbox environment to prevent us from being loaded. Then we
use the out-of-process tracer (i.e. ptrace). This should generally be
as robust anyways ... if it's not, that's a bug we want to fix as this
is the same code used for static apps.
URL: http://crbug.com/586444
Reported-by: Ryo Hashimoto <hashimoto@chromium.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
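The ELF scan that this commit and the LD_LIBRARY_PATH commit above both describe, as an added example written for this page and not sandbox's own code: it decides whether a binary exports its own allocator, which is the condition under which libsandbox must not be preloaded and the ptrace tracer is used instead. It assumes Linux <elf.h> and little-endian ELF64 input, walks section headers rather than the dynamic section, and the names sb_alloc_syms, sb_elf_exports_allocator, sb_build_fake_elf and sb_demo_scan are constructed for illustration; the image sb_build_fake_elf produces is a constructed, non-loadable test input.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* If a binary *defines* (rather than imports) any of these in .dynsym, it has
 * replaced glibc's allocator and can re-enter a wrapped call from inside dlsym. */
static const char *const sb_alloc_syms[] = {
    "malloc", "free", "calloc", "realloc", "memalign", "posix_memalign", "aligned_alloc", NULL,
};

/* Scan a little-endian ELF64 image in memory: 1 = defines an allocator symbol,
 * 0 = does not, -1 = not an image we can walk safely.  `buf` must be aligned
 * for the ELF structs (mmap()ed or malloc()ed memory is); every offset/size
 * pair is checked against `len` before it is dereferenced. */
int sb_elf_exports_allocator(const unsigned char *buf, size_t len)
{
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return -1;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (eh->e_shentsize != sizeof(Elf64_Shdr) || eh->e_shoff > len ||
        (uint64_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff)
        return -1;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(buf + eh->e_shoff);
    for (unsigned i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_type != SHT_DYNSYM)
            continue;
        if (sh[i].sh_link >= eh->e_shnum || sh[i].sh_entsize != sizeof(Elf64_Sym))
            return -1;
        const Elf64_Shdr *st = &sh[sh[i].sh_link];          /* its string table */
        if (sh[i].sh_offset > len || sh[i].sh_size > len - sh[i].sh_offset ||
            st->sh_offset > len || st->sh_size > len - st->sh_offset)
            return -1;
        const Elf64_Sym *sym = (const Elf64_Sym *)(buf + sh[i].sh_offset);
        const char *strtab = (const char *)(buf + st->sh_offset);
        for (uint64_t j = 0; j < sh[i].sh_size / sizeof(Elf64_Sym); j++) {
            /* SHN_UNDEF = imported, so glibc still provides it; locals are not exported. */
            if (sym[j].st_shndx == SHN_UNDEF || ELF64_ST_BIND(sym[j].st_info) == STB_LOCAL)
                continue;
            if (sym[j].st_name >= st->sh_size ||
                !memchr(strtab + sym[j].st_name, '\0', st->sh_size - sym[j].st_name))
                return -1;                                  /* name runs off .dynstr */
            for (const char *const *a = sb_alloc_syms; *a; a++)
                if (strcmp(strtab + sym[j].st_name, *a) == 0)
                    return 1;
        }
    }
    return 0;
}

/* Constructed test input: a minimal, non-loadable ELF64 image with a null section
 * header, a .dynsym holding one symbol called `name`, and its .dynstr.  `defined`
 * chooses whether that symbol is provided by the image or only imported. */
enum { FAKE_SH = 64, FAKE_STR = 512, FAKE_SYM = 1024, FAKE_LEN = 2048 };

size_t sb_build_fake_elf(unsigned char *buf, size_t cap, const char *name, int defined)
{
    size_t nlen = strlen(name) + 1;
    if (cap < FAKE_LEN || nlen + 1 > FAKE_SYM - FAKE_STR)
        return 0;
    memset(buf, 0, FAKE_LEN);
    Elf64_Ehdr *eh = (Elf64_Ehdr *)buf;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64;
    eh->e_ident[EI_DATA] = ELFDATA2LSB;
    eh->e_type = ET_DYN;
    eh->e_shoff = FAKE_SH;
    eh->e_shentsize = sizeof(Elf64_Shdr);
    eh->e_shnum = 3;                                /* [0] null, [1] .dynsym, [2] .dynstr */
    Elf64_Shdr *sh = (Elf64_Shdr *)(buf + FAKE_SH);
    sh[1].sh_type = SHT_DYNSYM;
    sh[1].sh_offset = FAKE_SYM;
    sh[1].sh_size = 2 * sizeof(Elf64_Sym);          /* the null symbol plus ours */
    sh[1].sh_entsize = sizeof(Elf64_Sym);
    sh[1].sh_link = 2;
    sh[2].sh_type = SHT_STRTAB;
    sh[2].sh_offset = FAKE_STR;
    sh[2].sh_size = nlen + 1;                       /* "" at index 0, then the name */
    memcpy(buf + FAKE_STR + 1, name, nlen);
    Elf64_Sym *sym = (Elf64_Sym *)(buf + FAKE_SYM);
    sym[1].st_name = 1;
    sym[1].st_info = ELF64_ST_INFO(STB_GLOBAL, STT_FUNC);
    sym[1].st_shndx = defined ? 1 : SHN_UNDEF;     /* any non-zero index counts as defined */
    return FAKE_LEN;
}

/* Build the fake image and scan it: returns sb_elf_exports_allocator's verdict. */
int sb_demo_scan(const char *name, int defined)
{
    static unsigned char img[FAKE_LEN] __attribute__((aligned(16)));
    size_t n = sb_build_fake_elf(img, sizeof img, name, defined);
    return n ? sb_elf_exports_allocator(img, n) : -1;
}
```

To scan a real binary, read or mmap the file and hand the image to sb_elf_exports_allocator; a result of 1 is the case where the environment gets scrubbed and the out-of-process tracer is used. Two caveats: an imported malloc (st_shndx == SHN_UNDEF) is exactly the normal case and must not trigger, and the section-header walk used here is a convenience, since section headers can be stripped or rearranged; libsandbox reads the dynamic section instead, where sizing the symbol table without a SysV hash table, or after prelink has moved the string table, is the problem the hash-table and prelink commits above address.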
| |
URL: http://bugs.gentoo.org/290249
Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
In commit 7a923f646ce10b7dec3c7ae5fe2079c10aa21752, we dropped the same.h
header, but the build still listed it. Drop it from the distdir list.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
This verifies the error code setting with ptrace logic -- if the ptrace
code is broken, the errno will often be ENOSYS instead of EPERM.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
We don't provide same_name because the one caller we don't use, but it
relies on gc-sections to avoid link errors. That flag doesn't work on
ia64 though, so we need to hand delete the one caller. Ugh.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Forgot to include the trailing glob. Not a big deal as few people use
it with these targets.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
This gets most of the tests passing, but syscall canceling still
does not work. Need to talk to upstream to figure it out.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
The various debug helpers were changed to write out to a dedicated message
path, but some of the trace code still uses stderr directly. When mixing
these methods, the direct prints would sometimes be lost. Convert the few
users to a new raw print function so they all route through the same file.
We might want to extract this a bit more out in the future so it's easier
to write to them, but this should be fine for now.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
We were setting up a FILE* from a file descriptor to pass to sb_fprintf
which is a simple macro that calls fileno(fp) to pass the fd down. We
can call the fd funcs directly and avoid the whole stdio business.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Rather than try to deal with the inconsistent cross-arch behavior when it
comes to tracking exec behavior, use the PTRACE_O_TRACEEXEC option. This
means we only support ptrace on linux-2.6+ systems, but that's fine as we
have been requiring that for a long time now. It also means the code is
much simpler and stable across arches.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
The rework in commit 46fe624223cfe62fb6c2fbb609be42f2f1d1734b broke the
set up of the SB_SCHIZO automake conditional for non-schizo builds as it
was not updated to the new variable. This would cause the syscall table
to always be empty and thus the ptrace code would never match.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
We need to return NULL when passed a size of 0 as the API requires the
return value be usable w/free, but we just freed the pointer so the ret
will cause memory corruption later on.
When we go to preserve the old content, we don't need the MIN check as
we already verified that a few lines up. But leave it for defensive
purposes as gcc already optimizes it out for us. Just comment things.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size,
while it is really the mmap size, which is greater. Thus it may fail
to reallocate even if required.
URL: https://bugs.gentoo.org/568714
Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Some targets (like sparc32) have higher alignment requirements for 64-bit
values than size_t (which is 4 bytes on sparc32). If we happen to return
4 byte aligned memory which is used to hold a 64-bit, we get bus errors.
Use the same algorithm that dlmalloc does.
URL: https://bugs.gentoo.org/565630
Reported-by: Denis Kaganovich <mahatma@eu.by>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
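The three allocator commits above (realloc of size 0 returning NULL, the mmap size versus the usable size, and dlmalloc-style alignment) as one added example, written for this page and not sandbox's own allocator: a minimal mmap-backed malloc/realloc/free that keeps the two sizes in separate header fields and decides in-place growth on the mapping's capacity. The names sb_malloc, sb_realloc, sb_free, sb_usable_size, sb_map_size and struct sb_hdr are constructed for illustration; it assumes Linux/glibc mmap with MAP_ANONYMOUS and one mapping per allocation.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* dlmalloc's rule: align to twice the pointer size.  That is 8 bytes on a
 * 32-bit target such as sparc32, enough for a 64-bit value, and 16 on 64-bit. */
#define SB_ALIGN       (2 * sizeof(void *))
#define SB_ALIGN_UP(n) (((n) + SB_ALIGN - 1) & ~(SB_ALIGN - 1))

/* Header kept in front of every allocation.  map_size is what the kernel
 * mapped; usable is what the caller asked for.  The two are never interchangeable. */
struct sb_hdr {
    size_t map_size;
    size_t usable;
};
#define SB_HDR_SIZE SB_ALIGN_UP(sizeof(struct sb_hdr))
#define SB_HDR(p)   ((struct sb_hdr *)((char *)(p) - SB_HDR_SIZE))

static size_t sb_page_round(size_t n)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    return (n + pg - 1) & ~(pg - 1);
}

void *sb_malloc(size_t size)
{
    if (size > SIZE_MAX / 2)                       /* keeps the rounding below from wrapping */
        return NULL;
    size_t map = sb_page_round(SB_HDR_SIZE + size);
    void *p = mmap(NULL, map, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    struct sb_hdr *h = p;
    h->map_size = map;
    h->usable = size;
    return (char *)p + SB_HDR_SIZE;                /* page-aligned base + aligned header */
}

size_t sb_usable_size(void *ptr) { return ptr ? SB_HDR(ptr)->usable : 0; }
size_t sb_map_size(void *ptr)    { return ptr ? SB_HDR(ptr)->map_size : 0; }

void sb_free(void *ptr)
{
    if (ptr)
        munmap(SB_HDR(ptr), SB_HDR(ptr)->map_size);
}

void *sb_realloc(void *ptr, size_t size)
{
    if (!ptr)
        return sb_malloc(size);
    if (size == 0) {
        /* The block is released here, so returning it would hand the caller a
         * dangling pointer; NULL is the only value free() can safely take. */
        sb_free(ptr);
        return NULL;
    }
    struct sb_hdr *h = SB_HDR(ptr);
    size_t capacity = h->map_size - SB_HDR_SIZE;  /* usable capacity, not the raw mmap size */
    if (size <= capacity) {
        h->usable = size;                          /* grow or shrink in place */
        return ptr;
    }
    void *n = sb_malloc(size);
    if (!n)
        return NULL;                               /* caller still owns ptr, as realloc() promises */
    memcpy(n, ptr, h->usable < size ? h->usable : size);   /* usable < size here; MIN kept defensively */
    sb_free(ptr);
    return n;
}

int main(void)
{
    char *p = sb_malloc(10);
    if (!p)
        return 1;
    memcpy(p, "0123456789", 10);
    char *q = sb_realloc(p, 1 << 20);              /* forces a fresh mapping and a copy */
    if (!q)
        return 1;
    printf("aligned=%d usable=%zu map=%zu first=%c\n",
           (uintptr_t)q % SB_ALIGN == 0, sb_usable_size(q), sb_map_size(q), q[0]);
    printf("realloc(q, 0) -> %p\n", sb_realloc(q, 0));
    return 0;
}
```

The usable size is the value a SB_MALLOC_TO_SIZE-style query should report; comparing a new request against map_size instead would accept requests that overlap the header and skip reallocations that were needed. The alignment comes for free because the mapping is page-aligned and the header is padded to SB_ALIGN.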
| |
When the target uses a func that operates on a symlink, we should not
dereference that symlink when trying to validate the call. It's both
a waste of time and it subtly breaks code that checks atime updates.
The act of reading symlinks is enough to cause their atime to change.
URL: https://bugs.gentoo.org/415475
Reported-by: Marien Zwart <marienz@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
No real reason to do this other than making sure people are all
testing with the same baseline-ish versions.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
This initial version doesn't enable their use by default.
URL: https://bugs.gentoo.org/512794
Reported-by: Matthew Thode <prometheanfire@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
All sandbox settings thus far have been for libsandbox.so to process.
With newer features though, we have settings that might only apply to
the main sandbox program. Add some helper functions for parsing out
those settings (which a later commit will utilize).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Rather than use gnu inline where gcc can create external references
(which we don't provide), just always inline the xgetcwd func. This
fixes building at -O0 optimization levels.
URL: https://bugs.gentoo.org/561342
Reported-by: Pryka <pryka.iluvatar@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
This lays the groundwork for adding more runtime options.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
If the target passes a bad pointer to the kernel, then trying to extract
the data via ptrace will also throw an error. The tracing code should not
abort though as there's no valid address to check, and kernel itself will
return an error for us. Simply return and move on.
URL: https://bugs.gentoo.org/560396
Reported-by: Jeroen Roovers <jer@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
The current logic calculates the lengths/base addresses incorrectly
leading to some kernels/mappings to reject accesses. Make sure we
calculate the initial length properly, and then increment the base
by that value later on.
With those fixes in place, we can clean up the warning/exit paths.
URL: https://bugs.gentoo.org/560396
Reported-by: Jeroen Roovers <jer@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
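The two tracer commits above (a bad pointer from the tracee must not abort the tracer, and the per-chunk length and base must be computed from the page offset) as one added example, written for this page and not sandbox's trace code. It reads tracee memory with process_vm_readv, which is an assumption about technique rather than a statement about what sandbox uses; the chunking rule is the same whichever primitive does the read. The names sb_chunk_len, sb_read_tracee, sb_read_tracee_string and sb_selfread_demo are constructed, the demo reads the current process's own memory standing in for a tracee, and the sample path is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Bytes that may be read starting at `addr` without crossing into the next
 * page: the initial length has to come from the page offset of the address,
 * and the base is then advanced by exactly what was read. */
size_t sb_chunk_len(uintptr_t addr, size_t remaining, size_t pagesize)
{
    size_t to_page_end = pagesize - (addr & (pagesize - 1));
    return remaining < to_page_end ? remaining : to_page_end;
}

/* Copy `len` bytes out of a tracee's address space one page at a time, so a
 * fault is attributed to the page that is actually unreadable.  Returns the
 * byte count, or -1 with errno set when the kernel refuses.  For a bad pointer
 * the tracer must not abort: the kernel is about to fail the tracee's own
 * syscall with EFAULT anyway, so the caller simply skips the path check. */
ssize_t sb_read_tracee(pid_t pid, uintptr_t addr, void *dst, size_t len)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    size_t done = 0;
    while (done < len) {
        size_t chunk = sb_chunk_len(addr + done, len - done, pagesize);
        struct iovec local  = { .iov_base = (char *)dst + done, .iov_len = chunk };
        struct iovec remote = { .iov_base = (void *)(addr + done), .iov_len = chunk };
        ssize_t n = process_vm_readv(pid, &local, 1, &remote, 1, 0);
        if (n <= 0)
            return -1;      /* EFAULT: unmapped in the tracee; EPERM/ENOSYS: not permitted here */
        done += (size_t)n;  /* a short read stops at a page boundary; resume from there */
    }
    return (ssize_t)done;
}

/* Read a NUL-terminated path argument out of the tracee page by page, never
 * touching a page past the one holding the terminator.  Returns the string
 * length, or -1 if the memory is unreadable before a terminator is found or
 * `cap` bytes are exhausted. */
ssize_t sb_read_tracee_string(pid_t pid, uintptr_t addr, char *dst, size_t cap)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    size_t done = 0;
    while (done < cap) {
        size_t chunk = sb_chunk_len(addr + done, cap - done, pagesize);
        if (sb_read_tracee(pid, addr + done, dst + done, chunk) < 0)
            return -1;
        char *nul = memchr(dst + done, '\0', chunk);
        if (nul)
            return nul - dst;
        done += chunk;
    }
    return -1;
}

/* Self-check that needs no second process: read our own buffer as the tracer
 * would.  1 = data matched, 0 = the kernel refused the read (for example EPERM
 * under a restrictive seccomp profile), -1 = the read returned the wrong bytes. */
int sb_selfread_demo(void)
{
    static const char src[] = "/var/tmp/portage/example";    /* constructed sample path */
    char dst[64];
    ssize_t n = sb_read_tracee_string(getpid(), (uintptr_t)src, dst, sizeof dst);
    if (n < 0)
        return 0;
    return (size_t)n == strlen(src) && strcmp(src, dst) == 0 ? 1 : -1;
}

int main(void)
{
    char scratch[8];
    printf("chunk at 0x1ff0 of 100 bytes with 4k pages: %zu\n", sb_chunk_len(0x1ff0, 100, 4096));
    printf("self read: %d\n", sb_selfread_demo());
    ssize_t bad = sb_read_tracee(getpid(), 0, scratch, sizeof scratch);
    printf("bad pointer: %zd (errno %d)\n", bad, errno);      /* -1, the tracer carries on */
    return 0;
}
```

The failure mode being avoided is a tracer that treats its own read error as fatal: the tracee passed garbage, the kernel will reject it, and the correct response is to skip the check for that argument, not to kill the sandbox.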
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Probe the availability of multilib headers at configure time so that we
can show the status more cleanly. This allows the header generation to
be done in parallel and not output confusing warning messages to users.
URL: https://bugs.gentoo.org/536582
Reported-by: cmue81@gmx.de
Signed-off-by: Mike Frysinger <vapier@gentoo.org>