Commit message | Author | Age | Files | Lines
* m4: ax_* update via autogen.sh (HEAD, master) | Michał Górny | 2019-01-13 | 10 files | -234/+105
  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Flatten data, etc & scripts Makefiles | Michał Górny | 2019-01-13 | 6 files | -26/+18
  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Remove pointless .pch support | Michał Górny | 2019-01-13 | 2 files | -44/+3
  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Bump to 2.15 (v2.15) | Michał Górny | 2019-01-09 | 1 file | -1/+1
  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* exec*() wrappers: never mutate 'environ' of host process | Sergei Trofimovich | 2019-01-08 | 7 files | -55/+96
  In bug #669702 gcc exposed a sandbox bug where the execv() wrapper changed the 'environ' global variable underneath. A few GNU projects (pex_unix_exec_child in gcc and gdb) use the following idiom:

      for (;;) {
          char **save_environ = environ;   // [1] remember the parent's environment
          pid_t pid = vfork();
          if (pid == 0) {                  // child (shares the parent's memory)
              environ = child_environ;     // [2]
              execv(payload, argv);        // [3]
              _exit(127);
          }
          // parent: the child's write at [2] is visible here, so undo it
          environ = save_environ;          // [4]
          ...
          waitpid(pid, ...);
      }

  The code above assumes that execv() does not mutate 'environ'. In the case of #669702 sandbox's execv() wrapper at '[3]' mutated 'environ' and relocated it (via malloc()/free() internally). This caused '[4]' to point 'environ' to a freed location.

  The change fixes it in the following way:
  - execv() call now works more like execve() call by mutating an external array and substitutes 'environ' only for the period of 'execv()' execution.
  - add basic execv()/'environ' corruption test

  Tested on:
  - linux/glibc-2.28
  - linux/uclibc-ng-1.0.31

  Reported-and-tested-by: Walther
  Reported-by: 0x6d6174@posteo.de
  Reported-by: Andrey Korolyov
  Bug: https://bugs.gentoo.org/669702
  Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
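An added regression check (not the sandbox project's own test) for the property the commit above describes: a failing execv() must leave the host's 'environ' pointer and the entries it holds exactly where they were. The missing path is a constructed placeholder assumed not to exist on the host.

```c
#include <stdio.h>
#include <unistd.h>

extern char **environ;

/*
 * Returns 1 when a failing execv() leaves 'environ' untouched, 0 otherwise.
 * A wrapper that rebuilds the environment array and frees the old one
 * (the #669702 behaviour) relocates 'environ' and fails this check.
 * Run under the wrapper being tested (e.g. via LD_PRELOAD) to exercise it.
 */
int execv_preserves_environ(const char *missing_path)
{
    char **saved = environ;
    size_t n = 0;
    while (saved && saved[n] != NULL)
        n++;
    char *first = n ? saved[0] : NULL;
    char *last  = n ? saved[n - 1] : NULL;

    char *const argv[] = { (char *)missing_path, NULL };
    if (execv(missing_path, argv) == 0)
        return 0;   /* never reached: a successful exec replaces the image */

    /* The array pointer itself must not have been relocated ... */
    if (environ != saved)
        return 0;
    /* ... and its contents must still be the same string pointers. */
    if (n == 0)
        return saved == NULL || environ[0] == NULL;
    return environ[0] == first && environ[n - 1] == last && environ[n] == NULL;
}

int main(void)
{
    /* Constructed placeholder path; assumed not to exist on the host. */
    const char *missing = "/nonexistent-dir/constructed-missing-binary";
    int ok = execv_preserves_environ(missing);
    printf("environ preserved across failing execv(): %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```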
* Bump to 2.14 (v2.14) | Michał Górny | 2018-12-02 | 1 file | -1/+1
  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* libsandbox: resolve_dirfd_path /proc/<pid> namespace safety | Zac Medico | 2018-12-02 | 1 file | -1/+8
  If /proc was mounted by a process in a different pid namespace, getpid cannot be used to create a valid /proc/<pid> path. Instead use sb_get_fd_dir() which works in any case.

  This implements option 3 of these choices:
  1) Always create a mount namespace when creating a pid namespace, and remount /proc so that /proc/<pid> entries are always consistent with the current pid namespace.
  2) Use readlink on /proc/self instead of getpid to determine the pid of self in the pid namespace of the /proc mount.
  3) Use /proc/self or /dev/fd directly.

  Bug: https://bugs.gentoo.org/670966
  Signed-off-by: Zac Medico <zmedico@gentoo.org>
  Closes: https://github.com/gentoo/sandbox/pull/1
  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* libsandbox: Remove meaningless/broken -nodefaultlibs | Michał Górny | 2018-07-19 | 1 file | -1/+0
  Remove '-nodefaultlibs' from linking flags for libsandbox as it is apparently meaningless and broken at the same time. When regular libtool is used, it silently strips the option, making it meaningless. When slibtool is used instead, it passes the option, which causes linking to fail due to undefined symbols.

  Thanks to the bug reporter and slibtool devs for researching the problem in detail.

  Bug: https://bugs.gentoo.org/657184
* Update autotools files (v2.13) | Michał Górny | 2018-02-19 | 16 files | -237/+272
* tests: Add a test for LD_PRELOAD non-preserving (SANDBOX_ON=0) | Michał Górny | 2018-02-19 | 2 files | -0/+22
* Disable environment propagation if sandbox is disabled | Michał Górny | 2018-02-12 | 1 file | -0/+5
  Do not enforce restoring sandbox variables in the environment if sandbox is explicitly disabled. This makes it possible to set SANDBOX_ON=0 and then unset LD_PRELOAD without having to resort to ugly hacks to prevent sandbox from restoring itself.

  The only limitation is that if the user sets SANDBOX_ON=0 first, then wipes the environment, he will no longer be able to reenable sandbox by doing SANDBOX_ON=1. However, it is rather unlikely that such a thing would need to happen in real use.

  Bug: https://bugs.gentoo.org/592750
* Post-release bump to 2.13 | Michał Górny | 2017-10-03 | 1 file | -1/+1
* Ensure LD_LIBRARY_PATH is copied to my_env (v2.12) | Peter Levine | 2017-10-03 | 1 file | -2/+2
  Sandbox commit 55087abd8dc9802cf68cade776fe612a3f19f6a1 is for the purpose of preventing a loop or deadlock caused by a package implementing its own libc memory allocation functions, which themselves may call on sandbox-wrapped system calls, whose implementation depends on further calls to such memory functions. If any binaries export such symbols, sandbox assumes the worst and prevents loading of libsandbox.so and instead opts for ptrace.

  In preventing the loading of libsandbox, it removes all variables whose env_pair.name field matches the name of an environment variable from the environment, for all env_pairs of vars[] in char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert) in "libsandbox/libsandbox.c". This includes not just the usual environment variables prefixed with 'SANDBOX_' but also LD_PRELOAD and LD_LIBRARY_PATH.

  LD_PRELOAD clearly should be removed. But LD_LIBRARY_PATH would only seem to be trouble if used with LD_PRELOAD. As such it makes sense to me to prevent the removal of LD_LIBRARY_PATH.

  Given the fact that the positions of the env_pairs in vars[] are intended to be hard-coded (from libsandbox.c: /* Indices matter -- see init below */), this commit uses the index of the env_pair corresponding to LD_LIBRARY_PATH to prevent its removal.
* libsandbox: Fix path matching not to dumbly match prefixes | Michał Górny | 2017-10-03 | 3 files | -3/+40
  Fix the path matching code to match prefixes component-wide rather than literally. This means that a path such as '/foo' will no longer match '/foobar' but only '/foo' and its subdirectories (if it is a directory).
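An added illustration (my own code, not the sandbox project's) of the distinction this commit draws: a naive prefix test lets '/foo' cover '/foobar', while a component-aware test requires the prefix to end at a path separator. Function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* "Before" form: matches any path that merely starts with the prefix,
 * so a rule for "/foo" wrongly covers "/foobar" as well. */
bool prefix_match_naive(const char *prefix, const char *path)
{
    return strncmp(prefix, path, strlen(prefix)) == 0;
}

/* Component-aware form: the prefix must end exactly at a component
 * boundary, so "/foo" covers "/foo" and "/foo/<anything>" only. */
bool prefix_match_components(const char *prefix, const char *path)
{
    size_t len = strlen(prefix);

    /* Treat "/foo/" like "/foo": drop trailing slashes (but keep a lone "/"). */
    while (len > 1 && prefix[len - 1] == '/')
        len--;

    if (strncmp(prefix, path, len) != 0)
        return false;

    /* A prefix of "/" covers every absolute path. */
    if (len == 1 && prefix[0] == '/')
        return true;

    /* Path must end here or continue with a separator, never with "bar". */
    return path[len] == '\0' || path[len] == '/';
}

int main(void)
{
    /* Constructed sample paths. */
    const char *cases[] = { "/foo", "/foo/bar", "/foobar", "/fo" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s naive=%d component=%d\n", cases[i],
               prefix_match_naive("/foo", cases[i]),
               prefix_match_components("/foo", cases[i]));
    return 0;
}
```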
* Remove no-longer-necessary symlink hack in ACL | Michał Górny | 2017-10-03 | 1 file | -40/+0
  Remove the hack supposedly responsible for making it possible to remove symbolic links to protected files. The hack was probably necessary back when the write check was performed on the fully resolved path. However, currently the path resolution is no longer performed when the operation does not resolve symlinks, effectively making the hack redundant.
* libsandbox: do not abort with a long name to opendir | Mart Raudsepp | 2017-09-26 | 5 files | -0/+37
  Add a pre-check for opendir that catches too long name arguments given to opendir, as it would get messed up and abort before it even gets to the open*() syscall (which would handle it correctly), due to opendir going through before_syscall/check_syscall, even though it isn't a true syscall, and it getting cut to SB_PATH_MAX in between and getting confused somewhere.

  Test case added by Michał Górny <mgorny@gentoo.org>.

  Bug: https://bugs.gentoo.org/553092
  Signed-off-by: Mart Raudsepp <leio@gentoo.org>
* libsandbox: whitelist renameat/symlinkat as symlink funcs | Mike Frysinger | 2017-03-10 | 7 files | -1/+49
  These funcs don't deref their path args, so flag them as such.

  URL: https://bugs.gentoo.org/612202
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: elide sb_maybe_gdb when -DNDEBUG is used | Guenther Brunthaler | 2016-11-27 | 1 file | -0/+2
  Since sb_maybe_gdb is set up as a stub macro, make sure we don't define the function either to cut down on size and build failures (when the macro tries to expand the function prototype).

  URL: https://bugs.gentoo.org/600550
* libsandbox: fix symtab walking with prelinked ELFs | Mike Frysinger | 2016-11-16 | 1 file | -11/+28
  When prelink runs on an ELF, it moves the string table from right after the symbol table to the end, and then replaces the string table with its liblist table. This ends up breaking sandbox's assumption that the string table always follows the symbol table, leading to prelinked ELFs crashing.

  Update the range check to use the liblist table when available. Since the prelink code has this logic hardcoded (swapping the string table for the liblist table), this should be OK for now.

  URL: https://bugs.gentoo.org/599894
  Reported-by: Anders Larsson <anders.gentoo@larsson.xyz>
  Reported-by: Kenton Groombridge <rustyvega@comcast.net>
  Reported-by: Marien Zwart <marien.zwart@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: whitelist execvpe | Mike Frysinger | 2016-03-30 | 1 file | -0/+1
  URL: https://bugs.gentoo.org/578516
  Reported-by: Toralf Förster <toralf.foerster@gmx.de>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix symtab walking with some ELFs | Mike Frysinger | 2016-03-29 | 1 file | -13/+17
  The strtab assumption works if there is no SysV hash table. Add logic to handle that scenario.

  URL: https://bugs.gentoo.org/578524
  Reported-by: Toralf Förster <toralf.foerster@gmx.de>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* bump to sandbox-2.12 | Mike Frysinger | 2016-03-29 | 1 file | -1/+1
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix x86 tracing when schizo is active (v2.11) | Mike Frysinger | 2016-03-29 | 1 file | -0/+10
  Commit 48520a35697aa39bed046b9668a3e3e5f8a8ba93 fixed the configure logic, but the build would fail to link for x86 systems as the syscall table was not actually set up.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: make all shell scripts executable | Mike Frysinger | 2016-03-29 | 9 files | -0/+0
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow user to force SIGKILL | Mike Frysinger | 2016-03-29 | 1 file | -2/+10
  Sometimes the child process can get wedged and not respond to CTRL+C, so add an escape hatch so the user can easily force SIGKILL.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: make check_syscall ISE a little more useful | Mike Frysinger | 2016-03-29 | 1 file | -2/+2
  Showing just the resolved paths isn't too helpful when they're both NULL. Also include the failing func & original file path.

  URL: https://bugs.gentoo.org/553092
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use ptrace on apps that interpose their own allocator | Mike Frysinger | 2016-02-16 | 7 files | -42/+210
  If an app installs its own memory allocator by overriding the internal glibc symbols, then we can easily hit a loop that cannot be broken: the dlsym functions can attempt to allocate memory, and sandbox relies on them to find the "real" functions. So when someone calls a symbol that the sandbox protects, we call dlsym, and that calls malloc, which calls back into the app, and their allocator might use another symbol such as open ... which is protected by the sandbox. So we hit the loop like:

      -> open -> libsandbox:open -> dlsym -> malloc -> open -> libsandbox:open -> dlsym -> malloc -> ...

  Change the exec checking logic to scan the ELF instead. If it exports these glibc symbols, then we have to assume it can trigger a loop, so scrub the sandbox environment to prevent us from being loaded. Then we use the out-of-process tracer (i.e. ptrace). This should generally be as robust anyways ... if it's not, that's a bug we want to fix as this is the same code used for static apps.

  URL: http://crbug.com/586444
  Reported-by: Ryo Hashimoto <hashimoto@chromium.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: add test for overriding mmap | Mike Frysinger | 2016-02-16 | 6 files | -0/+56
  URL: http://bugs.gentoo.org/290249
  Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: clean up same.h distdir usage | Mike Frysinger | 2016-01-18 | 1 file | -1/+0
  In commit 7a923f646ce10b7dec3c7ae5fe2079c10aa21752, we dropped the same.h header, but the build still listed it. Drop it from the distdir list.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add wrappers for execveat & execvpe | Mike Frysinger | 2015-12-22 | 3 files | -0/+27
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix alpha ptrace error setting | Mike Frysinger | 2015-12-20 | 1 file | -1/+6
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new ia64 ptrace port | Mike Frysinger | 2015-12-20 | 3 files | -0/+84
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: check errno with more static tests | Mike Frysinger | 2015-12-20 | 3 files | -3/+3
  This verifies the error code setting with ptrace logic -- if the ptrace code is broken, the errno will often be ENOSYS instead of EPERM.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: hand disable same_name usage | Mike Frysinger | 2015-12-20 | 2 files | -34/+0
  We don't provide same_name because we don't use the one caller, but it relies on gc-sections to avoid link errors. That flag doesn't work on ia64 though, so we need to hand delete the one caller. Ugh.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: disable gc-sections on ia64 systems | Mike Frysinger | 2015-12-20 | 1 file | -1/+4
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new powerpc ptrace port | Mike Frysinger | 2015-12-20 | 2 files | -0/+32
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new alpha ptrace port | Mike Frysinger | 2015-12-20 | 2 files | -0/+60
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new arm ptrace port | Mike Frysinger | 2015-12-20 | 2 files | -0/+24
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: fix schizo match on x86 hosts | Mike Frysinger | 2015-12-20 | 1 file | -1/+2
  Forgot to include the trailing glob. Not a big deal as few people use it with these targets.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new s390/s390x ptrace port | Mike Frysinger | 2015-12-20 | 3 files | -0/+101
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: improve sparc trace code a bit more | Mike Frysinger | 2015-12-20 | 1 file | -8/+26
  This gets most of the tests passing, but syscall canceling still does not work. Need to talk to upstream to figure it out.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid mixing stderr & output pipes | Mike Frysinger | 2015-12-20 | 4 files | -5/+18
  The various debug helpers were changed to write out to a dedicated message path, but some of the trace code still uses stderr directly. When mixing these methods, the direct prints would sometimes be lost. Convert the few users to a new raw print function so they all route through the same file.

  We might want to extract this a bit more out in the future so it's easier to write to them, but this should be fine for now.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_efuncs: avoid pointless stdio indirection | Mike Frysinger | 2015-12-19 | 1 file | -8/+8
  We were setting up a FILE* from a file descriptor to pass to sb_fprintf which is a simple macro that calls fileno(fp) to pass the fd down. We can call the fd funcs directly and avoid the whole stdio business.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: switch to PTRACE_O_TRACEEXEC | Mike Frysinger | 2015-12-19 | 2 files | -47/+29
  Rather than try to deal with the inconsistent cross-arch behavior when it comes to tracking exec behavior, use the PTRACE_O_TRACEEXEC option. This means we only support ptrace on linux-2.6+ systems, but that's fine as we have been requiring that for a long time now. It also means the code is much simpler and stable across arches.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: fix SB_SCHIZO automake conditional | Mike Frysinger | 2015-12-19 | 1 file | -1/+1
  The rework in commit 46fe624223cfe62fb6c2fbb609be42f2f1d1734b broke the set up of the SB_SCHIZO automake conditional for non-schizo builds as it was not updated to the new variable. This would cause the syscall table to always be empty and thus the ptrace code would never match.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: tweak edge cases of realloc a bit | Mike Frysinger | 2015-12-19 | 1 file | -1/+5
  We need to return NULL when passed a size of 0 as the API requires the return value be usable w/free, but we just freed the pointer so the ret will cause memory corruption later on.

  When we go to preserve the old content, we don't need the MIN check as we already verified that a few lines up. But leave it for defensive purposes as gcc already optimizes it out for us. Just comment things.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix old_malloc_size check on realloc | Denis Lisov | 2015-12-19 | 1 file | -2/+3
  Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size, while it is really the mmap size, which is greater. Thus it may fail to reallocate even if required.

  URL: https://bugs.gentoo.org/568714
  Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* bump to sandbox-2.11 | Mike Frysinger | 2015-12-19 | 1 file | -1/+1
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix memory alignment (v2.10) | Mike Frysinger | 2015-12-19 | 1 file | -3/+6
  Some targets (like sparc32) have higher alignment requirements for 64-bit values than size_t (which is 4 bytes on sparc32). If we happen to return 4 byte aligned memory which is used to hold a 64-bit value, we get bus errors. Use the same algorithm that dlmalloc does.

  URL: https://bugs.gentoo.org/565630
  Reported-by: Denis Kaganovich <mahatma@eu.by>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: do not unnecessarily dereference symlinks | Mike Frysinger | 2015-09-28 | 3 files | -3/+43
  When the target uses a func that operates on a symlink, we should not dereference that symlink when trying to validate the call. It's both a waste of time and it subtly breaks code that checks atime updates. The act of reading symlinks is enough to cause their atime to change.

  URL: https://bugs.gentoo.org/415475
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>