Commit log (each entry: commit message, then author, date; files changed, lines -removed/+added)
* delete unused sandbox env vars (Mike Frysinger, 2013-02-24; 1 file, -3/+0)

    Nothing uses or cares about these vars, so punt them.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add some likely/unlikely settings (Mike Frysinger, 2013-02-24; 1 file, -7/+5)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* sandbox: allow log files to fall back to tmpdir (Mike Frysinger, 2012-12-24; 1 file, -2/+2)

    Since non-root users typically do not have write access to /var/log,
    allow it to fall back to standard tmpdirs. This makes testing locally
    a lot easier.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* precompile headers.h to speed up build slightly (Mike Frysinger, 2012-07-03; 1 file, -7/+0)

    Since all system headers are included by way of headers.h, we can
    pre-compile this to speed up the build a bit.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: kill off SB_MEM_DEBUG (Mike Frysinger, 2012-06-23; 1 file, -17/+0)

    The mcheck/mtrace logic assumes we're using glibc's memory allocator,
    but that hasn't been true for some time (we use our own based on mmap
    and such), so this code no longer serves a purpose. Punt it.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* significantly overhaul output helpers (Mike Frysinger, 2012-06-23; 1 file, -114/+25)

    There are a few major points we want to hit here:
     - have all output from libsandbox go through portage helpers when we
       are in the portage environment so that output is properly logged
     - convert SB_E{info,warn,error} to sb_e{info,warn,error} to match
       style of other functions and cut down on confusion
     - move all abort/output helpers to libsbutil so it can be used in all
       source trees and not just by libsandbox
     - migrate all abort points to the centralized sb_ebort helper

    Unfortunately, it's not terribly easy to untangle these into separate
    patches, but hopefully this shouldn't be too messy as much of it is
    mechanical: move funcs between files, and change the name of funcs
    that get called.

    URL: http://bugs.gentoo.org/278761
    Reported-by: Mounir Lamouri <volkmar@gentoo.org>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add missing close to logfile fd (Mike Frysinger, 2012-03-07; 1 file, -2/+5)

    When we log a lot, we end up leaking fd's, so make sure to clean them.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: mark internal fds with O_CLOEXEC (Mike Frysinger, 2012-03-07; 1 file, -2/+2)

    We don't want to bleed these across forks/execs.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: push down constructor init (Mike Frysinger, 2012-03-05; 1 file, -37/+6)

    Since every consumer of sb_open gets a copy of the sbio_open data, push
    the init of this into the .data section of the respective consumers to
    avoid the runtime overhead.

    This just leaves sandbox_lib setup in the constructor function, but that
    is only needed by the execve wrapper, so push down init of that to the
    existing sb_init logic which happens before our execve wrapper gets used.

    URL: http://bugs.gentoo.org/404013
    Reported-by: Mike Gilbert <floppym@gentoo.org>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: invert debug checking order to avoid uninitialized variables (Mike Frysinger, 2011-07-08; 1 file, -1/+1)

    We only initialize debug_log_path if debug is set, so we need to check
    debug first to avoid uninitialized warnings with debug_log_path.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: tweak code to avoid undefined behavior warnings (Mike Frysinger, 2011-07-08; 1 file, -1/+1)

    Some gcc versions don't like the construct here where we modify a
    variable in the middle of multiple checks.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: catch mktemp related funcs (Mike Frysinger, 2011-07-04; 1 file, -0/+9)

    URL: http://bugs.gentoo.org/374059
    Reported-by: Nick Bowler <nbowler@draconx.ca>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle NULL filenames with futimesat (Mike Frysinger, 2011-01-01; 1 file, -2/+5)

    We need to special case a NULL filename with futimesat just like we
    already do with utimensat.

    URL: http://bugs.gentoo.org/348640
    Reported-by: Jeremy Olexa <darkside@gentoo.org>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: fix utimensat regression with NULL filename (Mike Frysinger, 2010-11-26; 1 file, -1/+1)

    The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at
    prechecks) unified some path checks while unifying the dirfd code, but
    prevented valid NULL paths from also being handled. Make sure we still
    handle that behavior, and add a test for it to prevent future regressions.

    URL: http://bugs.gentoo.org/346815
    Reported-by: Jake Todd <jaketodd422@gmail.com>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix bug in previous dirfd unification (tag: v2.4) (Mike Frysinger, 2010-11-23; 1 file, -3/+4)

    The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at
    prechecks) left a sizeof() in place, but unfortunately it no longer held
    the same meaning. In the previous code, the function had access to the
    buffer decl and so could get the byte count. In the new code, the
    function has access to the pointer only. So sizeof() now wrongly returns
    the size of pointers rather than the length of the buffer.

    Extend the new helper function to take the length of the buffer it is
    given to fix this issue.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: fix thinko in previous erealpath commit (Mike Frysinger, 2010-11-22; 1 file, -2/+2)

    The previous change for hardened users (libsandbox: avoid passing same
    buffer to erealpath) made a change to canonicalize() to fix the buffer
    usage, but missed updating the actual call to erealpath to use the new
    buffer set up just for it.

    URL: http://bugs.gentoo.org/339157
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle dirfd in mkdir/open/unlink *at prechecks (Mike Frysinger, 2010-11-15; 1 file, -32/+54)

    Ignoring the dirfd hasn't been a problem in the past as people weren't
    really using it, but now that core packages are (like tar), we need to
    handle things properly.

    URL: http://bugs.gentoo.org/342983
    Reported-by: Xake <xake@rymdraket.net>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: mark rmdir as working on symlinks (Mike Frysinger, 2010-08-16; 1 file, -0/+1)

    Doing rmdir(symlink) does not remove the dir the symlink points to, but
    will operate on the symlink itself. While it will always fail (since it
    is a link and not a dir), that isn't something we need to worry about.
    We just need to avoid doing permission checking on the target of the
    symlink.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: avoid passing same buffer to erealpath (Mike Frysinger, 2010-08-15; 1 file, -1/+10)

    The erealpath function modifies the storage buffer given to it in place
    and can misbehave if both the source and destination buffers point to
    the same storage in memory. So fix the one case where we were doing
    this in the canonicalize() function and add some run time checks to
    make sure this doesn't crop up again.

    URL: http://bugs.gentoo.org/292050
    Reported-by: Hongjiu Zhang <voidprayer@gmail.com>
    Reported-by: Fredric Johansson <johansson_fredric@hotmail.com>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: catch calls to remove() (Mike Frysinger, 2009-12-20; 1 file, -0/+2)

    People rarely use this, but all it takes is one lame package.

    URL: http://bugs.gentoo.org/297684
    Reported-by: Pacho Ramos <pacho@gentoo.org>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle fd's w/out files in proc fd/ (Mike Frysinger, 2009-10-25; 1 file, -0/+15)

    When attempting to access anonymous pipes/sockets/etc..., we should let
    the access go through rather than rejecting the path because we aren't
    able to access it. There is no backing file after all which means there
    is nothing for sandbox to check against.

    While this was noticed with an anonymous pipe, the logic applies to any
    anonymous fd such as sockets or whatever the kernel throws at us.

    URL: http://bugs.gentoo.org/288863
    Reported-by: Marcin Mirosław <bug@mejor.pl>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsbutil: kill off confusing SB_WRITE macro (Mike Frysinger, 2009-08-25; 1 file, -7/+15)

    The SB_WRITE() macro makes using sb_write() confusing, so convert the
    two small users and kill it off.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle utimensat with NULL paths (Mike Frysinger, 2009-06-04; 1 file, -6/+15)

    The utimensat() function can operate on file fd's directly when the
    path is NULL, not just relative directory fd's. So tackle that use case.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: test for ERANGE like ENAMETOOLONG (Mike Frysinger, 2009-04-08; 1 file, -4/+4)

    Some arches (like ia64) return ERANGE for too long path names, so accept
    that the same way we accept ENAMETOOLONG. The BSDs also seem to do this,
    so they'll get fixed as well.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: make sure we use internal strdup (Mike Frysinger, 2009-04-08; 1 file, -4/+4)

    To keep with the x* conventions, the xstrdup() func should point to the
    local strdup func. This is because glibc itself may define strdup() to
    something that prevents us from wrapping it safely.

    URL: http://bugs.gentoo.org/265098
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Stelian Ionescu <stelian.ionescu-zeus@poste.it>

* libsandbox: dump command line whenever a backtrace is shown (Mike Frysinger, 2009-04-06; 1 file, -31/+32)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: force lock sanity across forks (Mike Frysinger, 2009-04-05; 1 file, -10/+9)

    Classic example of forks being used in multithreaded applications and
    causing havoc with shared state (locks in this case). Make sure that
    threads grabbing the sandbox lock don't screw up threads that do a fork
    and then exec.

    URL: http://bugs.gentoo.org/263657
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Ryan Hope <rmh3093@gmail.com>

* libsandbox: add a helper func to copy files to fds (Mike Frysinger, 2009-04-05; 1 file, -20/+32)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: bail when processes go away while tracing (Mike Frysinger, 2009-04-05; 1 file, -1/+7)

    If we're tracing a proc and it dies while checking a func, just back
    out cleanly since it isn't like it can cause a violation at that point.

    URL: http://bugs.gentoo.org/264478
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Paul Mulders <info@mld.demon.nl>
* libsandbox: tweak /proc/.../cmdline check for hardened (Mike Frysinger, 2009-04-05; 1 file, -1/+1)

    Some hardened systems disable /proc/#/ access when the process in
    question is not owned by the current user.

    URL: http://bugs.gentoo.org/264476
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Andreas Westin <forsaken@forsaken.se>

* libsandbox: sort system calls alphabetically (Mike Frysinger, 2009-03-31; 1 file, -25/+25)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: fix regression during merge of tracing code (Mike Frysinger, 2009-03-31; 1 file, -2/+2)

    Looks like I made a typo when adding support for ptrace.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle bad fds with *at() funcs (Mike Frysinger, 2009-03-31; 1 file, -0/+6)

    Some code expects that when an *at() func is given a bad fd, the errno
    value be set to EBADF (like glibc). So convert some of the common errno
    values of failed readlink() to what would have gone down if we called
    the actual *at() function.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: declare cmdline const since it is (Mike Frysinger, 2009-03-31; 1 file, -1/+1)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle more *at functions (Mike Frysinger, 2009-03-31; 1 file, -0/+5)

    Add some more *at functions to the main checking code.

    URL: http://bugs.gentoo.org/264320
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Harald van Dijk <truedfx@gentoo.org>

* libsandbox: detect /proc features (Mike Frysinger, 2009-03-18; 1 file, -9/+30)

    Handle /proc differences (fd/cmdline/etc...) across systems.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: initial support for tracing of static binaries via ptrace() (Mike Frysinger, 2009-03-18; 1 file, -5/+26)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle unreadable dirs better as non-root (Mike Frysinger, 2009-03-12; 1 file, -7/+6)

    If attempts to access the specified path fail, this is most likely due
    to funky perms being set up. Since this is really only an issue for
    non-root users when testing stuff (like the coreutils tests), we can
    let the real func do its work when running as non-root. If the path
    contains links to some place we would normally deny, then attempt to
    dereference what little we can. If all else fails, the standard unix
    permissions will prevent damage from being done even if we are unable
    to log it.

    URL: http://bugs.gentoo.org/259876
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Ryan Hill <dirtyepic@gentoo.org>

* libsandbox: handle long paths with *at funcs (Mike Frysinger, 2009-03-12; 1 file, -3/+10)

    If a path is too long, then attempting to read the fd link in
    /proc/*/fd/# will fail with ENAMETOOLONG. In that case, we should
    restore errno and let the normal function do its business. Chances are
    we wouldn't have gotten this far in the first place if there was an
    actual deny in place.

    This fixes some of the testcases in coreutils that create really long
    paths and then test things.

    URL: http://bugs.gentoo.org/259876
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Ryan Hill <dirtyepic@gentoo.org>
* libsandbox: improve debugging support (Mike Frysinger, 2009-03-11; 1 file, -8/+46)

    Dump symbols before we abort and if SANDBOX_GDB is enabled in the env,
    automatically launch & attach gdb to the crashing setup.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: do not restore errno in resolve_path() error path (Mike Frysinger, 2009-03-11; 1 file, -1/+5)

    If resolve_path() was unable to resolve things, then do not restore the
    errno value as we use this to signal higher layers. This should make
    the getcwd tests behave better.

    URL: http://bugs.gentoo.org/261936
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Ryan Hill <dirtyepic@gentoo.org>

* libsandbox: add more exec wrappers (Mike Frysinger, 2009-03-11; 1 file, -6/+7)

    While execvp() is a common entry point, the other ones are often used
    as well. While they don't take environ pointers directly, the env could
    have been modified before calling the exec function, which means we
    need to restore our LD_PRELOAD setting. So now we support
    execv/execve/fexecve/popen/system.

    Missing from this list are the execl* funcs, but that's because they
    aren't exactly easy to interpose with the structure of their variable
    arguments.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle symlinks properly (Mike Frysinger, 2009-03-08; 1 file, -31/+67)

    Make sure we handle edge cases that involve symlinks and functions that
    operate on symlinks. This includes newer style *at functions that can
    go between operating on symlinks and operating on the linked files, and
    on symlinks to files that live in explicitly denied paths.

    URL: http://bugs.gentoo.org/254914
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Reported-by: Mike Auty <ikelos@gentoo.org>

* libsandbox: lock main syscall code with a mutex (Mike Frysinger, 2009-02-18; 1 file, -0/+7)

    Since the main sandbox code maintains state with global variables (like
    sbcontext), make sure we use a pthread mutex to prevent multiple
    threads from corrupting each other. In the non-threaded case this
    shouldn't be a problem as the C library provides redirection stubs in
    its own code.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid recursion by using sb_unwrapped_access() (Mike Frysinger, 2009-02-18; 1 file, -1/+1)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: convert internal open func to sb_unwrapped_foo style (Mike Frysinger, 2009-02-18; 1 file, -1/+1)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: convert internal getcwd func to sb_unwrapped_foo style (Mike Frysinger, 2009-02-18; 1 file, -1/+1)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: convert more code to stdbool to simplify things (Mike Frysinger, 2009-02-15; 1 file, -60/+52)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: calculate longest symbol name dynamically (Mike Frysinger, 2009-02-15; 1 file, -11/+8)

    The longest wrapped symbol name has hit the hard limit of 10 chars, so
    rather than manually bump it up, calculate it on the fly with the awk
    scripts.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: make sure all mknod symbols are wrapped (Mike Frysinger, 2009-02-15; 1 file, -0/+3)

    The mknodat() symbol on glibc is rewritten to __xmknodat(), so we need
    to wrap that and check for all of them in the check_access() code.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>