| Commit message (Collapse) | Author | Age | Files | Lines |
This is laying the ground work for processing more vars in the
future than just LD_PRELOAD.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
[missing file]
When it comes to processing errors, an empty path is checked before
an invalid dirfd. Make sure sandbox matches that behavior for the
random testsuites out there that look for this.
Forgot to `git add` in the previous commit :/.
URL: https://bugs.gentoo.org/346929
Reported-by: Marien Zwart <marienz@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When it comes to processing errors, an empty path is checked before
an invalid dirfd. Make sure sandbox matches that behavior for the
random testsuites out there that look for this.
URL: https://bugs.gentoo.org/346929
Reported-by: Marien Zwart <marienz@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
We don't check for O_NOFOLLOW in the open wrappers, so we end up
returning the wrong error when operating on broken symlinks.
URL: https://bugs.gentoo.org/413441
Reported-by: Marien Zwart <marienz@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If we are non-root and run a set*id program, the ldso will ignore our
LD_PRELOAD (rightly so). Unfortunately, this opens up the ability to
run set*id apps that modify things and sandbox cannot catch it.
Instead, force ptracing of these ELFs. While the kernel will disallow
the set*id aspect when running, for the most part, that shouldn't be a
problem if it was already safe.
URL: http://bugs.gentoo.org/442172
Reported-by: Nikoli <nikoli@lavabit.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
We can trace x32 when the host is x86_64 or x32, but x32 cannot trace
x86_64 due to limitations in the kernel interface -- all pointers get
truncated to 32bits. We'll have to add external ptrace helpers in the
future to make this work, but for now, we'll just let x86_64 code run
unchecked :(.
URL: https://bugs.gentoo.org/394179
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Make sure we use O_CLOEXEC, and clean things up before forking off a
tracing process.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
There are a few major points we want to hit here:
- have all output from libsandbox go through portage helpers when we are
in the portage environment so that output is properly logged
- convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style
of other functions and cut down on confusion
- move all abort/output helpers to libsbutil so it can be used in all
source trees and not just by libsandbox
- migrate all abort points to the centralized sb_ebort helper
Unfortunately, it's not terribly easy to untangle these into separate
patches, but hopefully this shouldn't be too messy as much of it is
mechanical: move funcs between files, and change the name of funcs
that get called.
URL: http://bugs.gentoo.org/278761
Reported-by: Mounir Lamouri <volkmar@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
URL: http://bugs.gentoo.org/374059
Reported-by: Nick Bowler <nbowler@draconx.ca>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at
prechecks) left a sizeof() in place but unfortunately no longer held the
same meaning. In previous code, the function had access to the buffer
decl and so could get the byte count. In the new code, the function has
access to the pointer only. So sizeof() now wrongly returns the size of
pointers rather than the length of the buffer.
Extend the new helper function to take the length of the buffer it is
given to fix this issue.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Ignoring the dirfd hasn't been a problem in the past as people weren't
really using it, but now that core packages are (like tar), we need to
handle things properly.
URL: http://bugs.gentoo.org/342983
Reported-by: Xake <xake@rymdraket.net>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Some gnulib tests that are bundled with multiple GNU packages stress the
POSIX correctness of mkdir behavior across broken symlinks. While this
specific behavior under sandbox doesn't really matter (as packages don't
create broken symlinks and then need this errno value), it isn't really
feasible to patch all the random packages. So add a smallish hack for
now to keep them happy until something better can be formulated.
URL: http://bugs.gentoo.org/297026
Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
People rarely use this, but all it takes is one lame package.
URL: http://bugs.gentoo.org/297684
Reported-by: Pacho Ramos <pacho@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
For systems that lack *at() funcs, make sure we still include the
pre-checks as we use these functions in the non-at version.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The normal wrapped functions go through some "pre checks" where certain
normal conditions are not flagged as problematic. The static tracing
lacked those pre checks though.
URL: http://bugs.gentoo.org/265885
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Daniel Robbins <drobbins@funtoo.org>
URL: http://bugs.gentoo.org/271260
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: T Chan <something-bz@sodium.serveirc.com>
Classic example of forks being used in multithreaded applications and
causing havoc with shared state (locks in this case). Make sure that
threads grabbing the sandbox lock don't screw up threads that do a fork
and then exec.
URL: http://bugs.gentoo.org/263657
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hope <rmh3093@gmail.com>
If an exec func is used that searches $PATH, we need to do the search as
well so that we don't miss out on binaries or denied locations that are
run without a full path.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Initial support for tracing non-default personalities. For example,
tracing a 32bit binary from a 64bit environment.
URL: http://bugs.gentoo.org/264399
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Patrick Lauer <patrick@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Break out most of the QA static ELF warning code into a new eqawarn()
func. This way we can handle dynamic stuff like calling portage's eqawarn
func to handle dirty details like logging.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If a wrapped function bails early due to some local logic, make sure we
log this at the debug level. Having them silently return on us makes
tracking down problems harder than it needs to be.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If attempts to access the specified path fail, this is most likely due to
funky perms being set up. Since this is really only an issue for non-root
users when testing stuff (like the coreutils tests), we can let the real
func do its work when running as non-root. If the path contains links to
some place we would normally deny, then attempt to dereference what little
we can. If all else fails, the standard unix permissions will prevent
damage from being done even if we are unable to log it.
URL: http://bugs.gentoo.org/259876
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hill <dirtyepic@gentoo.org>
While the execvp() is a common entry point, the other ones are often used
as well. While they don't take environ pointers directly, the env could
have been modified before calling the exec function, which means we need
to restore our LD_PRELOAD setting.
So now we support execv/execve/fexecve/popen/system. Missing from this
list are the execl* funcs, but that's because they aren't exactly easy to
interpose with the structure of their variable arguments.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Rather than dump the QA static notice to stderr when trying to execute a
static binary, write directly to /dev/tty. This prevents breaking things
like testsuites that validate the exact stderr output.
URL: http://bugs.gentoo.org/261957
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Kent Fredric <kentfredric@gmail.com>
Rather than just dumping the name of the static ELF, include the arguments
to the program as well. For common programs (that are known to be safe),
don't bother whining (like using the static ldso to verify binaries).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Make sure we handle edge cases that involve symlinks and functions that
operate on symlinks. This includes newer style *at functions that can go
between operating on symlinks and operating on the linked files, and on
symlinks to files that live in explicitly denied paths.
URL: http://bugs.gentoo.org/254914
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Mike Auty <ikelos@gentoo.org>
Minor optimization to not bother saving/restoring the errno if we don't
actually call another C library function.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When glibc is compiled with optimization and higher _FORTIFY_SOURCE
levels, the headers redirect dynamic calls to the open*() functions to the
__open*_2() functions. The latter provide runtime checking. But this
means we also need to wrap the latter forms in order to get sandbox
checking on the open() functions.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
In case we want to access a standard function unwrapped, create hidden
functions that do just that. This creates a standard for most functions
of the form sb_unwrapped_foo().
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Remove some of the ugly indirection in the WRAPPER_PRE_CHECKS() defines so
it operates like a normal C function -- much easier to work with those.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
No point in saving/restoring the errno value if we don't make any C lib
function calls.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The mknodat() symbol on glibc is rewritten to __xmknodat(), so we need to
wrap that and check for all of them in the check_access() code.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Use the public xxx_t types rather than the internal __xxx_t. The former
are more portable. With glibc systems, these are the same anyways.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Kill off string operations where unnecessary, and convert the sets of
prefixes to arrays that we can iterate over.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Unify a lot of duplicated code in the wrapper-funcs handling.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Since all FUNCTION_SANDBOX_SAFE() need to pass up the func name, push the
usage into the macro itself rather than every wrapper file.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Some programs like `chmod -R` actually use the *at functions as designed, so
we have to handle things
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
make sure the file being executed is big enough for the static elf check
so we don't segfault by walking beyond the file map
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>