Commit log (each entry: commit message, author, date, files changed, lines removed/added)

* environ: add a new is_env_var helper for checking var names
  Mike Frysinger, 2013-02-24, 1 file, -8/+8

  This is laying the ground work for processing more vars in the future than just LD_PRELOAD.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: reject "" paths with *at funcs before checking the dirfd [missing file]
  Mike Frysinger, 2013-02-24, 1 file, -0/+34

  When it comes to processing errors, an empty path is checked before an invalid dirfd. Make sure sandbox matches that behavior for the random testsuites out there that look for this.

  Forgot to `git add` in the previous commit :/.

  URL: https://bugs.gentoo.org/346929
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: reject "" paths with *at funcs before checking the dirfd
  Mike Frysinger, 2012-12-24, 4 files, -35/+16

  When it comes to processing errors, an empty path is checked before an invalid dirfd. Make sure sandbox matches that behavior for the random testsuites out there that look for this.

  URL: https://bugs.gentoo.org/346929
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle open(O_NOFOLLOW)
  Mike Frysinger, 2012-12-24, 3 files, -1/+3

  We don't check for O_NOFOLLOW in the open wrappers, so we end up returning the wrong error when operating on broken symlinks.

  URL: https://bugs.gentoo.org/413441
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: fall back to tracing set*id programs
  Mike Frysinger, 2012-12-24, 1 file, -5/+18

  If we are non-root and run a set*id program, the ldso will ignore our LD_PRELOAD (rightly so). Unfortunately, this opens up the ability to run set*id apps that modify things and sandbox cannot catch it. Instead, force ptracing of these ELFs. While the kernel will disallow the set*id aspect when running, for the most part, that shouldn't be a problem if it was already safe.

  URL: http://bugs.gentoo.org/442172
  Reported-by: Nikoli <nikoli@lavabit.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add x32 ABI support (tag: v2.6)
  Mike Frysinger, 2012-07-03, 1 file, -2/+2

  We can trace x32 when the host is x86_64 or x32, but x32 cannot trace x86_64 due to limitations in the kernel interface -- all pointers get truncated to 32bits. We'll have to add external ptrace helpers in the future to make this work, but for now, we'll just let x86_64 code run unchecked :(.

  URL: https://bugs.gentoo.org/394179
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: do not leak file handles from tracing checks
  Mike Frysinger, 2012-06-23, 1 file, -3/+7

  Make sure we use O_CLOEXEC, and clean things up before forking off a tracing process.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* significantly overhaul output helpers
  Mike Frysinger, 2012-06-23, 4 files, -27/+18

  There are a few major points we want to hit here:
  - have all output from libsandbox go through portage helpers when we are in the portage environment so that output is properly logged
  - convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style of other functions and cut down on confusion
  - move all abort/output helpers to libsbutil so it can be used in all source trees and not just by libsandbox
  - migrate all abort points to the centralized sb_ebort helper

  Unfortunately, it's not terribly easy to untangle these into separate patches, but hopefully this shouldn't be too messy as much of it is mechanical: move funcs between files, and change the name of funcs that get called.

  URL: http://bugs.gentoo.org/278761
  Reported-by: Mounir Lamouri <volkmar@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: catch mktemp related funcs
  Mike Frysinger, 2011-07-04, 9 files, -0/+89

  URL: http://bugs.gentoo.org/374059
  Reported-by: Nick Bowler <nbowler@draconx.ca>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: fix bug in previous dirfd unification (tag: v2.4)
  Mike Frysinger, 2010-11-23, 3 files, -3/+3

  The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at prechecks) left a sizeof() in place but unfortunately no longer held the same meaning. In previous code, the function had access to the buffer decl and so could get the byte count. In the new code, the function has access to the pointer only. So sizeof() now wrongly returns the size of pointers rather than the length of the buffer. Extend the new helper function to take the length of the buffer it is given to fix this issue.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle dirfd in mkdir/open/unlink *at prechecks
  Mike Frysinger, 2010-11-15, 3 files, -26/+68

  Ignoring the dirfd hasn't been a problem in the past as people weren't really using it, but now that core packages are (like tar), we need to handle things properly.

  URL: http://bugs.gentoo.org/342983
  Reported-by: Xake <xake@rymdraket.net>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: tempish mkdir hack for broken symlinks (tag: v2.3)
  Mike Frysinger, 2010-08-16, 1 file, -1/+16

  Some gnulib tests that are bundled with multiple GNU packages stress the POSIX correctness of mkdir behavior across broken symlinks. While this specific behavior under sandbox doesn't really matter (as packages don't create broken symlinks and then need this errno value), it isn't really feasible to patch all the random packages. So add a smallish hack for now to keep them happy until something better can be formulated.

  URL: http://bugs.gentoo.org/297026
  Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: catch calls to remove()
  Mike Frysinger, 2009-12-20, 1 file, -0/+12

  People rarely use this, but all it takes is one lame package.

  URL: http://bugs.gentoo.org/297684
  Reported-by: Pacho Ramos <pacho@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: fix missing *at pre_checks
  Mike Frysinger, 2009-08-25, 1 file, -0/+22

  For systems that lack *at() funcs, make sure we still include the pre-checks as we use these functions in the non-at version.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add pre checks to static tracing
  Mike Frysinger, 2009-06-04, 16 files, -167/+193

  The normal wrapped functions go through some "pre checks" where certain normal conditions are not flagged as problematic. The static tracing lacked those pre checks though.

  URL: http://bugs.gentoo.org/265885
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Daniel Robbins <drobbins@funtoo.org>

* libsandbox: make sure fopen64 uses 64bit funcs
  Mike Frysinger, 2009-06-02, 2 files, -1/+7

  URL: http://bugs.gentoo.org/271260
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: T Chan <something-bz@sodium.serveirc.com>

* libsandbox: force lock sanity across forks
  Mike Frysinger, 2009-04-05, 1 file, -0/+24

  Classic example of forks being used in multithreaded applications and causing havoc with shared state (locks in this case). Make sure that threads grabbing the sandbox lock don't screw up threads that do a fork and then exec.

  URL: http://bugs.gentoo.org/263657
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Ryan Hope <rmh3093@gmail.com>

* libsandbox: check binary we execute via $PATH
  Mike Frysinger, 2009-04-05, 1 file, -5/+29

  If an exec func is used that searches $PATH, we need to do the search as well so that we don't miss out on binaries or denied locations that are run without a full path.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: enable tracing for multiple personalities
  Mike Frysinger, 2009-04-05, 1 file, -0/+1

  Initial support for tracing non-default personalities. For example, tracing a 32bit binary from a 64bit environment.

  URL: http://bugs.gentoo.org/264399
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Patrick Lauer <patrick@gentoo.org>

* libsandbox: initial support for tracing of static binaries via ptrace()
  Mike Frysinger, 2009-03-18, 1 file, -48/+2

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: shorten the sandbox wrapper func names
  Mike Frysinger, 2009-03-18, 39 files, -39/+39

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add an eqawarn() func
  Mike Frysinger, 2009-03-18, 1 file, -21/+37

  Break out most of the QA static ELF warning code into a new eqawarn() func. This way we can handle dynamic stuff like calling portage's eqawarn func to handle dirty details like logging.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: unify getcwd wrapper with common wrappers
  Mike Frysinger, 2009-03-12, 2 files, -28/+13

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add debug output for all wrapper early-checks
  Mike Frysinger, 2009-03-12, 5 files, -6/+31

  If a wrapped function bails early due to some local logic, make sure we log this at the debug level. Having them silently return on us makes tracking down problems harder than it needs to be.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle unreadable dirs better as non-root
  Mike Frysinger, 2009-03-12, 1 file, -3/+6

  If attempts to access the specified path fail, this is most likely due to funky perms being setup. Since this is really only an issue for non-root users when testing stuff (like the coreutils tests), we can let the real func do its work when running as non-root. If the path contains links to some place we would normally deny, then attempt to dereference what little we can. If all else fails, the standard unix permissions will prevent damage from being done even if we are unable to log it.

  URL: http://bugs.gentoo.org/259876
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Ryan Hill <dirtyepic@gentoo.org>

* libsandbox: add more exec wrappers
  Mike Frysinger, 2009-03-11, 7 files, -168/+321

  While the execvp() is a common entry point, the other ones are often used as well. While they don't take environ pointers directly, the env could have been modified before calling the exec function, which means we need to restore our LD_PRELOAD setting. So now we support execv/execve/fexecve/popen/system. Missing from this list are the execl* funcs, but that's because they aren't exactly easy to interpose with the structure of their variable arguments.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: dump exec QA static notice to /dev/tty
  Mike Frysinger, 2009-03-11, 1 file, -4/+15

  Rather than dump the QA static notice to stderr when trying to execute a static binary, write directly to /dev/tty. This prevents breaking things like testsuites that validate the exact stderr output.

  URL: http://bugs.gentoo.org/261957
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Kent Fredric <kentfredric@gmail.com>

* libsandbox: improve static ELF notice
  Mike Frysinger, 2009-03-08, 1 file, -3/+23

  Rather than just dumping the name of the static ELF, include the arguments to the program as well. For common programs (that are known to be safe), don't bother whining (like using the static ldso to verify binaries).

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: handle symlinks properly
  Mike Frysinger, 2009-03-08, 11 files, -11/+11

  Make sure we handle edge cases that involve symlinks and functions that operate on symlinks. This includes newer style *at functions that can go between operating on symlinks and operating on the linked files, and on symlinks to files that live in explicitly denied paths.

  URL: http://bugs.gentoo.org/254914
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Mike Auty <ikelos@gentoo.org>

* libsandbox: push errno save/restore down in openat()
  Mike Frysinger, 2009-03-07, 2 files, -10/+10

  Minor optimization to not bother saving/restoring the errno if we don't actually call another C library function.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: unify openat and __wrapper_simple
  Mike Frysinger, 2009-02-20, 2 files, -35/+40

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: unify creat/creat64 wrappers
  Mike Frysinger, 2009-02-20, 1 file, -21/+3

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: use sb_unwrapped_open() in creat wrapper
  Mike Frysinger, 2009-02-20, 1 file, -5/+2

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add wrappers for _FORTIFY_SOURCE funcs (tag: v1.3.8)
  Mike Frysinger, 2009-02-20, 4 files, -0/+75

  When glibc is compiled with optimization and higher _FORTIFY_SOURCE levels, the headers redirect dynamic calls to the open*() functions to the __open*_2() functions. The latter provides runtime checking. But this means we also need to wrap the latter forms in order to get sandbox checking on the open() functions.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: convert internal open func to sb_unwrapped_foo style
  Mike Frysinger, 2009-02-18, 2 files, -22/+39

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: convert internal getcwd func to sb_unwrapped_foo style
  Mike Frysinger, 2009-02-18, 1 file, -8/+16

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: create hidden targets for most functions
  Mike Frysinger, 2009-02-18, 1 file, -4/+13

  In case we want to access a standard function unwrapped, create hidden functions that do just that. This creates a standard for most functions of the form sb_unwrapped_foo().

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: simplify WRAPPER_PRE_CHECKS() a bit
  Mike Frysinger, 2009-02-18, 4 files, -10/+13

  Remove some of the ugly indirection in the WRAPPER_PRE_CHECKS() defines so it operates like a normal C function -- much easier to work with those.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: tweak errno handling in fopen() wrapper
  Mike Frysinger, 2009-02-18, 1 file, -2/+5

  No point in saving/restoring the errno value if we don't make any C lib function calls.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: update ENAMETOOLONG comments to match egetcwd() changes
  Mike Frysinger, 2009-02-15, 2 files, -4/+2

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: convert more code to stdbool to simplify things
  Mike Frysinger, 2009-02-15, 1 file, -2/+2

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: make sure all mknod symbols are wrapped
  Mike Frysinger, 2009-02-15, 1 file, -0/+11

  The mknodat() symbol on glibc is rewritten to __xmknodat(), so we need to wrap that and check for all of them in the check_access() code.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: use xxx_t types with __xmknod
  Mike Frysinger, 2009-02-05, 2 files, -2/+2

  Use the public xxx_t types rather than the internal __xxx_t. The former are more portable. With glibc systems, these are the same anyways.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: add _xmknod wrapper point for __xmknod
  Mike Frysinger, 2009-02-05, 1 file, -0/+11

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: optimize!
  Mike Frysinger, 2008-12-31, 1 file, -2/+3

  Kill off string operations where unnecessary, and convert the sets of prefixes to arrays that we can iterate over.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: unify wrapper funcs
  Mike Frysinger, 2008-12-31, 39 files, -655/+246

  Unify a lot of duplicated code in the wrapper-funcs handling.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: push STRING_NAME into libsandbox.h
  Mike Frysinger, 2008-11-29, 36 files, -38/+40

  Since all FUNCTION_SANDBOX_SAFE() need to pass up the func name, push the usage into the macro itself rather than every wrapper file.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox: implement initial dirfd parsing for *at functions
  Mike Frysinger, 2008-11-16, 1 file, -3/+3

  Some programs like `chmod -R` actually use the *at functions as designed, so we have to handle things.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>

* libsandbox/execve: fix crash with small files
  Mike Frysinger, 2008-11-16, 1 file, -0/+6

  Make sure the file being executed is big enough for the static elf check so we don't segfault by walking beyond the file map.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* fix up one more old style SB_EERROR
  Mike Frysinger, 2008-11-16, 1 file, -2/+1

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>