Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* libsandbox: handle open's O_TMPFILE flag (tag: v2.7)
  Mike Frysinger, 2015-09-11; 1 file, -1/+1

  This new flag needs us to unpack & pass down the mode rather than always sending in the value of 0.

  URL: http://bugs.gentoo.org/529044
  Reported-by: Aidan Thornton <makosoft@googlemail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix building w/gcc-5
  Mike Frysinger, 2015-04-15; 1 file, -1/+1

  The preprocessed output of gcc has changed a bit to retain more whitespace, but this just confuses/breaks the scripts that parse it. Add the -P flag to normalize things a bit.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: preserve more SANDBOX env vars
  Mike Frysinger, 2013-02-23; 3 files, -132/+238

  While we took pains to preserve the LD_PRELOAD setting, this doesn't help us too much in practice. If a process is going out of its way to blow away LD_PRELOAD, chances are good it's blowing away all vars it doesn't know about. That means all of our SANDBOX_XXX settings. Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX env vars, make sure we preserve those as well.

  These changes also imply some behavioral differences from older versions. Previously, you could `unset` a sandbox var in order to disable it. That no longer works. If you wish to disable things, you have to explicitly set it to "".

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: clean up open file handles in parent tracing process
  Mike Frysinger, 2012-06-23; 1 file, -1/+2

  Currently, if a non-static app sets up a pipe (with cloexec enabled) and executes a static app, the handle to that pipe is left open in the parent process. This causes trouble when the parent is waiting for that to be closed immediately.

  Since none of the fds in the forked parent process matter to us, we can just go ahead and clean up all fds before we start tracing the child.

  URL: http://bugs.gentoo.org/364877
  Reported-by: Victor Stinner <victor.stinner@haypocalc.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix early var init
  Mike Frysinger, 2013-02-24; 1 file, -8/+25

  In commit 5498907383c7f1654188b6a0d02d8b03112a28c3, we tried to fix handling of ELFs that had their own constructors. Unfortunately, this broke use cases like `env -i` that screw with the environment before we get a chance to extract our settings.

  URL: http://bugs.gentoo.org/404013
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* add a new message env var
  Mike Frysinger, 2013-02-24; 1 file, -0/+4

  This is used whenever sandbox wants to display an informational message. For example, early notification of a path violation, or debugging output.

  We can't just pop open an fd and pass that around as apps consider that leakage and will often break assumptions in terms of free fds. Or apps that start up and cleanse all of their open fds.

  So instead, we just pass around an env var that holds the full path to the file we will write to. Since these messages are infrequent (compared to overall runtime), opening/writing/closing the path every time is fine.

  This also avoids all the problems associated with using external portage helpers for writing messages.

  A follow up commit will take care of the situation where apps (such as scons) attempt to also cleanse the env before forking.

  URL: http://bugs.gentoo.org/278761
  URL: http://bugs.gentoo.org/431638
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle ENOSYS w/process_vm_readv
  Mike Frysinger, 2013-02-24; 1 file, -1/+6

  If we have a newer glibc built against/running on an older kernel, the func returns ENOSYS at runtime. Handle that.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* delete unused sandbox env vars
  Mike Frysinger, 2013-02-24; 1 file, -3/+0

  Nothing uses or cares about these vars, so punt them.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* environ: add a new is_env_var helper for checking var names
  Mike Frysinger, 2013-02-24; 1 file, -8/+8

  This is laying the ground work for processing more vars in the future than just LD_PRELOAD.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add some likely/unlikely settings
  Mike Frysinger, 2013-02-24; 1 file, -7/+5

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: reject "" paths with *at funcs before checking the dirfd [missing file]
  Mike Frysinger, 2013-02-24; 1 file, -0/+34

  When it comes to processing errors, an empty path is checked before an invalid dirfd. Make sure sandbox matches that behavior for the random testsuites out there that look for this.

  Forgot to `git add` in the previous commit :/.

  URL: https://bugs.gentoo.org/346929
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: reject "" paths with *at funcs before checking the dirfd
  Mike Frysinger, 2012-12-24; 5 files, -35/+18

  When it comes to processing errors, an empty path is checked before an invalid dirfd. Make sure sandbox matches that behavior for the random testsuites out there that look for this.

  URL: https://bugs.gentoo.org/346929
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle open(O_NOFOLLOW)
  Mike Frysinger, 2012-12-24; 3 files, -1/+3

  We don't check for O_NOFOLLOW in the open wrappers, so we end up returning the wrong error when operating on broken symlinks.

  URL: https://bugs.gentoo.org/413441
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fall back to tracing set*id programs
  Mike Frysinger, 2012-12-24; 1 file, -5/+18

  If we are non-root and run a set*id program, the ldso will ignore our LD_PRELOAD (rightly so). Unfortunately, this opens up the ability to run set*id apps that modify things and sandbox cannot catch it. Instead, force ptracing of these ELFs. While the kernel will disallow the set*id aspect when running, for the most part, that shouldn't be a problem if it was already safe.

  URL: http://bugs.gentoo.org/442172
  Reported-by: Nikoli <nikoli@lavabit.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow log files to fall back to tmpdir
  Mike Frysinger, 2012-12-24; 1 file, -2/+2

  Since non-root users typically do not have write access to /var/log, allow it to fall back to standard tmpdirs. This makes testing locally a lot easier.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use process_vm_readv if available
  Mike Frysinger, 2012-08-12; 1 file, -0/+26

  Should speed up loading of strings from remote processes as we only have to do (usually) one syscall to extract the whole string in one shot.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix hppa trace code
  Mike Frysinger, 2012-07-06; 1 file, -2/+2

  URL: https://bugs.gentoo.org/425062
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add x32 ABI support (tag: v2.6)
  Mike Frysinger, 2012-07-03; 5 files, -9/+75

  We can trace x32 when the host is x86_64 or x32, but x32 cannot trace x86_64 due to limitations in the kernel interface -- all pointers get truncated to 32 bits. We'll have to add external ptrace helpers in the future to make this work, but for now, we'll just let x86_64 code run unchecked :(.

  URL: https://bugs.gentoo.org/394179
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: migrate to get/set regs interface for everyone
  Mike Frysinger, 2012-07-03; 9 files, -103/+80

  Newer ports (like x32) limit what is available via the peek/poke user interface, and instead are pushing people to use the single get/set regs interface. Since this also simplifies the code a bit (by forcing all ports to use this), and cuts down on the number of syscalls that we have to make, switch everyone over to it.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* precompile headers.h to speed up build slightly
  Mike Frysinger, 2012-07-03; 3 files, -8/+2

  Since all system headers are included by way of headers.h, we can pre-compile this to speed up the build a bit.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: do not leak file handles from tracing checks
  Mike Frysinger, 2012-06-23; 1 file, -3/+7

  Make sure we use O_CLOEXEC, and clean things up before forking off a tracing process.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: regenerate trace headers when autotools change
  Mike Frysinger, 2012-06-23; 1 file, -1/+1

  If you re-run configure with different settings, the trace headers might be out of date. Have the generated headers depend on the Makefile so that when this situation does come up, we force sanity. This step is fairly quick, so shouldn't be a big deal.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: kill off SB_MEM_DEBUG
  Mike Frysinger, 2012-06-23; 1 file, -17/+0

  The mcheck/mtrace logic assumes we're using glibc's memory allocator, but that hasn't been true for some time (we use our own based on mmap and such), so this code no longer serves a purpose. Punt it.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* significantly overhaul output helpers
  Mike Frysinger, 2012-06-23; 12 files, -237/+74

  There are a few major points we want to hit here:
  - have all output from libsandbox go through portage helpers when we are in the portage environment so that output is properly logged
  - convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style of other functions and cut down on confusion
  - move all abort/output helpers to libsbutil so it can be used in all source trees and not just by libsandbox
  - migrate all abort points to the centralized sb_ebort helper

  Unfortunately, it's not terribly easy to untangle these into separate patches, but hopefully this shouldn't be too messy as much of it is mechanical: move funcs between files, and change the name of funcs that get called.

  URL: http://bugs.gentoo.org/278761
  Reported-by: Mounir Lamouri <volkmar@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: create more defines for gcc attributes
  Mike Frysinger, 2012-06-23; 1 file, -2/+2

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add uninstall target to fix distcheck
  Mike Frysinger, 2012-06-23; 1 file, -0/+4

  Newer distcheck runs uninstall which is apparently broken.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add missing close to logfile fd
  Mike Frysinger, 2012-03-07; 1 file, -2/+5

  When we log a lot, we end up leaking fds, so make sure to clean them.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: mark internal fds with O_CLOEXEC
  Mike Frysinger, 2012-03-07; 1 file, -2/+2

  We don't want to bleed these across forks/execs.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: set syscall error rather than killing on violations
  Mike Frysinger, 2012-03-06; 7 files, -18/+65

  If we kill the app, then the syscall that we flagged as a violation will complete, and our entire purpose has failed -- to prevent modifications to the protected paths. Instead, set the syscall number to an invalid one, continue the syscall, then set the syscall return value (which will become the errno) after the syscall finishes. This way the bad syscall isn't actually executed, and we let the app continue to run like normal.

  URL: http://bugs.gentoo.org/406543
  Reported-by: Marijn Schouten <hkbst@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: push down constructor init
  Mike Frysinger, 2012-03-05; 1 file, -37/+6

  Since every consumer of sb_open gets a copy of the sbio_open data, push the init of this into the .data section of the respective consumers to avoid the runtime overhead. This just leaves sandbox_lib setup in the constructor function, but that is only needed by the execve wrapper, so push down init of that to the existing sb_init logic which happens before our execve wrapper gets used.

  URL: http://bugs.gentoo.org/404013
  Reported-by: Mike Gilbert <floppym@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: delay trace_regs #error until use
  Mike Frysinger, 2011-07-08; 1 file, -0/+4

  Don't error out if we're missing trace_regs, but we don't ever actually use it.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: invert debug checking order to avoid uninitialized variables
  Mike Frysinger, 2011-07-08; 1 file, -1/+1

  We only initialize debug_log_path if debug is set, so we need to check debug first to avoid uninitialized warnings with debug_log_path.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: tweak code to avoid undefined behavior warnings
  Mike Frysinger, 2011-07-08; 1 file, -1/+1

  Some gcc versions don't like the construct here where we modify a variable in the middle of multiple checks.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: catch mktemp related funcs
  Mike Frysinger, 2011-07-04; 11 files, -0/+107

  URL: http://bugs.gentoo.org/374059
  Reported-by: Nick Bowler <nbowler@draconx.ca>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle NULL filenames with futimesat
  Mike Frysinger, 2011-01-01; 1 file, -2/+5

  We need to special case a NULL filename with futimesat just like we already do with utimensat.

  URL: http://bugs.gentoo.org/348640
  Reported-by: Jeremy Olexa <darkside@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix utimensat regression with NULL filename
  Mike Frysinger, 2010-11-26; 1 file, -1/+1

  The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at prechecks) unified some path checks while unifying the dirfd code, but prevented valid NULL paths from also being handled. Make sure we still handle that behavior, and add a test for it to prevent future regressions.

  URL: http://bugs.gentoo.org/346815
  Reported-by: Jake Todd <jaketodd422@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix bug in previous dirfd unification (tag: v2.4)
  Mike Frysinger, 2010-11-23; 5 files, -7/+8

  The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at prechecks) left a sizeof() in place but unfortunately no longer held the same meaning. In previous code, the function had access to the buffer decl and so could get the byte count. In the new code, the function has access to the pointer only. So sizeof() now wrongly returns the size of pointers rather than the length of the buffer. Extend the new helper function to take the length of the buffer it is given to fix this issue.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix thinko in previous erealpath commit
  Mike Frysinger, 2010-11-22; 1 file, -2/+2

  The previous change for hardened users (libsandbox: avoid passing same buffer to erealpath) made a change to canonicalize() to fix the buffer usage, but missed updating the actual call to erealpath to use the new buffer set up just for it.

  URL: http://bugs.gentoo.org/339157
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle dirfd in mkdir/open/unlink *at prechecks
  Mike Frysinger, 2010-11-15; 5 files, -58/+123

  Ignoring the dirfd hasn't been a problem in the past as people weren't really using it, but now that core packages are (like tar), we need to handle things properly.

  URL: http://bugs.gentoo.org/342983
  Reported-by: Xake <xake@rymdraket.net>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: tempish mkdir hack for broken symlinks (tag: v2.3)
  Mike Frysinger, 2010-08-16; 1 file, -1/+16

  Some gnulib tests that are bundled with multiple GNU packages stress the POSIX correctness of mkdir behavior across broken symlinks. While this specific behavior under sandbox doesn't really matter (as packages don't create broken symlinks and then need this errno value), it isn't really feasible to patch all the random packages. So add a smallish hack for now to keep them happy until something better can be formulated.

  URL: http://bugs.gentoo.org/297026
  Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: mark rmdir as working on symlinks
  Mike Frysinger, 2010-08-16; 1 file, -0/+1

  Doing rmdir(symlink) does not remove the dir the symlink points to, but will operate on the symlink itself. While it will always fail (since it is a link and not a dir), that isn't something we need to worry about. Just need to avoid doing permission checking on the target of the symlink.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid passing same buffer to erealpath
  Mike Frysinger, 2010-08-15; 2 files, -2/+17

  The erealpath function modifies the storage buffer given to it in place and can misbehave if both the source and destination buffers point to the same storage in memory. So fix the one case where we were doing this in the canonicalize() function and add some run time checks to make sure this doesn't crop up again.

  URL: http://bugs.gentoo.org/292050
  Reported-by: Hongjiu Zhang <voidprayer@gmail.com>
  Reported-by: Fredric Johansson <johansson_fredric@hotmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: don't swallow SIGCHLD notifications
  Mike Frysinger, 2010-08-15; 1 file, -1/+0

  When tracing static processes, the original implementation included code that would always swallow SIGCHLD. Much has changed since then, and it doesn't seem to be needed anymore, and it is certainly breaking a few packages. So drop it, add some tests, and if it causes a regression in the future, we can look at it then (with an actual test case).

  URL: http://bugs.gentoo.org/289963
  Reported-by: Joeri Capens <joeri@capens.net>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: disable sparc ptrace until it can be debugged further
  Mike Frysinger, 2010-08-15; 1 file, -0/+5

  URL: http://bugs.gentoo.org/293632
  Reported-by: Raúl Porcel <armin76@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: catch calls to remove()
  Mike Frysinger, 2009-12-20; 3 files, -0/+15

  People rarely use this, but all it takes is one lame package.

  URL: http://bugs.gentoo.org/297684
  Reported-by: Pacho Ramos <pacho@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use mmap directly for internal memory
  Mike Frysinger, 2009-10-26; 3 files, -1/+23

  Some packages that do library tricks like sandbox override the mmap() symbols. If their implementation ends up calling functions that sandbox has overridden, then we can easily hit an infinite loop.

  sb-fopen -> sb-malloc -> external mmap -> sb-open -> whoops!

  So for the internal memory functions, make sure we call directly to the C library's mmap() functions. This way our internal memory implementation should be free from external forces.

  URL: http://bugs.gentoo.org/290249
  Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: rewrite RTLD_NEXT handling
  Mike Frysinger, 2009-10-26; 1 file, -21/+33

  The commit 0a539b142f24 tried to fix RTLD_NEXT issues seen under certain kernel/glibc combos, but in reality all it did was force dlopening of the C library for every symbol lookup. So rewrite the code to handle things on the fly as needed -- if RTLD_NEXT returned a bum symbol, load the C library and try again.

  URL: http://bugs.gentoo.org/202765
  URL: http://bugs.gentoo.org/206678
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix ptrace decode of utimensat
  Mike Frysinger, 2009-10-25; 1 file, -1/+1

  The ptrace code skipped one too many arguments when decoding the utimensat syscall which caused random utils to fail with garbage paths.

  URL: http://bugs.gentoo.org/288227
  Reported-by: RB <aoz.syn@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle fd's w/out files in proc fd/
  Mike Frysinger, 2009-10-25; 1 file, -0/+15

  When attempting to access anonymous pipes/sockets/etc..., we should let the access go through rather than rejecting the path because we aren't able to access it. There is no backing file after all which means there is nothing for sandbox to check against.

  While this was noticed with an anonymous pipe, the logic applies to any anonymous fd such as sockets or whatever the kernel throws at us.

  URL: http://bugs.gentoo.org/288863
  Reported-by: Marcin Mirosław <bug@mejor.pl>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add support for tracing SPARC systems
  Mike Frysinger, 2009-10-25; 4 files, -15/+55

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>