| Commit message | Author | Age | Files | Lines |
Since all system headers are included by way of headers.h, we can
pre-compile this to speed up the build a bit.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Make sure we use O_CLOEXEC, and clean things up before forking off a
tracing process.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If you re-run configure with different settings, the trace headers might
be out of date. Have the generated headers depend on the Makefile so that
when this situation does come up, we force sanity. This step is fairly
quick, so shouldn't be a big deal.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The mcheck/mtrace logic assumes we're using glibc's memory allocator,
but that hasn't been true for some time (we use our own based on mmap
and such), so this code no longer serves a purpose. Punt it.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
There are a few major points we want to hit here:
- have all output from libsandbox go through portage helpers when we are
in the portage environment so that output is properly logged
- convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style
of other functions and cut down on confusion
- move all abort/output helpers to libsbutil so it can be used in all
source trees and not just by libsandbox
- migrate all abort points to the centralized sb_ebort helper
Unfortunately, it's not terribly easy to untangle these into separate
patches, but hopefully this shouldn't be too messy as much of it is
mechanical: move funcs between files, and change the name of funcs
that get called.
URL: http://bugs.gentoo.org/278761
Reported-by: Mounir Lamouri <volkmar@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Newer distcheck runs uninstall which is apparently broken.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When we log a lot, we end up leaking fd's, so make sure to clean them.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
We don't want to bleed these across forks/execs.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If we kill the app, then the syscall that we flagged as a violation will
complete, and our entire purpose has failed -- to prevent modifications
to the protected paths.
Instead, set the syscall number to an invalid one, continue the syscall,
then set the syscall return value (which will become the errno) after the
syscall finishes. This way the bad syscall isn't actually executed, and
we let the app continue to run like normal.
URL: http://bugs.gentoo.org/406543
Reported-by: Marijn Schouten <hkbst@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
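The entry/exit dance described in the message above, written out as an added C example for x86-64 Linux (this is not sandbox's own tracer code): the tracer follows a child with PTRACE_SYSCALL, and when unlink()/unlinkat() targets a protected path it overwrites the syscall number with -1 at the syscall-entry stop so the kernel skips the call, then writes -EACCES into the return register at the syscall-exit stop so the app sees a normal error and keeps running. The prefix policy, the temporary file used as the "protected" target, and all function names are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Policy stub (hypothetical): a path is protected when it starts with prefix.
 * libsandbox consults its access lists here instead. */
int path_is_protected(const char *path, const char *prefix)
{
    return strncmp(path, prefix, strlen(prefix)) == 0;
}

#if defined(__linux__) && defined(__x86_64__)
/* Copy a NUL-terminated string out of the tracee, one word per PEEKDATA. */
static int read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len)
{
    for (size_t off = 0; off + sizeof(long) <= len; off += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), NULL);
        if (word == -1 && errno)
            return -1;
        memcpy(buf + off, &word, sizeof(long));
        if (memchr(&word, 0, sizeof(long)))
            return 0;
    }
    buf[len - 1] = '\0';  /* longer than our buffer: truncate */
    return 0;
}

/* Drive the tracee until it exits; return its exit status, or -1 on a tracer error.
 * Entry and exit stops are told apart by alternation: once the number has been
 * replaced with -1, both stops show rax == -ENOSYS, so rax cannot be used for that. */
static int trace_loop(pid_t pid, const char *protected_prefix)
{
    int status, in_syscall = 0, denying = 0;
    long deliver = 0;  /* signal to hand back on resume; 0 also swallows the initial SIGSTOP */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)deliver) < 0 || waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (!WIFSTOPPED(status))
            return -1;
        deliver = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {  /* a real signal: pass it through unchanged */
            deliver = WSTOPSIG(status);
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            return -1;
        in_syscall = !in_syscall;
        if (in_syscall && (regs.orig_rax == SYS_unlink || regs.orig_rax == SYS_unlinkat)) {
            /* entry stop: the path is arg0 for unlink, arg1 for unlinkat */
            unsigned long arg = regs.orig_rax == SYS_unlink ? regs.rdi : regs.rsi;
            char path[PATH_MAX];
            if (read_tracee_string(pid, arg, path, sizeof path) == 0 &&
                path_is_protected(path, protected_prefix)) {
                regs.orig_rax = (unsigned long long)-1;  /* invalid number: the kernel skips the call */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0)
                    return -1;
                denying = 1;
            }
        } else if (!in_syscall && denying) {
            /* exit stop: replace the kernel's -ENOSYS with the errno the app should see */
            regs.rax = (unsigned long long)-EACCES;
            if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0)
                return -1;
            denying = 0;
        }
    }
}
#endif

/* Fork a child that unlink()s a freshly created temp file while traced.
 * Returns 1 if the child saw EACCES and the file is still there, 0 if the
 * denial did not take, -1 if ptrace is unavailable or this is not x86-64 Linux. */
int demo_denied_and_preserved(void)
{
#if !(defined(__linux__) && defined(__x86_64__))
    return -1;
#else
    char path[] = "/tmp/sb_demo_XXXXXX";  /* constructed stand-in for a protected file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    pid_t pid = fork();
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(100);
        raise(SIGSTOP);  /* park until the parent has set its ptrace options */
        _exit(unlink(path) == 0 ? 0 : errno);
    }
    int status, result = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        int child_errno = -1;
        if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) == 0)
            child_errno = trace_loop(pid, path);
        if (child_errno >= 0) {
            result = (child_errno == EACCES && access(path, F_OK) == 0) ? 1 : 0;
        } else {  /* tracer failed partway: do not leave a stopped child behind */
            kill(pid, SIGKILL);
            waitpid(pid, NULL, 0);
        }
    }
    unlink(path);
    return result;
#endif
}
```

Calling demo_denied_and_preserved() from a main() prints nothing itself; it returns 1 when the traced unlink() came back with EACCES and the file is still on disk, which is the whole point of the approach over killing the child: the violating syscall never ran. Real signals are re-delivered on resume rather than swallowed, which is the same concern the later SIGCHLD and signal-passthrough commits in this log address.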
Since every consumer of sb_open gets a copy of the sbio_open data, push
the init of this into the .data section of the respective consumers to
avoid the runtime overhead.
This just leaves sandbox_lib setup in the constructor function, but that
is only needed by the execve wrapper, so push down init of that to the
existing sb_init logic which happens before our execve wrapper gets used.
URL: http://bugs.gentoo.org/404013
Reported-by: Mike Gilbert <floppym@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Don't error out if we're missing trace_regs, but we don't ever
actually use it.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
We only initialize debug_log_path if debug is set, so we need to check
debug first to avoid uninitialized warnings with debug_log_path.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Some gcc versions don't like the construct here where we modified a
variable in the middle of multiple checks.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
URL: http://bugs.gentoo.org/374059
Reported-by: Nick Bowler <nbowler@draconx.ca>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
We need to special case a NULL filename with futimesat just like we
already do with utimensat.
URL: http://bugs.gentoo.org/348640
Reported-by: Jeremy Olexa <darkside@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at
prechecks) unified some path checks while unifying the dirfd code, but
prevented valid NULL paths from also being handled. Make sure we still
handle that behavior, and add a test for it to prevent future regressions.
URL: http://bugs.gentoo.org/346815
Reported-by: Jake Todd <jaketodd422@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The previous commit (libsandbox: handle dirfd in mkdir/open/unlink *at
prechecks) left a sizeof() in place but unfortunately no longer held the
same meaning. In previous code, the function had access to the buffer
decl and so could get the byte count. In the new code, the function has
access to the pointer only. So sizeof() now wrongly returns the size of
pointers rather than the length of the buffer.
Extend the new helper function to take the length of the buffer it is
given to fix this issue.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The previous change for hardened users (libsandbox: avoid passing same
buffer to erealpath) made a change to canonicalize() to fix the buffer
usage, but missed updating the actual call to erealpath to use the new
buffer set up just for it.
URL: http://bugs.gentoo.org/339157
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Ignoring the dirfd hasn't been a problem in the past as people weren't
really using it, but now that core packages are (like tar), we need to
handle things properly.
URL: http://bugs.gentoo.org/342983
Reported-by: Xake <xake@rymdraket.net>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Some gnulib tests that are bundled with multiple GNU packages stress the
POSIX correctness of mkdir behavior across broken symlinks. While this
specific behavior under sandbox doesn't really matter (as packages don't
create broken symlinks and then need this errno value), it isn't really
feasible to patch all the random packages. So add a smallish hack for
now to keep them happy until something better can be formulated.
URL: http://bugs.gentoo.org/297026
Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Doing rmdir(symlink) does not remove the dir the symlink points to, but
will operate on the symlink itself. While it will always fail (since it
is a link and not a dir), that isn't something we need to worry about. Just
need to avoid doing permission checking on the target of the symlink.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The erealpath function modifies the storage buffer given to it in place
and can misbehave if both the source and destination buffers point to the
same storage in memory. So fix the one case where we were doing this in
the canonicalize() function and add some run time checks to make sure this
doesn't crop up again.
URL: http://bugs.gentoo.org/292050
Reported-by: Hongjiu Zhang <voidprayer@gmail.com>
Reported-by: Fredric Johansson <johansson_fredric@hotmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When tracing static processes, the original implementation included code
that would always swallow SIGCHLD. Much has changed since then, and it
doesn't seem to be needed anymore, and it is certainly breaking a few
packages. So drop it, add some tests, and if it causes a regression in
the future, we can look at it then (with an actual test case).
URL: http://bugs.gentoo.org/289963
Reported-by: Joeri Capens <joeri@capens.net>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
URL: http://bugs.gentoo.org/293632
Reported-by: Raúl Porcel <armin76@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
People rarely use this, but all it takes is one lame package.
URL: http://bugs.gentoo.org/297684
Reported-by: Pacho Ramos <pacho@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Some packages that do library tricks like sandbox override the mmap()
symbols. If their implementation ends up calling functions that sandbox
has overridden, then we can easily hit an infinite loop.
sb-fopen -> sb-malloc -> external mmap -> sb-open -> whoops!
So for the internal memory functions, make sure we call directly to the
C library's mmap() functions. This way our internal memory implementation
should be free from external forces.
URL: http://bugs.gentoo.org/290249
Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The commit 0a539b142f24 tried to fix RTLD_NEXT issues seen under certain
kernel/glibc combos, but in reality all it did was force dlopening of the
C library for every symbol lookup. So rewrite the code to handle things
on the fly as needed -- if RTLD_NEXT returned a bum symbol, load the C
library and try again.
URL: http://bugs.gentoo.org/202765
URL: http://bugs.gentoo.org/206678
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
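The on-the-fly lookup described above, as an added C example (not libsandbox's own helper): try dlsym(RTLD_NEXT) first, and only when that comes back empty dlopen the C library once, cache the handle, and retry there. The helper names, the "libc.so.6" soname and the getpid self-check are assumptions for the example.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <unistd.h>

/* Hypothetical lookup helper. RTLD_NEXT is cheap and correct when the C
 * library sits behind us in the link map; the dlopen fallback only runs
 * when it yields nothing, and the handle is kept so the C library is not
 * re-opened for every symbol. */
void *lookup_libc_symbol(const char *name)
{
    static void *libc_handle;             /* opened at most once per process */
    void *sym = dlsym(RTLD_NEXT, name);
    if (sym)
        return sym;
    if (!libc_handle) {
        libc_handle = dlopen("libc.so.6", RTLD_LAZY);   /* glibc soname: assumption */
        if (!libc_handle)
            return NULL;
    }
    return dlsym(libc_handle, name);
}

/* Sanity check that the pointer we got really is the C library's function:
 * calling through it must agree with the direct call. */
int lookup_resolves_getpid(void)
{
    typedef pid_t (*getpid_fn)(void);
    getpid_fn fn = (getpid_fn)lookup_libc_symbol("getpid");
    return fn != NULL && fn() == getpid();
}
```

The caching is the point of the rewrite the message describes: a fallback that dlopen()s on every lookup costs a library load per wrapped call, while a cached handle costs it once. Older glibc needs -ldl at link time for dlsym/dlopen.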
The ptrace code skipped one too many arguments when decoding the utimensat
syscall which caused random utils to fail with garbage paths.
URL: http://bugs.gentoo.org/288227
Reported-by: RB <aoz.syn@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When attempting to access anonymous pipes/sockets/etc..., we should let
the access go through rather than rejecting the path because we aren't
able to access it. There is no backing file after all which means there
is nothing for sandbox to check against.
While this was noticed with an anonymous pipe, the logic applies to any
anonymous fd such as sockets or whatever the kernel throws at us.
URL: http://bugs.gentoo.org/288863
Reported-by: Marcin Mirosław <bug@mejor.pl>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The SB_WRITE() macro makes using sb_write() confusing, so convert the two
small users and kill it off.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The autotool build system already adds PIC where needed, so don't force
our own -D/-f options.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
For systems that lack *at() funcs, make sure we still include the
pre-checks as we use these functions in the non-at version.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This should fix building on really on Linux systems.
URL: http://bugs.gentoo.org/255019
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Jeremy Olexa <darkside@gentoo.org>
The code that tries to recover from unreadable paths relies on relative
access to the paths in question, and we can't rely on that when tracing.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The utimensat() function can operate on file fd's directly when the path
is NULL, not just relative directory fd's. So tackle that use case.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
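Several messages in this log circle the same pre-check: the dirfd of the *at() calls must be honored, a NULL path means the call acts on the fd itself (utimensat/futimesat), fds with no backing file (pipes, sockets) have nothing to check and should pass, and a helper that fills a caller's buffer must be told the buffer's length because sizeof() on a pointer parameter only measures the pointer. The following is an added C example for Linux that puts those rules in one resolver; it is not libsandbox's code, and the enum and function names are assumptions for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of resolving a (dirfd, path) pair; names are assumptions for this example. */
enum at_resolve { AT_RESOLVED = 0, AT_ANONYMOUS = 1, AT_FAILED = -1 };

/* Ask the kernel what an fd refers to. Linux-specific: /proc/self/fd/N is a
 * magic symlink whose target is the path for file-backed fds and a tag such as
 * "pipe:[1234]", "socket:[5678]" or "anon_inode:[eventfd]" otherwise. */
static int fd_target(int fd, char *out, size_t outlen)
{
    char link[48];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, outlen - 1);   /* readlink does not NUL-terminate */
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
}

/* 1 if the fd has no backing file, so there is no path to check; 0 otherwise
 * (including when fd is not open at all, which the real syscall rejects anyway). */
int fd_is_anonymous(int fd)
{
    char target[PATH_MAX];
    if (fd_target(fd, target, sizeof target) < 0)
        return 0;
    return target[0] != '/';
}

/* Rebuild the single absolute path an *at() call will operate on.
 *  - absolute path: dirfd is ignored, as the kernel ignores it
 *  - relative path: joined to the cwd (AT_FDCWD) or to dirfd's target
 *  - NULL path: the call acts on dirfd itself (utimensat/futimesat semantics)
 * outlen is passed explicitly: inside a helper, sizeof(out) would be the size
 * of the pointer, not of the caller's buffer. */
enum at_resolve resolve_at_path(int dirfd, const char *path, char *out, size_t outlen)
{
    char base[PATH_MAX];
    int n;
    if (path && path[0] == '/') {
        n = snprintf(out, outlen, "%s", path);
    } else {
        if (dirfd == AT_FDCWD) {
            if (!getcwd(base, sizeof base))
                return AT_FAILED;
        } else {
            if (fd_is_anonymous(dirfd))
                return AT_ANONYMOUS;   /* let it through: nothing on disk to protect */
            if (fd_target(dirfd, base, sizeof base) < 0)
                return AT_FAILED;
        }
        const char *sep = strcmp(base, "/") == 0 ? "" : "/";   /* avoid "//x" under the root */
        n = path ? snprintf(out, outlen, "%s%s%s", base, sep, path)
                 : snprintf(out, outlen, "%s", base);
    }
    return (n >= 0 && (size_t)n < outlen) ? AT_RESOLVED : AT_FAILED;
}
```

A truncated result is reported as AT_FAILED rather than silently checked, which is the failure the sizeof() commit above describes: with the pointer's size in place of the buffer's, the check would have run against the first few bytes of the path. The helper does not canonicalize symlinks in the joined path; that is a separate step in libsandbox.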
If the user has core dumping enabled, then we may get a dump notice from
the traced child. Since this is fine by us, let it go through.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The normal wrapped functions go through some "pre checks" where certain
normal conditions are not flagged as problematic. The static tracing
lacked those pre checks though.
URL: http://bugs.gentoo.org/265885
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Daniel Robbins <drobbins@funtoo.org>
URL: http://bugs.gentoo.org/271260
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: T Chan <something-bz@sodium.serveirc.com>
If we receive a notice that the child got a signal we don't care about,
make sure we tell it to continue on with the signal info so we don't go
filtering all signals the child may receive. Otherwise we break test code
like that in glibc which exercises the ability of a child to catch and
process signals properly.
URL: http://bugs.gentoo.org/265072
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Nick Fortino <nfortino@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Some arches (like ia64) return ERANGE for too long path names, so accept
that the same way we accept ENAMETOOLONG. The BSDs also seem to do
this, so they'll get fixed as well.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
No need to regen symbols.h every time a wrapper file is updated. Automake
will take care of dependencies and rebuild wrappers.c as needed.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
To keep with the x* conventions, the xstrdup() func should point to the
local strdup func. This is because glibc itself may define strdup() to
something that prevents us from wrapping it safely.
URL: http://bugs.gentoo.org/265098
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Stelian Ionescu <stelian.ionescu-zeus@poste.it>