Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Break out most of the QA static ELF warning code into a new eqawarn()
func. This way we can handle dynamic stuff like calling portage's eqawarn
func to handle dirty details like logging.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If a wrapped function bails early due to some local logic, make sure we
log this at the debug level. Having them silently return on us makes
tracking down problems harder than it needs to be.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If attempts to access the specified path fail, this is most likely due to
funky perms being set up. Since this is really only an issue for non-root
users when testing stuff (like the coreutils tests), we can let the real
func do its work when running as non-root. If the path contains links to
some place we would normally deny, then attempt to dereference what little
we can. If all else fails, the standard unix permissions will prevent
damage from being done even if we are unable to log it.
URL: http://bugs.gentoo.org/259876
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hill <dirtyepic@gentoo.org>
If a path is too long, then attempting to read the fd link in /proc/*/fd/#
will fail with ENAMETOOLONG. In that case, we should restore errno and
let the normal function do its business. Chances are we wouldn't have
gotten this far in the first place if there was an actual deny in place.
This fixes some of the testcases in coreutils that create really long
paths and then test things.
URL: http://bugs.gentoo.org/259876
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hill <dirtyepic@gentoo.org>
Dump symbols before we abort and if SANDBOX_GDB is enabled in the env,
automatically launch & attach gdb to the crashing setup.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If resolve_path() was unable to resolve things, then do not restore the
errno value as we use this to signal higher layers. This should make the
getcwd tests behave better.
URL: http://bugs.gentoo.org/261936
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hill <dirtyepic@gentoo.org>
While the execvp() is a common entry point, the other ones are often used
as well. While they don't take environ pointers directly, the env could
have been modified before calling the exec function, which means we need
to restore our LD_PRELOAD setting.
So now we support execv/execve/fexecve/popen/system. Missing from this
list are the execl* funcs, but that's because they aren't exactly easy to
interpose with the structure of their variable arguments.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Rather than dump the QA static notice to stderr when trying to execute a
static binary, write directly to /dev/tty. This prevents breaking things
like testsuites that validate the exact stderr output.
URL: http://bugs.gentoo.org/261957
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Kent Fredric <kentfredric@gmail.com>
Rather than just dumping the name of the static ELF, include the arguments
to the program as well. For common programs (that are known to be safe),
don't bother whining (like using the static ldso to verify binaries).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Make sure we handle edge cases that involve symlinks and functions that
operate on symlinks. This includes newer style *at functions that can go
between operating on symlinks and operating on the linked files, and on
symlinks to files that live in explicitly denied paths.
URL: http://bugs.gentoo.org/254914
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Mike Auty <ikelos@gentoo.org>
Minor optimization to not bother saving/restoring the errno if we don't
actually call another C library function.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Since hardened systems may return -1 in the case of an error, but this
isn't a "real" error, we need to save/restore errno. Otherwise we corrupt
the errno value of the caller. This is a regression on hardened systems
due to the recent commit bab59e2c which optimized symbol loading a bit.
URL: http://bugs.gentoo.org/260765
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Magnus Granberg <zorry@ume.nu>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When glibc is compiled with optimization and higher _FORTIFY_SOURCE
levels, the headers redirect dynamic calls to the open*() functions to the
__open*_2() functions. The latter provide runtime checking. But this
means we also need to wrap the latter forms in order to get sandbox
checking on the open() functions.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Since the main sandbox code maintains state with global variables (like
sbcontext), make sure we use a pthread mutex to prevent multiple threads
from corrupting each other. In the non-threaded case this shouldn't be
a problem as the C library provides redirection stubs in its own code.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
In case we want to access a standard function unwrapped, create hidden
functions that do just that. This creates a standard for most functions
of the form sb_unwrapped_foo().
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Remove some of the ugly indirection in the WRAPPER_PRE_CHECKS() defines so
it operates like a normal C function -- much easier to work with those.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
No point in saving/restoring the errno value if we don't make any C lib
function calls.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If the symbol lookup function failed, then we abort. If the lookup
worked, then errno is not touched. In either case, there is no need to
save/restore the errno value.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The longest wrapped symbol name has hit the hard limit of 10 chars, so
rather than manually bump it up, calculate it on the fly with the awk
scripts.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The mknodat() symbol on glibc is rewritten to __xmknodat(), so we need to
wrap that and check for all of them in the check_access() code.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If lstat() worked, it won't clear errno for us, so we have to do it. Also
unify the error code paths.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
No point in allocating cached_env_vars dynamically since we allocate it
once during init and it's only 4 pointers. Stick it into the bss instead.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The core libsandbox code was checking for ENAMETOOLONG when working with
getcwd() and doing the right thing, but it never passed this error back up
to the caller. This would make some tests (like the getcwd tests in many
gnulib/autotool based packages like coreutils) keep on trying since it
did not detect the expected failure conditions. So now when we hit the
ENAMETOOLONG error, we pass this specific error back up to the caller.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
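The errno discipline these commits describe (save errno before the wrapper's own checks, restore it on the normal path, but leave an unresolvable-path failure such as ENAMETOOLONG in place so it reaches the caller), as an added illustration that is not sandbox's own code. resolve_path(), path_is_denied() and real_open_sim() are simplified stand-ins, and the /denied/ and /missing/ prefixes and LONG_PATH are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the sandbox's resolve_path() (hypothetical): copies the path
 * into a fixed buffer, failing with ENAMETOOLONG when it does not fit. */
static int resolve_path(const char *path, char *out, size_t outlen)
{
    size_t n = strlen(path);
    if (n >= outlen) { errno = ENAMETOOLONG; return -1; }
    memcpy(out, path, n + 1);
    return 0;
}

/* Constructed policy and a stand-in for the real libc call (both hypothetical):
 * /denied/ is refused by the sandbox, /missing/ makes the real call fail. */
static int path_is_denied(const char *path) { return strncmp(path, "/denied/", 8) == 0; }
static int real_open_sim(const char *path)
{
    if (strncmp(path, "/missing/", 9) == 0) { errno = ENOENT; return -1; }
    return 3; /* fake descriptor */
}

/* Wrapper applying the errno discipline from the commits above. */
int sb_open_sim(const char *path)
{
    int saved_errno = errno;   /* our own checks may call libc and clobber errno */
    char resolved[64];
    /* Unresolvable path: do NOT restore errno; the ENAMETOOLONG must reach
     * the caller (and the tests that expect exactly that failure). */
    if (resolve_path(path, resolved, sizeof(resolved)) < 0)
        return -1;
    if (path_is_denied(resolved)) { errno = EACCES; return -1; }
    errno = saved_errno;       /* checks passed: hand errno back untouched */
    return real_open_sim(resolved);
}

/* Helpers for exercising the wrapper with a chosen starting errno. */
int sb_open_sim_ret(const char *path, int initial_errno)
{ errno = initial_errno; return sb_open_sim(path); }
int sb_open_sim_errno(const char *path, int initial_errno)
{ errno = initial_errno; (void)sb_open_sim(path); return errno; }

/* Constructed sample: 71 bytes, longer than the 64-byte resolve buffer. */
const char *LONG_PATH = "/aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
                        "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";
```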
As Maximilian points out, the internal memory funcs in libsandbox are
already called by the x*() type funcs which means error checking occurs at
the higher level. So we don't want to do it at the inner level either as
that will lose the real file/location where the memory allocation occurred.
URL: http://bugs.gentoo.org/257179
Signed-off-by: Maximilian Grothusmann <maxi-gentoo@own-hero.de>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Let real funcs do their magic even before predicted paths.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The optimize changes added after 1.3.2 were not entirely correct. The
sandbox /proc/self/fd check was changed to check for the dir itself rather
than allowing all paths that started with the dir. So let's comment more
about what's going on and fix it up.
URL: http://bugs.gentoo.org/257418
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hill <dirtyepic@gentoo.org>
The optimize changes added after 1.3.2 were not entirely correct. The
sandbox log dir check was changed to check for the dir itself rather than
blacklisting all paths that started with the dir. So let's comment more
about what's going on and fix it up.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
A very common bug (apparently) is for .py[co] files to fall out of sync
with their .py source files. Rather than trigger a hard failure, let's
just whine about it. Once python itself gets sorted out, we can drop
this.
URL: http://bugs.gentoo.org/256953
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The size argument to backtrace() is the number of elements, not the number
of bytes.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Ignore symbols that are not functions, or do not have the proper binding
and/or visibility for us to override.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Support --version-script and -M flags for passing version scripts.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Use the public xxx_t types rather than the internal __xxx_t. The former
are more portable. With glibc systems, these are the same anyways.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If no explicit deny exists on a path, and some leading components of the
path do not actually exist, pass the path on to the actual function when
we know said functions will fail. For example, many tests operate on some
kind of path where the leading components do not exist, such as the m4
test that tries to do fopen("/none/such", "w") and the /none/ dir does not
actually exist. Since we know /none/ does not exist, let through funcs
that will fail in this case.
URL: http://bugs.gentoo.org/244396
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hill <dirtyepic@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Since we don't care about library versioning (as we always just preload
the libsandbox.so file), don't bother including it in the SONAME.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>