Commit message | Author | Age | Files | Lines
* libsandbox: handle dirfd in mkdir/open/unlink *at prechecks
  Author: Mike Frysinger   Age: 2010-11-15   Files: 5   Lines: -58/+123

  Ignoring the dirfd hasn't been a problem in the past as people weren't really using it, but now that core packages are (like tar), we need to handle things properly.

  URL: http://bugs.gentoo.org/342983
  Reported-by: Xake <xake@rymdraket.net>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: tempish mkdir hack for broken symlinks
  Tag: v2.3   Author: Mike Frysinger   Age: 2010-08-16   Files: 1   Lines: -1/+16

  Some gnulib tests that are bundled with multiple GNU packages stress the POSIX correctness of mkdir behavior across broken symlinks. While this specific behavior under sandbox doesn't really matter (as packages don't create broken symlinks and then need this errno value), it isn't really feasible to patch all the random packages. So add a smallish hack for now to keep them happy until something better can be formulated.

  URL: http://bugs.gentoo.org/297026
  Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: mark rmdir as working on symlinks
  Author: Mike Frysinger   Age: 2010-08-16   Files: 1   Lines: -0/+1

  Doing rmdir(symlink) does not remove the dir the symlink points to, but will operate on the symlink itself. While it will always fail (since it is a link and not a dir), that isn't something we need to worry about. Just need to avoid doing permission checking on the target of the symlink.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid passing same buffer to erealpath
  Author: Mike Frysinger   Age: 2010-08-15   Files: 2   Lines: -2/+17

  The erealpath function modifies the storage buffer given to it in place and can misbehave if both the source and destination buffers point to the same storage in memory. So fix the one case where we were doing this in the canonicalize() function and add some run time checks to make sure this doesn't crop up again.

  URL: http://bugs.gentoo.org/292050
  Reported-by: Hongjiu Zhang <voidprayer@gmail.com>
  Reported-by: Fredric Johansson <johansson_fredric@hotmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: don't swallow SIGCHLD notifications
  Author: Mike Frysinger   Age: 2010-08-15   Files: 1   Lines: -1/+0

  When tracing static processes, the original implementation included code that would always swallow SIGCHLD. Much has changed since then, and it doesn't seem to be needed anymore, and it is certainly breaking a few packages. So drop it, add some tests, and if it causes a regression in the future, we can look at it then (with an actual test case).

  URL: http://bugs.gentoo.org/289963
  Reported-by: Joeri Capens <joeri@capens.net>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: disable sparc ptrace until it can be debugged further
  Author: Mike Frysinger   Age: 2010-08-15   Files: 1   Lines: -0/+5

  URL: http://bugs.gentoo.org/293632
  Reported-by: Raúl Porcel <armin76@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: catch calls to remove()
  Author: Mike Frysinger   Age: 2009-12-20   Files: 3   Lines: -0/+15

  People rarely use this, but all it takes is one lame package.

  URL: http://bugs.gentoo.org/297684
  Reported-by: Pacho Ramos <pacho@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use mmap directly for internal memory
  Author: Mike Frysinger   Age: 2009-10-26   Files: 3   Lines: -1/+23

  Some packages that do library tricks like sandbox override the mmap() symbols. If their implementation ends up calling functions that sandbox has overridden, then we can easily hit an infinite loop.

      sb-fopen -> sb-malloc -> external mmap -> sb-open -> whoops!

  So for the internal memory functions, make sure we call directly to the C library's mmap() functions. This way our internal memory implementation should be free from external forces.

  URL: http://bugs.gentoo.org/290249
  Reported-by: Diego E. Pettenò <flameeyes@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: rewrite RTLD_NEXT handling
  Author: Mike Frysinger   Age: 2009-10-26   Files: 1   Lines: -21/+33

  The commit 0a539b142f24 tried to fix RTLD_NEXT issues seen under certain kernel/glibc combos, but in reality all it did was force dlopening of the C library for every symbol lookup. So rewrite the code to handle things on the fly as needed -- if RTLD_NEXT returned a bum symbol, load the C library and try again.

  URL: http://bugs.gentoo.org/202765
  URL: http://bugs.gentoo.org/206678
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix ptrace decode of utimensat
  Author: Mike Frysinger   Age: 2009-10-25   Files: 1   Lines: -1/+1

  The ptrace code skipped one too many arguments when decoding the utimensat syscall which caused random utils to fail with garbage paths.

  URL: http://bugs.gentoo.org/288227
  Reported-by: RB <aoz.syn@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle fd's w/out files in proc fd/
  Author: Mike Frysinger   Age: 2009-10-25   Files: 1   Lines: -0/+15

  When attempting to access anonymous pipes/sockets/etc..., we should let the access go through rather than rejecting the path because we aren't able to access it. There is no backing file after all which means there is nothing for sandbox to check against. While this was noticed with an anonymous pipe, the logic applies to any anonymous fd such as sockets or whatever the kernel throws at us.

  URL: http://bugs.gentoo.org/288863
  Reported-by: Marcin Mirosław <bug@mejor.pl>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add support for tracing SPARC systems
  Author: Mike Frysinger   Age: 2009-10-25   Files: 4   Lines: -15/+55

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: kill off confusing SB_WRITE macro
  Author: Mike Frysinger   Age: 2009-08-25   Files: 1   Lines: -7/+15

  The SB_WRITE() macro makes using sb_write() confusing, so convert the two small users and kill it off.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* drop force pic flags
  Author: Mike Frysinger   Age: 2009-08-25   Files: 1   Lines: -2/+1

  The autotool build system already adds PIC where needed, so don't force our own -D/-f options.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix missing *at pre_checks
  Author: Mike Frysinger   Age: 2009-08-25   Files: 1   Lines: -0/+22

  For systems that lack *at() funcs, make sure we still include the pre-checks as we use these functions in the non-at version.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* drop accidental libsandbox.so addition
  Author: Mike Frysinger   Age: 2009-08-25   Files: 1   Lines: -0/+0

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* add -Wall to automake runs and fix fallout
  Author: Mike Frysinger   Age: 2009-08-25   Files: 1   Lines: -5/+3

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use PTRACE_SETOPTIONS only when defined
  Author: Mike Frysinger   Age: 2009-06-04   Files: 1   Lines: -1/+1

  This should fix building on really old Linux systems.

  URL: http://bugs.gentoo.org/255019
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Jeremy Olexa <darkside@gentoo.org>
* libsandbox: disable corner case recover when tracing
  Tag: v2.0   Author: Mike Frysinger   Age: 2009-06-04   Files: 1   Lines: -0/+5

  The code that tries to recover from unreadable paths relies on relative access to the paths in question, and we can't rely on that when tracing.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: convert trace to waitpid()
  Author: Mike Frysinger   Age: 2009-06-04   Files: 1   Lines: -6/+6

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle utimensat with NULL paths
  Author: Mike Frysinger   Age: 2009-06-04   Files: 2   Lines: -8/+18

  The utimensat() function can operate on file fd's directly when the path is NULL, not just relative directory fd's. So tackle that use case.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: ignore core dumps
  Author: Mike Frysinger   Age: 2009-06-04   Files: 1   Lines: -2/+7

  If the user has core dumping enabled, then we may get a dump notice from the traced child. Since this is fine by us, let it go through.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: make sure to punt the useless .la file
  Author: Mike Frysinger   Age: 2009-06-02   Files: 1   Lines: -0/+3

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* use automake AM_V_GEN rather than custom SB_V_GEN
  Author: Mike Frysinger   Age: 2009-04-28   Files: 1   Lines: -9/+5

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add pre checks to static tracing
  Author: Mike Frysinger   Age: 2009-06-04   Files: 20   Lines: -219/+297

  The normal wrapped functions go through some "pre checks" where certain normal conditions are not flagged as problematic. The static tracing lacked those pre checks though.

  URL: http://bugs.gentoo.org/265885
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Daniel Robbins <drobbins@funtoo.org>
* libsandbox: make sure fopen64 uses 64bit funcs
  Author: Mike Frysinger   Age: 2009-06-02   Files: 2   Lines: -1/+7

  URL: http://bugs.gentoo.org/271260
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: T Chan <something-bz@sodium.serveirc.com>
* libsandbox: don't filter signals the traced pid receives
  Author: Mike Frysinger   Age: 2009-04-09   Files: 1   Lines: -9/+21

  If we receive a notice that the child got a signal we don't care about, make sure we tell it to continue on with the signal info so we don't go filtering all signals the child may receive. Otherwise we break test code like that in glibc which exercises the ability of a child to catch and process signals properly.

  URL: http://bugs.gentoo.org/265072
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Nick Fortino <nfortino@gmail.com>
* libsandbox: add support for tracing Blackfin/PARISC systems
  Author: Mike Frysinger   Age: 2009-04-08   Files: 6   Lines: -8/+77

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: test for ERANGE like ENAMETOOLONG
  Author: Mike Frysinger   Age: 2009-04-08   Files: 2   Lines: -4/+6

  Some arches (like ia64) return ERANGE for too long path names, so accept that as the same way we accept ENAMETOOLONG. The BSDs also seem to do this, so they'll get fixed as well.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: symbols.h does not care about wrapper files
  Author: Mike Frysinger   Age: 2009-04-08   Files: 1   Lines: -1/+1

  No need to regen symbols.h every time a wrapper file is updated. Automake will take care of dependencies and rebuild wrappers.c as needed.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: make sure we use internal strdup
  Author: Mike Frysinger   Age: 2009-04-08   Files: 2   Lines: -7/+10

  To keep with the x* conventions, the xstrdup() func should point to the local strdup func. This is because glibc itself may define strdup() to something that prevents us from wrapping it safely.

  URL: http://bugs.gentoo.org/265098
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Stelian Ionescu <stelian.ionescu-zeus@poste.it>
* libsandbox: dump command line whenever a backtrace is shown
  Author: Mike Frysinger   Age: 2009-04-06   Files: 1   Lines: -31/+32

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: decode signal details when falling over in trace
  Author: Mike Frysinger   Age: 2009-04-06   Files: 1   Lines: -3/+8

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: force lock sanity across forks
  Author: Mike Frysinger   Age: 2009-04-05   Files: 6   Lines: -10/+79

  Classic example of forks being used in multithreaded applications and causing havoc with shared state (locks in this case). Make sure that threads grabbing the sandbox lock don't screw up threads that do a fork and then exec.

  URL: http://bugs.gentoo.org/263657
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Ryan Hope <rmh3093@gmail.com>
* libsandbox: handle trace code when vforking
  Author: Mike Frysinger   Age: 2009-04-05   Files: 2   Lines: -3/+16

  The make program likes to vfork() when running programs, so if it vforks and runs a static binary, we need to make sure we clean up state in the child so as to not make the parent angry.

  URL: http://bugs.gentoo.org/264478
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Paul Mulders <info@mld.demon.nl>
* libsandbox: check binary we execute via $PATH
  Author: Mike Frysinger   Age: 2009-04-05   Files: 1   Lines: -5/+29

  If an exec func is used that searches $PATH, we need to do the search as well so that we don't miss out on binaries or denied locations that are run without a full path.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
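The search that commit describes, as an added example (this is not sandbox's own code): an interposed execvp() has to resolve the name against $PATH the same way the C library will, or it checks a different binary than the one that actually runs. The policy list, the sb_ prefixed helper names and the fallback search path are assumptions for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical policy for the demo: the sandbox refuses to exec from here. */
static const char *const sb_denied_exec_prefixes[] = { "/tmp/", "/var/tmp/", NULL };

int sb_exec_denied(const char *path)
{
    for (const char *const *p = sb_denied_exec_prefixes; *p; ++p)
        if (strncmp(path, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Walk `path` (a $PATH string) the way execvp() does and return the first
 * executable candidate for `file` in `out`. Returns 0 on success, -1 with
 * errno set otherwise. Like execvp(): a name containing '/' is used as-is
 * without a search, an empty $PATH element means the current directory,
 * and an EACCES hit along the way is reported if nothing better turns up. */
int sb_which(const char *file, const char *path, char *out, size_t outlen)
{
    if (strchr(file, '/')) {
        if (strlen(file) >= outlen) { errno = ENAMETOOLONG; return -1; }
        strcpy(out, file);
        return 0;
    }
    if (!path)
        path = "/bin:/usr/bin";   /* assumption: the POSIX default search path */

    int saved_errno = ENOENT;
    for (const char *p = path;; ) {
        const char *end = strchr(p, ':');
        size_t dirlen = end ? (size_t)(end - p) : strlen(p);
        int n = dirlen ? snprintf(out, outlen, "%.*s/%s", (int)dirlen, p, file)
                       : snprintf(out, outlen, "./%s", file);
        if (n > 0 && (size_t)n < outlen) {
            if (access(out, X_OK) == 0)
                return 0;
            if (errno == EACCES)
                saved_errno = EACCES;
        }
        if (!end) break;
        p = end + 1;
    }
    errno = saved_errno;
    return -1;
}

/* Convenience wrapper returning a static buffer (NULL on failure, errno set). */
const char *sb_which_str(const char *file, const char *path)
{
    static char buf[PATH_MAX];
    return sb_which(file, path, buf, sizeof buf) == 0 ? buf : NULL;
}

/* What an interposed execvp() would run before calling the real one:
 * 0 = allowed, -1 = denied (errno EACCES) or not found (errno from sb_which). */
int sb_check_execvp(const char *file, const char *path)
{
    const char *resolved = sb_which_str(file, path);
    if (!resolved)
        return -1;
    if (sb_exec_denied(resolved)) {
        fprintf(stderr, "sandbox: refusing to exec %s (resolved from \"%s\")\n",
                resolved, file);
        errno = EACCES;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "sh";
    const char *resolved = sb_which_str(name, getenv("PATH"));
    if (!resolved)
        perror(name);
    else
        printf("%s -> %s%s\n", name, resolved, sb_exec_denied(resolved) ? " (denied)" : "");
    return 0;
}
```

The check is performed on the candidate execvp() would pick, so a denied directory placed early in $PATH is caught even though the caller never spelled out a full path; the race between this lookup and the real execve() is the same one any userspace interposer has, which is why the project also traces static binaries.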
* libsandbox: add a helper func to copy files to fds
  Author: Mike Frysinger   Age: 2009-04-05   Files: 1   Lines: -20/+32

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: bail when processes go away while tracing
  Author: Mike Frysinger   Age: 2009-04-05   Files: 1   Lines: -1/+7

  If we're tracing a proc and it dies while checking a func, just back out cleanly since it isn't like it can cause a violation at that point.

  URL: http://bugs.gentoo.org/264478
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Paul Mulders <info@mld.demon.nl>
* use newer automake features
  Author: Mike Frysinger   Age: 2009-04-05   Files: 1   Lines: -7/+10

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix slightly broken logic with ptrace() return
  Author: Mike Frysinger   Age: 2009-04-05   Files: 1   Lines: -3/+10

  The code attempted to account for the PEEK requests returning -1 in the normal case via errno, but the logic was incorrect. This ended up flagging some successful ptrace() calls when the data returned was -1.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: tweak /proc/.../cmdline check for hardened
  Author: Mike Frysinger   Age: 2009-04-05   Files: 1   Lines: -1/+1

  Some hardened systems disable /proc/#/ access when the process in question is not owned by the current user.

  URL: http://bugs.gentoo.org/264476
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Andreas Westin <forsaken@forsaken.se>
* libsandbox: enable tracing for multiple personalities
  Author: Mike Frysinger   Age: 2009-04-05   Files: 5   Lines: -89/+238

  Initial support for tracing non-default personalities. For example, tracing a 32bit binary from a 64bit environment.

  URL: http://bugs.gentoo.org/264399
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Patrick Lauer <patrick@gentoo.org>
* libsandbox: sort system calls alphabetically
  Author: Mike Frysinger   Age: 2009-03-31   Files: 1   Lines: -25/+25

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix crash with unreadable paths
  Author: Mike Frysinger   Age: 2009-03-31   Files: 1   Lines: -1/+2

  When trying to deal with simple paths like ".." in an unreadable tree, the realpath code would scan back too far with pointers and crash.

      mkdir -p a/b
      cd a/b
      chmod a-rx ..
      ls ..
      <boom>

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
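Two of the erealpath problems in this log, the backwards scan that runs off the buffer on ".." (this commit) and the caller that passed the same buffer as source and destination ("libsandbox: avoid passing same buffer to erealpath" above), come down to the same two guards. The added example below (my code, not sandbox's erealpath or canonicalize()) is a purely lexical canonicalizer that shows both: every backward step on ".." is bounded by the start of the output, and aliased buffers are rejected at entry instead of silently corrupting the walk. The function and buffer names are assumptions for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Collapse "//", "/./" and "/../" in `src` into `dst` lexically (no
 * filesystem access, so unreadable directories cannot matter). An absolute
 * path stays absolute and ".." at the root is dropped, as the kernel does;
 * in a relative path a ".." that has nothing to pop is kept. Returns 0, or
 * -1 with errno set to EINVAL (src and dst alias) or ENAMETOOLONG. */
int lexical_canonicalize(const char *src, char *dst, size_t dstlen)
{
    /* Walking `src` while writing `dst` over the same bytes corrupts the
     * walk, so refuse outright instead of misbehaving later. */
    if (src == dst) { errno = EINVAL; return -1; }
    /* Output never grows past the input; +2 covers "" -> "." plus NUL. */
    if (strlen(src) + 2 > dstlen) { errno = ENAMETOOLONG; return -1; }

    const int absolute = (src[0] == '/');
    char *out = dst;
    if (absolute) *out++ = '/';
    char *const base = out;            /* first byte that may hold a component */

    for (const char *p = src; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;

        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (out == base) {
                if (absolute) continue;            /* "/.." is "/" */
                /* relative: nothing to pop, keep ".." (falls through) */
            } else {
                /* Back up to the start of the last component. The `q > base`
                 * bound is what the crashing scan lacked: it never looks at
                 * memory before the buffer we own. */
                char *q = out;
                while (q > base && q[-1] != '/') q--;
                /* a kept ".." is not a component we can pop */
                if (!(out - q == 2 && q[0] == '.' && q[1] == '.')) {
                    out = (q > base) ? q - 1 : q;  /* also drop the separator */
                    continue;
                }
            }
        }
        if (out != base) *out++ = '/';
        memcpy(out, seg, seglen);
        out += seglen;
    }
    if (out == dst) *out++ = '.';      /* "" and "./" canonicalize to "." */
    *out = '\0';
    return 0;
}

/* Static-buffer convenience used by main(); NULL on error with errno set. */
char canon_buf[PATH_MAX];
const char *canon(const char *src)
{
    return lexical_canonicalize(src, canon_buf, sizeof canon_buf) == 0 ? canon_buf : NULL;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        const char *r = canon(argv[i]);
        if (r) printf("%s -> %s\n", argv[i], r);
        else perror(argv[i]);
    }
    return 0;
}
```

A lexical pass like this is only the first half of what a sandbox needs: it does not follow symlinks, so "a/link/.." can name a different directory than the kernel would resolve, which is exactly why erealpath has to touch the filesystem and why unreadable directories became a problem for it in the first place.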
* libsandbox: fix regression during merge of tracing code
  Author: Mike Frysinger   Age: 2009-03-31   Files: 1   Lines: -2/+2

  Looks like I made a typo when adding support for ptrace.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: be nicer with unknown traced signals
  Author: Mike Frysinger   Age: 2009-03-31   Files: 1   Lines: -1/+1

  Ignore SIGCHLD (in case the static app made some children), and in the case of unknown signals, simply warn rather than aborting so more stuff "just works" (well, ignoring the additional warnings).

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle bad fds with *at() funcs
  Author: Mike Frysinger   Age: 2009-03-31   Files: 1   Lines: -0/+6

  Some code expects that when an *at() func is given a bad fd, the errno value be set to EBADF (like glibc). So convert some of the common errno values of failed readlink() to what would have gone down if we called the actual *at() function.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
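Three commits in this log are about the same pre-check: resolving the (dirfd, path) pair an *at() wrapper receives before any policy is applied ("handle dirfd in mkdir/open/unlink *at prechecks"), letting the call through when the fd has no backing file ("handle fd's w/out files in proc fd/"), and reporting EBADF rather than readlink()'s ENOENT for an fd that is not open (this commit). The added example below (my code, not libsandbox's pre-check code) puts the three together on Linux, where /proc/self/fd/N is how a process learns what its own fd refers to. The enum, the sb_ helper names and the demo functions are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum sb_at_result {
    SB_AT_PATH,       /* `out` holds the path the policy should check */
    SB_AT_ANONYMOUS,  /* dirfd has no backing file: nothing to check, let it through */
    SB_AT_ERROR       /* errno set, to be returned as the real *at() call would */
};

/* What does `fd` refer to? Anonymous objects show up in /proc/self/fd/N as
 * "pipe:[1234]", "socket:[5678]", "anon_inode:[eventfd]" and so on, never
 * as an absolute path. An fd that is not open has no link at all, so
 * readlink() fails with ENOENT; the real *at() call would say EBADF. */
static enum sb_at_result sb_fd_target(int fd, char *out, size_t outlen)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, outlen - 1);
    if (n < 0) {
        if (errno == ENOENT)
            errno = EBADF;
        return SB_AT_ERROR;
    }
    out[n] = '\0';
    return out[0] == '/' ? SB_AT_PATH : SB_AT_ANONYMOUS;
}

/* Combine dirfd and path the way openat(2)/mkdirat(2)/unlinkat(2) do:
 * an absolute path ignores dirfd, AT_FDCWD means the working directory,
 * anything else is relative to the directory dirfd refers to. */
enum sb_at_result sb_resolve_at(int dirfd, const char *path, char *out, size_t outlen)
{
    char dir[PATH_MAX];

    if (path[0] == '/') {
        if (strlen(path) >= outlen) { errno = ENAMETOOLONG; return SB_AT_ERROR; }
        strcpy(out, path);
        return SB_AT_PATH;
    }
    if (dirfd == AT_FDCWD) {
        if (!getcwd(dir, sizeof dir))
            return SB_AT_ERROR;
    } else {
        enum sb_at_result r = sb_fd_target(dirfd, dir, sizeof dir);
        if (r != SB_AT_PATH)
            return r;
    }
    const char *sep = dir[strlen(dir) - 1] == '/' ? "" : "/";
    int n = snprintf(out, outlen, "%s%s%s", dir, sep, path);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return SB_AT_ERROR; }
    return SB_AT_PATH;
}

/* Self-checks for the cases above; each returns 1 on the expected outcome. */
static char sb_buf[PATH_MAX];

int sb_demo_absolute_ignores_dirfd(void)
{
    return sb_resolve_at(-1, "/etc/passwd", sb_buf, sizeof sb_buf) == SB_AT_PATH
        && strcmp(sb_buf, "/etc/passwd") == 0;
}

int sb_demo_directory_fd(void)
{
    int fd = open("/", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return 0;
    int ok = sb_resolve_at(fd, "etc/passwd", sb_buf, sizeof sb_buf) == SB_AT_PATH
          && strcmp(sb_buf, "/etc/passwd") == 0;
    close(fd);
    return ok;
}

int sb_demo_pipe_is_anonymous(void)
{
    int p[2];
    if (pipe(p) < 0) return 0;
    int ok = sb_resolve_at(p[0], "x", sb_buf, sizeof sb_buf) == SB_AT_ANONYMOUS;
    close(p[0]); close(p[1]);
    return ok;
}

int sb_demo_closed_fd_is_ebadf(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return sb_resolve_at(fd, "x", sb_buf, sizeof sb_buf) == SB_AT_ERROR && errno == EBADF;
}

int main(void)
{
    printf("absolute:%d dirfd:%d pipe:%d closed:%d\n",
           sb_demo_absolute_ignores_dirfd(), sb_demo_directory_fd(),
           sb_demo_pipe_is_anonymous(), sb_demo_closed_fd_is_ebadf());
    return 0;
}
```

Passing an anonymous fd through is safe because the kernel will reject the real call with ENOTDIR anyway; what matters for the sandbox is not to turn a legitimate error into a spurious access violation, and not to leak a readlink()-flavoured errno that the caller (glibc's own tests, for instance) never expects from openat().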
* libsandbox: declare cmdline const since it is
  Author: Mike Frysinger   Age: 2009-03-31   Files: 1   Lines: -1/+1

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle more *at functions
  Author: Mike Frysinger   Age: 2009-03-31   Files: 1   Lines: -0/+5

  Add some more *at functions to the main checking code.

  URL: http://bugs.gentoo.org/264320
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Harald van Dijk <truedfx@gentoo.org>
* libsandbox: detect /proc features
  Author: Mike Frysinger   Age: 2009-03-18   Files: 1   Lines: -9/+30

  Handle /proc differences (fd/cmdline/etc...) across systems.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>