Commit log (each entry: commit message, tag if any, author, date, files changed, lines -removed/+added)
* libsandbox: fix x86 tracing when schizo is active (tag: v2.11)
  Mike Frysinger, 2016-03-29, 1 file changed, -0/+10
  Commit 48520a35697aa39bed046b9668a3e3e5f8a8ba93 fixed the configure logic, but the build would fail to link for x86 systems as the syscall table was not actually set up.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: make check_syscall ISE a little more useful
  Mike Frysinger, 2016-03-29, 1 file changed, -2/+2
  Showing just the resolved paths isn't too helpful when they're both NULL. Also include the failing func & original file path.
  URL: https://bugs.gentoo.org/553092
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use ptrace on apps that interpose their own allocator
  Mike Frysinger, 2016-02-16, 3 files changed, -42/+158
  If an app installs its own memory allocator by overriding the internal glibc symbols, then we can easily hit a loop that cannot be broken: the dlsym functions can attempt to allocate memory, and sandbox relies on them to find the "real" functions. So when someone calls a symbol that the sandbox protects, we call dlsym, and that calls malloc, which calls back into the app, and their allocator might use another symbol such as open ... which is protected by the sandbox. So we hit the loop like:
    -> open -> libsandbox:open -> dlsym -> malloc -> open -> libsandbox:open -> dlsym -> malloc -> ...
  Change the exec checking logic to scan the ELF instead. If it exports these glibc symbols, then we have to assume it can trigger a loop, so scrub the sandbox environment to prevent us from being loaded. Then we use the out-of-process tracer (i.e. ptrace). This should generally be as robust anyways ... if it's not, that's a bug we want to fix as this is the same code used for static apps.
  URL: http://crbug.com/586444
  Reported-by: Ryo Hashimoto <hashimoto@chromium.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add wrappers for execveat & execvpe
  Mike Frysinger, 2015-12-22, 3 files changed, -0/+27
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix alpha ptrace error setting
  Mike Frysinger, 2015-12-20, 1 file changed, -1/+6
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new ia64 ptrace port
  Mike Frysinger, 2015-12-20, 3 files changed, -0/+84
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new powerpc ptrace port
  Mike Frysinger, 2015-12-20, 2 files changed, -0/+32
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new alpha ptrace port
  Mike Frysinger, 2015-12-20, 2 files changed, -0/+60
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new arm ptrace port
  Mike Frysinger, 2015-12-20, 2 files changed, -0/+24
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new s390/s390x ptrace port
  Mike Frysinger, 2015-12-20, 2 files changed, -0/+97
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: improve sparc trace code a bit more
  Mike Frysinger, 2015-12-20, 1 file changed, -8/+26
  This gets most of the tests passing, but syscall canceling still does not work. Need to talk to upstream to figure it out.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid mixing stderr & output pipes
  Mike Frysinger, 2015-12-20, 2 files changed, -4/+4
  The various debug helpers were changed to write out to a dedicated message path, but some of the trace code still uses stderr directly. When mixing these methods, the direct prints would sometimes be lost. Convert the few users to a new raw print function so they all route through the same file.
  We might want to extract this a bit more out in the future so it's easier to write to them, but this should be fine for now.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: switch to PTRACE_O_TRACEEXEC
  Mike Frysinger, 2015-12-19, 2 files changed, -47/+29
  Rather than try to deal with the inconsistent cross-arch behavior when it comes to tracking exec behavior, use the PTRACE_O_TRACEEXEC option. This means we only support ptrace on linux-2.6+ systems, but that's fine as we have been requiring that for a long time now. It also means the code is much simpler and stable across arches.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: tweak edge cases of realloc a bit
  Mike Frysinger, 2015-12-19, 1 file changed, -1/+5
  We need to return NULL when passed a size of 0 as the API requires the return value be usable w/free, but we just freed the pointer so the ret will cause memory corruption later on.
  When we go to preserve the old content, we don't need the MIN check as we already verified that a few lines up. But leave it for defensive purposes as gcc already optimizes it out for us. Just comment things.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix old_malloc_size check on realloc
  Denis Lisov, 2015-12-19, 1 file changed, -2/+3
  Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size, while it is really the mmap size, which is greater. Thus it may fail to reallocate even if required.
  URL: https://bugs.gentoo.org/568714
  Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix memory alignment (tag: v2.10)
  Mike Frysinger, 2015-12-19, 1 file changed, -3/+6
  Some targets (like sparc32) have higher alignment requirements for 64-bit values than size_t (which is 4 bytes on sparc32). If we happen to return 4 byte aligned memory which is used to hold a 64-bit, we get bus errors. Use the same algorithm that dlmalloc does.
  URL: https://bugs.gentoo.org/565630
  Reported-by: Denis Kaganovich <mahatma@eu.by>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: do not unnecessarily dereference symlinks
  Mike Frysinger, 2015-09-28, 1 file changed, -3/+12
  When the target uses a func that operates on a symlink, we should not dereference that symlink when trying to validate the call. It's both a waste of time and it subtly breaks code that checks atime updates. The act of reading symlinks is enough to cause their atime to change.
  URL: https://bugs.gentoo.org/415475
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: do not abort when the target uses bad pointers
  Mike Frysinger, 2015-09-20, 1 file changed, -0/+14
  If the target passes a bad pointer to the kernel, then trying to extract the data via ptrace will also throw an error. The tracing code should not abort though as there's no valid address to check, and the kernel itself will return an error for us. Simply return and move on.
  URL: https://bugs.gentoo.org/560396
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix process_vm_readv addresses/lengths
  Mike Frysinger, 2015-09-20, 1 file changed, -14/+14
  The current logic calculates the lengths/base addresses incorrectly leading to some kernels/mappings to reject accesses. Make sure we calculate the initial length properly, and then increment the base by that value later on.
  With those fixes in place, we can clean up the warning/exit paths.
  URL: https://bugs.gentoo.org/560396
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use memchr to speed up NUL byte search
  Mike Frysinger, 2015-09-20, 1 file changed, -3/+2
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: rework abi syscall header generation
  Mike Frysinger, 2015-09-20, 2 files changed, -7/+18
  Probe the availability of multilib headers at configure time so that we can show the status more cleanly. This allows the header generation to be done in parallel and not output confusing warning messages to users.
  URL: https://bugs.gentoo.org/536582
  Reported-by: cmue81@gmx.de
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: work around process_vm_readv EFAULTs (tag: v2.8)
  Mike Frysinger, 2015-09-20, 1 file changed, -2/+15
  Some people are seeing this call fail, but it's not clear why. Include more debugging output so as to improve the reports, and let the code fall back to the existing ptrace logic since that seems to work. This will at least unblock people's builds.
  URL: https://bugs.gentoo.org/560396
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: improve debugging output a bit
  Mike Frysinger, 2015-09-20, 1 file changed, -2/+4
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix handling of dangling symlinks
  Mike Frysinger, 2015-09-20, 1 file changed, -5/+18
  Make sure we properly check the target of symlinks even when the target does not exist. This caused problems in two ways:
  (1) It allowed code to bypass checks by writing through a symlink that was in a good location but pointed to a bad (non-existent) location.
  (2) It caused code to be wrongly rejected when it tried writing to a symlink in a bad location but pointed to a good location.
  In order to get this behavior, we need to use the new gnulib helpers added in the previous commit. They include functions which can look up the targets of symlinks even when the final path doesn't exist.
  URL: https://bugs.gentoo.org/540828
  Reported-by: Rick Farina <zerochaos@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: egetcwd: fix handling of NULL inputs
  Mike Frysinger, 2015-09-20, 1 file changed, -4/+16
  We don't want to let the C library do the memory allocation for us when buf==NULL as it won't use our memory functions, so when we try to call our free on it, we get corruption. Handle the automatic allocation in the code directly.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid leaking memory when extracting strings
  Mike Frysinger, 2015-09-15, 1 file changed, -2/+3
  If userland supports process_vm_readv, but the kernel does not (newer kernel headers & C lib than kernel), then we leak a bit of memory when we fall back to the ptrace code. Do not re-allocate the ret buffer if the code does fall back.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle open's O_TMPFILE flag (tag: v2.7)
  Mike Frysinger, 2015-09-11, 1 file changed, -1/+1
  This new flag needs us to unpack & pass down the mode rather than always sending in the value of 0.
  URL: http://bugs.gentoo.org/529044
  Reported-by: Aidan Thornton <makosoft@googlemail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix building w/gcc-5
  Mike Frysinger, 2015-04-15, 1 file changed, -1/+1
  The preprocessed output of gcc has changed a bit to retain more whitespace, but this just confuses/breaks the scripts that parse it. Add the -P flag to normalize things a bit.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: preserve more SANDBOX env vars
  Mike Frysinger, 2013-02-23, 3 files changed, -132/+238
  While we took pains to preserve the LD_PRELOAD setting, this doesn't help us too much in practice. If a process is going out of its way to blow away LD_PRELOAD, chances are good it's blowing away all vars it doesn't know about. That means all of our SANDBOX_XXX settings. Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX env vars, make sure we preserve those as well.
  These changes also imply some behavioral differences from older versions. Previously, you could `unset` a sandbox var in order to disable it. That no longer works. If you wish to disable things, you have to explicitly set it to "".
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: clean up open file handles in parent tracing process
  Mike Frysinger, 2012-06-23, 1 file changed, -1/+2
  Currently, if a non-static app sets up a pipe (with cloexec enabled) and executes a static app, the handle to that pipe is left open in the parent process. This causes trouble when the parent is waiting for that to be closed immediately.
  Since none of the fds in the forked parent process matter to us, we can just go ahead and clean up all fds before we start tracing the child.
  URL: http://bugs.gentoo.org/364877
  Reported-by: Victor Stinner <victor.stinner@haypocalc.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix early var init
  Mike Frysinger, 2013-02-24, 1 file changed, -8/+25
  In commit 5498907383c7f1654188b6a0d02d8b03112a28c3, we tried to fix handling of ELFs that had their own constructors. Unfortunately, this broke use cases like `env -i` that screw with the environment before we get a chance to extract our settings.
  URL: http://bugs.gentoo.org/404013
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* add a new message env var
  Mike Frysinger, 2013-02-24, 1 file changed, -0/+4
  This is used whenever sandbox wants to display an informational message. For example, early notification of a path violation, or debugging output.
  We can't just pop open an fd and pass that around as apps consider that leakage and will often break assumptions in terms of free fds. Or apps that start up and cleanse all of their open fds.
  So instead, we just pass around an env var that holds the full path to the file we will write to. Since these messages are infrequent (compared to overall runtime), opening/writing/closing the path every time is fine.
  This also avoids all the problems associated with using external portage helpers for writing messages.
  A follow up commit will take care of the situation where apps (such as scons) attempt to also cleanse the env before forking.
  URL: http://bugs.gentoo.org/278761
  URL: http://bugs.gentoo.org/431638
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle ENOSYS w/process_vm_readv
  Mike Frysinger, 2013-02-24, 1 file changed, -1/+6
  If we have a newer glibc built against/running on an older kernel, the func returns ENOSYS at runtime. Handle that.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* delete unused sandbox env vars
  Mike Frysinger, 2013-02-24, 1 file changed, -3/+0
  Nothing uses or cares about these vars, so punt them.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* environ: add a new is_env_var helper for checking var names
  Mike Frysinger, 2013-02-24, 1 file changed, -8/+8
  This is laying the groundwork for processing more vars in the future than just LD_PRELOAD.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add some likely/unlikely settings
  Mike Frysinger, 2013-02-24, 1 file changed, -7/+5
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: reject "" paths with *at funcs before checking the dirfd [missing file]
  Mike Frysinger, 2013-02-24, 1 file changed, -0/+34
  When it comes to processing errors, an empty path is checked before an invalid dirfd. Make sure sandbox matches that behavior for the random testsuites out there that look for this.
  Forgot to `git add` in the previous commit :/.
  URL: https://bugs.gentoo.org/346929
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: reject "" paths with *at funcs before checking the dirfd
  Mike Frysinger, 2012-12-24, 5 files changed, -35/+18
  When it comes to processing errors, an empty path is checked before an invalid dirfd. Make sure sandbox matches that behavior for the random testsuites out there that look for this.
  URL: https://bugs.gentoo.org/346929
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: handle open(O_NOFOLLOW)
  Mike Frysinger, 2012-12-24, 3 files changed, -1/+3
  We don't check for O_NOFOLLOW in the open wrappers, so we end up returning the wrong error when operating on broken symlinks.
  URL: https://bugs.gentoo.org/413441
  Reported-by: Marien Zwart <marienz@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fall back to tracing set*id programs
  Mike Frysinger, 2012-12-24, 1 file changed, -5/+18
  If we are non-root and run a set*id program, the ldso will ignore our LD_PRELOAD (rightly so). Unfortunately, this opens up the ability to run set*id apps that modify things and sandbox cannot catch it. Instead, force ptracing of these ELFs. While the kernel will disallow the set*id aspect when running, for the most part, that shouldn't be a problem if it was already safe.
  URL: http://bugs.gentoo.org/442172
  Reported-by: Nikoli <nikoli@lavabit.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow log files to fall back to tmpdir
  Mike Frysinger, 2012-12-24, 1 file changed, -2/+2
  Since non-root users typically do not have write access to /var/log, allow it to fall back to standard tmpdirs. This makes testing locally a lot easier.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use process_vm_readv if available
  Mike Frysinger, 2012-08-12, 1 file changed, -0/+26
  Should speed up loading of strings from remote processes as we only have to do (usually) one syscall to extract the whole string in one shot.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix hppa trace code
  Mike Frysinger, 2012-07-06, 1 file changed, -2/+2
  URL: https://bugs.gentoo.org/425062
  Reported-by: Jeroen Roovers <jer@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add x32 ABI support (tag: v2.6)
  Mike Frysinger, 2012-07-03, 5 files changed, -9/+75
  We can trace x32 when the host is x86_64 or x32, but x32 cannot trace x86_64 due to limitations in the kernel interface -- all pointers get truncated to 32 bits. We'll have to add external ptrace helpers in the future to make this work, but for now, we'll just let x86_64 code run unchecked :(.
  URL: https://bugs.gentoo.org/394179
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: migrate to get/set regs interface for everyone
  Mike Frysinger, 2012-07-03, 9 files changed, -103/+80
  Newer ports (like x32) limit what is available via the peek/poke user interface, and instead are pushing people to use the single get/set regs interface. Since this also simplifies the code a bit (by forcing all ports to use this), and cuts down on the number of syscalls that we have to make, switch everyone over to it.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* precompile headers.h to speed up build slightly
  Mike Frysinger, 2012-07-03, 3 files changed, -8/+2
  Since all system headers are included by way of headers.h, we can pre-compile this to speed up the build a bit.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: do not leak file handles from tracing checks
  Mike Frysinger, 2012-06-23, 1 file changed, -3/+7
  Make sure we use O_CLOEXEC, and clean things up before forking off a tracing process.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: regenerate trace headers when autotools change
  Mike Frysinger, 2012-06-23, 1 file changed, -1/+1
  If you re-run configure with different settings, the trace headers might be out of date. Have the generated headers depend on the Makefile so that when this situation does come up, we force sanity. This step is fairly quick, so shouldn't be a big deal.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: kill off SB_MEM_DEBUG
  Mike Frysinger, 2012-06-23, 1 file changed, -17/+0
  The mcheck/mtrace logic assumes we're using glibc's memory allocator, but that hasn't been true for some time (we use our own based on mmap and such), so this code no longer serves a purpose. Punt it.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* significantly overhaul output helpers
  Mike Frysinger, 2012-06-23, 12 files changed, -237/+74
  There are a few major points we want to hit here:
  - have all output from libsandbox go through portage helpers when we are in the portage environment so that output is properly logged
  - convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style of other functions and cut down on confusion
  - move all abort/output helpers to libsbutil so it can be used in all source trees and not just by libsandbox
  - migrate all abort points to the centralized sb_ebort helper
  Unfortunately, it's not terribly easy to untangle these into separate patches, but hopefully this shouldn't be too messy as much of it is mechanical: move funcs between files, and change the name of funcs that get called.
  URL: http://bugs.gentoo.org/278761
  Reported-by: Mounir Lamouri <volkmar@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>