| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
The various debug helpers were changed to write out to a dedicated message
path, but some of the trace code still uses stderr directly. When mixing
these methods, the direct prints would sometimes be lost. Convert the few
users to a new raw print function so they all route through the same file.
We might want to extract this a bit more out in the future so it's easier
to write to them, but this should be fine for now.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
| |
All sandbox settings thus far have been for libsandbox.so to process.
With newer features though, we have settings that might only apply to
the main sandbox program. Add some helper functions for parsing out
those settings (which a later commit will utilize).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This lays the groundwork for fixing handling of broken symlinks. The
gnulib code is hand imported because using the gnulib tool imports a
ton of code we do not want. Only the bare minimum is imported so we
can use the canonicalize_filename_mode function.
This function is needed to canonicalize symlinks that are ultimately
broken. The current sandbox/C library code only supports two modes:
(1) dereference a single symlink
(2) dereference *all* symlinks, but only if all links are valid
For sandbox, we need to know the final path a symlink points to even
if that path doesn't (yet) exist.
Note: This commit doesn't actually fix the bug, just brings in the
functions we need to do so.
URL: https://bugs.gentoo.org/540828
Reported-by: Rick Farina <zerochaos@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By allowing the SANDBOX_MESSAGE_PATH var to be stored in the shell
environment and then modified on the fly, we run into a fun edge
case with the PM. When a phase has finished running, it saves the
current environment. When the next phase runs, it loads the env
from the previous run. Since the message path var can contain a
pid, the previous run will no longer be valid.
Since we want this to simply be a way for the active sandbox to
pass information to the active libsandbox.so's, there's no need
to use an env var that the shell can save/reload. As such, use a
variable name that the shell will skip. Non-shell programs have
no problem with this.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, if a non-static app sets up a pipe (with cloexec enabled) and
executes a static app, the handle to that pipe is left open in the parent
process. This causes trouble when the parent is waiting for that to be
closed immediately.
Since none of the fds in the forked parent process matter to us, we can
just go ahead and clean up all fds before we start tracing the child.
URL: http://bugs.gentoo.org/364877
Reported-by: Victor Stinner <victor.stinner@haypocalc.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
| |
In some situations, we want to know the tristate of "is on", "is off", and
"is set" instead of just lumping the "is not set" case in with "is off".
Add some helpers for that.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is used whenever sandbox wants to display an informational message.
For example, early notification of a path violation, or debugging output.
We can't just pop open an fd and pass that around as apps consider that
leakage and will often break assumptions in terms of free fds. Or apps
that start up and cleanse all of their open fds.
So instead, we just pass around an env var that holds the full path to
the file we want will write to. Since these messages are infrequent
(compared to overall runtime), opening/writing/closing the path every
time is fine.
This also avoids all the problems associated with using external portage
helpers for writing messages.
A follow up commit will take care of the situation where apps (such as
scons) attempt to also cleanse the env before forking.
URL: http://bugs.gentoo.org/278761
URL: http://bugs.gentoo.org/431638
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
| |
Nothing uses or cares about these vars, so punt them.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
| |
This is laying the ground work for processing more vars in the
future than just LD_PRELOAD.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a dedicated entry point for connecting gdb to make it easy to connect
gdb at arbitrary points (ala printf style debugging).
This also smooths a lot of the common steps when automatically launching
gdb such as making sure the process is closer to the crash point when the
user takes over control of gdb.
Finally, switch to using clone rather than fork since the latter relies
on the C lib's fork which implicitly can grab locks. If we're crashing
in the middle of a func that already holds those locks, the fork call
will hang indefinitely on us.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
| |
Since non-root users typically do not have write access to /var/log,
allow it to fallback to standard tmpdirs. This makes testing locally
a lot easier.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are a few major points we want to hit here:
- have all output from libsandbox go through portage helpers when we are
in the portage environment so that output is properly logged
- convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style
of other functions and cut down on confusion
- move all abort/output helpers to libsbutil so it can be used in all
source trees and not just by libsandbox
- migrate all abort points to the centralized sb_ebort helper
Unfortunately, it's not terribly easy to untangle these into separate
patches, but hopefully this shouldn't be too messy as much of it is
mechanical: move funcs between files, and change the name of funcs
that get called.
URL: http://bugs.gentoo.org/278761
Reported-by: Mounir Lamouri <volkmar@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
| |
Almost no one has beep support turned on anymore, and ebeep in the main
tree has been deprecated (meaning it wasn't found useful while building
packages). So punt support for it from sandbox too.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since every consumer of sb_open gets a copy of the sbio_open data, push
the init of this into the .data section of the respective consumers to
avoid the runtime overhead.
This just leaves sandbox_lib setup in the constructor function, but that
is only needed by the execve wrapper, so push down init of that to the
existing sb_init logic which happens before our execve wrapper gets used.
URL: http://bugs.gentoo.org/404013
Reported-by: Mike Gilbert <floppym@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
| |
The SB_WRITE() macro makes using sb_write() confusing, so convert the two
small users and kill it off.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
| |
Always use local sandbox.d copy to avoid random /etc/sandbox.d issues like
it doesn't exist, or has permission problems, or anything else.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
| |
The very old method of loading sandbox was via ld.so.preload, so it was
added to default deny list. However, that's long dead, and since it does
not conflict with LD_PRELOAD, no point in preventing access.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
| |
Break out most of the QA static ELF warning code into a new eqawarn()
func. This way we can handle dynamic stuff like calling portage's eqawarn
func to handle dirty details like logging.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
|
| |
Rather than dump the QA static notice to stderr when trying to execute a
static binary, write directly to /dev/tty. This prevents breaking things
like testsuites that validate the exact stderr output.
URL: http://bugs.gentoo.org/261957
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Kent Fredric <kentfredric@gmail.com>
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
| |
We don't want people to bypass normal mechanisms with the testing var, so
zero out the name when installing the sandbox binary.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
|
| |
Make sure we source the local sandbox.{bashrc,conf} and we always make the
helper functions available when testing even if we aren't interactive. Now
we can run `make check` and test the local version of sandbox even when we
are running under another sandbox env.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
| |
Kill off string operations where unnecessary, and convert the sets of
prefixes to arrays that we can iterate over.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
|
| |
Pull the x* memory functions out of rcscripts and into libsbutil and change
their style to match the rest of sbutil. Also add xzalloc() and xstrdup(),
and convert pointless strndup() usage to strdup().
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
|
| |
All output (even "normal" messages) have to go to stderr so we don't
inadvertently break shell scripts that are being passed via stdout.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
| |
sb_printf function
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
|
|
|
|
|
| |
libsbutil.
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
|
|
|
|
| |
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
|
|
|
|
| |
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
|
|
to have all the internal functions static, and thus we can break
things out a bit and make the source layout more sane. Start by
moving librcutil to libsbutil, and adding all the defines and
helper functions needed by both libsandbox and sandbox.
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
|