| Commit message (Collapse) | Author | Age | Files | Lines |
| |
If the target passes a bad pointer to the kernel, then trying to extract
the data via ptrace will also throw an error. The tracing code should not
abort though as there's no valid address to check, and the kernel itself will
return an error for us. Simply return and move on.
URL: https://bugs.gentoo.org/560396
Reported-by: Jeroen Roovers <jer@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Make sure we properly check the target of symlinks even when the target
does not exist. This caused problems in two ways:
(1) It allowed code to bypass checks by writing through a symlink that
was in a good location but pointed to a bad (non-existent) location.
(2) It caused code to be wrongly rejected when it tried writing to a
symlink in a bad location but pointed to a good location.
In order to get this behavior, we need to use the new gnulib helpers
added in the previous commit. They include functions which can look
up the targets of symlinks even when the final path doesn't exist.
URL: https://bugs.gentoo.org/540828
Reported-by: Rick Farina <zerochaos@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
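The two failure modes described in the commit message above, as an added example that is not sandbox's or gnulib's code: it resolves a path through symlinks even when the final target is missing, then applies a prefix check to the result. The names `resolve_missing_ok`, `write_allowed` and `run_demo` are hypothetical, plain `realpath()`/`readlink()` stand in for the gnulib helpers, and the allowed prefix is assumed not to be `/`.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Canonicalize `path`, following symlinks even when the final target does
 * not exist (only the last component may be missing). Returns 0 on success. */
static int resolve_missing_ok(const char *path, char out[PATH_MAX]) {
    char cur[PATH_MAX], tmp[PATH_MAX], dir[PATH_MAX], lnk[PATH_MAX];
    struct stat st; ssize_t n;
    if (snprintf(cur, sizeof cur, "%s", path) >= PATH_MAX) return -1;
    for (int hops = 0; hops < 40; hops++) {          /* bound symlink loops */
        if (realpath(cur, out)) return 0;            /* whole path exists */
        strcpy(tmp, cur);
        if (!realpath(dirname(tmp), dir)) return -1; /* parent must exist */
        strcpy(tmp, cur);
        if (snprintf(out, PATH_MAX, "%s/%s", strcmp(dir, "/") ? dir : "",
                     basename(tmp)) >= PATH_MAX) return -1;
        if (lstat(out, &st) != 0) return errno == ENOENT ? 0 : -1;
        if (!S_ISLNK(st.st_mode)) return -1;
        if ((n = readlink(out, lnk, sizeof lnk - 1)) < 0) return -1;
        lnk[n] = '\0';
        if (snprintf(cur, sizeof cur, "%s%s%s", lnk[0] == '/' ? "" : dir,
                     lnk[0] == '/' ? "" : "/", lnk) >= PATH_MAX) /* relative */
            return -1;                    /* targets start at the link's dir */
    }
    return -1;
}
/* 1 if `path` resolves to a location under directory `prefix`, else 0. */
static int write_allowed(const char *path, const char *prefix) {
    char real[PATH_MAX], root[PATH_MAX];
    if (!realpath(prefix, root) || resolve_missing_ok(path, real)) return 0;
    size_t n = strlen(root);
    return !strncmp(real, root, n) && (real[n] == '/' || real[n] == '\0');
}
/* Constructed scenario: <tmp>/good is the allowed tree, <tmp>/bad is not. */
static int run_demo(void) {
    char t[] = "/tmp/sbdemoXXXXXX";
    if (!mkdtemp(t) || chdir(t)) return -1;
    mkdir("good", 0700); mkdir("bad", 0700);
    symlink("../bad/new", "good/escape");  /* good location -> missing bad */
    symlink("../good/new", "bad/inward");  /* bad location -> missing good */
    return write_allowed("good/escape", "good") * 2 + write_allowed("bad/inward", "good");
}
int main(void) { printf("%d\n", run_demo()); return 0; }
```

A check that only looked at where the link itself lives would give the opposite answer for both links.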
| |
While we took pains to preserve the LD_PRELOAD setting, this doesn't
help us too much in practice. If a process is going out of its way
to blow away LD_PRELOAD, chances are good it's blowing away all vars
it doesn't know about. That means all of our SANDBOX_XXX settings.
Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX
env vars, make sure we preserve those as well.
These changes also imply some behavioral differences from older
versions. Previously, you could `unset` a sandbox var in order
to disable it. That no longer works. If you wish to disable
things, you have to explicitly set it to "".
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Currently, if a non-static app sets up a pipe (with cloexec enabled) and
executes a static app, the handle to that pipe is left open in the parent
process. This causes trouble when the parent is waiting for that to be
closed immediately.
Since none of the fds in the forked parent process matter to us, we can
just go ahead and clean up all fds before we start tracing the child.
URL: http://bugs.gentoo.org/364877
Reported-by: Victor Stinner <victor.stinner@haypocalc.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
When tracing static processes, the original implementation included code
that would always swallow SIGCHLD. Much has changed since then, and it
doesn't seem to be needed anymore, and it is certainly breaking a few
packages. So drop it, add some tests, and if it causes a regression in
the future, we can look at it then (with an actual test case).
URL: http://bugs.gentoo.org/289963
Reported-by: Joeri Capens <joeri@capens.net>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
When attempting to access anonymous pipes/sockets/etc..., we should let
the access go through rather than rejecting the patch because we aren't
able to access it. There is no backing file after all which means there
is nothing for sandbox to check against.
While this was noticed with an anonymous pipe, the logic applies to any
anonymous fd such as sockets or whatever the kernel throws at us.
URL: http://bugs.gentoo.org/288863
Reported-by: Marcin Mirosław <bug@mejor.pl>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
If the command sandbox was instructed to execute failed, make sure we pass
that exact exit status back up instead of normalizing everything to 0/1.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
If resolve_path() was unable to resolve things, then do not restore the
errno value as we use this to signal higher layers. This should make the
getcwd tests behave better.
URL: http://bugs.gentoo.org/261936
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ryan Hill <dirtyepic@gentoo.org>
| |
While the execvp() is a common entry point, the other ones are often used
as well. While they don't take environ pointers directly, the env could
have been modified before calling the exec function, which means we need
to restore our LD_PRELOAD setting.
So now we support execv/execve/fexecve/popen/system. Missing from this
list are the execl* funcs, but that's because they aren't exactly easy to
interpose with the structure of their variable arguments.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Convert the `touch` test to use our `open-0` util so we get fine grained
control over the test and so we don't have to worry about localization
issues or about system-specific messages.
This also extends the test framework to start parsing symbolic open()
flags as well as errno values (and add support for checking them).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Add test cases for symlink behavior and unify some of the test code to
make adding more test cases even easier.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| |
Also fix common script execution code to remove debug "moo" string and
disable pointless sleep code in sandbox.
URL: http://bugs.gentoo.org/139591
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Ciaran McCreesh <ciaran.mccreesh@googlemail.com>
|
Make sure we source the local sandbox.{bashrc,conf} and we always make the
helper functions available when testing even if we aren't interactive. Now
we can run `make check` and test the local version of sandbox even when we
are running under another sandbox env.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>