Commit log for pax-utils
Each entry: subject (tag), author, date, files changed, lines -removed/+added, then the commit message.
* update copyright headers
  Mike Frysinger, 2024-01-01, 1 file, -2/+2

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* Fix fuzz-dumpelf test
  Aliaksei Urbanski, 2023-11-23, 1 file, -0/+4

  Not sure why, but the dumpelf.fuzz fuzzer fails when it's calling
  prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) at security_init.
  So I suggest disabling seccomp for fuzz testing.

  Also, in order to not run indefinitely, the fuzzer must be executed
  with some reasonable options.
  https://releases.llvm.org/14.0.0/docs/LibFuzzer.html#options

  Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com>
  Closes: https://github.com/gentoo/pax-utils/pull/13
  Signed-off-by: Sam James <sam@gentoo.org>
* Undo IWYU fixes
  Sam James, 2023-01-29, 1 file, -13/+0

  I wasn't paying enough attention; it's better to just fold the needed
  bits into porting.h.

  This reverts commit ffedc60fa41d307bda28fd108e6ff1b8da1fc2ee.
  This reverts commit f8287200aec0ca33ef07fafcdd5aef0aa6eb1306.
  This reverts commit aa907a42d89ddfd5a7e64d8182a1da35277f2f6e.

  Bug: https://github.com/gentoo/pax-utils/pull/11#issuecomment-1407566344
  Signed-off-by: Sam James <sam@gentoo.org>
* *: IWYU fixes
  Sam James, 2023-01-28, 1 file, -0/+13

  Separate from the first commit as this one was done programmatically
  with dev-util/include-what-you-use.

  Signed-off-by: Sam James <sam@gentoo.org>
* security.h: suppress unused argument warning on allow_forking
  Arsen Arsenović, 2022-07-12, 1 file, -0/+1

  Signed-off-by: Arsen Arsenović <arsen@aarsen.me>
  Signed-off-by: Sam James <sam@gentoo.org>
* security: pregen seccomp bpf programs (tag: v1.3)
  Mike Frysinger, 2021-04-17, 1 file, -190/+24

  Since the bpf programs are the same across runs, generate them ahead
  of time. This way we don't have to link against libseccomp and run
  the library calls at runtime, which helps cut out most overhead.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
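The pregenerated form that commit describes, as an added example rather than pax-utils' own code: a seccomp-bpf allowlist written out as a static `sock_filter` array (the shape a filter takes once it is emitted at build time, for instance with libseccomp's `seccomp_export_bpf()`, and libseccomp is no longer linked at runtime), a small userspace evaluator so the program can be checked before it is ever installed, and the `prctl(2)` call that loads it. The syscall set (read/write/mmap/exit_group) and the `FILTER_ARCH`, `ALLOW_SYSCALL`, `seccomp_eval`, `check_syscall` and `install_pregen_filter` names are assumptions for illustration, not the project's real list or API.

```c
/* Added example, not pax-utils code. Static seccomp-bpf allowlist plus an
 * offline evaluator and the prctl() loader; syscall list and names are
 * illustrative assumptions. Linux only. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall numbers are per-arch, so the program checks AUDIT_ARCH before nr. */
#if defined(__x86_64__)
# define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Two instructions: on a match fall through to RET ALLOW, otherwise skip it. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

static const struct sock_filter pregen_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* wrong arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(__NR_read),
    ALLOW_SYSCALL(__NR_write),
    ALLOW_SYSCALL(__NR_mmap),
    ALLOW_SYSCALL(__NR_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* default: fail closed */
};
#define PREGEN_LEN (sizeof(pregen_filter) / sizeof(pregen_filter[0]))

/* Tiny cBPF interpreter for the opcodes an allowlist uses (32-bit absolute
 * load, JEQ, RET). Unknown opcodes or out-of-range loads count as KILL. */
static __u32 seccomp_eval(const struct sock_filter *prog, size_t len,
                          const struct seccomp_data *data)
{
    __u32 acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k % 4 != 0 || ins->k + 4 > sizeof(*data))
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)data + ins->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf; /* relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end: malformed program */
}

/* Evaluate the filter for one syscall as if the kernel had built seccomp_data. */
static __u32 check_syscall(__u32 arch, int nr)
{
    struct seccomp_data data;
    memset(&data, 0, sizeof(data));
    data.nr = nr;
    data.arch = arch;
    return seccomp_eval(pregen_filter, PREGEN_LEN, &data);
}

/* Load the static program directly, no libseccomp. NO_NEW_PRIVS is what lets an
 * unprivileged process install a filter; EINVAL is also what a kernel without
 * seccomp support returns. */
static int install_pregen_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)PREGEN_LEN,
        .filter = (struct sock_filter *)pregen_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

int main(void)
{
    static const char msg[] = "pregenerated filter active\n";
    if (install_pregen_filter() != 0) {
        perror("prctl(PR_SET_SECCOMP)");
        return 1;
    }
    /* Only the allowlisted syscalls may run from here: write, then exit_group. */
    if (write(STDOUT_FILENO, msg, sizeof(msg) - 1) < 0)
        _exit(1);
    _exit(0);
}
```

Evaluating the program in userspace catches the two classic mistakes before a SIGSYS does: a missing arch check (the same nr is a different syscall on x86_64 and aarch64) and a jump offset that skips the default-deny. Once `main` has installed the filter, anything outside the list kills the process, which is exactly why the later commits in this log keep adding syscalls to it.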
* security.c: allow faccessat2 syscall in seccomt filters (take 2) (tag: v1.2.9)
  Sergei Trofimovich, 2021-02-03, 1 file, -0/+5

  Under glibc-2.33 sandbox uses faccessat2 to stat symlinks.
  Unfortunately libseccomp does not yet provide a syscall definition
  for faccessat2. Define it locally.

  Reported-by: Cănărău Constantin
  Bug: https://bugs.gentoo.org/768435
  Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* Revert "security.c: allow faccessat2 syscall in seccomt filters"
  Sergei Trofimovich, 2021-02-03, 1 file, -1/+0

  libseccomp does not yet provide faccessat2. I tested the commit
  without seccomp enabled.

  This reverts commit e2378b8c6bef5d94805444797e7fe35c07f54783.

  Bug: https://bugs.gentoo.org/768435
  Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* security.c: allow faccessat2 syscall in seccomt filters
  Sergei Trofimovich, 2021-02-03, 1 file, -0/+1

  Under glibc-2.33 sandbox uses faccessat2 to stat symlinks.

  Reported-by: Cănărău Constantin
  Bug: https://bugs.gentoo.org/768435
  Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* security.c: allow 'statx' in seccomp sandbox (musl-1.1.24) (tag: v1.2.6)
  Sergei Trofimovich, 2020-04-13, 1 file, -0/+1

  musl-1.1.24, starting from dfc81828f7ab41da08f744c ("implement fstatat
  with SYS_statx, conditional on undersized kstat time"), changed
  fstatat() to use statx(). This caused scanelf to crash under the
  seccomp sandbox.

  The change whitelists the 'statx' syscall.

  Bug: https://bugs.gentoo.org/717300
  Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* security.c: allow 'semtimedop' in seccomp sandbox (glibc-2.31)
  Sergei Trofimovich, 2020-02-16, 1 file, -0/+1

  glibc-2.31 switched the semop() libc implementation from semop() to
  semtimedop() in
  https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=765cdd0bffd77960a
  ("sysvipc: Implement semop based on semtimedop").

  This caused pax-utils to fail under fakeroot as:

  ```
  $ fakeroot scanelf -yqRBF '#k%F' -k '.symtab' /bin/bash
  .../usr/bin/fakeroot: line 178: 103268 Bad system call ...
  Program terminated with signal SIGSYS, Bad system call.
  33 ../sysdeps/unix/sysv/linux/semtimedop.c: No such file or directory.
  (gdb) bt
  (gdb)
  ```

  The change whitelists the 'semtimedop' syscall.

  Reported-by: Patrick McLean
  Bug: https://bugs.gentoo.org/709794
  Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* security.c: whitelist ipc() syscall for fakeroot on ppc64 and friends (tag: v1.2.4)
  Sergei Trofimovich, 2019-01-14, 1 file, -0/+6

  On amd64 and friends msgget() and similar syscalls are standalone
  syscalls. On i386 and friends msgget() is a subcall of the ipc()
  syscall. This makes fakechroot break 'scanelf' as:

    $ LANG=C fakeroot scanelf -t /bin/bash
    /usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped)

  The change whitelists the ipc() call, which allows all sysv syscalls,
  namely:
  - semop, semget, semctl, semtimedop
  - msgsnd, msgrcv, msgget, msgctl
  - shmat, shmdt, shmget, shmctl

  Reported-and-fixed-by: Samuel Holland
  Bug: https://bugs.gentoo.org/675378
  Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* security: fix building on much older systems (tag: v1.2)
  Mike Frysinger, 2017-01-21, 1 file, -1/+24

  Basically wrap all defines in ifdefs or add fallback stubs.

  URL: https://bugs.gentoo.org/606184
* security: whitelist readlinkat (tag: v1.1.6)
  Mike Frysinger, 2016-03-03, 1 file, -0/+1

  Newer arches omit readlink entirely (like aarch64).

  Reported-by: Steev Klimaszewski <steev@gentoo.org>
* security: allow more read/write syscalls
  Mike Frysinger, 2016-02-10, 1 file, -0/+5

  Some C libraries might use these functions in different ways. Since
  they are fairly harmless to use, just whitelist all the read/write
  variants.

  URL: https://bugs.gentoo.org/571128
  Reported-by: Vladimir Lushnikov <vladimir@vladimir.lu>
  Reported-by: Mias van Klei <miasvanklei@gmail.com>
* security: whitelist the getcwd syscall (tag: v1.1.4)
  Mike Frysinger, 2015-10-26, 1 file, -0/+1

  This might be run by the sandbox.

  Reported-by: Markus Oehme <oehme.markus@gmx.de>
  URL: https://bugs.gentoo.org/562206
* security: fix build on systems w/out si_syscall (tag: v1.1.3)
  Mike Frysinger, 2015-09-19, 1 file, -1/+4

  Make sure we do not try to use si_syscall when it isn't available.

  URL: https://bugs.gentoo.org/560098
* security: whitelist the futex syscall
  Mike Frysinger, 2015-09-19, 1 file, -0/+3

  When building with openmp, often libpthread is linked in and code
  automatically generated using it. That means lower mutexes end up
  calling the futex syscall. This isn't just when pax-utils is built
  with openmp, but it also applies when libraries it links with are
  built with openmp.

  Reported-by: florianmey@gmx.de
  URL: https://bugs.gentoo.org/559814
* security: whitelist dup syscalls (tag: v1.1.2)
  Mike Frysinger, 2015-09-11, 1 file, -0/+3

  These are used by freopen internally, so whitelist them all. They're
  pretty benign at any rate.
* security: do not warn when seccomp is disabled in the kernel (tag: v1.1.1)
  Mike Frysinger, 2015-08-27, 1 file, -2/+5

  If the seccomp feature is disabled in the kernel, we'll get back
  EINVAL from the prctl call. There's no simple way to differentiate
  this from a real EINVAL (bad filter args), so we'll just assume that
  libseccomp knows what it is doing.

  Reported-by: Piotr Karbowski <piotr.karbowski@gmail.com>
  URL: https://bugs.gentoo.org/558414
* security: whitelist fakeroot syscalls
  Mike Frysinger, 2015-08-26, 1 file, -0/+7

  Until we get a bit more dynamic here, whitelist the IPC syscalls that
  fakeroot uses since it is available via portage FEATURES.

  URL: https://bugs.gentoo.org/558482
* security: add a debug handler for seccomp
  Mike Frysinger, 2015-08-24, 1 file, -1/+26

  If a bad syscall is hit, it can be hard to track down. Add a debug
  mode that people can enable to get useful error messages showing the
  failure.

  URL: https://bugs.gentoo.org/558482
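One shape such a debug handler can take, as an added example that is not the project's code: the filter's reject action is switched from KILL to TRAP, and a SIGSYS handler decodes `si_syscall` (falling back to "unknown" on libcs whose headers lack it, the case the "fix build on systems w/out si_syscall" commit above deals with) and writes a one-line report using only async-signal-safe calls. The trapped syscall (getppid, standing in for one missing from the allowlist), the message text and the `sigsys_syscall_nr`, `format_sigsys_report` and `install_sigsys_debug_handler` names are assumptions; the demo filter also omits the arch check a production filter needs.

```c
/* Added example, not pax-utils code: SIGSYS debug handler for a seccomp
 * sandbox. Trapped syscall, message text and names are assumptions. */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SYS_SECCOMP
# define SYS_SECCOMP 1 /* si_code for seccomp traps; missing from older libc headers */
#endif

/* Syscall number from a seccomp SIGSYS, or -1 when this is not a seccomp trap
 * or the libc headers predate si_syscall. */
static int sigsys_syscall_nr(const siginfo_t *info)
{
    if (info->si_signo != SIGSYS || info->si_code != SYS_SECCOMP)
        return -1;
#ifdef si_syscall
    return info->si_syscall;
#else
    return -1;
#endif
}

/* Build "seccomp: blocked syscall nr N\n" with memcpy and a hand-rolled decimal
 * conversion only, since printf is not async-signal-safe. Returns the number of
 * bytes written (NUL-terminated as well), or 0 if buf is too small. */
static size_t format_sigsys_report(const siginfo_t *info, char *buf, size_t len)
{
    static const char prefix[] = "seccomp: blocked syscall nr ";
    char num[16], rev[16];
    size_t nlen = 0, r = 0, out;
    int nr = sigsys_syscall_nr(info);

    if (nr < 0) {
        memcpy(num, "unknown", 7);
        nlen = 7;
    } else {
        unsigned int v = (unsigned int)nr;
        do { rev[r++] = (char)('0' + v % 10); v /= 10; } while (v);
        while (r) num[nlen++] = rev[--r];        /* digits were produced backwards */
    }
    if (len < sizeof(prefix) - 1 + nlen + 2)     /* prefix + number + '\n' + NUL */
        return 0;
    memcpy(buf, prefix, sizeof(prefix) - 1);
    out = sizeof(prefix) - 1;
    memcpy(buf + out, num, nlen);
    out += nlen;
    buf[out++] = '\n';
    buf[out] = '\0';
    return out;
}

static void sigsys_debug_handler(int sig, siginfo_t *info, void *ctx)
{
    char buf[64];
    size_t n = format_sigsys_report(info, buf, sizeof(buf));
    (void)sig; (void)ctx;
    if (n)
        (void)!write(STDERR_FILENO, buf, n); /* nothing to do on a failed write */
    _exit(128 + SIGSYS);                     /* debug mode still refuses to continue */
}

static int install_sigsys_debug_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = sigsys_debug_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSYS, &sa, NULL);
}

int main(void)
{
    /* Trap getppid, allow everything else: just enough to show the handler firing. */
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = insns };

    if (install_sigsys_debug_handler() != 0 ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) != 0) {
        perror("setting up seccomp debug trap");
        return 1;
    }
    (void)getppid(); /* rejected by the filter: handler reports the nr and exits */
    puts("not reached when the trap fires");
    return 0;
}
```

The handler must be installed before the filter, otherwise the first rejected syscall takes the default SIGSYS disposition and the process dies without a message. Keeping the report free of printf matters in practice: a TRAP fired from inside malloc or stdio would otherwise re-enter those locks from the handler.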
* security: clean up syscall ifdefs
  Mike Frysinger, 2015-08-24, 1 file, -18/+0

  We don't need to check for ifdefs on syscalls as libseccomp handles
  stubs for us. They make sure the SCMP_SYS macros are a superset
  across all of the supported architectures.
* security: use seccomp to lock ourselves down (tag: v1.1)
  Mike Frysinger, 2015-08-20, 1 file, -0/+147

  This has a minor speed hit (a few milliseconds), but otherwise
  provides a decent balance.
* security: lock down privs a bit via prctl
  Mike Frysinger, 2015-08-20, 1 file, -0/+9

  Should make accidentally running set*id programs less of a problem.
* security: leverage namespaces to restrict the runtime a bit
  Mike Frysinger, 2015-08-20, 1 file, -0/+89

  In practice this isn't terribly useful as people aren't attacking
  these tools, but might as well be paranoid. It'd be nice to use
  mount & net namespaces too, but they're way too slow.