author | Mike Frysinger <vapier@gentoo.org> | 2021-10-18 02:47:59 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2021-10-18 02:47:59 -0400 |
commit | c4bf07615cd2e2ec25a16420d8ddee2efec6f8d2 (patch) | |
tree | 17cba0cfb546f72d1657d1380e30c5c88027d8b6 /libsandbox | |
parent | libsbutil: add assert to testing code path (diff) | |
libsandbox: add SANDBOX_METHOD setting
This allows people to disable use of ptrace if their configuration
does not support it. This forces older sandbox behavior where we
cannot protect against static or set*id programs.
Bug: https://bugs.gentoo.org/648516
Bug: https://bugs.gentoo.org/771360
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'libsandbox')
-rw-r--r-- | libsandbox/libsandbox.c | 10 | ||||
-rw-r--r-- | libsandbox/libsandbox.h | 1 | ||||
-rw-r--r-- | libsandbox/wrapper-funcs/__wrapper_exec.c | 4 |
3 files changed, 15 insertions, 0 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 758c0dc..02f5ef2 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -29,6 +29,7 @@ char sandbox_lib[SB_PATH_MAX];
 
 typedef struct {
 bool show_access_violation, on, active, testing, verbose, debug;
+ sandbox_method_t method;
 char *ld_library_path;
 char **prefixes[5];
 int num_prefixes[5];
@@ -94,6 +95,7 @@ void libsb_init(void)
 sbcontext.verbose = is_env_on(ENV_SANDBOX_VERBOSE);
 sbcontext.debug = is_env_on(ENV_SANDBOX_DEBUG);
 sbcontext.testing = is_env_on(ENV_SANDBOX_TESTING);
+ sbcontext.method = get_sandbox_method();
 if (sbcontext.testing) {
 const char *ldpath = getenv("LD_LIBRARY_PATH");
 if (ldpath)
@@ -101,6 +103,11 @@ void libsb_init(void)
 }
 }
 
+sandbox_method_t get_sandbox_method(void)
+{
+ return parse_sandbox_method(getenv(ENV_SANDBOX_METHOD));
+}
+
 /* resolve_dirfd_path - get the path relative to a dirfd
 *
 * return value:
@@ -1170,6 +1177,7 @@ struct sb_envp_ctx sb_new_envp(char **envp, bool insert)
 ENV_PAIR(11, ENV_SANDBOX_DEBUG, NULL),
 ENV_PAIR(12, "LD_LIBRARY_PATH", NULL),
 ENV_PAIR(13, ENV_SANDBOX_TESTING, NULL),
+ ENV_PAIR(14, ENV_SANDBOX_METHOD, NULL),
 };
 size_t num_vars = ARRAY_SIZE(vars);
 char *found_vars[num_vars];
@@ -1242,6 +1250,8 @@ struct sb_envp_ctx sb_new_envp(char **envp, bool insert)
 vars[12].value = sbcontext.ld_library_path;
 vars[13].value = "1";
 }
+ if (sbcontext.method != SANDBOX_METHOD_ANY)
+ vars[14].value = str_sandbox_method(sbcontext.method);
 
 char ** my_env = NULL;
 if (!insert) {
diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h
index 70fc422..96bb7c1 100644
--- a/libsandbox/libsandbox.h
+++ b/libsandbox/libsandbox.h
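Review bot: The new `get_sandbox_method()` re-parses the environment on every call, while `libsb_init` one hunk earlier caches that same result in `sbcontext.method`, which `sb_new_envp` then propagates to children; `sb_check_exec` in __wrapper_exec.c calls the function per exec, so the two copies can diverge if `SANDBOX_METHOD` is altered in the process environment after init. Either return `sbcontext.method` once `libsb_init` has run, or state why the environment is the source of truth in a header comment, since the neighbouring `resolve_dirfd_path` carries one and this function has none, e.g. `/* get_sandbox_method - (re)parse $SANDBOX_METHOD from the environment; callers must not assume libsb_init has populated sbcontext.method yet */`. The decision to drop the variable from the child environment when the value is `SANDBOX_METHOD_ANY` (last hunk) is also worth a one-line comment, as it relies on `parse_sandbox_method` treating an unset variable as ANY, which this diff does not show.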
@@ -51,6 +51,7 @@ bool before_syscall(int, int, const char *, const char *, int);
 bool before_syscall_access(int, int, const char *, const char *, int);
 bool before_syscall_open_int(int, int, const char *, const char *, int);
 bool before_syscall_open_char(int, int, const char *, const char *, const char *);
+enum sandbox_method_t get_sandbox_method(void);
 
 void *get_dlsym(const char *symname, const char *symver);
 
diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c
index 766245a..5174d2f 100644
--- a/libsandbox/wrapper-funcs/__wrapper_exec.c
+++ b/libsandbox/wrapper-funcs/__wrapper_exec.c
@@ -30,6 +30,10 @@ static bool sb_check_exec(const char *filename, char *const argv[])
 struct stat st;
 bool do_trace = false;
 bool run_in_process = true;
+ sandbox_method_t method = get_sandbox_method();
+
+ if (unlikely(method == SANDBOX_METHOD_PRELOAD))
+ return true;
 
 fd = sb_unwrapped_open_DEFAULT(filename, O_RDONLY|O_CLOEXEC, 0);
 if (fd == -1) |
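Review bot: The prototype spells the return type `enum sandbox_method_t`, whereas the definition added to libsandbox.c in this same commit, the new `sbcontext.method` field and the local in `sb_check_exec` all use the typedef `sandbox_method_t`; the two spellings are only compatible if the typedef also declares an enum tag of that exact name, which nothing in this diff shows. Using the typedef here too, `sandbox_method_t get_sandbox_method(void);`, removes that hidden dependency and keeps the header consistent with its callers. Whether libsandbox.h already pulls in the header that defines the typedef is outside the hunk and should be confirmed.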
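Review bot: The early `return true` when `method == SANDBOX_METHOD_PRELOAD` bypasses whatever static/set*id probing follows in `sb_check_exec` (the remainder of the function is outside the hunk), which is the reduced protection the commit message describes, yet nothing at the call site records that the skip is deliberate, so a later reader hardening this path cannot tell intent from oversight. A why-comment on the new branch would fix that, e.g. `/* PRELOAD mode: ptrace is disabled by configuration, so skip the static/set*id detection below; such programs cannot be confined */`. The branch also re-reads the environment through `get_sandbox_method()` on every exec instead of using the value `libsb_init` cached in `sbcontext.method` and that `sb_new_envp` hands to children; if `sbcontext` is reachable from this translation unit, reading it keeps the exec decision consistent with what the child will inherit. If the library has a debug-level logging helper, emitting one line when this branch is taken would make the coverage gap visible in logs rather than silent.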