authorMike Frysinger <vapier@gentoo.org>2021-10-18 18:06:39 -0400
committerMike Frysinger <vapier@gentoo.org>2021-11-02 20:05:25 -0400
commitba41b3b01c573a4f942605142a5a0d2f08b4c799 (patch)
treed1adbadd648af1039d5ecdff435220903bf91749 /libsbutil
parentbump to sandbox-3.0 (diff)
libsandbox: fix ptracing children
The ptrace logic was largely built around the assumption of execing a single static binary and that's it. But there's nothing stopping it from also forking & creating children. Today, that means children do not get tracked for problems. One major known issue is that the sandbox env is frozen upon launch. So once we switch to ptrace mode, it's not possible for traced code to disable sandboxing or otherwise reconfigure it. Currently that shouldn't be a big deal as we assume the main execution environment (i.e. bash) is dynamic, and that's where the env will be tweaked, but we'll have to address this before we can deploy ptrace more. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'libsbutil')
-rw-r--r--libsbutil/sb_efuncs.c1
-rw-r--r--libsbutil/sbutil.h9
2 files changed, 10 insertions, 0 deletions
diff --git a/libsbutil/sb_efuncs.c b/libsbutil/sb_efuncs.c
index 7ded90d..1283784 100644
--- a/libsbutil/sb_efuncs.c
+++ b/libsbutil/sb_efuncs.c
@@ -52,6 +52,7 @@ static void sb_vefunc(const char *prog, const char *color, const char *format, v
sb_fdprintf(fd, " %s*%s ", color, COLOR_NORMAL);
sb_vfdprintf(fd, format, args);
+ fsync(fd);
if (opened)
close(fd);
}
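Review bot: The added `fsync(fd);` discards its return value and can overwrite errno, because fsync fails with EINVAL on a descriptor that does not support synchronisation (a terminal, pipe or socket). If callers of sb_vefunc read errno after logging, and the function does not already preserve it outside this hunk, that value is lost; the errno save/restore helpers in sbutil.h (`restore_errno()` is visible in the second hunk) could bracket the call. A one-line comment, for example `/* flush now so the message is not lost if the process is stopped or killed right after */`, would record why a per-message flush is wanted, if that is the intent. The function body starts outside the hunk.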
diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h
index d81543b..267f717 100644
--- a/libsbutil/sbutil.h
+++ b/libsbutil/sbutil.h
@@ -169,6 +169,15 @@ char *__xstrndup(const char *str, size_t size, const char *file, const char *fun
#define restore_errno() errno = old_errno;
#define saved_errno old_errno
+#define RETRY_EINTR(call) \
+({ \
+ long result; \
+ do { \
+ result = (call); \
+ } while (result == -1 && errno == EINTR); \
+ result; \
+})
+
#include "gnulib/canonicalize.h"
#endif /* __SBUTIL_H__ */
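Review bot: The temporary inside `RETRY_EINTR` is named `result`, so an argument expression that mentions a caller variable also called `result` binds to the macro's uninitialised local instead; a name unlikely to collide, such as `long sb_retry_ret_;`, avoids that. Declaring it `long` also means the macro only suits calls that return an integer no wider than long and report failure as -1 with errno set. A comment above the macro should state that `call` is evaluated again on every retry, so it must be safe to repeat, and that the macro relies on the GNU statement-expression extension. Since the commit message ties this change to tracking ptraced children, stating that contract helps keep a later caller from wrapping a call the macro cannot retry correctly.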