Commit log (commit message; author, date, files changed, lines -/+)
* libsbutil: fix -Wold-style-declaration (Sam James, 2023-08-08, 1 file, -1/+1)
  Signed-off-by: Sam James <sam@gentoo.org>
  Signed-off-by: Mike Gilbert <floppym@gentoo.org>
* libsbutil: add sbio_faccessat and use it in sb_exists (Mike Gilbert, 2023-08-03, 2 files, -0/+11)
  sbio_faccessat allows libsbutil to access the unwrapped version of faccessat when called from libsandbox.
  Using faccessat in place of fstatat seems to give a small boost in performance.
  Pass AT_EACCESS to faccessat to enable a faster path if uid != euid.
  Bug: https://bugs.gentoo.org/910273
  Signed-off-by: Mike Gilbert <floppym@gentoo.org>
* sb_exists: drop use of faccessat (Mike Gilbert, 2023-07-17, 1 file, -10/+0)
  faccessat appears to perform quite poorly under certain conditions. Go back to using fstatat until this can be debugged.
  Bug: https://bugs.gentoo.org/910273
  Signed-off-by: Mike Gilbert <floppym@gentoo.org>
* libsbutil: add sb_exists function (Mike Gilbert, 2023-06-21, 4 files, -1/+27)
  This provides a central place to work around a bug on musl where faccessat sets errno to EINVAL when the kernel does not support faccessat2.
  Bug: https://bugs.gentoo.org/908765
  Signed-off-by: Mike Gilbert <floppym@gentoo.org>
* change FS calls to use 64-bit interfaces explicitly (Mike Frysinger, 2021-11-05, 3 files, -15/+15)
  Make sure we use 64-bit FS interfaces when accessing the FS. This is needed not only to stat or open large files, but even files with 64-bit inodes.
  Bug: https://bugs.gentoo.org/583282
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: move xasprintf helper here (Mike Frysinger, 2021-11-05, 1 file, -9/+8)
  Since this is only used by sandbox, and is not usable by libsandbox, move it out of libsbutil. Leave a note behind for possible future macros too.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox/libsbutil: use faccessat for file-existence tests (Mike Frysinger, 2021-11-05, 1 file, -13/+1)
  This is faster than using stat since it doesn't have to gather all the metadata, and should avoid LFS issues as a result.
  Bug: https://bugs.gentoo.org/583282
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* Revert "Force sandbox-internal functions to use 64bit file interface" (Mike Frysinger, 2021-11-05, 1 file, -1/+0)
  This reverts commit 19c215f245faf9a453e7171bddccc690c03f7b72.
  We do not want different LFS interfaces being used in different modules as it makes debugging a nightmare when different functions think basic structures have different layouts & sizes.
  This also doesn't address the LFS issues sandbox has when code still crashes in libsandbox itself when checking accesses.
  Bug: https://bugs.gentoo.org/681892
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: restore SANDBOX_INTRACTV variable (Mike Frysinger, 2021-11-05, 1 file, -0/+2)
  I incorrectly dropped this as unused a while back, but the bashrc hook definitely still relies on it for checking portage settings. I think I got confused by the interaction with SANDBOX_TESTING.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* Force sandbox-internal functions to use 64bit file interface (Andreas K. Hüttel, 2021-11-03, 1 file, -0/+1)
  This works around problems when a 64bit qemu is emulating a 32bit architecture. LFS has been present since glibc-2.2 and kernel 2.4.
  Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
* libsbutil: drop fsync when logging (Mike Frysinger, 2021-11-03, 1 file, -1/+0)
  This was added as part of running multiple tracers in parallel in the hopes (hack) it would make logs less intermingled. Unfortunately, it didn't really accomplish that, and it upsets `file` when verbose output is enabled due to file's own seccomp filter (which doesn't have fsync).
  We could add this to file's seccomp filter (since it's a pretty benign syscall), but easier to just drop it at this point since it's not all that useful.
  Bug: https://bugs.gentoo.org/821403
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix ptracing children (Mike Frysinger, 2021-11-02, 2 files, -0/+10)
  The ptrace logic was largely built around the assumption of execing a single static binary and that's it. But there's nothing stopping it from also forking & creating children. Today, that means children do not get tracked for problems.
  One major known issue is that the sandbox env is frozen upon launch. So once we switch to ptrace mode, it's not possible for traced code to disable sandboxing or otherwise reconfigure it. Currently that shouldn't be a big deal as we assume the main execution environment (i.e. bash) is dynamic, and that's where the env will be tweaked, but we'll have to address this before we can deploy ptrace more.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: add a --run-configure option (Mike Frysinger, 2021-10-23, 1 file, -0/+8)
  When setting up sandbox on a new system for development, it helps to be able to build the new sandbox checkout in the same way as it is currently installed in the system. Add a command line option for this explicitly to speed up development.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: hoist -Itop_srcdir to common AM_CPPFLAGS (Mike Frysinger, 2021-10-23, 1 file, -1/+0)
  Every subdir sets this var this way, so might as well unify it. We keep very few files in here, so shouldn't be a future problem.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* Revert "Remove leftover generated Makefiles from the repo (sic!)" (Mike Frysinger, 2021-10-22, 1 file, -0/+4)
  This reverts commit 53ffbaeb24f6ee22a2dcd70fad29c86a4dd863c2.
  These files are supposed to be in here.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* Remove leftover generated Makefiles from the repo (sic!) (Michał Górny, 2021-10-22, 1 file, -4/+0)
  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* delete redundant headers.h stub (Mike Frysinger, 2021-10-21, 2 files, -2/+0)
  These dirs have -I paths to the top-level, so these redirects aren't that useful anymore.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: add a convenience build target (Mike Frysinger, 2021-10-21, 1 file, -1/+1)
  This makes it easy to quickly compile all the tools without actually running the testsuite.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: flatten build a bit to avoid (most) recursive make (Mike Frysinger, 2021-10-21, 3 files, -71/+69)
  Provides a bit of a speed up.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add SANDBOX_METHOD setting (Mike Frysinger, 2021-10-18, 3 files, -0/+46)
  This allows people to disable use of ptrace if their configuration does not support it. This forces older sandbox behavior where we cannot protect against static or set*id programs.
  Bug: https://bugs.gentoo.org/648516
  Bug: https://bugs.gentoo.org/771360
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: add assert to testing code path (Mike Frysinger, 2021-10-18, 1 file, -0/+1)
  This makes it more obvious when the env is (incorrectly) partially set up.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: elide sb_maybe_gdb when -DNDEBUG is used (Guenther Brunthaler, 2016-11-27, 1 file, -0/+2)
  Since sb_maybe_gdb is set up as a stub macro, make sure we don't define the function either to cut down on size and build failures (when the macro tries to expand the function prototype).
  URL: https://bugs.gentoo.org/600550
* libsbutil: clean up same.h distdir usage (Mike Frysinger, 2016-01-18, 1 file, -1/+0)
  In commit 7a923f646ce10b7dec3c7ae5fe2079c10aa21752, we dropped the same.h header, but the build still listed it. Drop it from the distdir list.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: hand disable same_name usage (Mike Frysinger, 2015-12-20, 2 files, -34/+0)
  We don't provide same_name because the one caller we don't use, but it relies on gc-sections to avoid link errors. That flag doesn't work on ia64 though, so we need to hand delete the one caller. Ugh.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: avoid mixing stderr & output pipes (Mike Frysinger, 2015-12-20, 2 files, -1/+14)
  The various debug helpers were changed to write out to a dedicated message path, but some of the trace code still uses stderr directly. When mixing these methods, the direct prints would sometimes be lost. Convert the few users to a new raw print function so they all route through the same file.
  We might want to extract this a bit more out in the future so it's easier to write to them, but this should be fine for now.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_efuncs: avoid pointless stdio indirection (Mike Frysinger, 2015-12-19, 1 file, -8/+8)
  We were setting up a FILE* from a file descriptor to pass to sb_fprintf which is a simple macro that calls fileno(fp) to pass the fd down. We can call the fd funcs directly and avoid the whole stdio business.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: add helpers for reading config options (w/out env export) (Mike Frysinger, 2015-09-26, 2 files, -13/+32)
  All sandbox settings thus far have been for libsandbox.so to process. With newer features though, we have settings that might only apply to the main sandbox program. Add some helper functions for parsing out those settings (which a later commit will utilize).
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: mark xgetcwd static inline (Mike Frysinger, 2015-09-26, 1 file, -5/+1)
  Rather than use gnu inline where gcc can create external references (which we don't provide), just always inline the xgetcwd func. This fixes building at -O0 optimization levels.
  URL: https://bugs.gentoo.org/561342
  Reported-by: Pryka <pryka.iluvatar@gmail.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: import modules for canonicalize_filename_mode (Mike Frysinger, 2015-09-20, 26 files, -0/+2709)
  This lays the groundwork for fixing handling of broken symlinks. The gnulib code is hand imported because using the gnulib tool imports a ton of code we do not want. Only the bare minimum is imported so we can use the canonicalize_filename_mode function.
  This function is needed to canonicalize symlinks that are ultimately broken. The current sandbox/C library code only supports two modes:
  (1) dereference a single symlink
  (2) dereference *all* symlinks, but only if all links are valid
  For sandbox, we need to know the final path a symlink points to even if that path doesn't (yet) exist.
  Note: This commit doesn't actually fix the bug, just brings in the functions we need to do so.
  URL: https://bugs.gentoo.org/540828
  Reported-by: Rick Farina <zerochaos@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: undef memory redirect calls (Mike Frysinger, 2015-09-20, 1 file, -0/+6)
  Sometimes the C library will redirect a call to strdup to __strdup which breaks when we're using the libsandbox memory allocator. This was fixed in libsandbox in commit d7801453aced46a6f31d8455877edeb31a5211cc, but we didn't notice in libsbutil as no calls to strdup happened to come up.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: use a non-shell var for the message path (Mike Frysinger, 2013-03-03, 1 file, -1/+1)
  By allowing the SANDBOX_MESSAGE_PATH var to be stored in the shell environment and then modified on the fly, we run into a fun edge case with the PM. When a phase has finished running, it saves the current environment. When the next phase runs, it loads the env from the previous run. Since the message path var can contain a pid, the previous run will no longer be valid.
  Since we want this to simply be a way for the active sandbox to pass information to the active libsandbox.so's, there's no need to use an env var that the shell can save/reload. As such, use a variable name that the shell will skip. Non-shell programs have no problem with this.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: accept SANDBOX_LOG vars whatever their values (Mike Frysinger, 2013-03-03, 1 file, -9/+5)
  Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox with portage. It changed how the sandbox log env var was accessed by moving from getenv() to get_sandbox_log(). The latter has path checking and will kick out values that contain a slash. That means every time a new process starts, a new sandbox log path will be generated, and when a program triggers a violation, it'll write to the new file. Meanwhile, portage itself watches the original one which never gets updated.
  This code has been around forever w/out documentation, and I can't think of a reason we need it. So punt it.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_efuncs: fix thinko in message patch (Mike Frysinger, 2013-03-03, 1 file, -1/+1)
  Forgot to assign the fallback open to the fd. Whee.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: clean up open file handles in parent tracing process (Mike Frysinger, 2012-06-23, 2 files, -1/+26)
  Currently, if a non-static app sets up a pipe (with cloexec enabled) and executes a static app, the handle to that pipe is left open in the parent process. This causes trouble when the parent is waiting for that to be closed immediately.
  Since none of the fds in the forked parent process matter to us, we can just go ahead and clean up all fds before we start tracing the child.
  URL: http://bugs.gentoo.org/364877
  Reported-by: Victor Stinner <victor.stinner@haypocalc.com>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* environ: add set variants to env_is_{on,off} (Mike Frysinger, 2013-02-22, 2 files, -7/+21)
  In some situations, we want to know the tristate of "is on", "is off", and "is set" instead of just lumping the "is not set" case in with "is off". Add some helpers for that.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* add a new message env var (Mike Frysinger, 2013-02-24, 3 files, -49/+25)
  This is used whenever sandbox wants to display an informational message. For example, early notification of a path violation, or debugging output.
  We can't just pop open an fd and pass that around as apps consider that leakage and will often break assumptions in terms of free fds. Or apps that start up and cleanse all of their open fds. So instead, we just pass around an env var that holds the full path to the file we want will write to. Since these messages are infrequent (compared to overall runtime), opening/writing/closing the path every time is fine.
  This also avoids all the problems associated with using external portage helpers for writing messages.
  A follow up commit will take care of the situation where apps (such as scons) attempt to also cleanse the env before forking.
  URL: http://bugs.gentoo.org/278761
  URL: http://bugs.gentoo.org/431638
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* delete unused sandbox env vars (Mike Frysinger, 2013-02-24, 1 file, -7/+0)
  Nothing uses or cares about these vars, so punt them.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* environ: add a new is_env_var helper for checking var names (Mike Frysinger, 2013-02-24, 1 file, -3/+6)
  This is laying the ground work for processing more vars in the future than just LD_PRELOAD.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* environ: merge is_env_{on,off} into a single file (Mike Frysinger, 2013-02-24, 4 files, -46/+46)
  Start a centralized place for environment related helper funcs.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_gdb: improve gdb integration (Mike Frysinger, 2012-12-24, 4 files, -20/+78)
  Add a dedicated entry point for connecting gdb to make it easy to connect gdb at arbitrary points (ala printf style debugging).
  This also smooths a lot of the common steps when automatically launching gdb such as making sure the process is closer to the crash point when the user takes over control of gdb.
  Finally, switch to using clone rather than fork since the latter relies on the C lib's fork which implicitly can grab locks. If we're crashing in the middle of a func that already holds those locks, the fork call will hang indefinitely on us.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_efuncs: fix usage of portage handlers (Mike Frysinger, 2012-12-24, 1 file, -7/+17)
  The previous change forgot to actually enable the portage helpers. This meant violation output would always get sent to /dev/tty rather than to portage's logging facilities. Enable the helper logic while also fixing a logic error with va_args (you can't re-use the same va_args).
  Also, in order to use these with code that watches over SIGCHLD via sigaction, we need to use sigaction ourselves to ignore that signal. This might be racy with threaded apps that fork & watch SIGCHLD. Testing in the larger world will show whether we need to revisit how we communicate with the PM.
  URL: http://bugs.gentoo.org/431638
  Reported-by: Michael Weiser <michael@weiser.dinsnail.net>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow log files to fallback to tmpdir (Mike Frysinger, 2012-12-24, 2 files, -8/+15)
  Since non-root users typically do not have write access to /var/log, allow it to fall back to standard tmpdirs. This makes testing locally a lot easier.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_efunc: delete (Mike Frysinger, 2012-12-24, 1 file, -25/+0)
  Completely unused. GOOD BYE.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_efuncs: fix NOCOLOR handling (Mike Frysinger, 2012-11-23, 1 file, -2/+5)
  Need to set the colors to "" rather than NULL so we don't print out "(null)" where the colors normally would be.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* precompile headers.h to speed up build slightly (Mike Frysinger, 2012-07-03, 2 files, -0/+2)
  Since all system headers are included by way of headers.h, we can pre-compile this to speed up the build a bit.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sb_printf: expand feature set slightly and fix testing (Mike Frysinger, 2012-07-02, 1 file, -12/+36)
  This adds support for signed ll, unsigned z, l, and ll, hex l, and ll, ignores the # for hex output since this is what we do implicitly already.
  As for testing, looks like during the autogeneration of testsuite.list.at, the sb_printf test was lost. Restore it so it gets run again.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* significantly overhaul output helpers (Mike Frysinger, 2012-06-23, 8 files, -62/+321)
  There are a few major points we want to hit here:
  - have all output from libsandbox go through portage helpers when we are in the portage environment so that output is properly logged
  - convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style of other functions and cut down on confusion
  - move all abort/output helpers to libsbutil so it can be used in all source trees and not just by libsandbox
  - migrate all abort points to the centralized sb_ebort helper
  Unfortunately, it's not terribly easy to untangle these into separate patches, but hopefully this shouldn't be too messy as much of it is mechanical: move funcs between files, and change the name of funcs that get called.
  URL: http://bugs.gentoo.org/278761
  Reported-by: Mounir Lamouri <volkmar@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: create more defines for gcc attributes (Mike Frysinger, 2012-06-23, 1 file, -4/+4)
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: drop beep support (Mike Frysinger, 2012-06-23, 1 file, -3/+0)
  Almost no one has beep support turned on anymore, and ebeep in the main tree has been deprecated (meaning it wasn't found useful while building packages). So punt support for it from sandbox too.
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: push down constructor init (Mike Frysinger, 2012-03-05, 2 files, -12/+1)
  Since every consumer of sb_open gets a copy of the sbio_open data, push the init of this into the .data section of the respective consumers to avoid the runtime overhead.
  This just leaves sandbox_lib setup in the constructor function, but that is only needed by the execve wrapper, so push down init of that to the existing sb_init logic which happens before our execve wrapper gets used.
  URL: http://bugs.gentoo.org/404013
  Reported-by: Mike Gilbert <floppym@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>