From 87f753cf677137f8d6c06c56ee6cc4db11ec71b0 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Sat, 23 Feb 2013 00:28:42 -0500 Subject: libsandbox: preserve more SANDBOX env vars While we took pains to preserve the LD_PRELOAD setting, this doesn't help us too much in practice. If a process is going out of its way to blow away LD_PRELOAD, chances are good it's blowing away all vars it doesn't know about. That means all of our SANDBOX_XXX settings. Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX env vars, make sure we preserve those as well. These changes also imply some behavioral differences from older versions. Previously, you could `unset` a sandbox var in order to disable it. That no longer works. If you wish to disable things, you have to explicitly set it to "". Signed-off-by: Mike Frysinger --- tests/Makefile.am | 2 +- tests/mkdir-3.sh | 2 +- tests/script-10.sh | 21 +++++++++++++++++++++ tests/script.at | 1 + 4 files changed, 24 insertions(+), 2 deletions(-) create mode 100755 tests/script-10.sh (limited to 'tests') diff --git a/tests/Makefile.am b/tests/Makefile.am index 1d32e2e..0f0c249 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -79,7 +79,7 @@ check_PROGRAMS = \ sigsuspend-zsh_static_tst dist_check_SCRIPTS = \ - $(wildcard $(srcdir)/*-?.sh) \ + $(wildcard $(srcdir)/*-[0-9]*.sh) \ script-0 \ trace-0 diff --git a/tests/mkdir-3.sh b/tests/mkdir-3.sh index 10e8723..e5b7899 100755 --- a/tests/mkdir-3.sh +++ b/tests/mkdir-3.sh @@ -18,7 +18,7 @@ chmod a-rx .. ln -s / root # this should trigger a sb violation -unset SANDBOX_PREDICT +SANDBOX_PREDICT="" (mkdir-0 -1 root/aksdfjasdfjaskdfjasdfla 0777) chmod a+rx .. diff --git a/tests/script-10.sh b/tests/script-10.sh new file mode 100755 index 0000000..801730e --- /dev/null +++ b/tests/script-10.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# make sure all the SANDBOX env vars make it back in. +[ "${at_xfail}" = "yes" ] && exit 77 # see script-0 + +ret=0 + +out=$(env -i env) +for var in LOG DEBUG_LOG MESSAGE_PATH DENY READ WRITE PREDICT ON ACTIVE ; do + var="SANDBOX_${var}" + oval=$(env | grep "^${var}=" | sed 's:^[^=]*=::') + + nval=$(echo "${out}" | sed -n "/^${var}=/s:[^=]*=::p") + + [ "${nval}" != "${oval}" ] && echo "!!! MISMATCH !!!" && ret=1 + echo "env [${var}]='${oval}'" + echo "env-i[${var}]='${nval}'" + [ "${nval}" != "${oval}" ] && echo "!!! MISMATCH !!!" + echo +done + +exit ${ret} diff --git a/tests/script.at b/tests/script.at index b095ce1..93e370a 100644 --- a/tests/script.at +++ b/tests/script.at @@ -7,3 +7,4 @@ SB_CHECK(6,,,8) SB_CHECK(7) SB_CHECK(8) SB_CHECK(9, [wait errpipe... done OK!]) +SB_CHECK(10) -- cgit v1.2.3-65-gdbad