FL-576: sandbox update

funtoo · Jun 11, 2013 · c00eea4 · c00eea4
1 parent 6089e96
commit c00eea4
Show file tree

Hide file tree

Showing 9 changed files with 606 additions and 2 deletions.
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
@@ -1,2 +1,2 @@
-DIST sandbox-2.5.tar.xz 355680 RMD160 f6eb0d681d5280c6ced5cd6bfd4da74e25ce129f SHA1 bfa2456d3a8b9f35b460f733b97a1fe7f00c5ca5 SHA256 c0e98767fb70750d79591a6d08f81d5c2f13ce783bf94bd90677022e9103878a
-DIST sandbox-2.6.tar.xz 366356 RMD160 6e8040c95a74112759241c46bd112594996a28d3 SHA1 b795c68212d0d38f99b1ba26584b550755802319 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d
+DIST sandbox-2.5.tar.xz 355680 SHA256 c0e98767fb70750d79591a6d08f81d5c2f13ce783bf94bd90677022e9103878a
+DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d
diff --git a/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch b/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch
@@ -0,0 +1,37 @@
+http://bugs.gentoo.org/263657
+
+disable pthread locks ... this is how stable has always worked, so there
+wont be any regressions ...
+
+diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
+index 034d0e7..595d17f 100644
+--- a/libsandbox/libsandbox.c
++++ b/libsandbox/libsandbox.c
+@@ -814,9 +814,6 @@
+ 	return result;
+ }
+
+-/* Need to protect the global sbcontext structure */
+-static pthread_mutex_t sb_syscall_lock = PTHREAD_MUTEX_INITIALIZER;
+-
+ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, int flags)
+ {
+ 	int old_errno = errno;
+@@ -843,8 +840,6 @@
+ 		file = at_file_buf;
+ 	}
+
+-	pthread_mutex_lock(&sb_syscall_lock);
+-
+ 	if (!sb_init) {
+ 		init_context(&sbcontext);
+ 		sb_init = true;
+@@ -885,8 +880,6 @@
+
+ 	result = check_syscall(&sbcontext, sb_nr, func, file, flags);
+
+-	pthread_mutex_unlock(&sb_syscall_lock);
+-
+ 	if (0 == result) {
+ 		if ((NULL != getenv(ENV_SANDBOX_PID)) && (is_env_on(ENV_SANDBOX_ABORT)))
+
diff --git a/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch b/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch
@@ -0,0 +1,13 @@
+sandbox-1.7 traces static apps so disable the qa notice as it just scares
+users ... dont want scary stuff in stable!
+
+--- libsandbox/wrapper-funcs/__wrapper_exec.c
++++ libsandbox/wrapper-funcs/__wrapper_exec.c
+@@ -221,7 +221,6 @@
+ 		if (!FUNCTION_SANDBOX_SAFE(path))
+ 			return result;
+
+-		sb_check_exec(path, argv);
+ 	}
+ #endif
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
@@ -0,0 +1,201 @@
+From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before
+ checking the dirfd
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd.  Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart <marienz@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/wrapper-funcs/__pre_check.c        |  2 ++
+ libsandbox/wrapper-funcs/mkdirat_pre_check.c  | 17 +++++------------
+ libsandbox/wrapper-funcs/openat_pre_check.c   | 15 ++++-----------
+ libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------
+ libsandbox/wrappers.h                         |  2 ++
+ tests/mkdirat-3.sh                            |  7 +++++++
+ tests/mkdirat.at                              |  1 +
+ tests/openat-2.sh                             |  9 +++++++++
+ tests/openat.at                               |  1 +
+ tests/unlinkat-4.sh                           |  7 +++++++
+ tests/unlinkat.at                             |  1 +
+ 11 files changed, 44 insertions(+), 35 deletions(-)
+ create mode 100755 tests/mkdirat-3.sh
+ create mode 100755 tests/openat-2.sh
+ create mode 100755 tests/unlinkat-4.sh
+
+diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
+index 2d5711f..28ad91f 100644
+--- a/libsandbox/wrapper-funcs/__pre_check.c
++++ b/libsandbox/wrapper-funcs/__pre_check.c
+@@ -20,3 +20,5 @@
+ #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
+ # include "unlinkat_pre_check.c"
+ #endif
++
++#include "__pre_at_check.c"
+diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+index 77a65df..0b48d1f 100644
+--- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
++++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+@@ -1,20 +1,13 @@
+ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
+ {
+ 	char canonic[SB_PATH_MAX];
+-	char dirfd_path[SB_PATH_MAX];
+
+ 	save_errno();
+
+-	/* Expand the dirfd path first */
+-	switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+-		case -1:
+-			sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+-				func, pathname, strerror(errno));
+-			return false;
+-		case 0:
+-			pathname = dirfd_path;
+-			break;
+-	}
++	/* Check incoming args against common *at issues */
++	char dirfd_path[SB_PATH_MAX];
++	if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++		return false;
+
+ 	/* Then break down any relative/symlink paths */
+ 	if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
+index 0127708..5fd5eaa 100644
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c
+@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
+
+ 	save_errno();
+
+-	/* Expand the dirfd path first */
++	/* Check incoming args against common *at issues */
+ 	char dirfd_path[SB_PATH_MAX];
+-	switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+-		case -1:
+-			sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+-				func, pathname, strerror(errno));
+-			return false;
+-		case 0:
+-			pathname = dirfd_path;
+-			break;
+-	}
++	if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++		return false;
+
+ 	/* Doesn't exist -> skip permission checks */
+ 	struct stat st;
+diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+index 9f5e7d7..c004d15 100644
+--- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
++++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+@@ -1,20 +1,13 @@
+ bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
+ {
+ 	char canonic[SB_PATH_MAX];
+-	char dirfd_path[SB_PATH_MAX];
+
+ 	save_errno();
+
+-	/* Expand the dirfd path first */
+-	switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+-		case -1:
+-			sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+-				func, pathname, strerror(errno));
+-			return false;
+-		case 0:
+-			pathname = dirfd_path;
+-			break;
+-	}
++	/* Check incoming args against common *at issues */
++	char dirfd_path[SB_PATH_MAX];
++	if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++		return false;
+
+ 	/* Then break down any relative/symlink paths */
+ 	if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
+index 5b97787..0aa58bb 100644
+--- a/libsandbox/wrappers.h
++++ b/libsandbox/wrappers.h
+@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check  (const char *func, const char *pathn
+ attribute_hidden bool sb_openat_pre_check   (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
++attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++                                             char *dirfd_path, size_t dirfd_path_len);
+
+ #endif
+-- 
+1.8.1.2
+
+From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before
+ checking the dirfd [missing file]
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd.  Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+Forgot to `git add` in the previous commit :/.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart <marienz@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+ create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c
+
+diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c
+new file mode 100644
+index 0000000..f72c40c
+--- /dev/null
++++ b/libsandbox/wrapper-funcs/__pre_at_check.c
+@@ -0,0 +1,34 @@
++/*
++ * common *at() pre-checks.
++ *
++ * Copyright 1999-2012 Gentoo Foundation
++ * Licensed under the GPL-2
++ */
++
++/* We assume the parent has nested use with save/restore errno */
++bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++                            char *dirfd_path, size_t dirfd_path_len)
++{
++	/* the empty path name should fail with ENOENT before any dirfd
++	 * checks get a chance to run #346929
++	 */
++	if (*pathname && *pathname[0] == '\0') {
++		errno = ENOENT;
++		sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
++			func, *pathname, strerror(errno));
++		return false;
++	}
++
++	/* Expand the dirfd path first */
++	switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) {
++		case -1:
++			sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
++				func, *pathname, strerror(errno));
++			return false;
++		case 0:
++			*pathname = dirfd_path;
++			break;
++	}
++
++	return true;
++}
+-- 
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
@@ -0,0 +1,30 @@
+From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 17 Nov 2012 14:14:26 -0500
+Subject: [PATCH] sandbox.desktop: drop .svg from Icon field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+URL: http://bugs.gentoo.org/443672
+Reported-by: Petteri Räty <betelgeuse@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ data/sandbox.desktop | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/sandbox.desktop b/data/sandbox.desktop
+index 5b5b576..27a887e 100644
+--- a/data/sandbox.desktop
++++ b/data/sandbox.desktop
+@@ -5,6 +5,6 @@ Type=Application
+ Comment=launch a sandboxed shell ... useful for debugging ebuilds
+ Exec=sandbox
+ TryExec=sandbox
+-Icon=sandbox.svg
++Icon=sandbox
+ Categories=Development;
+ Terminal=true
+-- 
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
@@ -0,0 +1,51 @@
+From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sun, 3 Mar 2013 05:34:09 -0500
+Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values
+
+Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox
+with portage.  It changed how the sandbox log env var was accessed by
+moving from getenv() to get_sandbox_log().  The latter has path checking
+and will kick out values that contain a slash.  That means every time a
+new process starts, a new sandbox log path will be generated, and when a
+program triggers a violation, it'll write to the new file.  Meanwhile,
+portage itself watches the original one which never gets updated.
+
+This code has been around forever w/out documentation, and I can't think
+of a reason we need it.  So punt it.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsbutil/get_sandbox_log.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c
+index a79b399..bdb4278 100644
+--- a/libsbutil/get_sandbox_log.c
++++ b/libsbutil/get_sandbox_log.c
+@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c
+
+ 	sandbox_log_env = getenv(env);
+
+-	if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) {
+-		/* When testing, just use what the env says to */
++	if (sandbox_log_env) {
++		/* If the env is viable, roll with it.  We aren't really
++		 * about people breaking the security of the sandbox by
++		 * exporting SANDBOX_LOG=/dev/null.
++		 */
+ 		strncpy(path, sandbox_log_env, SB_PATH_MAX);
+ 	} else {
+-		/* THIS CHUNK BREAK THINGS BY DOING THIS:
+-		 * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log
+-		 */
+-		if ((NULL != sandbox_log_env) &&
+-		    (NULL != strchr(sandbox_log_env, '/')))
+-		    sandbox_log_env = NULL;
+-
+ 		snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s",
+ 			SANDBOX_LOG_LOCATION, prefix,
+ 			(sandbox_log_env == NULL ? "" : sandbox_log_env),
+-- 
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
@@ -0,0 +1,54 @@
+From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 24 Dec 2012 18:46:29 -0500
+Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW)
+
+We don't check for O_NOFOLLOW in the open wrappers, so we end up
+returning the wrong error when operating on broken symlinks.
+
+URL: https://bugs.gentoo.org/413441
+Reported-by: Marien Zwart <marienz@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/wrapper-funcs/__64_post.h        |  1 +
+ libsandbox/wrapper-funcs/__64_pre.h         |  1 +
+ libsandbox/wrapper-funcs/openat_pre_check.c |  2 +-
+ tests/open-2.sh                             | 10 ++++++++++
+ tests/open.at                               |  1 +
+ 5 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100755 tests/open-2.sh
+
+diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h
+index 2fd2182..82d2a16 100644
+--- a/libsandbox/wrapper-funcs/__64_post.h
++++ b/libsandbox/wrapper-funcs/__64_post.h
+@@ -1,3 +1,4 @@
+ #undef SB64
+ #undef stat
++#undef lstat
+ #undef off_t
+diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h
+index 2132110..0b34b25 100644
+--- a/libsandbox/wrapper-funcs/__64_pre.h
++++ b/libsandbox/wrapper-funcs/__64_pre.h
+@@ -1,3 +1,4 @@
+ #define SB64
+ #define stat stat64
++#define lstat lstat64
+ #define off_t off64_t
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
+index c827ee6..0127708 100644
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c
+@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
+
+ 	/* Doesn't exist -> skip permission checks */
+ 	struct stat st;
+-	if (-1 == stat(pathname, &st)) {
++	if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) {
+ 		sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
+ 			func, pathname, strerror(errno));
+ 		return false;
+-- 
+1.8.1.2
+