Oleg Vinichenko
committed
Jun 11, 2013
1 parent
6089e96
commit c00eea4
Showing
9 changed files
with
606 additions
and
2 deletions.
@@ -1,2 +1,2 @@ | ||
DIST sandbox-2.5.tar.xz 355680 RMD160 f6eb0d681d5280c6ced5cd6bfd4da74e25ce129f SHA1 bfa2456d3a8b9f35b460f733b97a1fe7f00c5ca5 SHA256 c0e98767fb70750d79591a6d08f81d5c2f13ce783bf94bd90677022e9103878a | ||
DIST sandbox-2.6.tar.xz 366356 RMD160 6e8040c95a74112759241c46bd112594996a28d3 SHA1 b795c68212d0d38f99b1ba26584b550755802319 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d | ||
DIST sandbox-2.5.tar.xz 355680 SHA256 c0e98767fb70750d79591a6d08f81d5c2f13ce783bf94bd90677022e9103878a | ||
DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d |
@@ -0,0 +1,37 @@ | ||
http://bugs.gentoo.org/263657 | ||
|
||
disable pthread locks ... this is how stable has always worked, so there | ||
wont be any regressions ... | ||
|
||
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c | ||
index 034d0e7..595d17f 100644 | ||
--- a/libsandbox/libsandbox.c | ||
+++ b/libsandbox/libsandbox.c | ||
@@ -814,9 +814,6 @@ | ||
return result; | ||
} | ||
|
||
-/* Need to protect the global sbcontext structure */ | ||
-static pthread_mutex_t sb_syscall_lock = PTHREAD_MUTEX_INITIALIZER; | ||
- | ||
bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, int flags) | ||
{ | ||
int old_errno = errno; | ||
@@ -843,8 +840,6 @@ | ||
file = at_file_buf; | ||
} | ||
|
||
- pthread_mutex_lock(&sb_syscall_lock); | ||
- | ||
if (!sb_init) { | ||
init_context(&sbcontext); | ||
sb_init = true; | ||
@@ -885,8 +880,6 @@ | ||
|
||
result = check_syscall(&sbcontext, sb_nr, func, file, flags); | ||
|
||
- pthread_mutex_unlock(&sb_syscall_lock); | ||
- | ||
if (0 == result) { | ||
if ((NULL != getenv(ENV_SANDBOX_PID)) && (is_env_on(ENV_SANDBOX_ABORT))) | ||
|
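Review bot: With `sb_syscall_lock` gone, the `if (!sb_init) { init_context(&sbcontext); sb_init = true; }` block and the `check_syscall(&sbcontext, ...)` call that follows run with no synchronization, so two threads issuing their first wrapped syscall at once can both initialize the shared sbcontext, and the deleted comment was the only place recording why the lock existed. The patch header cites stable's history but leaves nothing in the code to warn the next reader. I would keep a comment at the `if (!sb_init)` site: `/* NOTE: deliberately unlocked (bug 263657); first-use init of the global sbcontext races across threads */`. before_syscall continues past the end of the hunk, and this patch's file name is not shown on the page.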
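--- a/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch
+++ b/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch
@@ -0,0 +1,13 @@
+sandbox-1.7 traces static apps so disable the qa notice as it just scares
+users ... dont want scary stuff in stable!
+
+--- libsandbox/wrapper-funcs/__wrapper_exec.c
++++ libsandbox/wrapper-funcs/__wrapper_exec.c
+@@ -221,7 +221,6 @@
+if (!FUNCTION_SANDBOX_SAFE(path))
+return result;
+
+- sb_check_exec(path, argv);
+}
+#endif
+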
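Review bot: The hunk drops the whole `sb_check_exec(path, argv);` call, while the header describes only silencing a QA notice; if sb_check_exec did anything beyond printing that notice, that is lost too, and nothing in the patch records it. Its body is outside the hunk, so this cannot be confirmed from the page. I would extend the header with one line naming what the call did in this version, along the lines of `sb_check_exec only emitted the static-binary QA warning here; no enforcement is removed`, once that has been checked, so later rebases do not silently carry a broader removal. The enclosing function begins before the hunk.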
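--- a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
+++ b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
@@ -0,0 +1,201 @@
+From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before
+checking the dirfd
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd. Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart <marienz@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+libsandbox/wrapper-funcs/__pre_check.c | 2 ++
+libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------
+libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++----------
+libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------
+libsandbox/wrappers.h | 2 ++
+tests/mkdirat-3.sh | 7 +++++++
+tests/mkdirat.at | 1 +
+tests/openat-2.sh | 9 +++++++++
+tests/openat.at | 1 +
+tests/unlinkat-4.sh | 7 +++++++
+tests/unlinkat.at | 1 +
+11 files changed, 44 insertions(+), 35 deletions(-)
+create mode 100755 tests/mkdirat-3.sh
+create mode 100755 tests/openat-2.sh
+create mode 100755 tests/unlinkat-4.sh
+
+diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
+index 2d5711f..28ad91f 100644
+--- a/libsandbox/wrapper-funcs/__pre_check.c
++++ b/libsandbox/wrapper-funcs/__pre_check.c
+@@ -20,3 +20,5 @@
+#if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
+# include "unlinkat_pre_check.c"
+#endif
++
++#include "__pre_at_check.c"
+diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+index 77a65df..0b48d1f 100644
+--- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
++++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+@@ -1,20 +1,13 @@
+bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
+{
+char canonic[SB_PATH_MAX];
+- char dirfd_path[SB_PATH_MAX];
+
+save_errno();
+
+- /* Expand the dirfd path first */
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ /* Check incoming args against common *at issues */
++ char dirfd_path[SB_PATH_MAX];
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+/* Then break down any relative/symlink paths */
+if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
+index 0127708..5fd5eaa 100644
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c
+@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
+
+save_errno();
+
+- /* Expand the dirfd path first */
++ /* Check incoming args against common *at issues */
+char dirfd_path[SB_PATH_MAX];
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+/* Doesn't exist -> skip permission checks */
+struct stat st;
+diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+index 9f5e7d7..c004d15 100644
+--- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
++++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+@@ -1,20 +1,13 @@
+bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
+{
+char canonic[SB_PATH_MAX];
+- char dirfd_path[SB_PATH_MAX];
+
+save_errno();
+
+- /* Expand the dirfd path first */
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ /* Check incoming args against common *at issues */
++ char dirfd_path[SB_PATH_MAX];
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+/* Then break down any relative/symlink paths */
+if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
+index 5b97787..0aa58bb 100644
+--- a/libsandbox/wrappers.h
++++ b/libsandbox/wrappers.h
+@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn
+attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
++attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++ char *dirfd_path, size_t dirfd_path_len);
+
+#endif
+--
+1.8.1.2
+
+From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before
+checking the dirfd [missing file]
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd. Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+Forgot to `git add` in the previous commit :/.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart <marienz@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++
+1 file changed, 34 insertions(+)
+create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c
+
+diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c
+new file mode 100644
+index 0000000..f72c40c
+--- /dev/null
++++ b/libsandbox/wrapper-funcs/__pre_at_check.c
+@@ -0,0 +1,34 @@
++/*
++ * common *at() pre-checks.
++ *
++ * Copyright 1999-2012 Gentoo Foundation
++ * Licensed under the GPL-2
++ */
++
++/* We assume the parent has nested use with save/restore errno */
++bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++ char *dirfd_path, size_t dirfd_path_len)
++{
++ /* the empty path name should fail with ENOENT before any dirfd
++ * checks get a chance to run #346929
++ */
++ if (*pathname && *pathname[0] == '\0') {
++ errno = ENOENT;
++ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
++ func, *pathname, strerror(errno));
++ return false;
++ }
++
++ /* Expand the dirfd path first */
++ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) {
++ case -1:
++ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
++ func, *pathname, strerror(errno));
++ return false;
++ case 0:
++ *pathname = dirfd_path;
++ break;
++ }
++
++ return true;
++}
+--
+1.8.1.2
+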
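Review bot: In the new `__pre_at_check.c`, the test `if (*pathname && *pathname[0] == '\0')` is correct only because `[]` binds tighter than unary `*`, so it reads the first character of the string; it looks like it indexes the pointer array and will be misread on the next rebase. `if (*pathname && (*pathname)[0] == '\0')` or `**pathname == '\0'` says the same thing plainly. The `case -1` branch relies on resolve_dirfd_path having set errno before the debug message and the `return false`, which the header comment about save/restore errno does not state; a one-line comment there would help. The switch has no default, so any return value other than -1 or 0 falls through to `return true` with the path unchanged — presumably the "nothing to resolve" case, but worth a comment if so.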
@@ -0,0 +1,30 @@ | ||
From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001 | ||
From: Mike Frysinger <vapier@gentoo.org> | ||
Date: Sat, 17 Nov 2012 14:14:26 -0500 | ||
Subject: [PATCH] sandbox.desktop: drop .svg from Icon field | ||
MIME-Version: 1.0 | ||
Content-Type: text/plain; charset=UTF-8 | ||
Content-Transfer-Encoding: 8bit | ||
|
||
URL: http://bugs.gentoo.org/443672 | ||
Reported-by: Petteri Räty <betelgeuse@gentoo.org> | ||
Signed-off-by: Mike Frysinger <vapier@gentoo.org> | ||
--- | ||
data/sandbox.desktop | 2 +- | ||
1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
||
diff --git a/data/sandbox.desktop b/data/sandbox.desktop | ||
index 5b5b576..27a887e 100644 | ||
--- a/data/sandbox.desktop | ||
+++ b/data/sandbox.desktop | ||
@@ -5,6 +5,6 @@ Type=Application | ||
Comment=launch a sandboxed shell ... useful for debugging ebuilds | ||
Exec=sandbox | ||
TryExec=sandbox | ||
-Icon=sandbox.svg | ||
+Icon=sandbox | ||
Categories=Development; | ||
Terminal=true | ||
-- | ||
1.8.1.2 | ||
|
@@ -0,0 +1,51 @@ | ||
From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001 | ||
From: Mike Frysinger <vapier@gentoo.org> | ||
Date: Sun, 3 Mar 2013 05:34:09 -0500 | ||
Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values | ||
|
||
Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox | ||
with portage. It changed how the sandbox log env var was accessed by | ||
moving from getenv() to get_sandbox_log(). The latter has path checking | ||
and will kick out values that contain a slash. That means every time a | ||
new process starts, a new sandbox log path will be generated, and when a | ||
program triggers a violation, it'll write to the new file. Meanwhile, | ||
portage itself watches the original one which never gets updated. | ||
|
||
This code has been around forever w/out documentation, and I can't think | ||
of a reason we need it. So punt it. | ||
|
||
Signed-off-by: Mike Frysinger <vapier@gentoo.org> | ||
--- | ||
libsbutil/get_sandbox_log.c | 14 +++++--------- | ||
1 file changed, 5 insertions(+), 9 deletions(-) | ||
|
||
diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c | ||
index a79b399..bdb4278 100644 | ||
--- a/libsbutil/get_sandbox_log.c | ||
+++ b/libsbutil/get_sandbox_log.c | ||
@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c | ||
|
||
sandbox_log_env = getenv(env); | ||
|
||
- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) { | ||
- /* When testing, just use what the env says to */ | ||
+ if (sandbox_log_env) { | ||
+ /* If the env is viable, roll with it. We aren't really | ||
+ * about people breaking the security of the sandbox by | ||
+ * exporting SANDBOX_LOG=/dev/null. | ||
+ */ | ||
strncpy(path, sandbox_log_env, SB_PATH_MAX); | ||
} else { | ||
- /* THIS CHUNK BREAK THINGS BY DOING THIS: | ||
- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log | ||
- */ | ||
- if ((NULL != sandbox_log_env) && | ||
- (NULL != strchr(sandbox_log_env, '/'))) | ||
- sandbox_log_env = NULL; | ||
- | ||
snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s", | ||
SANDBOX_LOG_LOCATION, prefix, | ||
(sandbox_log_env == NULL ? "" : sandbox_log_env), | ||
-- | ||
1.8.1.2 | ||
|
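Review bot: The new `if (sandbox_log_env)` branch now routes every non-empty SANDBOX_LOG value into `strncpy(path, sandbox_log_env, SB_PATH_MAX)`, which does not NUL-terminate when the value is SB_PATH_MAX bytes or longer, so an oversized environment value leaves `path` unterminated for whatever reads it next; previously that line was reachable only under ENV_SANDBOX_TESTING. `snprintf(path, SB_PATH_MAX, "%s", sandbox_log_env);` keeps the copy bounded and terminated. The retained ternary `(sandbox_log_env == NULL ? "" : sandbox_log_env)` in the else branch is now always the empty string, since that branch runs only when the variable is NULL. The new comment also appears to be missing a word ("We aren't really about people ..."). _get_sb_log starts before the hunk and ends after it.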
@@ -0,0 +1,54 @@ | ||
From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001 | ||
From: Mike Frysinger <vapier@gentoo.org> | ||
Date: Mon, 24 Dec 2012 18:46:29 -0500 | ||
Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW) | ||
|
||
We don't check for O_NOFOLLOW in the open wrappers, so we end up | ||
returning the wrong error when operating on broken symlinks. | ||
|
||
URL: https://bugs.gentoo.org/413441 | ||
Reported-by: Marien Zwart <marienz@gentoo.org> | ||
Signed-off-by: Mike Frysinger <vapier@gentoo.org> | ||
--- | ||
libsandbox/wrapper-funcs/__64_post.h | 1 + | ||
libsandbox/wrapper-funcs/__64_pre.h | 1 + | ||
libsandbox/wrapper-funcs/openat_pre_check.c | 2 +- | ||
tests/open-2.sh | 10 ++++++++++ | ||
tests/open.at | 1 + | ||
5 files changed, 14 insertions(+), 1 deletion(-) | ||
create mode 100755 tests/open-2.sh | ||
|
||
diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h | ||
index 2fd2182..82d2a16 100644 | ||
--- a/libsandbox/wrapper-funcs/__64_post.h | ||
+++ b/libsandbox/wrapper-funcs/__64_post.h | ||
@@ -1,3 +1,4 @@ | ||
#undef SB64 | ||
#undef stat | ||
+#undef lstat | ||
#undef off_t | ||
diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h | ||
index 2132110..0b34b25 100644 | ||
--- a/libsandbox/wrapper-funcs/__64_pre.h | ||
+++ b/libsandbox/wrapper-funcs/__64_pre.h | ||
@@ -1,3 +1,4 @@ | ||
#define SB64 | ||
#define stat stat64 | ||
+#define lstat lstat64 | ||
#define off_t off64_t | ||
diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c | ||
index c827ee6..0127708 100644 | ||
--- a/libsandbox/wrapper-funcs/openat_pre_check.c | ||
+++ b/libsandbox/wrapper-funcs/openat_pre_check.c | ||
@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int | ||
|
||
/* Doesn't exist -> skip permission checks */ | ||
struct stat st; | ||
- if (-1 == stat(pathname, &st)) { | ||
+ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) { | ||
sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", | ||
func, pathname, strerror(errno)); | ||
return false; | ||
-- | ||
1.8.1.2 | ||
|
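Review bot: The comment `/* Doesn't exist -> skip permission checks */` above the changed condition no longer describes it fully: with O_NOFOLLOW the new lstat() succeeds on a dangling symlink, so the early return is taken only when the link itself is missing and the real open is left to report its own error. I would update it to `/* Doesn't exist (the link itself under O_NOFOLLOW) -> skip permission checks */`. The `#define lstat lstat64` added in `__64_pre.h` is what makes the new call pick the 64-bit variant alongside `stat`, so the two header hunks must travel with this one. sb_openat_pre_check begins and ends outside the hunk.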