[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: 83b7d3141d66f2b5a2613b677e4673a51a3e9654 Author: Sv. Lockal gmail com> AuthorDate: Sat Jan 27 10:44:55 2024 + Commit: Mike Gilbert gentoo org> CommitDate: Sat Jan 27 18:05:22 2024 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=83b7d314 Fix SIGSEGV in gtest death tests due to small stack In https://github.com/google/googletest/blob/v1.14.0/googletest/src/gtest-death-test.cc#L1307 on x86-64 gtest sallocates 8192 bytes for `clone`: ``` static pid_t ExecDeathTestSpawnChild(char* const* argv, int close_fd) { const auto stack_size = static_cast(getpagesize() * 2); ... child_pid = clone(, stack_top, SIGCHLD, ); ``` After that attempt to call execv is intercepted by libsandbox.so, which allocates 8192 + more bytes multiple times on stack, causing SIGSEGV (instead of expected types of crashes). This PR moves all allocations for related function to heap, so now call path fits `getpagesize() * 2` with large margin. Bug: https://bugs.gentoo.org/923013 Closes: https://github.com/gentoo/sandbox/pull/26 Signed-off-by: Sv. Lockal gmail.com> Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 1f7d3654498e17e0a91c83f57e6265e08628d5fe) libsandbox/libsandbox.c | 34 +- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 6a7368c..e0928bb 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -132,7 +132,8 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, save_errno(); - char fd_path[SB_PATH_MAX]; + char *fd_path = xmalloc(SB_PATH_MAX * sizeof(char)); + size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0); if (trace_pid) { sprintf(fd_path, "/proc/%i/fd/%i", trace_pid, dirfd); 
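Review bot: The new `char *fd_path = xmalloc(SB_PATH_MAX * sizeof(char));` turns resolve_dirfd_path into an owner of a heap buffer with three exits, and the matching releases (the hunks on the next line) are a separate `free(fd_path)` before each `return`, which is the pattern that leaks the next time someone adds an early return. A single cleanup label at the bottom of the function (`out: free(fd_path); return ret;`, with the errno handling kept in the branches since the -1 path sets EBADF while the others call restore_errno()) is the idiomatic C shape for this. `sizeof(char)` is 1 by definition, so `xmalloc(SB_PATH_MAX)` reads the same; the same form is used in the resolve_path hunks on the next line. resolve_dirfd_path begins before this hunk and continues past it.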
@@ -148,12 +149,14 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, /* see comments at end of check_syscall() */ if (errno_is_too_long()) { restore_errno(); + free(fd_path); return 2; } sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", fd_path, strerror(errno)); /* If the fd isn't found, some guys (glibc) expect errno */ if (errno == ENOENT) errno = EBADF; + free(fd_path); return -1; } resolved_path[ret] = '/'; @@ -162,6 +165,7 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, strcat(resolved_path, path); restore_errno(); + free(fd_path); return 0; } @@ -286,7 +290,7 @@ static char *resolve_path(const char *path, int follow_link) } if (!ret) { - char tmp_str1[SB_PATH_MAX]; + char *tmp_str1 = xmalloc(SB_PATH_MAX * sizeof(char)); snprintf(tmp_str1, SB_PATH_MAX, "%s", path); dname = dirname(tmp_str1); @@ -304,7 +308,7 @@ static char *resolve_path(const char *path, int follow_link) filtered_path = NULL; } } else { - char tmp_str2[SB_PATH_MAX]; + char *tmp_str2 = xmalloc(SB_PATH_MAX * sizeof(char)); /* OK, now add the basename to keep our access * checking happy (don't want '/usr/lib' if we * tried to do something with non-existing @@ -316,7 +320,10 @@ static char *resolve_path(const char *path, int follow_link) snprintf(filtered_path + len, SB_PATH_MAX - len, "%s%s", (filtered_path[len - 1] != '/') ? "/" : "", bname); + free(tmp_str2); } + + free(tmp_str1); } } 
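Review bot: In the resolve_path hunks, `free(tmp_str1)` is added at the end of the `if (!ret)` block while `dname = dirname(tmp_str1)` two lines after the allocation may leave dname pointing into that buffer (dirname() is allowed to return a pointer into its argument), so any use of dname after the closing brace is now a use-after-free where it used to be a dangling stack pointer with the same lifetime; the remainder of resolve_path is outside these hunks, so please confirm dname and bname are not read after the frees. The same holds for `free(tmp_str2)` if bname is derived from tmp_str2 — the `snprintf(..., bname)` that precedes the free is fine, anything later is not. If they are used afterwards, moving both frees to a single `out:` label at the end of resolve_path is the safer arrangement. The `@@ -148` and `@@ -162` hunks free fd_path before each of resolve_dirfd_path's returns and, with the allocation in the previous hunk, cover the three exits visible on this page.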
@@ -1034,10 +1041,24 @@ bool is_sandbox_on(void) return result; } +static int resolve_dirfd_path_alloc(int dirfd, const char *path, char **resolved_path) +{ + size_t resolved_path_size = SB_PATH_MAX * sizeof(char); + *resolved_path = xmalloc(resolved_path_size); + int result = resolve_dirfd_path(dirfd, path, *resolved_path, resolved_path_size); + + if (result) { + free(*resolved_path); + *resolved_path = NULL; + } + + return result; +} + bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, int flags) { int result; - char at_file_buf[SB_PATH_MAX]; + char *at_file_buf; /* Some funcs operate on a fd directly and so filename is NULL, but * the rest should
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: f7d02c04b2a8e395f478bda03306fb68fb44ba4c Author: Mike Gilbert gentoo org> AuthorDate: Mon Jan 8 19:59:35 2024 + Commit: Mike Gilbert gentoo org> CommitDate: Mon Jan 22 21:41:13 2024 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f7d02c04 libsandbox: stat the original path for EEXIST hackaround Resolves an issue that can occur with paths that contain parent directory references (/../). If part of the path does not exist, the sandboxed program should get ENOENT, not EEXIST. If we use the canonicalized path, intermediate paths will be eliminated and we produce the wrong result. Bug: https://bugs.gentoo.org/921581 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit ef9208bea4e0f0dff5abf358002565f36e4d7a8d) libsandbox/pre_check_mkdirat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsandbox/pre_check_mkdirat.c b/libsandbox/pre_check_mkdirat.c index b1e86cf..49c382a 100644 --- a/libsandbox/pre_check_mkdirat.c +++ b/libsandbox/pre_check_mkdirat.c @@ -37,7 +37,7 @@ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd) * will trigger a sandbox violation. */ struct stat64 st; - if (0 == lstat64(canonic, )) { + if (0 == lstat64(pathname, )) { int new_errno; sb_debug_dyn("EARLY FAIL: %s(%s[%s]) @ lstat: %s\n", func, pathname, canonic, strerror(errno));
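Review bot: `lstat64(pathname, &st)` resolves a relative pathname against the process's current directory, whereas mkdirat resolves it against dirfd, so when dirfd is not AT_FDCWD and pathname is relative this early check stats a different object than the kernel will and can produce the wrong errno. `fstatat64(dirfd, pathname, &st, AT_SYMLINK_NOFOLLOW)` keeps the intent of this change (stat the original, non-canonicalized path so `..` components are still walked) and honours dirfd. sb_mkdirat_pre_check begins before this hunk, so I can't see whether dirfd is normalised earlier; if it is, a one-line comment saying so next to the stat would stop the next reader asking the same question.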
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: 0d063e31d575fb0a94b56219cafb0a198215b7aa Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:11:58 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:52 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=0d063e31 erealpath: drop unused path_max variable The SB_PATH_MAX macro is always defined, so this variable was pointless. Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 128d5b32b301a552299feff7cc64e5f8f7c4fee7) libsandbox/canonicalize.c | 26 +- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c index f742ed4..f282bdd 100644 --- a/libsandbox/canonicalize.c +++ b/libsandbox/canonicalize.c @@ -49,7 +49,6 @@ erealpath(const char *name, char *resolved) { char *rpath, *dest, *recover; const char *start, *end, *rpath_limit; - long int path_max; if (name == NULL) { /* As per Single Unix Specification V2 we must return an error if @@ -66,16 +65,9 @@ erealpath(const char *name, char *resolved) __set_errno(ENOENT); return NULL; } -#ifdef SB_PATH_MAX - path_max = SB_PATH_MAX; -#else - path_max = pathconf(name, _PC_PATH_MAX); - if (path_max <= 0) - path_max = 1024; -#endif if (resolved == NULL) { - rpath = xmalloc(path_max); + rpath = xmalloc(SB_PATH_MAX); } else { /* We can't handle resolving a buffer inline, so demand * separate read and write strings. @@ -83,11 +75,11 @@ erealpath(const char *name, char *resolved) sb_assert(name != resolved); rpath = resolved; } - rpath_limit = rpath + path_max; + rpath_limit = rpath + SB_PATH_MAX; recover = NULL; if (name[0] != '/') { - if (!egetcwd(rpath, path_max)) { + if (!egetcwd(rpath, SB_PATH_MAX)) { rpath[0] = '\0'; goto error; } 
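Review bot: With path_max gone, erealpath hard-codes the assumption that a caller-supplied `resolved` buffer holds at least SB_PATH_MAX bytes — `rpath_limit = rpath + SB_PATH_MAX;` and `egetcwd(rpath, SB_PATH_MAX)` both write up to that bound when `rpath = resolved` — and nothing on the function's signature says so. I'd add a header comment on the definition: `/* resolved, if non-NULL, must point to at least SB_PATH_MAX bytes and must not alias name; it is also written on the error path. */` (the last clause comes from the `snprintf(resolved, SB_PATH_MAX, "%s", rpath)` under the error label in the hunks on the next line). The `@@ -49` hunk shows the start of erealpath; its body continues beyond these hunks.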
@@ -110,16 +102,16 @@ erealpath(const char *name, char *resolved) if (lstat64(rpath, )) break; if (S_ISLNK(st.st_mode)) { - ssize_t cnt = readlink(rpath, rpath, path_max); + ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX); if (cnt == -1) break; rpath[cnt] = '\0'; if (p) { size_t bytes_left = strlen(p); - if (bytes_left >= path_max) + if (bytes_left >= SB_PATH_MAX) break; strncat(rpath, name + (p - rpath + 1), - path_max - bytes_left - 1); + SB_PATH_MAX - bytes_left - 1); } /* Ok, we have a chance at something better. If @@ -187,10 +179,10 @@ erealpath(const char *name, char *resolved) goto error; } new_size = rpath_limit - rpath; - if (end - start + 1 > path_max) + if (end - start + 1 > SB_PATH_MAX) new_size += end - start + 1; else - new_size += path_max; + new_size += SB_PATH_MAX; new_rpath = (char *) xrealloc(rpath, new_size); rpath = new_rpath; rpath_limit = rpath + new_size; @@ -213,7 +205,7 @@ erealpath(const char *name, char *resolved) error: if (resolved) - snprintf(resolved, path_max, "%s", rpath); + snprintf(resolved, SB_PATH_MAX, "%s", rpath); else free(rpath); free(recover);
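Review bot: The bound on the new strncat line, `SB_PATH_MAX - bytes_left - 1`, caps how many bytes are appended but is derived from `strlen(p)` rather than from what rpath already holds after readlink wrote `cnt` bytes into it, so the resulting length can reach `cnt + SB_PATH_MAX - bytes_left`, which exceeds the buffer whenever cnt is larger than bytes_left. Unless an invariant I can't see from this hunk guarantees cnt <= bytes_left (p appears to point into rpath, which readlink has just overwritten, so `strlen(p)` is also measuring the new contents), the safer bound is the free space actually left: `size_t used = strlen(rpath); if (used + bytes_left >= SB_PATH_MAX) break; strncat(rpath, name + (p - rpath + 1), SB_PATH_MAX - used - 1);`. This commit only swaps the constant, so the arithmetic is inherited, but the new line is where a reader will look for the bound. The enclosing loop and erealpath continue outside this hunk.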
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: c2f63554e729401f8ef44dbf3eb67ecc12ece58c Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:14:09 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:52 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=c2f63554 erealpath: leave space for a trailing '\0' in readlink's buffer Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 1c9a17d40de6dd3ea5b7aacaa76878357350881b) libsandbox/canonicalize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c index f282bdd..6c9a2d6 100644 --- a/libsandbox/canonicalize.c +++ b/libsandbox/canonicalize.c @@ -102,7 +102,7 @@ erealpath(const char *name, char *resolved) if (lstat64(rpath, )) break; if (S_ISLNK(st.st_mode)) { - ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX); + ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX - 1); if (cnt == -1) break; rpath[cnt] = '\0';
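Review bot: `readlink(rpath, rpath, SB_PATH_MAX - 1)` now leaves room for the terminator, but readlink signals truncation only by returning exactly the size passed, and the following `if (cnt == -1) break;` treats such a result as a complete target, so an over-long link would be canonicalised from a cut-off path. I'd treat that case as an error as well: `if (cnt == -1 || cnt >= SB_PATH_MAX - 1) break;` (or set ENAMETOOLONG and jump to the error label, whichever matches the loop's contract, which isn't visible here). The in-place `readlink(rpath, rpath, …)` still aliases the restrict-qualified parameters; commit e4f9687b on this page addresses that separately.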
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: e4f9687b0517a691a82693c3bd772516fee01762 Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:18:53 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:53 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=e4f9687b erealpath: use separate buffer for readlink Fixes a compiler warning: ``` warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict] ``` Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 8c3bc21729c3ad13295b586cd185b2b5da686731) libsandbox/canonicalize.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c index 6c9a2d6..f8d32f0 100644 --- a/libsandbox/canonicalize.c +++ b/libsandbox/canonicalize.c @@ -102,10 +102,12 @@ erealpath(const char *name, char *resolved) if (lstat64(rpath, )) break; if (S_ISLNK(st.st_mode)) { - ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX - 1); + char buffer[SB_PATH_MAX]; + ssize_t cnt = readlink(rpath, buffer, SB_PATH_MAX - 1); if (cnt == -1) break; - rpath[cnt] = '\0'; + buffer[cnt] = '\0'; + strcpy(rpath, buffer); if (p) { size_t bytes_left = strlen(p); if (bytes_left >= SB_PATH_MAX)
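Review bot: The new `char buffer[SB_PATH_MAX];` adds another SB_PATH_MAX-byte array to erealpath's stack frame, which is the kind of per-call stack use that commit 83b7d314 on this page later had to move to the heap because a death-test child runs libsandbox's exec intercept on a two-page stack; if erealpath is on that call path (resolve_path looks like a plausible caller), this buffer may need the same treatment. `strcpy(rpath, buffer)` is safe only because buffer holds at most `SB_PATH_MAX - 1` bytes plus the terminator and rpath is at least SB_PATH_MAX bytes, so a comment stating that invariant, e.g. `/* buffer is at most SB_PATH_MAX - 1 bytes plus NUL, so this cannot overrun rpath */`, would keep it from being broken silently when either bound changes. The rest of the loop is outside the hunk.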
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: ae2cb037f024a2bd417c6a241d907390876ecc8a Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:39:21 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:53 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ae2cb037 resolve_dirfd_path: use separate buffer for readlink Fixes a compile warning: ``` warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict] ``` Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 4b27824ee27013c672f75bce2066c950a71280d2) libsandbox/libsandbox.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 4edcf60..6a7368c 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -132,24 +132,25 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, save_errno(); + char fd_path[SB_PATH_MAX]; size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0); if (trace_pid) { - sprintf(resolved_path, "/proc/%i/fd/%i", trace_pid, dirfd); + sprintf(fd_path, "/proc/%i/fd/%i", trace_pid, dirfd); } else { /* If /proc was mounted by a process in a different pid namespace, * getpid cannot be used to create a valid /proc/ path. Instead * use sb_get_fd_dir() which works in any case. */ - sprintf(resolved_path, "%s/%i", sb_get_fd_dir(), dirfd); + sprintf(fd_path, "%s/%i", sb_get_fd_dir(), dirfd); } - ssize_t ret = readlink(resolved_path, resolved_path, at_len); + ssize_t ret = readlink(fd_path, resolved_path, at_len); if (ret == -1) { /* see comments at end of check_syscall() */ if (errno_is_too_long()) { restore_errno(); return 2; } - sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", resolved_path, strerror(errno)); + sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", fd_path, strerror(errno)); /* If the fd isn't found, some guys (glibc) expect errno */ if (errno == ENOENT) errno = EBADF;
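Review bot: `sprintf(fd_path, "%s/%i", sb_get_fd_dir(), dirfd);` writes into the new SB_PATH_MAX-byte fd_path without a bound, and the length of the string sb_get_fd_dir() returns is not visible from this hunk; the `/proc/%i/fd/%i` branch is bounded by the width of two ints, this one is not. Prefer `snprintf(fd_path, sizeof fd_path, "%s/%i", sb_get_fd_dir(), dirfd)` and check the result against `sizeof fd_path`, taking the same `return 2` that the `errno_is_too_long()` case below uses for an over-long path, rather than writing past the array. Using `snprintf(fd_path, sizeof fd_path, …)` in the trace_pid branch too keeps the two consistent. resolve_dirfd_path begins before this hunk.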
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/trace/, libsandbox/, libsandbox/trace/linux/, /, src/
commit: 9a5171e20f695cb18f7c860ba443d0839df6d4a3 Author: Sam James gentoo org> AuthorDate: Fri Jul 21 14:57:05 2023 + Commit: Sam James gentoo org> CommitDate: Sat Aug 5 04:32:37 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9a5171e2 Rename multiple personalities feature "schizo" isn't a particularly sensitive term, and it's not very clear what it means to non-native English speakers anyway. Name it after what the feature really does: multiple (Linux) personality support using ptrace. Signed-off-by: Sam James gentoo.org> (cherry picked from commit f342efa52fb54c55f009b694af1899e431300629) configure.ac| 50 - libsandbox/local.mk | 8 +++ libsandbox/trace/common.c | 2 +- libsandbox/trace/linux/i386.c | 2 +- libsandbox/trace/linux/s390.c | 6 ++--- libsandbox/trace/linux/sparc.c | 6 ++--- libsandbox/trace/linux/x86_64.c | 8 +++ src/options.c | 6 ++--- 8 files changed, 44 insertions(+), 44 deletions(-) diff --git a/configure.ac b/configure.ac index de0dc2b..8eb60a4 100644 --- a/configure.ac +++ b/configure.ac @@ -47,12 +47,12 @@ AC_PREFIX_DEFAULT([/usr]) dnl multiple personality support (x86 & x86_64: multilib) AC_MSG_CHECKING([for multiple personalities]) -AC_ARG_ENABLE([schizo], - [AS_HELP_STRING([--enable-schizo],[Support multiple personalities])], - [],[enable_schizo="auto"]) -AC_MSG_RESULT([$enable_schizo]) -SB_SCHIZO_SETTINGS= -AC_DEFUN([SB_CHECK_SCHIZO],[dnl +AC_ARG_ENABLE([personalities], + [AS_HELP_STRING([--enable-personalities],[Support multiple Linux personalities using ptrace])], + [],[enable_personalities="auto"]) +AC_MSG_RESULT([$enable_personalities]) +SB_PERSONALITIES_SETTINGS= +AC_DEFUN([SB_CHECK_PERSONALITIES],[dnl AC_MSG_CHECKING([checking for $1/$2 compiler support]) ac_save_CFLAGS=$CFLAGS CFLAGS="$CFLAGS $2" 
@@ -61,42 +61,42 @@ AC_DEFUN([SB_CHECK_SCHIZO],[dnl ], [ return 0 ], [ - enable_schizo=yes - AS_VAR_APPEND([SB_SCHIZO_SETTINGS], " $1:$2") - AS_VAR_APPEND([SB_SCHIZO_HEADERS], " libsandbox/trace_syscalls_$1.h") + enable_personalities=yes + AS_VAR_APPEND([SB_PERSONALITIES_SETTINGS], " $1:$2") + AS_VAR_APPEND([SB_PERSONALITIES_HEADERS], " libsandbox/trace_syscalls_$1.h") AC_MSG_RESULT([yes]) - AC_DEFINE_UNQUOTED([SB_SCHIZO_$1], 1, [Support for $1/$2 is available]) + AC_DEFINE_UNQUOTED([SB_PERSONALITIES_$1], 1, [Support for $1/$2 is available]) ], [ AC_MSG_RESULT([no]) ]) CFLAGS=$ac_save_CFLAGS ]) -if test "x$enable_schizo" != "xno" ; then - enable_schizo=no +if test "x$enable_personalities" != "xno" ; then + enable_personalities=no case $host in i686*linux*|\ x86_64*linux*) - SB_CHECK_SCHIZO([x86_64], [-m64]) - SB_CHECK_SCHIZO([x86], [-m32]) - SB_CHECK_SCHIZO([x32], [-mx32]) + SB_CHECK_PERSONALITIES([x86_64], [-m64]) + SB_CHECK_PERSONALITIES([x86], [-m32]) + SB_CHECK_PERSONALITIES([x32], [-mx32]) ;; s390*linux*) - SB_CHECK_SCHIZO([s390x], [-m64]) - SB_CHECK_SCHIZO([s390], [-m31]) + SB_CHECK_PERSONALITIES([s390x], [-m64]) + SB_CHECK_PERSONALITIES([s390], [-m31]) ;; sparc*linux*) - SB_CHECK_SCHIZO([sparc64], [-m64]) - SB_CHECK_SCHIZO([sparc], [-m32]) + SB_CHECK_PERSONALITIES([sparc64], [-m64]) + SB_CHECK_PERSONALITIES([sparc], [-m32]) ;; esac - SB_SCHIZO_SETTINGS=${SB_SCHIZO_SETTINGS# } - if test "x$enable_schizo" != "xno" ; then - AC_DEFINE_UNQUOTED([SB_SCHIZO], ["$SB_SCHIZO_SETTINGS"], [Enable multiple personalities support]) + SB_PERSONALITIES_SETTINGS=${SB_PERSONALITIES_SETTINGS# } + if test "x$enable_personalities" != "xno" ; then + AC_DEFINE_UNQUOTED([SB_PERSONALITIES], ["$SB_PERSONALITIES_SETTINGS"], [Enable multiple personalities support]) fi fi -AC_SUBST(SB_SCHIZO_SETTINGS) -AC_SUBST(SB_SCHIZO_HEADERS) -AM_CONDITIONAL([SB_SCHIZO], [test "x$enable_schizo" != "xno"]) +AC_SUBST(SB_PERSONALITIES_SETTINGS) +AC_SUBST(SB_PERSONALITIES_HEADERS) 
+AM_CONDITIONAL([SB_PERSONALITIES], [test "x$enable_personalities" != "xno"]) dnl this test fills up the stack and then triggers a segfault ... dnl but it's hard to wrap things without a stack, so let's ignore diff --git a/libsandbox/local.mk b/libsandbox/local.mk index 50bc54d..dd78a76 100644 ---
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: 143e5fd3b50fa7085c9c4eb66c103e3c6d1b64c7 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 17 14:55:27 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Aug 4 00:26:27 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=143e5fd3 libsandbox: skip checking access() without W_OK or R_OK mode If access/faccessat is called with F_OK or X_OK in the mode argument, there is no need to check the path. Bug: https://bugs.gentoo.org/910273 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 8d6a4839ebd909903691e4a71d6a94b3809adc82) libsandbox/libsandbox.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index e5f6d38..08b85ce 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -1095,8 +1095,11 @@ bool before_syscall_access(int dirfd, int sb_nr, const char *func, const char *f const char *ext_func; if (flags & W_OK) sb_nr = SB_NR_ACCESS_WR, ext_func = "access_wr"; - else + else if (flags & R_OK) sb_nr = SB_NR_ACCESS_RD, ext_func = "access_rd"; + else + /* Must be F_OK or X_OK; we do not need to check either. */ + return true; return before_syscall(dirfd, sb_nr, ext_func, file, flags); }
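Review bot: The new `else` arm returns true before any path check when neither W_OK nor R_OK is set, so `access(path, F_OK)` and `access(path, X_OK)` on a path under a deny prefix are no longer reported as violations; that is defensible, but it is a policy decision rather than an optimisation and the comment should say so, e.g. `/* F_OK or X_OK: neither reads nor writes the file, so existence/executability probes are deliberately not subject to the prefix checks. */`. The arm is also an unbraced `else` holding a comment and a bare `return true;` — `else { … return true; }` is safer to edit later. before_syscall_access begins before this hunk.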
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: f3c48c3262edab7db3fc95d87ac1511a97ad930e Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 31 15:39:40 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Tue Aug 1 14:15:12 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f3c48c32 libsandbox: always permit access to '/memfd:' For memfd objects, the kernel populates the target for symlinks under /proc/$PID/fd as "/memfd:name". Said target does not actually exist. It is unfortunate that the kernel includes the leading slash, but we will just have to work around it. Bug: https://bugs.gentoo.org/910561 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 27232d52fee4abecd5f709acc616fa1296e0464f) libsandbox/libsandbox.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 847b4e2..e5f6d38 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, /* Fall in a read/write denied path, Deny Access */ goto out; + if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) { + /* Allow operations on memfd objects #910561 */ + result = 1; + goto out; + } + if (!sym_func) { retval = check_prefixes(sbcontext->deny_prefixes, sbcontext->num_deny_prefixes, resolv_path);
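Review bot: The allow rule is a plain string-prefix test on resolv_path, so it matches not only the kernel's synthetic `/memfd:name` link targets but any real filesystem path beginning with `/memfd:`, and such a path would then be granted before the `check_prefixes(sbcontext->deny_prefixes, …)` call that follows. If the intent is to cover only targets obtained from an fd symlink lookup, the check belongs where that target is read, or it should additionally require that the path does not exist on disk; at minimum the comment should record the assumption: `/* Allow memfd objects #910561: the kernel reports them as the non-existent path "/memfd:name" */`. `sizeof("/memfd:") - 1` is the usual compile-time form of the length. check_access continues outside this hunk.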
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/trace/linux/
commit: 1b3255175804af8743c9b264e4709cd6a3e8f353 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 10 15:11:41 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Mon Jul 10 15:52:35 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=1b325517 libsandbox/trace: cast NT_ARM_SYSTEM_CALL to avoid warnings Bug: https://bugs.gentoo.org/910195 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 12c24e7f990dec058563ca1ef954bfd8264f2f96) libsandbox/trace/linux/aarch64.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsandbox/trace/linux/aarch64.c b/libsandbox/trace/linux/aarch64.c index 8f32912..82e829c 100644 --- a/libsandbox/trace/linux/aarch64.c +++ b/libsandbox/trace/linux/aarch64.c @@ -36,7 +36,7 @@ static int trace_get_sysnum(void *vregs) .iov_base = , .iov_len = sizeof(nr), }; - do_ptrace(PTRACE_GETREGSET, NT_ARM_SYSTEM_CALL, _nr); + do_ptrace(PTRACE_GETREGSET, (void *)(uintptr_t)NT_ARM_SYSTEM_CALL, _nr); return nr; } @@ -46,5 +46,5 @@ static void trace_set_sysnum(void *vregs, int nr) .iov_base = , .iov_len = sizeof(nr), }; - do_ptrace(PTRACE_SETREGSET, NT_ARM_SYSTEM_CALL, _nr); + do_ptrace(PTRACE_SETREGSET, (void *)(uintptr_t)NT_ARM_SYSTEM_CALL, _nr); }
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/trace/linux/
commit: 879cfbd1ec96b8690b70430b7d8b4b6ccd9ce7d8 Author: Mike Gilbert gentoo org> AuthorDate: Sat Jul 8 02:50:02 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sat Jul 8 03:07:44 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=879cfbd1 libsandbox/trace: fix syscall cancellation on arm64 arm64 has a dedicated regset to manipulate the system call number. See kernel commit 766a85d7bc5d7f1ddd6de28bdb844eae45ec63b0. Bug: https://bugs.gentoo.org/909416 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit f4c6bf434459d2d7b57c003e4eab81f2f8c21f51) libsandbox/trace/linux/aarch64.c | 21 - 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/libsandbox/trace/linux/aarch64.c b/libsandbox/trace/linux/aarch64.c index d056259..8f32912 100644 --- a/libsandbox/trace/linux/aarch64.c +++ b/libsandbox/trace/linux/aarch64.c @@ -1,5 +1,4 @@ #define trace_reg_ret regs[0] /* x0 */ -#define trace_reg_sysnum regs[8] /* w0 */ #undef trace_get_regs static long trace_get_regs(void *vregs) @@ -29,3 +28,23 @@ static unsigned long trace_arg(void *vregs, int num) else return -1; } + +static int trace_get_sysnum(void *vregs) +{ + int nr; + struct iovec iov_nr = { + .iov_base = , + .iov_len = sizeof(nr), + }; + do_ptrace(PTRACE_GETREGSET, NT_ARM_SYSTEM_CALL, _nr); + return nr; +} + +static void trace_set_sysnum(void *vregs, int nr) +{ + struct iovec iov_nr = { + .iov_base = , + .iov_len = sizeof(nr), + }; + do_ptrace(PTRACE_SETREGSET, NT_ARM_SYSTEM_CALL, _nr); +}
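Review bot: In trace_get_sysnum, `int nr;` is returned after `do_ptrace(PTRACE_GETREGSET, …)` without checking that the call succeeded, so a failed ptrace hands the caller an indeterminate value that will be treated as a syscall number. Initialise it to a value the caller cannot mistake for a real syscall, `int nr = -1;`, and act on do_ptrace's result (its signature isn't visible here, so I can't tell whether it returns an error or aborts). The `vregs` parameter is unused in both new functions because the regset is fetched directly; `(void)vregs;` in each keeps -Wunused-parameter quiet if the other backends' signatures force the parameter.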
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/, libsandbox/wrapper-funcs/
commit: 3e1725e56f0edb4e7d88aa08a9f9cdcbca08d713 Author: Mike Gilbert gentoo org> AuthorDate: Thu Jun 22 17:41:09 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Jun 23 14:25:22 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=3e1725e5 libsandbox: wrap musl time64 functions musl uses different names from glibc for the time64 symbols. Add them to symbols.h, and use symlinks for the wrapper-func files. Bug: https://bugs.gentoo.org/908970 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 2911fdc0d72e37e99cac6609b4799ee06b29cd31) libsandbox/symbols.h.in | 4 libsandbox/wrapper-funcs/__futimesat_time64.c | 1 + libsandbox/wrapper-funcs/__lutimes_time64.c | 1 + libsandbox/wrapper-funcs/__utimensat_time64.c | 1 + libsandbox/wrapper-funcs/__utimes_time64.c| 1 + 5 files changed, 8 insertions(+) diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in index 297c13a..5805592 100644 --- a/libsandbox/symbols.h.in +++ b/libsandbox/symbols.h.in @@ -79,11 +79,15 @@ utime __utime64 utimes __utimes64 +__utimes_time64 utimensat __utimensat64 utimensat_time64 +__utimensat_time64 futimesat __futimesat64 +__futimesat_time64 lutimes __lutimes64 +__lutimes_time64 fork vfork diff --git a/libsandbox/wrapper-funcs/__futimesat_time64.c b/libsandbox/wrapper-funcs/__futimesat_time64.c new file mode 12 index 000..c3a9b23 --- /dev/null +++ b/libsandbox/wrapper-funcs/__futimesat_time64.c @@ -0,0 +1 @@ +__futimesat64.c \ No newline at end of file diff --git a/libsandbox/wrapper-funcs/__lutimes_time64.c b/libsandbox/wrapper-funcs/__lutimes_time64.c new file mode 12 index 000..1819ce7 --- /dev/null +++ b/libsandbox/wrapper-funcs/__lutimes_time64.c @@ -0,0 +1 @@ +__lutimes64.c \ No newline at end of file diff --git a/libsandbox/wrapper-funcs/__utimensat_time64.c b/libsandbox/wrapper-funcs/__utimensat_time64.c new file mode 12 index 000..2dceb14 --- /dev/null +++ b/libsandbox/wrapper-funcs/__utimensat_time64.c 
@@ -0,0 +1 @@ +__utimensat64.c \ No newline at end of file diff --git a/libsandbox/wrapper-funcs/__utimes_time64.c b/libsandbox/wrapper-funcs/__utimes_time64.c new file mode 12 index 000..3dea445 --- /dev/null +++ b/libsandbox/wrapper-funcs/__utimes_time64.c @@ -0,0 +1 @@ +__utimes64.c \ No newline at end of file
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/, libsandbox/wrapper-funcs/
commit: 45a8321f5015b19e706b8a3a1e2203bba900f24d Author: Michael Orlitzky orlitzky com> AuthorDate: Tue Jun 20 21:58:57 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Thu Jun 22 13:55:26 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=45a8321f libsandbox: add support for fchown/fchmod on linux The fchown/fchmod functions use a file descriptor obtained from open(), and the sandbox relies on its open() wrapper for safety. But it turns out that fchown/fchmod can operate on a descriptor opened O_RDONLY, which the open() wrapper is happy to give you. Oops. This is bug 599706. There's no POSIX way to map the descriptor to a path once you've got it, but on linux you can use the magic path "/proc/self/fd/%i" which should be a symlink pointing to the path passed to open(). Once we have that path, we can use the existing "is this path safe" machinery in the sandbox. There is precedent for this approach in sandbox, and the SANDBOX_PROC_SELF_FD macro already exists to indicate that the feature is available. Bug: https://bugs.gentoo.org/599706 Signed-off-by: Michael Orlitzky gentoo.org> Signed-off-by: Mike Gilbert gentoo.org> libsandbox/libsandbox.c | 17 + libsandbox/libsandbox.h | 7 +++ libsandbox/symbols.h.in | 2 ++ libsandbox/trace.c| 14 ++ libsandbox/wrapper-funcs/fchmod.c | 11 +++ libsandbox/wrapper-funcs/fchown.c | 11 +++ 6 files changed, 62 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index b9ef52e..847b4e2 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -766,7 +766,9 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, sb_nr == SB_NR_CHOWN || sb_nr == SB_NR_CREAT || sb_nr == SB_NR_CREAT64 || + sb_nr == SB_NR_FCHMOD || sb_nr == SB_NR_FCHMODAT|| + sb_nr == SB_NR_FCHOWN || sb_nr == SB_NR_FCHOWNAT|| /*sb_nr == SB_NR_FTRUNCATE || sb_nr == SB_NR_FTRUNCATE64 ||*/ 
@@ -1102,6 +1104,21 @@ bool before_syscall_open_int(int dirfd, int sb_nr, const char *func, const char return before_syscall(dirfd, sb_nr, ext_func, file, flags); } +bool before_syscall_fd(int sb_nr, const char *func, int fd) { +#ifdef SANDBOX_PROC_SELF_FD + /* We only know how to handle e.g. fchmod() and fchown() on +* linux, where it's possible to (eventually) get a path out +* of the given file descriptor. The "64" below accounts for +* the length of an integer string, and is probably +* overkill. */ + char path[sizeof("/proc/self/fd/") + 64]; + snprintf(path, sizeof("/proc/self/fd/") + 64, "/proc/self/fd/%i", fd); + return before_syscall(AT_FDCWD, sb_nr, func, path, 0); +#else + return true; +#endif +} + bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char *file, const char *mode) { if (NULL == mode) diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h index 206c506..01a4c6c 100644 --- a/libsandbox/libsandbox.h +++ b/libsandbox/libsandbox.h @@ -46,6 +46,11 @@ #define SB_SAFE_OPEN_CHAR(_path, _mode) \ SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode) +#define _SB_SAFE_FD(_nr, _name, _fd) \ +__SB_SAFE(before_syscall_fd(_nr, _name, fd)) +#define SB_SAFE_FD(_fd) \ + _SB_SAFE_FD(WRAPPER_NR, STRING_NAME, _fd) + /* Symbols that don't exist in the C library will be <= this value. */ #define SB_NR_UNDEF -9 #define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF) @@ -55,6 +60,8 @@ bool before_syscall(int, int, const char *, const char *, int); bool before_syscall_access(int, int, const char *, const char *, int); bool before_syscall_open_int(int, int, const char *, const char *, int); bool before_syscall_open_char(int, int, const char *, const char *, const char *); +bool before_syscall_fd(int, const char *, int); + enum sandbox_method_t get_sandbox_method(void); void *get_dlsym(const char *symname, const char *symver); diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in index ecf141c..297c13a 100644 --- a/libsandbox/symbols.h.in 
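Review bot: `snprintf(path, sizeof("/proc/self/fd/") + 64, …)` repeats the size expression from the declaration instead of using it, so the two can drift; `snprintf(path, sizeof path, "/proc/self/fd/%i", fd);` keeps them tied, and `sizeof("/proc/self/fd/") + 11` (sign plus ten digits) is the exact buffer size the comment already suspects. What the rest of the pipeline does when the descriptor does not name a regular file — a socket or pipe, a memfd, or a file reported as `… (deleted)` — is not visible from this hunk, and commit f3c48c32 on this page later special-cases memfd, which suggests those cases deserve a sentence in the function's header comment. The `#else` branch returns true unconditionally, so on non-Linux builds fchmod/fchown are unchecked; that too belongs in the comment.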
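Review bot: The new `_SB_SAFE_FD` macro expands to `before_syscall_fd(_nr, _name, fd)` — it names `fd`, not its parameter `_fd` — so it compiles only when the call site happens to have a variable called `fd` and it then uses that variable regardless of the argument passed; the wrapper files in this commit presumably use that name, which is why it went unnoticed. The fix is `#define _SB_SAFE_FD(_nr, _name, _fd) __SB_SAFE(before_syscall_fd(_nr, _name, _fd))`. The leading-underscore-plus-uppercase name is reserved by the C standard, but the neighbouring macros in this header already follow that convention, so it is a pre-existing choice rather than something for this commit.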
+++ b/libsandbox/symbols.h.in @@ -7,8 +7,10 @@ # before 'creat()' as 'creat()' uses 'open()' ... chmod +fchmod fchmodat chown +fchown fchownat open __open_2 diff --git a/libsandbox/trace.c b/libsandbox/trace.c index 4ae58aa..7ac4b5d 100644 --- a/libsandbox/trace.c +++ b/libsandbox/trace.c @@ -390,8 +390,22 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs) ret = 1; free(path); return ret; + + } else if (nr == SB_NR_FCHMOD) { + int fd = trace_arg(regs, 1); + mode_t mode = trace_arg(regs, 2); + __sb_debug("(%i, %o)", fd, mode); + return
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/, tests/
commit: a96f5a62b05f7895acb0990cd65f7842f0b1ff7a Author: Mike Gilbert gentoo org> AuthorDate: Mon Jun 12 14:58:39 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Tue Jun 13 17:22:48 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=a96f5a62 libsandbox: add lutimes to symlink_func lutimes operates on symlinks, so we should not check for access against the symlink target. Bug: https://bugs.gentoo.org/908105 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit cdc89a00ac0bc3170d4ca7bfc77bc2572ce076b0) libsandbox/libsandbox.c | 1 + tests/lutimes-1.sh | 9 + tests/lutimes.at| 1 + 3 files changed, 11 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 0ca2bc9..b9ef52e 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -679,6 +679,7 @@ static bool symlink_func(int sb_nr, int flags) sb_nr == SB_NR_LCHOWN || sb_nr == SB_NR_LREMOVEXATTR || sb_nr == SB_NR_LSETXATTR|| + sb_nr == SB_NR_LUTIMES || sb_nr == SB_NR_REMOVE || sb_nr == SB_NR_RENAME || sb_nr == SB_NR_RENAMEAT || diff --git a/tests/lutimes-1.sh b/tests/lutimes-1.sh new file mode 100755 index 000..8638bb2 --- /dev/null +++ b/tests/lutimes-1.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +addwrite "${PWD}" + +sym="lutimes-1.sym" +ln -s /bad/path "${sym}" + +lutimes-0 0 "${sym}" NULL || exit 1 +lutimes-0 -1,EACCES /bin/sh NULL || exit 1 diff --git a/tests/lutimes.at b/tests/lutimes.at new file mode 100644 index 000..081d7d2 --- /dev/null +++ b/tests/lutimes.at @@ -0,0 +1 @@ +SB_CHECK(1)