| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
These changes revert f7d02c04 that aimed to resolve 921581 and
fix it in a way that doesn't cause unwanted sandbox violations.
Bug: https://bugs.gentoo.org/921581
Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In https://github.com/google/googletest/blob/v1.14.0/googletest/src/gtest-death-test.cc#L1307
on x86-64 gtest sallocates 8192 bytes for `clone`:
```
static pid_t ExecDeathTestSpawnChild(char* const* argv, int close_fd) {
const auto stack_size = static_cast<size_t>(getpagesize() * 2);
...
child_pid = clone(&ExecDeathTestChildMain, stack_top, SIGCHLD, &args);
```
After that attempt to call execv is intercepted by libsandbox.so, which
allocates 8192 + more bytes multiple times on stack, causing SIGSEGV
(instead of expected types of crashes).
This PR moves all allocations for related function to heap, so now
call path fits `getpagesize() * 2` with large margin.
Bug: https://bugs.gentoo.org/923013
Closes: https://github.com/gentoo/sandbox/pull/26
Signed-off-by: Sv. Lockal <lockalsash@gmail.com>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Resolves an issue that can occur with paths that contain parent
directory references (/../).
If part of the path does not exist, the sandboxed program should get ENOENT,
not EEXIST. If we use the canonicalized path, intermediate paths will be
eliminated and we produce the wrong result.
Bug: https://bugs.gentoo.org/921581
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
Closes: https://github.com/gentoo/sandbox/pull/23
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- Ensure all potentially 21 chars + NUL from "/proc/%i/cwd" fit in its
buffer
- Use snprintf(3) instead of sprintf(3) to fill in the buffer
- readlink(2) does not add a NUL terminator, so ensure it only writes up
to the allocated length - 1
- Use a more descriptive name for the return value of readlink(2)
Signed-off-by: Oskari Pirhonen <xxc3ncoredxx@gmail.com>
Closes: https://github.com/gentoo/sandbox/pull/24
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
Fixes a compile warning:
```
warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict]
```
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
Fixes a compiler warning:
```
warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict]
```
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
The SB_PATH_MAX macro is always defined, so this variable was pointless.
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fixes a compiler warning:
```
src/environ.c:211:19: warning: the comparison will always evaluate as ‘true’ for the address of ‘work_dir’ will never be NULL [-Waddress]
```
Bug: https://bugs.gentoo.org/906234
Signed-off-by: gto2023 <gto7052@mailbox.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: gto2023 <gto7052@mailbox.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
|
|
|
|
| |
"schizo" isn't a particularly sensitive term, and it's not very clear what it
means to non-native English speakers anyway. Name it after what the feature
really does: multiple (Linux) personality support using ptrace.
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
sbio_faccessat allows libsbutil to access the unwrapped version of
faccessat when called from libsandbox.
Using faccessat in place of fstatat seems to give a small boost in
performance.
Pass AT_EACCESS faccessat to enable a faster path if uid != euid.
Bug: https://bugs.gentoo.org/910273
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
| |
If access/faccessat is called with F_OK or X_OK in the mode argument,
there is no need to check the path.
Bug: https://bugs.gentoo.org/910273
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
For memfd objects, the kernel populates the target for symlinks under
/proc/$PID/fd as "/memfd:name". Said target does not actually exist.
It is unfortunate that the kernel includes the leading slash, but we
will just have to work around it.
Bug: https://bugs.gentoo.org/910561
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
| |
faccessat appears to perform quite poorly under certain conditions.
Go back to using fstatat until this can be debugged.
Bug: https://bugs.gentoo.org/910273
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
| |
Bug: https://bugs.gentoo.org/910195
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
| |
arm64 has a dedicated regset to manipulate the system call number.
See kernel commit 766a85d7bc5d7f1ddd6de28bdb844eae45ec63b0.
Bug: https://bugs.gentoo.org/909416
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running the test suite under portage, the entire build directory
will be writable because portage adds PORTAGE_TMPDIR to SANDBOX_WRITE
(thanks floppym). This breaks the tests for these two wrappers, since
they expect to fail when trying to write above $PWD.
To avoid that, we create a new file to call fchown/fchmod on, and then
explicitly deny access to it.
Closes: https://bugs.gentoo.org/909445
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
On Alpine, libc's SONAME is 'libc.musl-x86_64.so.1'.
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
| |
musl uses different names from glibc for the time64 symbols.
Add them to symbols.h, and use symlinks for the wrapper-func files.
Bug: https://bugs.gentoo.org/908970
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
Closes: https://bugs.gentoo.org/599706
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
Bug: https://bugs.gentoo.org/599706
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fchown/fchmod functions use a file descriptor obtained from
open(), and the sandbox relies on its open() wrapper for safety. But
it turns out that fchown/fchmod can operate on a descriptor opened
O_RDONLY, which the open() wrapper is happy to give you. Oops. This is
bug 599706.
There's no POSIX way to map the descriptor to a path once you've got
it, but on linux you can use the magic path "/proc/self/fd/%i" which
should be a symlink pointing to the path passed to open(). Once we
have that path, we can use the existing "is this path safe" machinery
in the sandbox. There is precedent for this approach in sandbox, and
the SANDBOX_PROC_SELF_FD macro already exists to indicate that the
feature is available.
Bug: https://bugs.gentoo.org/599706
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
This provides a central place to work around a bug on musl where
faccessat sets errno to EINVAL when the kernel does not support
faccessat2.
Bug: https://bugs.gentoo.org/908765
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
| |
lutimes operates on symlinks, so we should not check for access against
the symlink target.
Bug: https://bugs.gentoo.org/908105
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bfd, gold, lld, and mold all support `-Wl,--trace`, which has cleaner
output than `-Wl,--verbose`. mold doesn't output anything with the
latter, so the test didn't support that until now. The only difference
between them now is that mold prefixes its output with `trace: ` whereas
the others do not.
I checked the Solaris linker, but that does not support `-Wl,--trace`.
Bug: https://bugs.gentoo.org/830463
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
Closes: https://github.com/gentoo/sandbox/pull/5
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now that we use 64-bit stat & lstat explicitly everywhere, we don't
need these dynamic redirects for 64-bit wrappers. The off_t define
is only used by one file anymore too, but we can inline that.
That leaves the SB64 define which we use inconsistently in places.
In some 64-bit modules that include the 32-bit, we use SB64 to switch
between the 64-bit & 32-bit APIs. In other places, the 64-bit file
is responsible for redefining the few relevant APIs. Let's switch
all the files away from SB64 and to defining the single thing that
the 64-bit module needs directly. It's either the same or fewer LOC
this way, and doesn't seem any more or less difficult to maintain.
The __64_{pre,post}.h & SB64 define weren't easily discoverable.
Bug: https://bugs.gentoo.org/583282
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
Make sure we use 64-bit FS interfaces when accessing the FS. This
is needed not only to stat or open large files, but even files with
64-bit inodes.
Bug: https://bugs.gentoo.org/583282
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
Realistically we aren't even testing with older than C11 compilers,
but one thing at a time.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
Only copy in files that define the macros we need and not ones that
reference the macros. This avoids copying a lot unused files in.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
| |
We don't need to support glibc versions that predate Linux-2.6.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
Since this is only used by sandbox, and is not usable by libsandbox,
move it out of libsbutil. Leave a note behind for possible future
macros too.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This is faster than using stat since it doesn't have to gather all
the metadata, and should avoid LFS issues as a result.
Bug: https://bugs.gentoo.org/583282
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 19c215f245faf9a453e7171bddccc690c03f7b72.
We do not want different LFS interfaces being used in different modules
as it makes debugging a nightmare when different functions think basic
structures have different layouts & sizes.
This also doesn't address the LFS issues sandbox has when code still
crashes in libsandbox itself when checking accesses.
Bug: https://bugs.gentoo.org/681892
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
Current versions of portage don't write these variables to the env
file, so manually set them up ourselves.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
These messages aren't super useful to most people, nor are needed on
every invocation, so put them behind a debug knob to reduce log spam.x
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
I incorrectly dropped this as unused a while back, but the bashrc hook
definitely still relies on it for checking portage settings. I think
I got confused by the interaction with SANDBOX_TESTING.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
This works around problems when a 64bit qemu is emulating a 32bit
architecture.
LFS has been present since glibc-2.2 and kernel 2.4.
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
|
| |
|
|
|
|
|
|
| |
Since we can't trace static children under certain YAMA ptrace_scope
settings, skip tests that rely on that functionality.
Closes: https://bugs.gentoo.org/821418
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
Aliaksei Urbanski
Sam James
Sv. Lockal
Mike Gilbert
Oskari Pirhonen
gto2023
Michael Orlitzky
Michael Orlitzky
James Le Cuirot
Mike Frysinger
Andreas K. Hüttel
GitWeb