commit:     94f5df1e61d1b6159a32f020e1780427fba6d98c
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Mar 10 18:49:39 2017 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Mar 10 18:50:54 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94f5df1e

sys-apps/sandbox: fix handling of symlinks w/symlinkat/renameat #612202

 .../files/sandbox-2.11-symlinkat-renameat.patch    | 124 +++++++++++++++++++++
 sys-apps/sandbox/sandbox-2.10-r4.ebuild            |  85 ++++++++++++++
 sys-apps/sandbox/sandbox-2.11-r5.ebuild            |  86 ++++++++++++++
 3 files changed, 295 insertions(+)

diff --git a/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch 
b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
new file mode 100644
index 00000000000..e33011f7495
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
@@ -0,0 +1,124 @@
+From 4c47cfa22802fd8201586bef233d8161df4ff61b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vap...@gentoo.org>
+Date: Fri, 10 Mar 2017 10:15:50 -0800
+Subject: [PATCH] libsandbox: whitelist renameat/symlinkat as symlink funcs
+
+These funcs don't deref their path args, so flag them as such.
+
+URL: https://bugs.gentoo.org/612202
+Signed-off-by: Mike Frysinger <vap...@gentoo.org>
+---
+ libsandbox/libsandbox.c |  4 +++-
+ tests/renameat-2.sh     | 12 ++++++++++++
+ tests/renameat-3.sh     | 11 +++++++++++
+ tests/renameat.at       |  2 ++
+ tests/symlinkat-2.sh    | 10 ++++++++++
+ tests/symlinkat-3.sh    |  9 +++++++++
+ tests/symlinkat.at      |  2 ++
+ 7 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100755 tests/renameat-2.sh
+ create mode 100755 tests/renameat-3.sh
+ create mode 100755 tests/symlinkat-2.sh
+ create mode 100755 tests/symlinkat-3.sh
+
+diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
+index e809308d717d..de48bd79ba53 100644
+--- a/libsandbox/libsandbox.c
++++ b/libsandbox/libsandbox.c
+@@ -650,8 +650,10 @@ static bool symlink_func(int sb_nr, int flags, const char 
*abs_path)
+             sb_nr == SB_NR_LCHOWN   ||
+             sb_nr == SB_NR_REMOVE   ||
+             sb_nr == SB_NR_RENAME   ||
++            sb_nr == SB_NR_RENAMEAT ||
+             sb_nr == SB_NR_RMDIR    ||
+-            sb_nr == SB_NR_SYMLINK))
++            sb_nr == SB_NR_SYMLINK  ||
++            sb_nr == SB_NR_SYMLINKAT))
+       {
+               /* These funcs sometimes operate on symlinks */
+               if (!((sb_nr == SB_NR_FCHOWNAT ||
+diff --git a/tests/renameat-2.sh b/tests/renameat-2.sh
+new file mode 100755
+index 000000000000..d0fbe8ae4574
+--- /dev/null
++++ b/tests/renameat-2.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++# make sure we can clobber symlinks #612202
++
++addwrite $PWD
++
++ln -s /asdf sym || exit 1
++touch file
++renameat-0 0 AT_FDCWD file AT_FDCWD sym || exit 1
++[ ! -e file ]
++[ ! -L sym ]
++[ -e sym ]
++test ! -s "${SANDBOX_LOG}"
+diff --git a/tests/renameat-3.sh b/tests/renameat-3.sh
+new file mode 100755
+index 000000000000..9ae5c9a6511a
+--- /dev/null
++++ b/tests/renameat-3.sh
+@@ -0,0 +1,11 @@
++#!/bin/sh
++# make sure we reject bad renames #612202
++
++addwrite $PWD
++mkdir deny
++adddeny $PWD/deny
++
++touch file
++renameat-0 -1,EACCES AT_FDCWD file AT_FDCWD deny/file || exit 1
++[ -e file ]
++test -s "${SANDBOX_LOG}"
+diff --git a/tests/renameat.at b/tests/renameat.at
+index 081d7d20277e..eec4638deeaa 100644
+--- a/tests/renameat.at
++++ b/tests/renameat.at
+@@ -1 +1,3 @@
+ SB_CHECK(1)
++SB_CHECK(2)
++SB_CHECK(3)
+diff --git a/tests/symlinkat-2.sh b/tests/symlinkat-2.sh
+new file mode 100755
+index 000000000000..168362e8806f
+--- /dev/null
++++ b/tests/symlinkat-2.sh
+@@ -0,0 +1,10 @@
++#!/bin/sh
++# make sure we can clobber symlinks #612202
++
++addwrite $PWD
++
++symlinkat-0 0 /asdf AT_FDCWD ./sym || exit 1
++[ -L sym ]
++symlinkat-0 -1,EEXIST /asdf AT_FDCWD ./sym || exit 1
++[ -L sym ]
++test ! -s "${SANDBOX_LOG}"
+diff --git a/tests/symlinkat-3.sh b/tests/symlinkat-3.sh
+new file mode 100755
+index 000000000000..a01c750dd2b6
+--- /dev/null
++++ b/tests/symlinkat-3.sh
+@@ -0,0 +1,9 @@
++#!/bin/sh
++# make sure we reject bad symlinks #612202
++
++addwrite $PWD
++mkdir deny
++adddeny $PWD/deny
++
++symlinkat-0 -1,EACCES ./ AT_FDCWD deny/sym || exit 1
++test -s "${SANDBOX_LOG}"
+diff --git a/tests/symlinkat.at b/tests/symlinkat.at
+index 081d7d20277e..eec4638deeaa 100644
+--- a/tests/symlinkat.at
++++ b/tests/symlinkat.at
+@@ -1 +1,3 @@
+ SB_CHECK(1)
++SB_CHECK(2)
++SB_CHECK(3)
+-- 
+2.12.0
+
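Review bot: In tests/renameat-2.sh the bare checks `[ ! -e file ]`, `[ ! -L sym ]` and `[ -e sym ]` do not gate the result, because the script has no `set -e` and its exit status is that of the final `test ! -s "${SANDBOX_LOG}"`; unless the harness runs these scripts with errexit, a rename that leaves the wrong filesystem state would still pass. The same holds for `[ -L sym ]` in symlinkat-2.sh and `[ -e file ]` in renameat-3.sh. Appending `|| exit 1` to each check, as the `ln -s` and `renameat-0` lines already do, would make them enforce. The new cases also exercise only the final path component; since the libsandbox.c change marks these calls as not dereferencing their path (symlink_func's body continues outside the hunk), a case where an intermediate directory is a symlink into the `adddeny` area would confirm the deny rule still applies there.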

diff --git a/sys-apps/sandbox/sandbox-2.10-r4.ebuild 
b/sys-apps/sandbox/sandbox-2.10-r4.ebuild
new file mode 100644
index 00000000000..0f792910204
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.10-r4.ebuild
@@ -0,0 +1,85 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+EAPI="5"
+
+inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/";
+SRC_URI="mirror://gentoo/${P}.tar.xz
+       https://dev.gentoo.org/~vapier/dist/${P}.tar.xz";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+       >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || 
EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+       ewarn "If configure failed with a 'cannot run C compiled programs' 
error, try this:"
+       ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+       epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
+       epatch "${FILESDIR}"/${P}-disable-same.patch
+       epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
+       epatch "${FILESDIR}"/${PN}-2.11-symlinkat-renameat.patch #612202
+       epatch_user
+}
+
+multilib_src_configure() {
+       filter-lfs-flags #90228
+
+       local myconf=()
+       host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+       ECONF_SOURCE="${S}" \
+       econf "${myconf[@]}"
+}
+
+multilib_src_test() {
+       # Default sandbox build will run with --jobs set to # cpus.
+       emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+       doenvd "${FILESDIR}"/09sandbox
+
+       keepdir /var/log/sandbox
+       fowners root:portage /var/log/sandbox
+       fperms 0770 /var/log/sandbox
+
+       cd "${S}"
+       dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+       chown root:portage "${ED}"/var/log/sandbox
+       chmod 0770 "${ED}"/var/log/sandbox
+
+       if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+               local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 
'libsandbox*')
+               if [[ -n ${old} ]] ; then
+                       elog "Removing old sandbox libraries for you:"
+                       find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' 
-print -delete
+               fi
+       fi
+}
+
+pkg_postinst() {
+       if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+               chmod 0755 "${EROOT}"/etc/sandbox.d #265376
+       fi
+}
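Review bot: In pkg_preinst the raw `chown root:portage "${ED}"/var/log/sandbox` and `chmod 0770 "${ED}"/var/log/sandbox` carry no `|| die`, so a failure leaves the sandbox log directory with whatever owner and mode the image had, and the merge continues silently. Unlike the `fowners`/`fperms` helpers used in multilib_src_install_all, external commands do not abort the phase on failure in EAPI 5; `chown root:portage "${ED}"/var/log/sandbox || die` and the same on the `chmod` line would surface it. `cd "${S}"` before `dodoc` and the `chmod 0755` in pkg_postinst have the same gap, and sandbox-2.11-r5.ebuild repeats all of these lines.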

diff --git a/sys-apps/sandbox/sandbox-2.11-r5.ebuild 
b/sys-apps/sandbox/sandbox-2.11-r5.ebuild
new file mode 100644
index 00000000000..48dd1a7ad99
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.11-r5.ebuild
@@ -0,0 +1,86 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+EAPI="5"
+
+inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/";
+SRC_URI="mirror://gentoo/${P}.tar.xz
+       https://dev.gentoo.org/~vapier/dist/${P}.tar.xz";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+       >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || 
EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+       ewarn "If configure failed with a 'cannot run C compiled programs' 
error, try this:"
+       ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+       epatch "${FILESDIR}"/${P}-execvpe.patch #578516
+       epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
+       epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894
+       epatch "${FILESDIR}"/${PN}-2.10-fix-opendir.patch #553092
+       epatch "${FILESDIR}"/${P}-symlinkat-renameat.patch #612202
+       epatch_user
+}
+
+multilib_src_configure() {
+       filter-lfs-flags #90228
+
+       local myconf=()
+       host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+       ECONF_SOURCE="${S}" \
+       econf "${myconf[@]}"
+}
+
+multilib_src_test() {
+       # Default sandbox build will run with --jobs set to # cpus.
+       emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+       doenvd "${FILESDIR}"/09sandbox
+
+       keepdir /var/log/sandbox
+       fowners root:portage /var/log/sandbox
+       fperms 0770 /var/log/sandbox
+
+       cd "${S}"
+       dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+       chown root:portage "${ED}"/var/log/sandbox
+       chmod 0770 "${ED}"/var/log/sandbox
+
+       if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+               local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 
'libsandbox*')
+               if [[ -n ${old} ]] ; then
+                       elog "Removing old sandbox libraries for you:"
+                       find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' 
-print -delete
+               fi
+       fi
+}
+
+pkg_postinst() {
+       if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+               chmod 0755 "${EROOT}"/etc/sandbox.d #265376
+       fi
+}
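Review bot: The header reads `# Copyright 1999-2016 Gentoo Foundation` although this file is added in a March 2017 commit, and the sibling sandbox-2.10-r4.ebuild added alongside it says 1999-2017. Changing the first line to `# Copyright 1999-2017 Gentoo Foundation` keeps the two new revisions consistent.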
