commit:     96374d9bff64bcee64340f6572cca9f1cc3f696d
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue Jun  8 15:08:54 2021 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Sep  7 15:31:07 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=96374d9b

libsandbox: adjust hard-coded denial for /var/log/sandbox

Move this hack after the read checks, but before the write checks. This
allows processes to read the log directory, but not write to it.

This is helpful in case a process does something like this:

  find /var/log -name system.journal

Bug: https://bugs.gentoo.org/794949
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
Closes: https://bugs.gentoo.org/794949
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 libsandbox/libsandbox.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 3d55dd7..758c0dc 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -714,15 +714,6 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, 
const char *func,
                        goto out;
        }
 
-       /* Hardcode denying write to the whole log dir.  While this is a
-        * parial match and so rejects paths that also start with this
-        * string, that isn't going to happen in real life so live with
-        * it.  We can't append a slash to this path either as that would
-        * allow people to open the dir itself for writing.
-        */
-       if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, 
strlen(SANDBOX_LOG_LOCATION)))
-               goto out;
-
        if (sbcontext->read_prefixes &&
            (sb_nr == SB_NR_ACCESS_RD ||
             sb_nr == SB_NR_OPEN_RD   ||
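Review bot: with the hard-coded denial removed from this position, a read-type request (SB_NR_ACCESS_RD, SB_NR_OPEN_RD, ...) on a path under SANDBOX_LOG_LOCATION now falls straight into the `sbcontext->read_prefixes` block below, so whether reading the log directory is permitted depends entirely on that block and on whatever the function returns when no prefix matches; the patch does not add a test for the `find /var/log` case from the commit message, and one that exercises both an open-for-read and an open-for-write of a path under SANDBOX_LOG_LOCATION would pin the new ordering down.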
@@ -754,6 +745,15 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, 
const char *func,
                }
        }
 
+       /* Hardcode denying write to the whole log dir.  While this is a
+        * parial match and so rejects paths that also start with this
+        * string, that isn't going to happen in real life so live with
+        * it.  We can't append a slash to this path either as that would
+        * allow people to open the dir itself for writing.
+        */
+       if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, 
strlen(SANDBOX_LOG_LOCATION)))
+               goto out;
+
        if (sb_nr == SB_NR_ACCESS_WR   ||
            sb_nr == SB_NR_CHMOD       ||
            sb_nr == SB_NR_CHOWN       ||
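Review bot: the comment is carried over verbatim, so the "parial match" typo survives the move; while touching it, it should also say that the block is write-only purely because it sits after the read-prefix checks and before `if (sb_nr == SB_NR_ACCESS_WR || ...`, otherwise the next refactor can move it back without noticing. Separately, the `goto out` here returns whatever the result variable holds at this point; since the block now runs after the `read_prefixes` branch rather than before it, it is worth confirming that a read-prefix miss on the way through has not left that variable in an allow state, or the denial becomes a no-op for the write calls listed immediately below.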
