[gentoo-commits] proj/sandbox:master commit in: libsandbox/, scripts/, libsandbox/wrapper-funcs/

Mike Frysinger Sat, 23 Oct 2021 15:19:56 -0700

commit:     1db325a29ffd8f764b9142fdf41b9933de547658
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 23 10:17:38 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Oct 23 22:18:03 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=1db325a2


libsandbox: tweak how undefined symbols are declared

Rather than always set undefined symbols to the same constant, expand
it to a range of constants, and give every symbol a unique value.  For
dynamic symbol processing, this isn't a big deal as such symbols will
never show up, but when handling syscalls that don't have a matching C
library symbol, we need to make sure that we have unique entries.

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 libsandbox/libsandbox.h                | 4 ++++
 libsandbox/trace.c                     | 4 ++--
 libsandbox/wrapper-funcs/__pre_check.c | 8 ++++----
 scripts/gen_symbol_header.awk          | 3 +--
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h
index 96bb7c1..fbea6ba 100644
--- a/libsandbox/libsandbox.h
+++ b/libsandbox/libsandbox.h
@@ -46,6 +46,10 @@
 #define  SB_SAFE_OPEN_CHAR(_path, _mode) \
          SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode)
 
+/* Symbols that don't exist in the C library will be <= this value. */
+#define SB_NR_UNDEF -99999
+#define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF)
+
 bool is_sandbox_on(void);
 bool before_syscall(int, int, const char *, const char *, int);
 bool before_syscall_access(int, int, const char *, const char *, int);

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 7660d47..ae5f935 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -305,7 +305,7 @@ static bool trace_check_syscall(const struct syscall_entry 
*se, void *regs)
        state.regs = regs;
        state.nr = nr = se->sys;
        state.func = name = se->name;
-       if (nr == SB_NR_UNDEF)          goto done;
+       if (!SB_NR_IS_DEFINED(nr))      goto done;
        else if (nr == SB_NR_MKDIR)     state.pre_check = sb_mkdirat_pre_check;
        else if (nr == SB_NR_MKDIRAT)   state.pre_check = sb_mkdirat_pre_check;
        else if (nr == SB_NR_UNLINK)    state.pre_check = sb_unlinkat_pre_check;
@@ -313,7 +313,7 @@ static bool trace_check_syscall(const struct syscall_entry 
*se, void *regs)
        else                            state.pre_check = NULL;
 
        /* Hmm, add these functions to the syscall table and avoid this if() ? 
*/
-       if (nr == SB_NR_UNDEF)          goto done;
+       if (!SB_NR_IS_DEFINED(nr))      goto done;
        else if (nr == SB_NR_CHMOD)     return  trace_check_syscall_C  (&state);
        else if (nr == SB_NR_CHOWN)     return  trace_check_syscall_C  (&state);
        else if (nr == SB_NR_CREAT)     return  trace_check_syscall_C  (&state);

diff --git a/libsandbox/wrapper-funcs/__pre_check.c 
b/libsandbox/wrapper-funcs/__pre_check.c
index 28ad91f..e7db0a2 100644
--- a/libsandbox/wrapper-funcs/__pre_check.c
+++ b/libsandbox/wrapper-funcs/__pre_check.c
@@ -5,19 +5,19 @@
  * Licensed under the GPL-2
  */
 
-#if SB_NR_MKDIR != SB_NR_UNDEF && SB_NR_MKDIRAT == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_MKDIR) && !SB_NR_IS_DEFINED(SB_NR_MKDIRAT)
 # include "mkdirat_pre_check.c"
 #endif
 
-#if SB_NR_OPEN != SB_NR_UNDEF && SB_NR_OPENAT == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_OPEN) && !SB_NR_IS_DEFINED(SB_NR_OPENAT)
 # include "openat_pre_check.c"
 #endif
 
-#if SB_NR_OPEN64 != SB_NR_UNDEF && SB_NR_OPENAT64 == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_OPEN64) && !SB_NR_IS_DEFINED(SB_NR_OPENAT64)
 # include "openat64_pre_check.c"
 #endif
 
-#if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_UNLINK) && !SB_NR_IS_DEFINED(SB_NR_UNLINKAT)
 # include "unlinkat_pre_check.c"
 #endif
 

diff --git a/scripts/gen_symbol_header.awk b/scripts/gen_symbol_header.awk
index 48d2f9d..14e0a99 100644
--- a/scripts/gen_symbol_header.awk
+++ b/scripts/gen_symbol_header.awk
@@ -96,7 +96,6 @@ BEGIN {
 END {
        printf("#ifndef __symbols_h\n");
        printf("#define __symbols_h\n\n");
-       printf("#define SB_NR_UNDEF -99999\n\n");
 
        SB_MAX_STRING_LEN = 0
 
@@ -109,7 +108,7 @@ END {
                        SB_MAX_STRING_LEN = length(sym_index);
 
                if (full_count == 0)
-                       printf("#define SB_NR_%s SB_NR_UNDEF\n", 
toupper(sym_index));
+                       printf("#define SB_NR_%s (SB_NR_UNDEF - %i)\n", 
toupper(sym_index), i);
 
                for (x in sym_full_names) {
                        split(sym_full_names[x], symbol_array, /@|@@/);

[gentoo-commits] proj/sandbox:master commit in: libsandbox/, scripts/, libsandbox/wrapper-funcs/

Reply via email to