commit:     01318f0d48654425b4ea3a90520a52f774b60ead
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Nov  3 16:34:54 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Nov  3 16:34:54 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=01318f0d

libsandbox: refine yama check to abort on level 3+

There's no way we can support level 3+ since the kernel blocks it,
so give up and inform the user their setup is incompatible.

Bug: https://bugs.gentoo.org/771360
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 libsandbox/trace.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index d2899b7..036d57f 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -49,13 +49,7 @@ pid_t trace_pid;
 static int trace_yama_level(void)
 {
        char ch;
-       int fd;
-
-       /* ptrace scope binds access to specific capabilities.  Lets use uid==0 
as a
-        * lazy proxy for "we have all capabilities" until we can refine this.
-        */
-       if (getuid() == 0)
-               return 0;
+       int fd, level;
 
        fd = open("/proc/sys/kernel/yama/ptrace_scope", O_RDONLY | O_CLOEXEC);
        if (fd == -1)
@@ -63,7 +57,25 @@ static int trace_yama_level(void)
 
        RETRY_EINTR(read(fd, &ch, 1));
        close(fd);
-       return ch - '0';
+       level = ch - '0';
+
+       switch (level) {
+       case 0:
+               /* Normal levels work fine. */
+               return 0;
+
+       case 1:
+       case 2:
+               /* ptrace scope binds access to specific capabilities.  Lets 
use uid==0 as a
+                * lazy proxy for "we have all capabilities" until we can 
refine this.
+                */
+               return getuid() == 0 ? 0 : level;
+
+       case 3:
+       default:
+               /* Level 3+ is not supported. */
+               sb_ebort("YAMA ptrace_scope=%i+ is not supported as it makes 
tracing impossible.\n", level);
+       }
 }
 
 static void trace_exit(int status)
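Review bot: The result of `read()` is still discarded, so after a failed or zero-length read `ch` is uninitialized when `level = ch - '0'` is computed. With the new `switch`, any value outside 0–2 (including a negative one from a non-digit byte) falls into `default` and aborts the sandbox with a misleading "ptrace_scope=%i+" message. Check the byte count before converting, for example `if (RETRY_EINTR(read(fd, &ch, 1)) != 1) ch = '0';`. This assumes RETRY_EINTR yields the call's result, and that treating an unreadable file as level 0 matches the `fd == -1` branch, whose body lies outside the hunk. Separately, the function now ends after `sb_ebort()` with no `return`, which is only safe if `sb_ebort` is declared noreturn; its declaration is not visible here.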
@@ -709,7 +721,7 @@ bool trace_possible(const char *filename, char *const 
argv[], const void *data)
        /* If YAMA ptrace_scope is very high, then we can't trace at all.  
#771360 */
        int yama = trace_yama_level();
        if (yama >= 2) {
-               sb_eqawarn("YAMA ptrace_scope=%i\n", yama);
+               sb_eqawarn("YAMA ptrace_scope=%i is not currently supported\n", 
yama);
                goto fail;
        }
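Review bot: The comment above this check ("If YAMA ptrace_scope is very high, then we can't trace at all") and the `yama >= 2` test no longer describe what can reach this branch. After this commit `trace_yama_level()` aborts on 3+ and returns 0 for uid 0, so the only value that arrives here is 2 for a non-root caller. I would reword the comment to something like `/* Level 2 needs CAP_SYS_PTRACE, approximated as uid 0; 3+ already aborted in trace_yama_level().  #771360 */`. The warning could also say what clears it, namely running as root or lowering ptrace_scope. `trace_possible` starts and ends outside this hunk.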
 
