[gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, tests/, /, libsandbox/
commit: 701486a499631955c150344559762ac301147833 Author: Mike Frysinger gentoo org> AuthorDate: Fri Oct 22 03:20:21 2021 + Commit: Mike Frysinger gentoo org> CommitDate: Fri Oct 22 04:15:04 2021 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=701486a4 libsandbox: add xattr wrappers #672566 These modify the filesystem, so don't let them do their business. Fixes: https://bugs.gentoo.org/672566 Signed-off-by: Mike Frysinger gentoo.org> configure.ac| 5 + headers.h | 3 +++ libsandbox/libsandbox.c | 24 +++- libsandbox/symbols.h.in | 4 libsandbox/wrapper-funcs/lremovexattr.c | 11 +++ libsandbox/wrapper-funcs/lsetxattr.c| 11 +++ libsandbox/wrapper-funcs/removexattr.c | 11 +++ libsandbox/wrapper-funcs/setxattr.c | 11 +++ tests/Makefile.am | 4 tests/lremovexattr-0.c | 15 +++ tests/lsetxattr-0.c | 24 tests/removexattr-0.c | 15 +++ tests/removexattr-1.sh | 13 + tests/removexattr.at| 1 + tests/setxattr-0.c | 24 tests/setxattr-1.sh | 13 + tests/setxattr.at | 1 + tests/tests.h | 1 + 18 files changed, 182 insertions(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac index e16892f..96c602f 100644 --- a/configure.ac +++ b/configure.ac @@ -143,6 +143,7 @@ AC_CHECK_HEADERS_ONCE(m4_flatten([ sys/uio.h sys/user.h sys/wait.h + sys/xattr.h asm/ptrace.h linux/ptrace.h ])) @@ -185,6 +186,8 @@ AC_CHECK_FUNCS_ONCE(m4_flatten([ getcwd lchown linkat + lremovexattr + lsetxattr lutimes memmove memcpy @@ -210,10 +213,12 @@ AC_CHECK_FUNCS_ONCE(m4_flatten([ ptrace realpath remove + removexattr renameat renameat2 rmdir setenv + setxattr strcasecmp strchr strdup diff --git a/headers.h b/headers.h index 13e005a..605413e 100644 --- a/headers.h +++ b/headers.h @@ -143,6 +143,9 @@ #ifdef HAVE_SYS_WAIT_H # include #endif +#ifdef HAVE_SYS_XATTR_H +# include +#endif #ifdef __ia64__ /* what a pos */ # define ia64_fpreg FU_ia64_fpreg diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index c00c92c..beaf305 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -676,15 +676,17 @@ static bool symlink_func(int sb_nr, int flags, const char *abs_path) struct stat st; /* These funcs always operate on symlinks */ - if (!(sb_nr == SB_NR_UNLINK || - sb_nr == SB_NR_UNLINKAT || - sb_nr == SB_NR_LCHOWN || - sb_nr == SB_NR_REMOVE || - sb_nr == SB_NR_RENAME || - sb_nr == SB_NR_RENAMEAT || - sb_nr == SB_NR_RENAMEAT2|| - sb_nr == SB_NR_RMDIR|| - sb_nr == SB_NR_SYMLINK || + if (!(sb_nr == SB_NR_UNLINK || + sb_nr == SB_NR_UNLINKAT || + sb_nr == SB_NR_LCHOWN || + sb_nr == SB_NR_LREMOVEXATTR || + sb_nr == SB_NR_LSETXATTR|| + sb_nr == SB_NR_REMOVE || + sb_nr == SB_NR_RENAME || + sb_nr == SB_NR_RENAMEAT || + sb_nr == SB_NR_RENAMEAT2|| + sb_nr == SB_NR_RMDIR|| + sb_nr == SB_NR_SYMLINK || sb_nr == SB_NR_SYMLINKAT)) { /* These funcs sometimes operate on symlinks */ @@ -776,6 +778,8 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, sb_nr == SB_NR_LCHOWN || sb_nr == SB_NR_LINK|| sb_nr == SB_NR_LINKAT || + sb_nr == SB_NR_LREMOVEXATTR|| + sb_nr == SB_NR_LSETXATTR || sb_nr == SB_NR_LUTIMES || sb_nr == SB_NR_MKDIR || sb_nr == SB_NR_MKDIRAT || @@ -794,10 +798,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, sb_nr == SB_NR_MKSTEMPS64 || sb_nr == SB_NR_OPEN_WR || sb_nr == SB_NR_REMOVE || + sb_nr == SB_NR_REMOVEXATTR || sb_nr == SB_NR_RENAME || sb_nr == SB_NR_RENAMEAT|| sb_nr == SB_NR_RENAMEAT2 || sb_nr == SB_NR_RMDIR || + sb_nr == SB_NR_SETXATTR|| sb_nr == SB_NR_SYMLINK || sb_nr == SB_NR_SYMLINKAT || sb_nr == SB_NR_TRUNCATE|| diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in index
[gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, tests/, libsandbox/
commit: 55087abd8dc9802cf68cade776fe612a3f19f6a1 Author: Mike Frysinger gentoo org> AuthorDate: Wed Feb 17 00:23:53 2016 + Commit: Mike Frysinger gentoo org> CommitDate: Wed Feb 17 00:23:53 2016 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=55087abd libsandbox: use ptrace on apps that interpose their own allocator If an app installs its own memory allocator by overriding the internal glibc symbols, then we can easily hit a loop that cannot be broken: the dlsym functions can attempt to allocate memory, and sandbox relies on them to find the "real" functions. So when someone calls a symbol that the sandbox protects, we call dlsym, and that calls malloc, which calls back into the app, and their allocator might use another symbol such as open ... which is protected by the sandbox. So we hit the loop like: -> open -> libsandbox:open -> dlsym -> malloc -> open -> libsandbox:open -> dlsym -> malloc -> ... Change the exec checking logic to scan the ELF instead. If it exports these glibc symbols, then we have to assume it can trigger a loop, so scrub the sandbox environment to prevent us from being loaded. Then we use the out-of-process tracer (i.e. ptrace). This should generally be as robust anyways ... if it's not, that's a bug we want to fix as this is the same code used for static apps. URL: http://crbug.com/586444 Reported-by: Ryo Hashimoto chromium.org> Signed-off-by: Mike Frysinger gentoo.org> libsandbox/libsandbox.c | 72 ++--- libsandbox/libsandbox.h | 2 +- libsandbox/wrapper-funcs/__wrapper_exec.c | 126 ++ tests/Makefile.am | 3 + tests/malloc-2.sh | 4 + tests/malloc.at | 1 + tests/malloc_hooked_tst.c | 44 +++ 7 files changed, 210 insertions(+), 42 deletions(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 2bcff95..7555862 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -1137,7 +1137,7 @@ typedef struct { * XXX: Might be much nicer if we could serialize these vars behind the back of * the program. Might be hard to handle LD_PRELOAD though ... */ -char **sb_check_envp(char **envp, size_t *mod_cnt) +char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert) { char **my_env; char *entry; @@ -1194,7 +1194,8 @@ char **sb_check_envp(char **envp, size_t *mod_cnt) } /* If we found everything, there's nothing to do! */ - if (num_vars == found_var_cnt) + if ((insert && num_vars == found_var_cnt) || + (!insert && found_var_cnt == 0)) /* Use the user's envp */ return envp; @@ -1217,33 +1218,50 @@ char **sb_check_envp(char **envp, size_t *mod_cnt) } my_env = NULL; - if (mod_cnt) { - /* Count directly due to variability with LD_PRELOAD and the value -* logic below. Getting out of sync can mean memory corruption. */ - *mod_cnt = 0; - if (unlikely(merge_ld_preload)) { - str_list_add_item(my_env, ld_preload, error); - (*mod_cnt)++; - } - for (i = 0; i < num_vars; ++i) { - if (found_vars[i] || !vars[i].value) - continue; - str_list_add_item_env(my_env, vars[i].name, vars[i].value, error); - (*mod_cnt)++; - } - - str_list_for_each_item(envp, entry, count) { - if (unlikely(merge_ld_preload && is_env_var(entry, vars[0].name, vars[0].len))) - continue; - str_list_add_item(my_env, entry, error); + if (!insert) { + if (mod_cnt) { + str_list_for_each_item(envp, entry, count) { + for (i = 0; i < num_vars; ++i) + if (is_env_var(entry, vars[i].name, vars[i].len)) { + (*mod_cnt)++; + goto skip; + } + str_list_add_item(my_env, entry, error); + skip: ; + } + } else { + for (i = 0; i < num_vars; ++i) + unsetenv(vars[i].name); } } else { - if (unlikely(merge_ld_preload)) - putenv(ld_preload); - for (i = 0; i < num_vars; ++i) { - if (found_vars[i] || !vars[i].value) - continue; - setenv(vars[i].name, vars[i].value, 1); + if (mod_cnt) { + /* Count
[gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, tests/, libsandbox/
commit: 87f753cf677137f8d6c06c56ee6cc4db11ec71b0 Author: Mike Frysinger gentoo org> AuthorDate: Sat Feb 23 05:28:42 2013 + Commit: Mike Frysinger gentoo org> CommitDate: Sat Feb 23 05:28:42 2013 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=87f753cf libsandbox: preserve more SANDBOX env vars While we took pains to preserve the LD_PRELOAD setting, this doesn't help us too much in practice. If a process is going out of its way to blow away LD_PRELOAD, chances are good it's blowing away all vars it doesn't know about. That means all of our SANDBOX_XXX settings. Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX env vars, make sure we preserve those as well. These changes also imply some behavioral differences from older versions. Previously, you could `unset` a sandbox var in order to disable it. That no longer works. If you wish to disable things, you have to explicitly set it to "". Signed-off-by: Mike Frysinger gentoo.org> libsandbox/libsandbox.c | 284 -- libsandbox/libsandbox.h | 2 + libsandbox/wrapper-funcs/__wrapper_exec.c | 84 + tests/Makefile.am | 2 +- tests/mkdir-3.sh | 2 +- tests/script-10.sh| 21 +++ tests/script.at | 1 + 7 files changed, 262 insertions(+), 134 deletions(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 5d9a796..4f4589f 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -28,7 +28,8 @@ char sandbox_lib[SB_PATH_MAX]; typedef struct { - bool show_access_violation; + bool show_access_violation, on, active, testing, verbose, debug; + char *ld_library_path; char **prefixes[5]; int num_prefixes[5]; #define deny_prefixes prefixes[0] @@ -43,6 +44,7 @@ typedef struct { #define num_write_denied_prefixes num_prefixes[4] #define MAX_DYN_PREFIXES 4 /* the first 4 are dynamic */ } sbcontext_t; +static sbcontext_t sbcontext; static char *cached_env_vars[MAX_DYN_PREFIXES]; static char log_path[SB_PATH_MAX]; @@ -57,8 +59,7 @@ FILE *(*sbio_popen)(const char *, const char *) = sb_unwrapped_popen; static char *resolve_path(const char *, int); static int check_prefixes(char **, int, const char *); static void clean_env_entries(char ***, int *); -static void init_context(sbcontext_t *); -static void init_env_entries(char ***, int *, const char *, const char *, int); +static void sb_process_env_settings(void); const char *sbio_message_path; const char sbio_fallback_path[] = "/dev/tty"; @@ -84,6 +85,20 @@ void libsb_init(void) get_sandbox_debug_log(debug_log_path, NULL); get_sandbox_message_path(message_path); sbio_message_path = message_path; + + memset(, 0x00, sizeof(sbcontext)); + sbcontext.show_access_violation = true; + + sb_process_env_settings(); + is_sandbox_on(); + sbcontext.verbose = is_env_on(ENV_SANDBOX_VERBOSE); + sbcontext.debug = is_env_on(ENV_SANDBOX_DEBUG); + sbcontext.testing = is_env_on(ENV_SANDBOX_TESTING); + if (sbcontext.testing) { + const char *ldpath = getenv("LD_LIBRARY_PATH"); + if (ldpath) + sbcontext.ld_library_path = xstrdup(ldpath); + } } /* resolve_dirfd_path - get the path relative to a dirfd @@ -445,12 +460,6 @@ static bool write_logfile(const char *logfile, const char *func, const char *pat return ret; } -static void init_context(sbcontext_t *context) -{ - memset(context, 0x00, sizeof(*context)); - context->show_access_violation = true; -} - static void clean_env_entries(char ***prefixes_array, int *prefixes_num) { if (*prefixes_array == NULL) @@ -555,6 +564,43 @@ done: return; } +static void sb_process_env_settings(void) +{ + static const char * const sb_env_names[4] = { + ENV_SANDBOX_DENY, + ENV_SANDBOX_READ, + ENV_SANDBOX_WRITE, + ENV_SANDBOX_PREDICT, + }; + + size_t i; + for (i = 0; i < ARRAY_SIZE(sb_env_names); ++i) { + char *sb_env = getenv(sb_env_names[i]); + + /* Allow the vars to change values, but not be unset. +* See sb_check_envp() for more details. */ + if (!sb_env) + continue; + + if (/*(!sb_env && cached_env_vars[i]) || -- see above */ + !cached_env_vars[i] || + strcmp(cached_env_vars[i], sb_env) != 0) + { + clean_env_entries([i], _prefixes[i]); + + if (cached_env_vars[i]) + free(cached_env_vars[i]); + + if (sb_env) { + init_env_entries([i], _prefixes[i], +