[gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, tests/, /, libsandbox/
commit: 701486a499631955c150344559762ac301147833
Author: Mike Frysinger gentoo org>
AuthorDate: Fri Oct 22 03:20:21 2021 +
Commit: Mike Frysinger gentoo org>
CommitDate: Fri Oct 22 04:15:04 2021 +
URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=701486a4
libsandbox: add xattr wrappers #672566
These modify the filesystem, so don't let them do their business.
Fixes: https://bugs.gentoo.org/672566
Signed-off-by: Mike Frysinger gentoo.org>
configure.ac| 5 +
headers.h | 3 +++
libsandbox/libsandbox.c | 24 +++-
libsandbox/symbols.h.in | 4
libsandbox/wrapper-funcs/lremovexattr.c | 11 +++
libsandbox/wrapper-funcs/lsetxattr.c| 11 +++
libsandbox/wrapper-funcs/removexattr.c | 11 +++
libsandbox/wrapper-funcs/setxattr.c | 11 +++
tests/Makefile.am | 4
tests/lremovexattr-0.c | 15 +++
tests/lsetxattr-0.c | 24
tests/removexattr-0.c | 15 +++
tests/removexattr-1.sh | 13 +
tests/removexattr.at| 1 +
tests/setxattr-0.c | 24
tests/setxattr-1.sh | 13 +
tests/setxattr.at | 1 +
tests/tests.h | 1 +
18 files changed, 182 insertions(+), 9 deletions(-)
diff --git a/configure.ac b/configure.ac
index e16892f..96c602f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -143,6 +143,7 @@ AC_CHECK_HEADERS_ONCE(m4_flatten([
sys/uio.h
sys/user.h
sys/wait.h
+ sys/xattr.h
asm/ptrace.h
linux/ptrace.h
]))
@@ -185,6 +186,8 @@ AC_CHECK_FUNCS_ONCE(m4_flatten([
getcwd
lchown
linkat
+ lremovexattr
+ lsetxattr
lutimes
memmove
memcpy
@@ -210,10 +213,12 @@ AC_CHECK_FUNCS_ONCE(m4_flatten([
ptrace
realpath
remove
+ removexattr
renameat
renameat2
rmdir
setenv
+ setxattr
strcasecmp
strchr
strdup
diff --git a/headers.h b/headers.h
index 13e005a..605413e 100644
--- a/headers.h
+++ b/headers.h
@@ -143,6 +143,9 @@
#ifdef HAVE_SYS_WAIT_H
# include
#endif
+#ifdef HAVE_SYS_XATTR_H
+# include
+#endif
#ifdef __ia64__ /* what a pos */
# define ia64_fpreg FU_ia64_fpreg
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index c00c92c..beaf305 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -676,15 +676,17 @@ static bool symlink_func(int sb_nr, int flags, const char
*abs_path)
struct stat st;
/* These funcs always operate on symlinks */
- if (!(sb_nr == SB_NR_UNLINK ||
- sb_nr == SB_NR_UNLINKAT ||
- sb_nr == SB_NR_LCHOWN ||
- sb_nr == SB_NR_REMOVE ||
- sb_nr == SB_NR_RENAME ||
- sb_nr == SB_NR_RENAMEAT ||
- sb_nr == SB_NR_RENAMEAT2||
- sb_nr == SB_NR_RMDIR||
- sb_nr == SB_NR_SYMLINK ||
+ if (!(sb_nr == SB_NR_UNLINK ||
+ sb_nr == SB_NR_UNLINKAT ||
+ sb_nr == SB_NR_LCHOWN ||
+ sb_nr == SB_NR_LREMOVEXATTR ||
+ sb_nr == SB_NR_LSETXATTR||
+ sb_nr == SB_NR_REMOVE ||
+ sb_nr == SB_NR_RENAME ||
+ sb_nr == SB_NR_RENAMEAT ||
+ sb_nr == SB_NR_RENAMEAT2||
+ sb_nr == SB_NR_RMDIR||
+ sb_nr == SB_NR_SYMLINK ||
sb_nr == SB_NR_SYMLINKAT))
{
/* These funcs sometimes operate on symlinks */
@@ -776,6 +778,8 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr,
const char *func,
sb_nr == SB_NR_LCHOWN ||
sb_nr == SB_NR_LINK||
sb_nr == SB_NR_LINKAT ||
+ sb_nr == SB_NR_LREMOVEXATTR||
+ sb_nr == SB_NR_LSETXATTR ||
sb_nr == SB_NR_LUTIMES ||
sb_nr == SB_NR_MKDIR ||
sb_nr == SB_NR_MKDIRAT ||
@@ -794,10 +798,12 @@ static int check_access(sbcontext_t *sbcontext, int
sb_nr, const char *func,
sb_nr == SB_NR_MKSTEMPS64 ||
sb_nr == SB_NR_OPEN_WR ||
sb_nr == SB_NR_REMOVE ||
+ sb_nr == SB_NR_REMOVEXATTR ||
sb_nr == SB_NR_RENAME ||
sb_nr == SB_NR_RENAMEAT||
sb_nr == SB_NR_RENAMEAT2 ||
sb_nr == SB_NR_RMDIR ||
+ sb_nr == SB_NR_SETXATTR||
sb_nr == SB_NR_SYMLINK ||
sb_nr == SB_NR_SYMLINKAT ||
sb_nr == SB_NR_TRUNCATE||
diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in
index
[gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, tests/, libsandbox/
commit: 55087abd8dc9802cf68cade776fe612a3f19f6a1
Author: Mike Frysinger gentoo org>
AuthorDate: Wed Feb 17 00:23:53 2016 +
Commit: Mike Frysinger gentoo org>
CommitDate: Wed Feb 17 00:23:53 2016 +
URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=55087abd
libsandbox: use ptrace on apps that interpose their own allocator
If an app installs its own memory allocator by overriding the internal
glibc symbols, then we can easily hit a loop that cannot be broken: the
dlsym functions can attempt to allocate memory, and sandbox relies on
them to find the "real" functions. So when someone calls a symbol that
the sandbox protects, we call dlsym, and that calls malloc, which calls
back into the app, and their allocator might use another symbol such as
open ... which is protected by the sandbox. So we hit the loop like:
-> open -> libsandbox:open -> dlsym -> malloc -> open ->
libsandbox:open -> dlsym -> malloc -> ...
Change the exec checking logic to scan the ELF instead. If it exports
these glibc symbols, then we have to assume it can trigger a loop, so
scrub the sandbox environment to prevent us from being loaded. Then we
use the out-of-process tracer (i.e. ptrace). This should generally be
as robust anyways ... if it's not, that's a bug we want to fix as this
is the same code used for static apps.
URL: http://crbug.com/586444
Reported-by: Ryo Hashimoto chromium.org>
Signed-off-by: Mike Frysinger gentoo.org>
libsandbox/libsandbox.c | 72 ++---
libsandbox/libsandbox.h | 2 +-
libsandbox/wrapper-funcs/__wrapper_exec.c | 126 ++
tests/Makefile.am | 3 +
tests/malloc-2.sh | 4 +
tests/malloc.at | 1 +
tests/malloc_hooked_tst.c | 44 +++
7 files changed, 210 insertions(+), 42 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 2bcff95..7555862 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -1137,7 +1137,7 @@ typedef struct {
* XXX: Might be much nicer if we could serialize these vars behind the back of
* the program. Might be hard to handle LD_PRELOAD though ...
*/
-char **sb_check_envp(char **envp, size_t *mod_cnt)
+char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert)
{
char **my_env;
char *entry;
@@ -1194,7 +1194,8 @@ char **sb_check_envp(char **envp, size_t *mod_cnt)
}
/* If we found everything, there's nothing to do! */
- if (num_vars == found_var_cnt)
+ if ((insert && num_vars == found_var_cnt) ||
+ (!insert && found_var_cnt == 0))
/* Use the user's envp */
return envp;
@@ -1217,33 +1218,50 @@ char **sb_check_envp(char **envp, size_t *mod_cnt)
}
my_env = NULL;
- if (mod_cnt) {
- /* Count directly due to variability with LD_PRELOAD and the
value
-* logic below. Getting out of sync can mean memory
corruption. */
- *mod_cnt = 0;
- if (unlikely(merge_ld_preload)) {
- str_list_add_item(my_env, ld_preload, error);
- (*mod_cnt)++;
- }
- for (i = 0; i < num_vars; ++i) {
- if (found_vars[i] || !vars[i].value)
- continue;
- str_list_add_item_env(my_env, vars[i].name,
vars[i].value, error);
- (*mod_cnt)++;
- }
-
- str_list_for_each_item(envp, entry, count) {
- if (unlikely(merge_ld_preload && is_env_var(entry,
vars[0].name, vars[0].len)))
- continue;
- str_list_add_item(my_env, entry, error);
+ if (!insert) {
+ if (mod_cnt) {
+ str_list_for_each_item(envp, entry, count) {
+ for (i = 0; i < num_vars; ++i)
+ if (is_env_var(entry, vars[i].name,
vars[i].len)) {
+ (*mod_cnt)++;
+ goto skip;
+ }
+ str_list_add_item(my_env, entry, error);
+ skip: ;
+ }
+ } else {
+ for (i = 0; i < num_vars; ++i)
+ unsetenv(vars[i].name);
}
} else {
- if (unlikely(merge_ld_preload))
- putenv(ld_preload);
- for (i = 0; i < num_vars; ++i) {
- if (found_vars[i] || !vars[i].value)
- continue;
- setenv(vars[i].name, vars[i].value, 1);
+ if (mod_cnt) {
+ /* Count
[gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, tests/, libsandbox/
commit: 87f753cf677137f8d6c06c56ee6cc4db11ec71b0
Author: Mike Frysinger gentoo org>
AuthorDate: Sat Feb 23 05:28:42 2013 +
Commit: Mike Frysinger gentoo org>
CommitDate: Sat Feb 23 05:28:42 2013 +
URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=87f753cf
libsandbox: preserve more SANDBOX env vars
While we took pains to preserve the LD_PRELOAD setting, this doesn't
help us too much in practice. If a process is going out of its way
to blow away LD_PRELOAD, chances are good it's blowing away all vars
it doesn't know about. That means all of our SANDBOX_XXX settings.
Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX
env vars, make sure we preserve those as well.
These changes also imply some behavioral differences from older
versions. Previously, you could `unset` a sandbox var in order
to disable it. That no longer works. If you wish to disable
things, you have to explicitly set it to "".
Signed-off-by: Mike Frysinger gentoo.org>
libsandbox/libsandbox.c | 284 --
libsandbox/libsandbox.h | 2 +
libsandbox/wrapper-funcs/__wrapper_exec.c | 84 +
tests/Makefile.am | 2 +-
tests/mkdir-3.sh | 2 +-
tests/script-10.sh| 21 +++
tests/script.at | 1 +
7 files changed, 262 insertions(+), 134 deletions(-)
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 5d9a796..4f4589f 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -28,7 +28,8 @@
char sandbox_lib[SB_PATH_MAX];
typedef struct {
- bool show_access_violation;
+ bool show_access_violation, on, active, testing, verbose, debug;
+ char *ld_library_path;
char **prefixes[5];
int num_prefixes[5];
#define deny_prefixes prefixes[0]
@@ -43,6 +44,7 @@ typedef struct {
#define num_write_denied_prefixes num_prefixes[4]
#define MAX_DYN_PREFIXES 4 /* the first 4 are dynamic */
} sbcontext_t;
+static sbcontext_t sbcontext;
static char *cached_env_vars[MAX_DYN_PREFIXES];
static char log_path[SB_PATH_MAX];
@@ -57,8 +59,7 @@ FILE *(*sbio_popen)(const char *, const char *) =
sb_unwrapped_popen;
static char *resolve_path(const char *, int);
static int check_prefixes(char **, int, const char *);
static void clean_env_entries(char ***, int *);
-static void init_context(sbcontext_t *);
-static void init_env_entries(char ***, int *, const char *, const char *, int);
+static void sb_process_env_settings(void);
const char *sbio_message_path;
const char sbio_fallback_path[] = "/dev/tty";
@@ -84,6 +85,20 @@ void libsb_init(void)
get_sandbox_debug_log(debug_log_path, NULL);
get_sandbox_message_path(message_path);
sbio_message_path = message_path;
+
+ memset(, 0x00, sizeof(sbcontext));
+ sbcontext.show_access_violation = true;
+
+ sb_process_env_settings();
+ is_sandbox_on();
+ sbcontext.verbose = is_env_on(ENV_SANDBOX_VERBOSE);
+ sbcontext.debug = is_env_on(ENV_SANDBOX_DEBUG);
+ sbcontext.testing = is_env_on(ENV_SANDBOX_TESTING);
+ if (sbcontext.testing) {
+ const char *ldpath = getenv("LD_LIBRARY_PATH");
+ if (ldpath)
+ sbcontext.ld_library_path = xstrdup(ldpath);
+ }
}
/* resolve_dirfd_path - get the path relative to a dirfd
@@ -445,12 +460,6 @@ static bool write_logfile(const char *logfile, const char
*func, const char *pat
return ret;
}
-static void init_context(sbcontext_t *context)
-{
- memset(context, 0x00, sizeof(*context));
- context->show_access_violation = true;
-}
-
static void clean_env_entries(char ***prefixes_array, int *prefixes_num)
{
if (*prefixes_array == NULL)
@@ -555,6 +564,43 @@ done:
return;
}
+static void sb_process_env_settings(void)
+{
+ static const char * const sb_env_names[4] = {
+ ENV_SANDBOX_DENY,
+ ENV_SANDBOX_READ,
+ ENV_SANDBOX_WRITE,
+ ENV_SANDBOX_PREDICT,
+ };
+
+ size_t i;
+ for (i = 0; i < ARRAY_SIZE(sb_env_names); ++i) {
+ char *sb_env = getenv(sb_env_names[i]);
+
+ /* Allow the vars to change values, but not be unset.
+* See sb_check_envp() for more details. */
+ if (!sb_env)
+ continue;
+
+ if (/*(!sb_env && cached_env_vars[i]) || -- see above */
+ !cached_env_vars[i] ||
+ strcmp(cached_env_vars[i], sb_env) != 0)
+ {
+ clean_env_entries([i],
_prefixes[i]);
+
+ if (cached_env_vars[i])
+ free(cached_env_vars[i]);
+
+ if (sb_env) {
+ init_env_entries([i],
_prefixes[i],
+
