[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: 83b7d3141d66f2b5a2613b677e4673a51a3e9654 Author: Sv. Lockal gmail com> AuthorDate: Sat Jan 27 10:44:55 2024 + Commit: Mike Gilbert gentoo org> CommitDate: Sat Jan 27 18:05:22 2024 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=83b7d314 Fix SIGSEGV in gtest death tests due to small stack In https://github.com/google/googletest/blob/v1.14.0/googletest/src/gtest-death-test.cc#L1307 on x86-64 gtest sallocates 8192 bytes for `clone`: ``` static pid_t ExecDeathTestSpawnChild(char* const* argv, int close_fd) { const auto stack_size = static_cast(getpagesize() * 2); ... child_pid = clone(, stack_top, SIGCHLD, ); ``` After that attempt to call execv is intercepted by libsandbox.so, which allocates 8192 + more bytes multiple times on stack, causing SIGSEGV (instead of expected types of crashes). This PR moves all allocations for related function to heap, so now call path fits `getpagesize() * 2` with large margin. Bug: https://bugs.gentoo.org/923013 Closes: https://github.com/gentoo/sandbox/pull/26 Signed-off-by: Sv. Lockal gmail.com> Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 1f7d3654498e17e0a91c83f57e6265e08628d5fe) libsandbox/libsandbox.c | 34 +- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 6a7368c..e0928bb 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -132,7 +132,8 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, save_errno(); - char fd_path[SB_PATH_MAX]; + char *fd_path = xmalloc(SB_PATH_MAX * sizeof(char)); + size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0); if (trace_pid) { sprintf(fd_path, "/proc/%i/fd/%i", trace_pid, dirfd); 
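Review bot: `xmalloc(SB_PATH_MAX * sizeof(char))` in the new fd_path allocation multiplies by a constant 1; `char *fd_path = xmalloc(SB_PATH_MAX);` says the same thing and matches the `xmalloc(SB_PATH_MAX)` form erealpath uses, and the same spelling recurs in the hunks at -286 and -304 and in resolve_dirfd_path_alloc. The larger concern is that the buffer is now released by a separate `free(fd_path)` ahead of each return (hunks at -148 and -162), so any exit path added later leaks unless its author remembers the free; a single cleanup label at the end of resolve_dirfd_path, reached by `goto` from the error branches, would keep one free for every exit. resolve_dirfd_path starts before this hunk and continues past it.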
@@ -148,12 +149,14 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, /* see comments at end of check_syscall() */ if (errno_is_too_long()) { restore_errno(); + free(fd_path); return 2; } sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", fd_path, strerror(errno)); /* If the fd isn't found, some guys (glibc) expect errno */ if (errno == ENOENT) errno = EBADF; + free(fd_path); return -1; } resolved_path[ret] = '/'; @@ -162,6 +165,7 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, strcat(resolved_path, path); restore_errno(); + free(fd_path); return 0; } @@ -286,7 +290,7 @@ static char *resolve_path(const char *path, int follow_link) } if (!ret) { - char tmp_str1[SB_PATH_MAX]; + char *tmp_str1 = xmalloc(SB_PATH_MAX * sizeof(char)); snprintf(tmp_str1, SB_PATH_MAX, "%s", path); dname = dirname(tmp_str1); @@ -304,7 +308,7 @@ static char *resolve_path(const char *path, int follow_link) filtered_path = NULL; } } else { - char tmp_str2[SB_PATH_MAX]; + char *tmp_str2 = xmalloc(SB_PATH_MAX * sizeof(char)); /* OK, now add the basename to keep our access * checking happy (don't want '/usr/lib' if we * tried to do something with non-existing @@ -316,7 +320,10 @@ static char *resolve_path(const char *path, int follow_link) snprintf(filtered_path + len, SB_PATH_MAX - len, "%s%s", (filtered_path[len - 1] != '/') ? "/" : "", bname); + free(tmp_str2); } + + free(tmp_str1); } } 
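Review bot: The `free(tmp_str1)` added in the hunk at -316 also invalidates `dname`, because `dname = dirname(tmp_str1)` in the hunk at -286 is allowed by POSIX to return a pointer into its argument; the lines between the two hunks are not visible here, so whether `dname` is still read after the free cannot be confirmed, and a comment at the free, `/* dname points into tmp_str1; do not use it past here */`, would make the constraint explicit — the same holds for `tmp_str2` if `bname` is derived from it. Both frees sit at the very end of their blocks, so any early exit added inside those blocks would leak; with the buffers now on the heap the function would benefit from the cleanup-label pattern rather than per-block frees. resolve_path starts before these hunks and continues past them.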
@@ -1034,10 +1041,24 @@ bool is_sandbox_on(void) return result; } +static int resolve_dirfd_path_alloc(int dirfd, const char *path, char **resolved_path) +{ + size_t resolved_path_size = SB_PATH_MAX * sizeof(char); + *resolved_path = xmalloc(resolved_path_size); + int result = resolve_dirfd_path(dirfd, path, *resolved_path, resolved_path_size); + + if (result) { + free(*resolved_path); + *resolved_path = NULL; + } + + return result; +} + bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, int flags) { int result; - char at_file_buf[SB_PATH_MAX]; + char *at_file_buf; /* Some funcs operate on a fd directly and so filename is NULL, but * the rest should
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: f7d02c04b2a8e395f478bda03306fb68fb44ba4c Author: Mike Gilbert gentoo org> AuthorDate: Mon Jan 8 19:59:35 2024 + Commit: Mike Gilbert gentoo org> CommitDate: Mon Jan 22 21:41:13 2024 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f7d02c04 libsandbox: stat the original path for EEXIST hackaround Resolves an issue that can occur with paths that contain parent directory references (/../). If part of the path does not exist, the sandboxed program should get ENOENT, not EEXIST. If we use the canonicalized path, intermediate paths will be eliminated and we produce the wrong result. Bug: https://bugs.gentoo.org/921581 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit ef9208bea4e0f0dff5abf358002565f36e4d7a8d) libsandbox/pre_check_mkdirat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsandbox/pre_check_mkdirat.c b/libsandbox/pre_check_mkdirat.c
index b1e86cf..49c382a 100644
--- a/libsandbox/pre_check_mkdirat.c
+++ b/libsandbox/pre_check_mkdirat.c
@@ -37,7 +37,7 @@ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
  * will trigger a sandbox violation.
  */
 struct stat64 st;
- if (0 == lstat64(canonic, )) {
+ if (0 == lstat64(pathname, )) {
 int new_errno;
 sb_debug_dyn("EARLY FAIL: %s(%s[%s]) @ lstat: %s\n",
 func, pathname, canonic, strerror(errno));
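Review bot: The replacement `lstat64(pathname, &st)` resolves a relative `pathname` against the current working directory, but sb_mkdirat_pre_check also receives `dirfd`, and for a dirfd other than AT_FDCWD the kernel resolves that same relative name against the directory fd, so the early EEXIST/ENOENT decision can be taken on the wrong file. `if (0 == fstatat64(dirfd, pathname, &st, AT_SYMLINK_NOFOLLOW)) {` keeps the no-follow semantics of lstat and honours dirfd; libsbutil/sb_exists.c already calls fstatat64 the same way. If `canonic` was built with dirfd taken into account, the old code handled that case and the new line regresses it, so a test with a non-AT_FDCWD dirfd and a relative path is worth adding. The function starts before this hunk and continues past it.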
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: ebaca399acb215cf4dd8a06a74a6d436047b3711 Author: Mike Gilbert gentoo org> AuthorDate: Sun Aug 6 00:41:15 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:41:15 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ebaca399 v2.38 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index ba878ef..7d32dd7 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.37], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.38], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: 0d063e31d575fb0a94b56219cafb0a198215b7aa Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:11:58 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:52 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=0d063e31 erealpath: drop unused path_max variable The SB_PATH_MAX macro is always defined, so this variable was pointless. Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 128d5b32b301a552299feff7cc64e5f8f7c4fee7) libsandbox/canonicalize.c | 26 +- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c index f742ed4..f282bdd 100644 --- a/libsandbox/canonicalize.c +++ b/libsandbox/canonicalize.c @@ -49,7 +49,6 @@ erealpath(const char *name, char *resolved) { char *rpath, *dest, *recover; const char *start, *end, *rpath_limit; - long int path_max; if (name == NULL) { /* As per Single Unix Specification V2 we must return an error if @@ -66,16 +65,9 @@ erealpath(const char *name, char *resolved) __set_errno(ENOENT); return NULL; } -#ifdef SB_PATH_MAX - path_max = SB_PATH_MAX; -#else - path_max = pathconf(name, _PC_PATH_MAX); - if (path_max <= 0) - path_max = 1024; -#endif if (resolved == NULL) { - rpath = xmalloc(path_max); + rpath = xmalloc(SB_PATH_MAX); } else { /* We can't handle resolving a buffer inline, so demand * separate read and write strings. @@ -83,11 +75,11 @@ erealpath(const char *name, char *resolved) sb_assert(name != resolved); rpath = resolved; } - rpath_limit = rpath + path_max; + rpath_limit = rpath + SB_PATH_MAX; recover = NULL; if (name[0] != '/') { - if (!egetcwd(rpath, path_max)) { + if (!egetcwd(rpath, SB_PATH_MAX)) { rpath[0] = '\0'; goto error; } 
@@ -110,16 +102,16 @@ erealpath(const char *name, char *resolved) if (lstat64(rpath, )) break; if (S_ISLNK(st.st_mode)) { - ssize_t cnt = readlink(rpath, rpath, path_max); + ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX); if (cnt == -1) break; rpath[cnt] = '\0'; if (p) { size_t bytes_left = strlen(p); - if (bytes_left >= path_max) + if (bytes_left >= SB_PATH_MAX) break; strncat(rpath, name + (p - rpath + 1), - path_max - bytes_left - 1); + SB_PATH_MAX - bytes_left - 1); } /* Ok, we have a chance at something better. If @@ -187,10 +179,10 @@ erealpath(const char *name, char *resolved) goto error; } new_size = rpath_limit - rpath; - if (end - start + 1 > path_max) + if (end - start + 1 > SB_PATH_MAX) new_size += end - start + 1; else - new_size += path_max; + new_size += SB_PATH_MAX; new_rpath = (char *) xrealloc(rpath, new_size); rpath = new_rpath; rpath_limit = rpath + new_size; @@ -213,7 +205,7 @@ erealpath(const char *name, char *resolved) error: if (resolved) - snprintf(resolved, path_max, "%s", rpath); + snprintf(resolved, SB_PATH_MAX, "%s", rpath); else free(rpath); free(recover);
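Review bot: In the hunk at -213, `snprintf(resolved, SB_PATH_MAX, "%s", rpath)` runs with `rpath == resolved` whenever `resolved` is non-NULL, because the hunk at -83 sets `rpath = resolved` in that case, unless rpath is reassigned in lines not shown here; copying a buffer onto itself through snprintf is formally undefined (C11 7.21.6.5 forbids overlapping source and destination) even if it is harmless on glibc. Guarding the copy with `if (resolved && rpath != resolved)` removes the undefined behaviour without changing what callers observe. erealpath starts before these hunks and its error path ends outside them.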
[gentoo-commits] proj/sandbox:stable-2.x commit in: src/
commit: 3ad50e42b3a55bfa2713f0bbdc496b7c78fd8038 Author: gto2023 mailbox org> AuthorDate: Thu Jul 13 11:55:09 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:52 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=3ad50e42 sandbox: prevent possible use of uninitialized members of sandbox_info struct Signed-off-by: gto2023 mailbox.org> Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 5d13985d6ec4ceeced9b9b45f00bc19c69efbb8f) src/sandbox.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sandbox.c b/src/sandbox.c index f4ffd20..9c3e0da 100644 --- a/src/sandbox.c +++ b/src/sandbox.c @@ -211,7 +211,7 @@ int main(int argc, char **argv) { int sandbox_log_presence = 0; - struct sandbox_info_t sandbox_info; + struct sandbox_info_t sandbox_info = {}; char **sandbox_environ; char **argv_bash = NULL;
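Review bot: `struct sandbox_info_t sandbox_info = {};` relies on the empty-initializer extension that only becomes standard in C23; GCC and Clang accept it, but `-pedantic` warns and other compilers reject it. `struct sandbox_info_t sandbox_info = {0};` zero-initialises every member under any C standard and is the conventional spelling. main continues past the hunk.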
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: c2f63554e729401f8ef44dbf3eb67ecc12ece58c Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:14:09 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:52 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=c2f63554 erealpath: leave space for a trailing '\0' in readlink's buffer Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 1c9a17d40de6dd3ea5b7aacaa76878357350881b) libsandbox/canonicalize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c
index f282bdd..6c9a2d6 100644
--- a/libsandbox/canonicalize.c
+++ b/libsandbox/canonicalize.c
@@ -102,7 +102,7 @@ erealpath(const char *name, char *resolved)
 if (lstat64(rpath, ))
 break;
 if (S_ISLNK(st.st_mode)) {
- ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX);
+ ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX - 1);
 if (cnt == -1)
 break;
 rpath[cnt] = '\0';
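Review bot: The `- 1` in `readlink(rpath, rpath, SB_PATH_MAX - 1)` is the whole fix but is explained only by the commit title; a comment on that line, `/* keep one byte for the '\0' written below */`, ties it to the `rpath[cnt] = '\0'` two lines down. The same line still passes `rpath` as both the path and the output buffer, which readlink's restrict-qualified parameters forbid; that is handled by commit e4f9687b on this branch. erealpath starts and ends outside the hunk.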
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: e4f9687b0517a691a82693c3bd772516fee01762 Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:18:53 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:53 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=e4f9687b erealpath: use separate buffer for readlink Fixes a compiler warning: ``` warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict] ``` Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 8c3bc21729c3ad13295b586cd185b2b5da686731) libsandbox/canonicalize.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libsandbox/canonicalize.c b/libsandbox/canonicalize.c
index 6c9a2d6..f8d32f0 100644
--- a/libsandbox/canonicalize.c
+++ b/libsandbox/canonicalize.c
@@ -102,10 +102,12 @@ erealpath(const char *name, char *resolved)
 if (lstat64(rpath, ))
 break;
 if (S_ISLNK(st.st_mode)) {
- ssize_t cnt = readlink(rpath, rpath, SB_PATH_MAX - 1);
+ char buffer[SB_PATH_MAX];
+ ssize_t cnt = readlink(rpath, buffer, SB_PATH_MAX - 1);
 if (cnt == -1)
 break;
- rpath[cnt] = '\0';
+ buffer[cnt] = '\0';
+ strcpy(rpath, buffer);
 if (p) {
 size_t bytes_left = strlen(p);
 if (bytes_left >= SB_PATH_MAX)
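Review bot: The new `char buffer[SB_PATH_MAX];` puts another SB_PATH_MAX-byte array on the stack inside erealpath, which is exactly the class of allocation commit 83b7d314 on this branch moves out of libsandbox.c because intercepted calls can run on an 8 KiB clone() stack; if erealpath is reached on that same intercept path (resolve_path appears to call it), this buffer reintroduces the pressure that change relieves, and a heap buffer would be consistent with it. Separately, `readlink` with `SB_PATH_MAX - 1` silently truncates a longer link target and `strcpy(rpath, buffer)` then canonicalises the truncated name; treating a full buffer like the readlink failure just above, `if (cnt == SB_PATH_MAX - 1) break;`, would surface that instead of resolving the wrong path. erealpath starts before and continues past the hunk.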
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: ae2cb037f024a2bd417c6a241d907390876ecc8a Author: Mike Gilbert gentoo org> AuthorDate: Sat Aug 5 19:39:21 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:53 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ae2cb037 resolve_dirfd_path: use separate buffer for readlink Fixes a compile warning: ``` warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict] ``` Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 4b27824ee27013c672f75bce2066c950a71280d2) libsandbox/libsandbox.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 4edcf60..6a7368c 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -132,24 +132,25 @@ int resolve_dirfd_path(int dirfd, const char *path, char *resolved_path, save_errno(); + char fd_path[SB_PATH_MAX]; size_t at_len = resolved_path_len - 1 - 1 - (path ? strlen(path) : 0); if (trace_pid) { - sprintf(resolved_path, "/proc/%i/fd/%i", trace_pid, dirfd); + sprintf(fd_path, "/proc/%i/fd/%i", trace_pid, dirfd); } else { /* If /proc was mounted by a process in a different pid namespace, * getpid cannot be used to create a valid /proc/ path. Instead * use sb_get_fd_dir() which works in any case. */ - sprintf(resolved_path, "%s/%i", sb_get_fd_dir(), dirfd); + sprintf(fd_path, "%s/%i", sb_get_fd_dir(), dirfd); } - ssize_t ret = readlink(resolved_path, resolved_path, at_len); + ssize_t ret = readlink(fd_path, resolved_path, at_len); if (ret == -1) { /* see comments at end of check_syscall() */ if (errno_is_too_long()) { restore_errno(); return 2; } - sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", resolved_path, strerror(errno)); + sb_debug_dyn("AT_FD LOOKUP fail: %s: %s\n", fd_path, strerror(errno)); /* If the fd isn't found, some guys (glibc) expect errno */ if (errno == ENOENT) errno = EBADF;
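Review bot: `sprintf(fd_path, "%s/%i", sb_get_fd_dir(), dirfd)` writes into the new fixed-size `fd_path` with no bound, and the length of what sb_get_fd_dir() returns is not visible here; `snprintf(fd_path, sizeof fd_path, "%s/%i", sb_get_fd_dir(), dirfd);` (and the same for the `/proc/%i/fd/%i` form) costs nothing and removes the dependency on that length. Separately, `at_len = resolved_path_len - 1 - 1 - strlen(path)` is unsigned arithmetic: if any caller can pass a `path` longer than `resolved_path_len - 2` it wraps and the bound handed to readlink becomes effectively unlimited; that line is context rather than new code, but an explicit length check ahead of it, `if (path && strlen(path) + 2 > resolved_path_len)`, would close the gap unless callers already guarantee it. resolve_dirfd_path starts before the hunk and continues past it.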
[gentoo-commits] proj/sandbox:stable-2.x commit in: src/
commit: b0b2afb1941f540126aa510d47636cd8d2cf9ad8 Author: gto2023 mailbox org> AuthorDate: Thu Jul 13 11:59:24 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Aug 6 00:39:52 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=b0b2afb1 sandbox: do not compare array to NULL Fixes a compiler warning: ``` src/environ.c:211:19: warning: the comparison will always evaluate as ‘true’ for the address of ‘work_dir’ will never be NULL [-Waddress] ``` Bug: https://bugs.gentoo.org/906234 Signed-off-by: gto2023 mailbox.org> Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 7f230519475c2aaea91df75b0165d8b6c03b9fa9) src/environ.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/environ.c b/src/environ.c index 542dd64..2b28c0b 100644 --- a/src/environ.c +++ b/src/environ.c @@ -208,7 +208,7 @@ static int setup_cfg_vars(struct sandbox_info_t *sandbox_info) if (-1 == setup_access_var(ENV_SANDBOX_WRITE)) return -1; if ((NULL == getenv(ENV_SANDBOX_WRITE)) && - (NULL != sandbox_info->work_dir)) + strlen(sandbox_info->work_dir)) setenv(ENV_SANDBOX_WRITE, sandbox_info->work_dir, 1); if (-1 == setup_access_var(ENV_SANDBOX_PREDICT))
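Review bot: `strlen(sandbox_info->work_dir)` walks the whole string to answer an emptiness question; `sandbox_info->work_dir[0] != '\0'` states the intent directly and is constant-time. Either form assumes `work_dir` is NUL-terminated, which holds once sandbox_info is zero-initialised (commit 3ad50e42 on this branch) but was not guaranteed before that; a short comment on the condition would tie the two together. setup_cfg_vars starts before the hunk and continues past it.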
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/trace/, libsandbox/, libsandbox/trace/linux/, /, src/
commit: 9a5171e20f695cb18f7c860ba443d0839df6d4a3 Author: Sam James gentoo org> AuthorDate: Fri Jul 21 14:57:05 2023 + Commit: Sam James gentoo org> CommitDate: Sat Aug 5 04:32:37 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9a5171e2 Rename multiple personalities feature "schizo" isn't a particularly sensitive term, and it's not very clear what it means to non-native English speakers anyway. Name it after what the feature really does: multiple (Linux) personality support using ptrace. Signed-off-by: Sam James gentoo.org> (cherry picked from commit f342efa52fb54c55f009b694af1899e431300629) configure.ac| 50 - libsandbox/local.mk | 8 +++ libsandbox/trace/common.c | 2 +- libsandbox/trace/linux/i386.c | 2 +- libsandbox/trace/linux/s390.c | 6 ++--- libsandbox/trace/linux/sparc.c | 6 ++--- libsandbox/trace/linux/x86_64.c | 8 +++ src/options.c | 6 ++--- 8 files changed, 44 insertions(+), 44 deletions(-) diff --git a/configure.ac b/configure.ac index de0dc2b..8eb60a4 100644 --- a/configure.ac +++ b/configure.ac @@ -47,12 +47,12 @@ AC_PREFIX_DEFAULT([/usr]) dnl multiple personality support (x86 & x86_64: multilib) AC_MSG_CHECKING([for multiple personalities]) -AC_ARG_ENABLE([schizo], - [AS_HELP_STRING([--enable-schizo],[Support multiple personalities])], - [],[enable_schizo="auto"]) -AC_MSG_RESULT([$enable_schizo]) -SB_SCHIZO_SETTINGS= -AC_DEFUN([SB_CHECK_SCHIZO],[dnl +AC_ARG_ENABLE([personalities], + [AS_HELP_STRING([--enable-personalities],[Support multiple Linux personalities using ptrace])], + [],[enable_personalities="auto"]) +AC_MSG_RESULT([$enable_personalities]) +SB_PERSONALITIES_SETTINGS= +AC_DEFUN([SB_CHECK_PERSONALITIES],[dnl AC_MSG_CHECKING([checking for $1/$2 compiler support]) ac_save_CFLAGS=$CFLAGS CFLAGS="$CFLAGS $2" 
@@ -61,42 +61,42 @@ AC_DEFUN([SB_CHECK_SCHIZO],[dnl ], [ return 0 ], [ - enable_schizo=yes - AS_VAR_APPEND([SB_SCHIZO_SETTINGS], " $1:$2") - AS_VAR_APPEND([SB_SCHIZO_HEADERS], " libsandbox/trace_syscalls_$1.h") + enable_personalities=yes + AS_VAR_APPEND([SB_PERSONALITIES_SETTINGS], " $1:$2") + AS_VAR_APPEND([SB_PERSONALITIES_HEADERS], " libsandbox/trace_syscalls_$1.h") AC_MSG_RESULT([yes]) - AC_DEFINE_UNQUOTED([SB_SCHIZO_$1], 1, [Support for $1/$2 is available]) + AC_DEFINE_UNQUOTED([SB_PERSONALITIES_$1], 1, [Support for $1/$2 is available]) ], [ AC_MSG_RESULT([no]) ]) CFLAGS=$ac_save_CFLAGS ]) -if test "x$enable_schizo" != "xno" ; then - enable_schizo=no +if test "x$enable_personalities" != "xno" ; then + enable_personalities=no case $host in i686*linux*|\ x86_64*linux*) - SB_CHECK_SCHIZO([x86_64], [-m64]) - SB_CHECK_SCHIZO([x86], [-m32]) - SB_CHECK_SCHIZO([x32], [-mx32]) + SB_CHECK_PERSONALITIES([x86_64], [-m64]) + SB_CHECK_PERSONALITIES([x86], [-m32]) + SB_CHECK_PERSONALITIES([x32], [-mx32]) ;; s390*linux*) - SB_CHECK_SCHIZO([s390x], [-m64]) - SB_CHECK_SCHIZO([s390], [-m31]) + SB_CHECK_PERSONALITIES([s390x], [-m64]) + SB_CHECK_PERSONALITIES([s390], [-m31]) ;; sparc*linux*) - SB_CHECK_SCHIZO([sparc64], [-m64]) - SB_CHECK_SCHIZO([sparc], [-m32]) + SB_CHECK_PERSONALITIES([sparc64], [-m64]) + SB_CHECK_PERSONALITIES([sparc], [-m32]) ;; esac - SB_SCHIZO_SETTINGS=${SB_SCHIZO_SETTINGS# } - if test "x$enable_schizo" != "xno" ; then - AC_DEFINE_UNQUOTED([SB_SCHIZO], ["$SB_SCHIZO_SETTINGS"], [Enable multiple personalities support]) + SB_PERSONALITIES_SETTINGS=${SB_PERSONALITIES_SETTINGS# } + if test "x$enable_personalities" != "xno" ; then + AC_DEFINE_UNQUOTED([SB_PERSONALITIES], ["$SB_PERSONALITIES_SETTINGS"], [Enable multiple personalities support]) fi fi -AC_SUBST(SB_SCHIZO_SETTINGS) -AC_SUBST(SB_SCHIZO_HEADERS) -AM_CONDITIONAL([SB_SCHIZO], [test "x$enable_schizo" != "xno"]) +AC_SUBST(SB_PERSONALITIES_SETTINGS) +AC_SUBST(SB_PERSONALITIES_HEADERS) 
+AM_CONDITIONAL([SB_PERSONALITIES], [test "x$enable_personalities" != "xno"]) dnl this test fills up the stack and then triggers a segfault ... dnl but it's hard to wrap things without a stack, so let's ignore diff --git a/libsandbox/local.mk b/libsandbox/local.mk index 50bc54d..dd78a76 100644 ---
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: fa7aa29903a6dc57fdb5dd3b6b8c4c5a7ad7126f Author: Sam James gentoo org> AuthorDate: Fri Jul 21 15:05:56 2023 + Commit: Sam James gentoo org> CommitDate: Sat Aug 5 04:32:48 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=fa7aa299 configure.ac: fix whitespace Signed-off-by: Sam James gentoo.org> (cherry picked from commit 62ce93feaa51f9e3a490ef522e0bad91f666ebe1) configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 847bc4c..ba878ef 100644 --- a/configure.ac +++ b/configure.ac @@ -343,7 +343,7 @@ if test x"$have_rtld_next" = xyes ; then AC_DEFINE([HAVE_RTLD_NEXT], [1], [Have RTLD_NEXT enabled libc]) fi -dnl we need to handle symbols differently based upon their version, +dnl we need to handle symbols differently based upon their version, dnl but we have to know which symbols the libc supports first AC_MSG_CHECKING([libc path]) echo "int main(void) { return 0; }" > libctest.c @@ -381,7 +381,7 @@ AC_DEFINE_UNQUOTED([LIBC_PATH], ["$LIBC_PATH"], [Full path to the libc]) AC_MSG_RESULT([$LIBC_PATH]) AC_SUBST([LIBC_PATH]) -dnl when intercepting libc calls, we have to know the name of the +dnl when intercepting libc calls, we have to know the name of the dnl libc to load and search with dl*() calls AC_MSG_CHECKING([libc version]) dnl the sed script at the end here looks funny but it's ok ...
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: 38507cc25cebe228d72cb75a2ab4acfaacf2a5fe Author: Sam James gentoo org> AuthorDate: Fri Jul 21 15:04:23 2023 + Commit: Sam James gentoo org> CommitDate: Sat Aug 5 04:32:44 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=38507cc2 configure.ac: cleanup error messages Signed-off-by: Sam James gentoo.org> (cherry picked from commit 4f42e1984227012797030839b5e757a6da147141) configure.ac | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index 8eb60a4..847bc4c 100644 --- a/configure.ac +++ b/configure.ac @@ -293,18 +293,18 @@ if test x"$va_copy" != xva_copy ; then ) fi -dnl Verify people aren't doing stupid shit +dnl Avoid footguns. if test x"$enable_static" != xno ; then - AC_MSG_ERROR([dont be a Kumba, building a libsandbox.a is stupid]) + AC_MSG_ERROR([Building a static libsandbox.a is not supported]) fi if test x"$enable_shared" != xyes ; then - AC_MSG_ERROR([dont be a Kumba, omitting a libsandbox.so is stupid]) + AC_MSG_ERROR([Omitting a libsandbox.so is not supported]) fi if echo " $CFLAGS " | $EGREP ' -static ' >/dev/null 2>&1; then - AC_MSG_ERROR([dont be a Kumba, using -static in CFLAGS is stupid]) + AC_MSG_ERROR([Using -static in CFLAGS is not supported]) fi if echo " $LDFLAGS " | $EGREP ' -static ' >/dev/null 2>&1; then - AC_MSG_ERROR([dont be a Kumba, using -static in LDFLAGS is stupid]) + AC_MSG_ERROR([Using -static in LDFLAGS is not supported]) fi dnl Some libc's like those on bsd have dlopen() in libc, and not libdl
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: 143e5fd3b50fa7085c9c4eb66c103e3c6d1b64c7 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 17 14:55:27 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Aug 4 00:26:27 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=143e5fd3 libsandbox: skip checking access() without W_OK or R_OK mode If access/faccessat is called with F_OK or X_OK in the mode argument, there is no need to check the path. Bug: https://bugs.gentoo.org/910273 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 8d6a4839ebd909903691e4a71d6a94b3809adc82) libsandbox/libsandbox.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index e5f6d38..08b85ce 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -1095,8 +1095,11 @@ bool before_syscall_access(int dirfd, int sb_nr, const char *func, const char *f const char *ext_func; if (flags & W_OK) sb_nr = SB_NR_ACCESS_WR, ext_func = "access_wr"; - else + else if (flags & R_OK) sb_nr = SB_NR_ACCESS_RD, ext_func = "access_rd"; + else + /* Must be F_OK or X_OK; we do not need to check either. */ + return true; return before_syscall(dirfd, sb_nr, ext_func, file, flags); }
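Review bot: The new `else` branch carries a comment between the keyword and its single statement `return true;` with no braces, which is the shape where a later edit attaches a second statement outside the branch without anyone noticing; bracing it, `else { /* F_OK or X_OK: nothing to check */ return true; }`, avoids that and matches the "always brace control bodies" rule. The early return also leaves `sb_nr` and `ext_func` unread for those modes, so W_OK and R_OK callers see no change; a mode combining R_OK with X_OK still goes to the read check, which is the intended behaviour. before_syscall_access starts before the hunk.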
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsbutil/, libsandbox/, src/
commit: 4d33585e8070f17c182888f3573e5ce3d1ff6a70 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 17 15:03:13 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Aug 4 00:26:30 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=4d33585e libsbutil: add sbio_faccessat and use it in sb_exists sbio_faccessat allows libsbutil to access the unwrapped version of faccessat when called from libsandbox. Using faccessat in place of fstatat seems to give a small boost in performance. Pass AT_EACCESS faccessat to enable a faster path if uid != euid. Bug: https://bugs.gentoo.org/910273 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 0317bbe09fe23e4bd972ee254f14817def701731) libsandbox/libsandbox.c | 1 + libsandbox/wrappers.h | 2 ++ libsbutil/sb_exists.c | 10 ++ libsbutil/sbutil.h | 1 + src/sandbox.c | 1 + 5 files changed, 15 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 08b85ce..4edcf60 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -54,6 +54,7 @@ static char message_path[SB_PATH_MAX]; bool sandbox_on = true; static bool sb_init = false; static bool sb_env_init = false; +int (*sbio_faccessat)(int, const char *, int, int) = sb_unwrapped_faccessat; int (*sbio_open)(const char *, int, mode_t) = sb_unwrapped_open; FILE *(*sbio_popen)(const char *, const char *) = sb_unwrapped_popen; diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h index bf5bf64..3237397 100644 --- a/libsandbox/wrappers.h +++ b/libsandbox/wrappers.h @@ -15,6 +15,8 @@ */ #definesb_unwrapped_access sb_unwrapped_access_DEFAULT attribute_hidden int sb_unwrapped_access (const char *, int); +#definesb_unwrapped_faccessat sb_unwrapped_faccessat_DEFAULT +attribute_hidden int sb_unwrapped_faccessat (int, const char *, int, int); #definesb_unwrapped_getcwd sb_unwrapped_getcwd_DEFAULT attribute_hidden char *sb_unwrapped_getcwd (char *, size_t); #definesb_unwrapped_open sb_unwrapped_open_DEFAULT 
diff --git a/libsbutil/sb_exists.c b/libsbutil/sb_exists.c index d34f0cc..c2171fe 100644 --- a/libsbutil/sb_exists.c +++ b/libsbutil/sb_exists.c @@ -10,5 +10,15 @@ int sb_exists(int dirfd, const char *pathname, int flags) { struct stat64 buf; + + if (sbio_faccessat(dirfd, pathname, F_OK, flags|AT_EACCESS) == 0) + return 0; + + /* musl's faccessat gives EINVAL when the kernel does not support +* faccessat2 and AT_SYMLINK_NOFOLLOW is set. +* https://www.openwall.com/lists/musl/2023/06/19/1 */ + if (errno != EINVAL) + return -1; + return fstatat64(dirfd, pathname, , flags); } diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h index 981fe0d..ed335e2 100644 --- a/libsbutil/sbutil.h +++ b/libsbutil/sbutil.h @@ -98,6 +98,7 @@ extern const char sb_fd_dir[]; const char *sb_get_cmdline(pid_t pid); /* libsandbox need to use a wrapper for open */ +attribute_hidden extern int (*sbio_faccessat)(int, const char *, int, int); attribute_hidden extern int (*sbio_open)(const char *, int, mode_t); attribute_hidden extern FILE *(*sbio_popen)(const char *, const char *); extern const char *sbio_message_path; diff --git a/src/sandbox.c b/src/sandbox.c index ed0c7f6..f4ffd20 100644 --- a/src/sandbox.c +++ b/src/sandbox.c @@ -21,6 +21,7 @@ static int print_debug = 0; #define dprintf(fmt, args...) do { if (print_debug) printf(fmt, ## args); } while (0) #define dputs(str) do { if (print_debug) puts(str); } while (0) +int (*sbio_faccessat)(int, const char *, int, int) = faccessat; int (*sbio_open)(const char *, int, mode_t) = (void *)open; FILE *(*sbio_popen)(const char *, const char *) = popen;
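Review bot: The fallback in sb_exists keys only on `errno == EINVAL`, which is the musl case the comment describes, but EINVAL is also what faccessat returns for any `flags` bit it does not accept (fstatat-only bits such as AT_EMPTY_PATH, if a caller ever passes them), so such callers would silently pay two syscalls on every existence check; masking before the call, `(flags & AT_SYMLINK_NOFOLLOW) | AT_EACCESS`, or a comment stating which flags sb_exists accepts would make the contract explicit. The musl comment would also benefit from saying that the fstatat64 line is now the fallback rather than the primary path. The function body is entirely within the hunk.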
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/
commit: f3c48c3262edab7db3fc95d87ac1511a97ad930e Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 31 15:39:40 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Tue Aug 1 14:15:12 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f3c48c32 libsandbox: always permit access to '/memfd:' For memfd objects, the kernel populates the target for symlinks under /proc/$PID/fd as "/memfd:name". Said target does not actually exist. It is unfortunate that the kernel includes the leading slash, but we will just have to work around it. Bug: https://bugs.gentoo.org/910561 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 27232d52fee4abecd5f709acc616fa1296e0464f) libsandbox/libsandbox.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 847b4e2..e5f6d38 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, /* Fall in a read/write denied path, Deny Access */ goto out; + if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) { + /* Allow operations on memfd objects #910561 */ + result = 1; + goto out; + } + if (!sym_func) { retval = check_prefixes(sbcontext->deny_prefixes, sbcontext->num_deny_prefixes, resolv_path);
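Review bot: The new `strncmp(resolv_path, "/memfd:", strlen("/memfd:"))` exemption is purely lexical, so it cannot tell a kernel-generated memfd link target from a real filesystem entry whose resolved path happens to begin with `/memfd:`; the commit message says the target never exists on disk, which suggests the precise form is to exempt the path only when it does not exist (sb_exists is already available for that), or at least to document that the allow decision trusts the prefix. A comment on the branch naming the `/proc/$PID/fd` origin of these strings would help too, since `/memfd:` reads like an ordinary absolute path. check_access starts before the hunk and continues past it.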
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: 816bd9fc97f130df92e2c7e0cda5f472588a6d86 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 17 13:55:53 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Mon Jul 17 13:55:53 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=816bd9fc v2.37 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0a3c4fc..de0dc2b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.36], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.37], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsbutil/
commit: 0cd40599d89e50c23f14970f6e4a31f0500a8b15 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 17 13:43:51 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Mon Jul 17 13:55:25 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=0cd40599 sb_exists: drop use of faccessat faccessat appears to perform quite poorly under certain conditions. Go back to using fstatat until this can be debugged. Bug: https://bugs.gentoo.org/910273 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 6a6a6a6c9680e5868544887a7ab4d141833abfb6) libsbutil/sb_exists.c | 10 -- 1 file changed, 10 deletions(-) diff --git a/libsbutil/sb_exists.c b/libsbutil/sb_exists.c index 9ec7730..d34f0cc 100644 --- a/libsbutil/sb_exists.c +++ b/libsbutil/sb_exists.c @@ -10,15 +10,5 @@ int sb_exists(int dirfd, const char *pathname, int flags) { struct stat64 buf; - - if (faccessat(dirfd, pathname, F_OK, flags) == 0) - return 0; - - /* musl's faccessat gives EINVAL when the kernel does not support -* faccessat2 and AT_SYMLINK_NOFOLLOW is set. -* https://www.openwall.com/lists/musl/2023/06/19/1 */ - if (errno != EINVAL) - return -1; - return fstatat64(dirfd, pathname, , flags); }
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/trace/linux/
commit: 1b3255175804af8743c9b264e4709cd6a3e8f353 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 10 15:11:41 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Mon Jul 10 15:52:35 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=1b325517 libsandbox/trace: cast NT_ARM_SYSTEM_CALL to avoid warnings Bug: https://bugs.gentoo.org/910195 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 12c24e7f990dec058563ca1ef954bfd8264f2f96) libsandbox/trace/linux/aarch64.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsandbox/trace/linux/aarch64.c b/libsandbox/trace/linux/aarch64.c index 8f32912..82e829c 100644 --- a/libsandbox/trace/linux/aarch64.c +++ b/libsandbox/trace/linux/aarch64.c @@ -36,7 +36,7 @@ static int trace_get_sysnum(void *vregs) .iov_base = , .iov_len = sizeof(nr), }; - do_ptrace(PTRACE_GETREGSET, NT_ARM_SYSTEM_CALL, _nr); + do_ptrace(PTRACE_GETREGSET, (void *)(uintptr_t)NT_ARM_SYSTEM_CALL, _nr); return nr; } @@ -46,5 +46,5 @@ static void trace_set_sysnum(void *vregs, int nr) .iov_base = , .iov_len = sizeof(nr), }; - do_ptrace(PTRACE_SETREGSET, NT_ARM_SYSTEM_CALL, _nr); + do_ptrace(PTRACE_SETREGSET, (void *)(uintptr_t)NT_ARM_SYSTEM_CALL, _nr); }
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: 96838cf81d6fe0d6f8b68fb188844666387bdf57 Author: Mike Gilbert gentoo org> AuthorDate: Mon Jul 10 15:52:52 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Mon Jul 10 15:52:52 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=96838cf8 v2.36 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index c3e772f..0a3c4fc 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.35], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.36], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: c642111b431f0822234dd2f2b4411832616ab0b0 Author: Mike Gilbert gentoo org> AuthorDate: Sat Jul 8 03:08:09 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sat Jul 8 03:08:09 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=c642111b v2.35 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index d55ac79..c3e772f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.34], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.35], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/trace/linux/
commit: 879cfbd1ec96b8690b70430b7d8b4b6ccd9ce7d8 Author: Mike Gilbert gentoo org> AuthorDate: Sat Jul 8 02:50:02 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sat Jul 8 03:07:44 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=879cfbd1 libsandbox/trace: fix syscall cancellation on arm64 arm64 has a dedicated regset to manipulate the system call number. See kernel commit 766a85d7bc5d7f1ddd6de28bdb844eae45ec63b0. Bug: https://bugs.gentoo.org/909416 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit f4c6bf434459d2d7b57c003e4eab81f2f8c21f51) libsandbox/trace/linux/aarch64.c | 21 - 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/libsandbox/trace/linux/aarch64.c b/libsandbox/trace/linux/aarch64.c
index d056259..8f32912 100644
--- a/libsandbox/trace/linux/aarch64.c
+++ b/libsandbox/trace/linux/aarch64.c
@@ -1,5 +1,4 @@
 #define trace_reg_ret regs[0] /* x0 */
-#define trace_reg_sysnum regs[8] /* w0 */
 #undef trace_get_regs
 static long trace_get_regs(void *vregs)
@@ -29,3 +28,23 @@ static unsigned long trace_arg(void *vregs, int num)
 else
 return -1;
 }
+
+static int trace_get_sysnum(void *vregs)
+{
+ int nr;
+ struct iovec iov_nr = {
+ .iov_base = ,
+ .iov_len = sizeof(nr),
+ };
+ do_ptrace(PTRACE_GETREGSET, NT_ARM_SYSTEM_CALL, _nr);
+ return nr;
+}
+
+static void trace_set_sysnum(void *vregs, int nr)
+{
+ struct iovec iov_nr = {
+ .iov_base = ,
+ .iov_len = sizeof(nr),
+ };
+ do_ptrace(PTRACE_SETREGSET, NT_ARM_SYSTEM_CALL, _nr);
+}
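Review bot: `int nr;` in the new trace_get_sysnum is returned uninitialised whenever the PTRACE_GETREGSET request does not fill the iovec; if do_ptrace reports failure through its return value rather than aborting (its definition is not in this hunk, so this is an assumption to confirm), the caller's syscall check would then be made against an indeterminate number. Initialise it and check the call, e.g. `int nr = -1;` and `if (do_ptrace(PTRACE_GETREGSET, NT_ARM_SYSTEM_CALL, &iov_nr) < 0) return -1;`, adjusting the comparison to whatever do_ptrace actually returns. trace_set_sysnum likewise discards the PTRACE_SETREGSET result, so a failed cancellation of a denied syscall would go unnoticed and the tracee would run the original call. `vregs` is unused in both functions; a `(void)vregs;` line or a short comment that the regset interface does not need the saved registers would make that deliberate.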
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: 3cbe56b72b0aad22b87fb1abdd8d3a902acf07b6 Author: Mike Gilbert gentoo org> AuthorDate: Sat Jul 1 23:53:43 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sat Jul 1 23:53:43 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=3cbe56b7 v2.34 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 8cdca8b..d55ac79 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.33], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.34], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: tests/
commit: 378995f8efc182f42c4e553eacb081cd67bb2f2a Author: Michael Orlitzky gentoo org> AuthorDate: Sat Jul 1 20:52:34 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sat Jul 1 23:53:01 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=378995f8 tests: use explicit adddeny() calls in fchmod and fchown tests. When running the test suite under portage, the entire build directory will be writable because portage adds PORTAGE_TMPDIR to SANDBOX_WRITE (thanks floppym). This breaks the tests for these two wrappers, since they expect to fail when trying to write above $PWD. To avoid that, we create a new file to call fchown/fchmod on, and then explicitly deny access to it. Closes: https://bugs.gentoo.org/909445 Signed-off-by: Michael Orlitzky gentoo.org> Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit e5032c6b89621db0475e36fb06c2905b6a9c024c) tests/fchmod-1.sh | 6 +- tests/fchown-1.sh | 6 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/tests/fchmod-1.sh b/tests/fchmod-1.sh index db404ba..140d84f 100755 --- a/tests/fchmod-1.sh +++ b/tests/fchmod-1.sh @@ -4,11 +4,15 @@ # addwrite $PWD +rm -f deny || exit 1 +touch deny || exit 1 +adddeny $PWD/deny # The sandbox doesn't log anything when it returns a junk file # descriptor? It doesn't look like we can test the contents of # sandbox.log here... instead, we just have to count on fchmod # failing, which it does if you use O_RDWR, and it *should* if you use # O_RDONLY (because that won't stop the change of permissions). -fchmod-0 $(stat --format='%#04a' ../..) ../.. && exit 1 +fchmod-0 $(stat --format='%#04a' $PWD/deny) $PWD/deny && exit 1 + exit 0 diff --git a/tests/fchown-1.sh b/tests/fchown-1.sh index 1b4a173..6c1178e 100755 --- a/tests/fchown-1.sh +++ b/tests/fchown-1.sh 
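Review bot: `$PWD/deny` is unquoted in the new `adddeny` and `fchmod-0` lines, so a build directory containing whitespace splits the path into several words and the deny rule would not cover the file the test then modifies; `adddeny "${PWD}/deny"` and `fchmod-0 $(stat --format='%#04a' "${PWD}/deny") "${PWD}/deny" && exit 1` match the quoting used by the lutimes test elsewhere in this series. The fchown-1.sh hunk that ends on the next line has the same unquoted expansions. The `deny` file is created unconditionally but never removed at the end of the script; if the harness does not clear the directory between runs (not visible here), a trailing `rm -f deny` would keep later tests from inheriting it.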
@@ -4,11 +4,15 @@ # addwrite $PWD +rm -f deny || exit 1 +touch deny || exit 1 +adddeny $PWD/deny # The sandbox doesn't log anything when it returns a junk file # descriptor? It doesn't look like we can test the contents of # sandbox.log here... instead, we just have to count on fchown # failing, which it does if you use O_RDWR, and it *should* if you use # O_RDONLY (because that won't stop the change of ownership). -fchown-0 ${SB_UID} ${SB_GID} ../.. && exit 1 +fchown-0 ${SB_UID} ${SB_GID} $PWD/deny && exit 1 + exit 0
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: 4d23fef44f592455b59793199afe96f239cd5923 Author: Mike Gilbert gentoo org> AuthorDate: Fri Jun 30 16:53:42 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Jun 30 16:53:42 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=4d23fef4 v2.33 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index a030dce..8cdca8b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.32], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.33], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: a38d957a825418fefeebc4212cc9e6d34ecdd8b0 Author: Mike Gilbert gentoo org> AuthorDate: Fri Jun 23 03:14:58 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Jun 23 17:25:40 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=a38d957a configure: update libc grep expression On Alpine, libc's SONAME is 'libc.musl-x86_64.so.1'. Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 3ccc775d6f98c1917408bc3a370cfd6d3d789d50) configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index ca5ed5b..a030dce 100644 --- a/configure.ac +++ b/configure.ac @@ -389,7 +389,7 @@ echo "int main(void) { return 0; }" > libctest.c $CC $CFLAGS $CPPFLAGS $LDFLAGS -o libctest libctest.c LIBC_VERSION=$( $READELF -d libctest | \ - $EGREP 'NEEDED.* \@<:@libc\.so' | \ + $EGREP 'NEEDED.* \@<:@libc\..*so' | \ $AWK '{print $NF}' | [sed -e 's:\[::' -e 's:\]::'] ) rm -f libctest*
[gentoo-commits] proj/sandbox:stable-2.x commit in: .github/workflows/
commit: 84e3934c938a6c94c40b0d0857a333a7be247800 Author: Mike Gilbert gentoo org> AuthorDate: Fri Jun 23 15:35:43 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Jun 23 17:25:44 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=84e3934c CI: clean up glibc job Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit e2f8b0382aef54fd0827c61f05589b82ddfa8331) .github/workflows/build-test-ci.yml | 32 +++- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/.github/workflows/build-test-ci.yml b/.github/workflows/build-test-ci.yml index 4a3ef88..5c95baa 100644 --- a/.github/workflows/build-test-ci.yml +++ b/.github/workflows/build-test-ci.yml 
@@ -3,58 +3,32 @@ name: Build+Test CI -#on: -# push: -#branches: [master, gh-actions] -#tags: [v*] -# pull_request: -#types: [created, opened, edited, push] - on: [pull_request, push] jobs: glibc: strategy: matrix: -os: [ubuntu-latest] cc: [gcc, clang] -sanitize: [none] # [none, asan, ubsan] fail-fast: false -runs-on: ${{ matrix.os }} +runs-on: ubuntu-latest env: CC: ${{ matrix.cc }} - SANITIZER: ${{ matrix.sanitize }} - UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1" steps: - name: Install dependencies run: | sudo apt-get update -qq sudo apt-get install build-essential gcc clang automake autoconf autoconf-archive libtool pax-utils -qy -case "$SANITIZER" in - none) - ;; - asan) - echo CFLAGS="-O2 -ggdb3 -fsanitize=address" >> $GITHUB_ENV - echo CXXFLAGS="-O2 -ggdb3 -fsanitize=address" >> $GITHUB_ENV - echo LDFLAGS="-fsanitize=address" >> $GITHUB_ENV - ;; - ubsan) - echo CFLAGS="-O2 -ggdb3 -fsanitize=undefined" >> $GITHUB_ENV - echo CXXFLAGS="-O2 -ggdb3 -fsanitize=undefined" >> $GITHUB_ENV - echo LDFLAGS="-fsanitize=undefined" >> $GITHUB_ENV - ;; -esac - - uses: actions/checkout@v3 name: Checkout - name: Build run: | ./autogen.sh -./configure || cat config.log +./configure || { cat config.log; false; } make V=1 -make V=1 check +make V=1 check || { cat tests/testsuite.log; false; } make V=1 distcheck musl:
[gentoo-commits] proj/sandbox:stable-2.x commit in: .github/workflows/
commit: 90b9a7a12ebd1531738877e63f85c42b740e0a36 Author: Mike Gilbert gentoo org> AuthorDate: Fri Jun 23 03:14:58 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Jun 23 17:25:43 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=90b9a7a1 CI: add musl config Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 8fd0fb9f956c65dab850895102b21a7fef92b753) .github/workflows/build-test-ci.yml | 21 - 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-test-ci.yml b/.github/workflows/build-test-ci.yml index 7ad056b..4a3ef88 100644 --- a/.github/workflows/build-test-ci.yml +++ b/.github/workflows/build-test-ci.yml @@ -13,7 +13,7 @@ name: Build+Test CI on: [pull_request, push] jobs: - make: + glibc: strategy: matrix: os: [ubuntu-latest] @@ -56,3 +56,22 @@ jobs: make V=1 make V=1 check make V=1 distcheck + + musl: +runs-on: ubuntu-latest +container: + image: alpine:latest + options: --cap-add=SYS_PTRACE +steps: + - name: Install dependencies +run: apk add bash coreutils build-base automake autoconf autoconf-archive libtool pax-utils gawk sed + + - name: Checkout +uses: actions/checkout@v3 + + - name: Build +run: | + ./autogen.sh + ./configure || { cat config.log; false; } + make V=1 + make V=1 check || { cat tests/testsuite.log; false; }
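Review bot: `uses: actions/checkout@v3` in the new musl job pins the third-party action to a mutable tag, so the job executes whatever that tag points to on the day it runs; pinning to a full commit SHA with the tag in a trailing comment, `uses: actions/checkout@<full-commit-sha> # v3`, is the usual supply-chain hardening for a project that sits in a distribution's build chain. The same line is present in the original workflow added by the "CI: add Github Actions" commit further down this page, so the fix belongs in both places. The workflow also declares no `permissions:` block, which means the job token receives the repository default; a top-level `permissions: contents: read` restricts it to what a build-and-test job needs. `options: --cap-add=SYS_PTRACE` is presumably required for the ptrace-based sandbox tests inside the container and is reasonable, but a one-line comment saying so would keep the next maintainer from removing it.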
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/, libsandbox/wrapper-funcs/
commit: 3e1725e56f0edb4e7d88aa08a9f9cdcbca08d713 Author: Mike Gilbert gentoo org> AuthorDate: Thu Jun 22 17:41:09 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Jun 23 14:25:22 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=3e1725e5 libsandbox: wrap musl time64 functions musl uses different names from glibc for the time64 symbols. Add them to symbols.h, and use symlinks for the wrapper-func files. Bug: https://bugs.gentoo.org/908970 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit 2911fdc0d72e37e99cac6609b4799ee06b29cd31) libsandbox/symbols.h.in | 4 libsandbox/wrapper-funcs/__futimesat_time64.c | 1 + libsandbox/wrapper-funcs/__lutimes_time64.c | 1 + libsandbox/wrapper-funcs/__utimensat_time64.c | 1 + libsandbox/wrapper-funcs/__utimes_time64.c| 1 + 5 files changed, 8 insertions(+) diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in index 297c13a..5805592 100644 --- a/libsandbox/symbols.h.in +++ b/libsandbox/symbols.h.in @@ -79,11 +79,15 @@ utime __utime64 utimes __utimes64 +__utimes_time64 utimensat __utimensat64 utimensat_time64 +__utimensat_time64 futimesat __futimesat64 +__futimesat_time64 lutimes __lutimes64 +__lutimes_time64 fork vfork diff --git a/libsandbox/wrapper-funcs/__futimesat_time64.c b/libsandbox/wrapper-funcs/__futimesat_time64.c new file mode 12 index 000..c3a9b23 --- /dev/null +++ b/libsandbox/wrapper-funcs/__futimesat_time64.c @@ -0,0 +1 @@ +__futimesat64.c \ No newline at end of file diff --git a/libsandbox/wrapper-funcs/__lutimes_time64.c b/libsandbox/wrapper-funcs/__lutimes_time64.c new file mode 12 index 000..1819ce7 --- /dev/null +++ b/libsandbox/wrapper-funcs/__lutimes_time64.c @@ -0,0 +1 @@ +__lutimes64.c \ No newline at end of file diff --git a/libsandbox/wrapper-funcs/__utimensat_time64.c b/libsandbox/wrapper-funcs/__utimensat_time64.c new file mode 12 index 000..2dceb14 --- /dev/null +++ b/libsandbox/wrapper-funcs/__utimensat_time64.c 
@@ -0,0 +1 @@ +__utimensat64.c \ No newline at end of file diff --git a/libsandbox/wrapper-funcs/__utimes_time64.c b/libsandbox/wrapper-funcs/__utimes_time64.c new file mode 12 index 000..3dea445 --- /dev/null +++ b/libsandbox/wrapper-funcs/__utimes_time64.c @@ -0,0 +1 @@ +__utimes64.c \ No newline at end of file
[gentoo-commits] proj/sandbox:stable-2.x commit in: tests/
commit: 88ffe50668ff8ffc25324ab62c0e4de85509a5de Author: Michael Orlitzky gentoo org> AuthorDate: Sun Jan 28 01:05:02 2018 + Commit: Mike Gilbert gentoo org> CommitDate: Thu Jun 22 13:55:26 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=88ffe506 tests: add test case for fchown/fchmod with O_RDONLY. Bug: https://bugs.gentoo.org/599706 Signed-off-by: Michael Orlitzky gentoo.org> Signed-off-by: Mike Gilbert gentoo.org> tests/fchmod-0.c | 35 +++ tests/fchmod-1.sh | 14 ++ tests/fchmod.at | 1 + tests/fchown-0.c | 34 ++ tests/fchown-1.sh | 14 ++ tests/fchown.at | 1 + tests/local.mk| 2 ++ 7 files changed, 101 insertions(+) diff --git a/tests/fchmod-0.c b/tests/fchmod-0.c new file mode 100644 index 000..de0c237 --- /dev/null +++ b/tests/fchmod-0.c @@ -0,0 +1,35 @@ +/* + * https://bugs.gentoo.org/599706 + * + */ + +#include "headers.h" + +int main(int argc, char *argv[]) +{ + if (argc < 2) + return -2; + + int mode = 0; + sscanf(argv[1], "%i", ); + /* The sandbox catches this: +* +* int fd = open(argv[2], O_RDWR); +* +* And it /should/ catch this: +* +*int fd = open(argv[2], O_RDONLY); +* +* ...but the latter only works when /proc/self/fd/%i +* is available. +* +*/ +#ifdef SANDBOX_PROC_SELF_FD + int fd = open(argv[2], O_RDONLY); +#else + int fd = open(argv[2], O_RDWR); +#endif + int fchmod_result = fchmod(fd, (mode_t)mode); + close(fd); + return fchmod_result; +} diff --git a/tests/fchmod-1.sh b/tests/fchmod-1.sh new file mode 100755 index 000..db404ba --- /dev/null +++ b/tests/fchmod-1.sh 
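Review bot: `if (argc < 2) return -2;` in the new fchmod-0.c does not cover `argv[2]`, which `open()` reads a few lines later, so running the helper with a single argument dereferences a NULL pointer instead of returning the -2 usage code; the guard should be `if (argc < 3)`. fchown-0.c in the next hunk has the same off-by-one (`argc < 3` while it reads `argv[3]`; it needs `argc < 4`). The `sscanf(argv[1], "%i", &mode)` result is also unchecked, so a non-numeric mode silently becomes 0; `if (sscanf(argv[1], "%i", &mode) != 1) return -2;` keeps a malformed test argument distinguishable from a sandbox denial. `open()` failing is not checked either — fchmod on -1 simply fails with EBADF, which the driving script counts as the expected failure — so a comment stating that this is intentional would stop the exit status from being misread.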
@@ -0,0 +1,14 @@ +#!/bin/sh +# +# https://bugs.gentoo.org/599706 +# + +addwrite $PWD + +# The sandbox doesn't log anything when it returns a junk file +# descriptor? It doesn't look like we can test the contents of +# sandbox.log here... instead, we just have to count on fchmod +# failing, which it does if you use O_RDWR, and it *should* if you use +# O_RDONLY (because that won't stop the change of permissions). +fchmod-0 $(stat --format='%#04a' ../..) ../.. && exit 1 +exit 0 diff --git a/tests/fchmod.at b/tests/fchmod.at new file mode 100644 index 000..081d7d2 --- /dev/null +++ b/tests/fchmod.at @@ -0,0 +1 @@ +SB_CHECK(1) diff --git a/tests/fchown-0.c b/tests/fchown-0.c new file mode 100644 index 000..7fdca73 --- /dev/null +++ b/tests/fchown-0.c @@ -0,0 +1,34 @@ +/* + * https://bugs.gentoo.org/599706 + * + */ + +#include "headers.h" + +int main(int argc, char *argv[]) +{ + if (argc < 3) + return -2; + + uid_t uid = atoi(argv[1]); + gid_t gid = atoi(argv[2]); + /* The sandbox catches this: +* +* int fd = open(argv[3], O_RDWR); +* +* And it /should/ catch this: +* +*int fd = open(argv[3], O_RDONLY); +* +* ...but the latter only works when /proc/self/fd/%i +* is available. +*/ +#ifdef SANDBOX_PROC_SELF_FD + int fd = open(argv[3], O_RDONLY); +#else + int fd = open(argv[3], O_RDWR); +#endif + int fchown_result = fchown(fd, uid, gid); + close(fd); + return fchown_result; +} diff --git a/tests/fchown-1.sh b/tests/fchown-1.sh new file mode 100755 index 000..1b4a173 --- /dev/null +++ b/tests/fchown-1.sh @@ -0,0 +1,14 @@ +#!/bin/sh +# +# https://bugs.gentoo.org/599706 +# + +addwrite $PWD + +# The sandbox doesn't log anything when it returns a junk file +# descriptor? It doesn't look like we can test the contents of +# sandbox.log here... instead, we just have to count on fchown +# failing, which it does if you use O_RDWR, and it *should* if you use +# O_RDONLY (because that won't stop the change of ownership). +fchown-0 ${SB_UID} ${SB_GID} ../.. && exit 1 +exit 0 
diff --git a/tests/fchown.at b/tests/fchown.at new file mode 100644 index 000..081d7d2 --- /dev/null +++ b/tests/fchown.at @@ -0,0 +1 @@ +SB_CHECK(1) diff --git a/tests/local.mk b/tests/local.mk index 86a8a65..2f429e6 100644 --- a/tests/local.mk +++ b/tests/local.mk @@ -29,7 +29,9 @@ check_PROGRAMS += \ %D%/execv-0 \ %D%/execvp-0 \ %D%/faccessat-0 \ + %D%/fchmod-0 \ %D%/fchmodat-0 \ + %D%/fchown-0 \ %D%/fchownat-0 \ %D%/fopen-0 \ %D%/fopen64-0 \
[gentoo-commits] proj/sandbox:stable-2.x commit in: tests/
commit: 817965df90b7f421da65d2e1355957b588d8d2fe Author: Michael Orlitzky gentoo org> AuthorDate: Sun Jan 28 03:38:26 2018 + Commit: Mike Gilbert gentoo org> CommitDate: Thu Jun 22 13:55:26 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=817965df tests: add more tests to make sure fchown/fchmod are handled correctly. Closes: https://bugs.gentoo.org/599706 Signed-off-by: Michael Orlitzky gentoo.org> Signed-off-by: Mike Gilbert gentoo.org> tests/fchmod-2.sh | 11 +++ tests/fchmod.at | 1 + tests/fchown-2.sh | 11 +++ tests/fchown.at | 1 + 4 files changed, 24 insertions(+) diff --git a/tests/fchmod-2.sh b/tests/fchmod-2.sh new file mode 100755 index 000..96d7cc9 --- /dev/null +++ b/tests/fchmod-2.sh @@ -0,0 +1,11 @@ +#!/bin/sh +# +# Ensure that fchmod() doesn't trigger spurious violations in the most +# basic of cases. +# +addwrite $PWD + +# This should not trigger a violation. +rm -f file +touch file +fchmod-0 0644 file || exit 1 diff --git a/tests/fchmod.at b/tests/fchmod.at index 081d7d2..d364b4b 100644 --- a/tests/fchmod.at +++ b/tests/fchmod.at @@ -1 +1,2 @@ SB_CHECK(1) +SB_CHECK(2) diff --git a/tests/fchown-2.sh b/tests/fchown-2.sh new file mode 100755 index 000..dedfbe4 --- /dev/null +++ b/tests/fchown-2.sh @@ -0,0 +1,11 @@ +#!/bin/sh +# +# Ensure that fchown() doesn't trigger spurious violations in the most +# basic of cases. +# +addwrite $PWD + +# This should not trigger a violation. +rm -f file +touch file +fchown-0 ${SB_UID} ${SB_GID} file || exit 1 diff --git a/tests/fchown.at b/tests/fchown.at index 081d7d2..d364b4b 100644 --- a/tests/fchown.at +++ b/tests/fchown.at @@ -1 +1,2 @@ SB_CHECK(1) +SB_CHECK(2)
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/, libsandbox/wrapper-funcs/
commit: 45a8321f5015b19e706b8a3a1e2203bba900f24d Author: Michael Orlitzky orlitzky com> AuthorDate: Tue Jun 20 21:58:57 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Thu Jun 22 13:55:26 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=45a8321f libsandbox: add support for fchown/fchmod on linux The fchown/fchmod functions use a file descriptor obtained from open(), and the sandbox relies on its open() wrapper for safety. But it turns out that fchown/fchmod can operate on a descriptor opened O_RDONLY, which the open() wrapper is happy to give you. Oops. This is bug 599706. There's no POSIX way to map the descriptor to a path once you've got it, but on linux you can use the magic path "/proc/self/fd/%i" which should be a symlink pointing to the path passed to open(). Once we have that path, we can use the existing "is this path safe" machinery in the sandbox. There is precedent for this approach in sandbox, and the SANDBOX_PROC_SELF_FD macro already exists to indicate that the feature is available. Bug: https://bugs.gentoo.org/599706 Signed-off-by: Michael Orlitzky gentoo.org> Signed-off-by: Mike Gilbert gentoo.org> libsandbox/libsandbox.c | 17 + libsandbox/libsandbox.h | 7 +++ libsandbox/symbols.h.in | 2 ++ libsandbox/trace.c| 14 ++ libsandbox/wrapper-funcs/fchmod.c | 11 +++ libsandbox/wrapper-funcs/fchown.c | 11 +++ 6 files changed, 62 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index b9ef52e..847b4e2 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -766,7 +766,9 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, sb_nr == SB_NR_CHOWN || sb_nr == SB_NR_CREAT || sb_nr == SB_NR_CREAT64 || + sb_nr == SB_NR_FCHMOD || sb_nr == SB_NR_FCHMODAT|| + sb_nr == SB_NR_FCHOWN || sb_nr == SB_NR_FCHOWNAT|| /*sb_nr == SB_NR_FTRUNCATE || sb_nr == SB_NR_FTRUNCATE64 ||*/ 
@@ -1102,6 +1104,21 @@ bool before_syscall_open_int(int dirfd, int sb_nr, const char *func, const char return before_syscall(dirfd, sb_nr, ext_func, file, flags); } +bool before_syscall_fd(int sb_nr, const char *func, int fd) { +#ifdef SANDBOX_PROC_SELF_FD + /* We only know how to handle e.g. fchmod() and fchown() on +* linux, where it's possible to (eventually) get a path out +* of the given file descriptor. The "64" below accounts for +* the length of an integer string, and is probably +* overkill. */ + char path[sizeof("/proc/self/fd/") + 64]; + snprintf(path, sizeof("/proc/self/fd/") + 64, "/proc/self/fd/%i", fd); + return before_syscall(AT_FDCWD, sb_nr, func, path, 0); +#else + return true; +#endif +} + bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char *file, const char *mode) { if (NULL == mode) diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h index 206c506..01a4c6c 100644 --- a/libsandbox/libsandbox.h +++ b/libsandbox/libsandbox.h @@ -46,6 +46,11 @@ #define SB_SAFE_OPEN_CHAR(_path, _mode) \ SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode) +#define _SB_SAFE_FD(_nr, _name, _fd) \ +__SB_SAFE(before_syscall_fd(_nr, _name, fd)) +#define SB_SAFE_FD(_fd) \ + _SB_SAFE_FD(WRAPPER_NR, STRING_NAME, _fd) + /* Symbols that don't exist in the C library will be <= this value. */ #define SB_NR_UNDEF -9 #define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF) @@ -55,6 +60,8 @@ bool before_syscall(int, int, const char *, const char *, int); bool before_syscall_access(int, int, const char *, const char *, int); bool before_syscall_open_int(int, int, const char *, const char *, int); bool before_syscall_open_char(int, int, const char *, const char *, const char *); +bool before_syscall_fd(int, const char *, int); + enum sandbox_method_t get_sandbox_method(void); void *get_dlsym(const char *symname, const char *symver); diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in index ecf141c..297c13a 100644 --- a/libsandbox/symbols.h.in 
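Review bot: `snprintf(path, sizeof("/proc/self/fd/") + 64, ...)` in the new before_syscall_fd repeats the size expression from the `path` declaration; `snprintf(path, sizeof path, "/proc/self/fd/%i", fd);` keeps the two from drifting apart if either is edited. The `#else` branch returns true, i.e. on builds without SANDBOX_PROC_SELF_FD the fchmod/fchown check is skipped altogether (fail-open); the commit message explains this is deliberate, but the code should say so too, e.g. `/* No way to map the fd back to a path: allow the call unchecked. */`. It is also worth recording in the comment that /proc/self/fd/N reflects the path at open() time, so a file renamed or unlinked after it was opened is checked against a stale path — a known limit of this approach rather than a bug in the hunk.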
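Review bot: `_SB_SAFE_FD(_nr, _name, _fd)` in the libsandbox.h hunk expands to `before_syscall_fd(_nr, _name, fd)` — the macro's `_fd` parameter is never used and the expansion silently captures whatever variable named `fd` is in scope at the call site. It compiles for the new fchmod/fchown wrappers only because their parameter happens to be called `fd`; the expansion should read `__SB_SAFE(before_syscall_fd(_nr, _name, _fd))`. `_SB_SAFE_FD` also falls into the reserved-identifier pattern (leading underscore followed by an uppercase letter), although it follows the existing `__SB_SAFE` naming in this header, so that is a consistency choice rather than something to change here.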
+++ b/libsandbox/symbols.h.in @@ -7,8 +7,10 @@ # before 'creat()' as 'creat()' uses 'open()' ... chmod +fchmod fchmodat chown +fchown fchownat open __open_2 diff --git a/libsandbox/trace.c b/libsandbox/trace.c index 4ae58aa..7ac4b5d 100644 --- a/libsandbox/trace.c +++ b/libsandbox/trace.c @@ -390,8 +390,22 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs) ret = 1; free(path); return ret; + + } else if (nr == SB_NR_FCHMOD) { + int fd = trace_arg(regs, 1); + mode_t mode = trace_arg(regs, 2); + __sb_debug("(%i, %o)", fd, mode); + return
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: a5fcf9744ad6e60cb4de8db47f1aa6ce42c51479 Author: Mike Gilbert gentoo org> AuthorDate: Wed Jun 21 14:45:41 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Wed Jun 21 14:45:41 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=a5fcf974 v2.32 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index b78cf98..ca5ed5b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.31], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.32], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsbutil/, libsandbox/wrapper-funcs/, libsbutil/src/, libsandbox/
commit: 609dd64e6e88b8abbbd424c24e5e40abe95cdb1c Author: Mike Gilbert gentoo org> AuthorDate: Mon Jun 19 15:50:46 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Wed Jun 21 14:41:51 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=609dd64e libsbutil: add sb_exists function This provides a central place to work around a bug on musl where faccessat sets errno to EINVAL when the kernel does not support faccessat2. Bug: https://bugs.gentoo.org/908765 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit b55840ebe3278032777a3b52cecc6dac325dcf85) libsandbox/pre_check_openat.c | 2 +- libsandbox/wrapper-funcs/fopen_pre_check.c | 2 +- libsbutil/local.mk | 1 + libsbutil/sb_exists.c | 24 libsbutil/sbutil.h | 1 + libsbutil/src/file.c | 2 +- 6 files changed, 29 insertions(+), 3 deletions(-) diff --git a/libsandbox/pre_check_openat.c b/libsandbox/pre_check_openat.c index 8fd3b23..99c03eb 100644 --- a/libsandbox/pre_check_openat.c +++ b/libsandbox/pre_check_openat.c @@ -19,7 +19,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int save_errno(); /* Doesn't exist -> skip permission checks */ - if (faccessat(dirfd, pathname, F_OK, (flags & O_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0) == -1) { + if (sb_exists(dirfd, pathname, (flags & O_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0) == -1) { sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", func, pathname, strerror(errno)); return false; } diff --git a/libsandbox/wrapper-funcs/fopen_pre_check.c b/libsandbox/wrapper-funcs/fopen_pre_check.c index 95108e0..e3ed2c6 100644 --- a/libsandbox/wrapper-funcs/fopen_pre_check.c +++ b/libsandbox/wrapper-funcs/fopen_pre_check.c 
@@ -11,7 +11,7 @@ bool sb_fopen_pre_check(const char *func, const char *pathname, const char *mode save_errno(); /* If we're trying to read, fail normally if file does not stat */ - if (faccessat(AT_FDCWD, pathname, F_OK, 0) == -1) { + if (sb_exists(AT_FDCWD, pathname, 0) == -1) { sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", func, pathname, strerror(errno)); return false; diff --git a/libsbutil/local.mk b/libsbutil/local.mk index 126c7ce..1cb5de7 100644 --- a/libsbutil/local.mk +++ b/libsbutil/local.mk @@ -16,6 +16,7 @@ noinst_LTLIBRARIES += %D%/libsbutil.la %D%/environment.c \ %D%/sb_backtrace.c\ %D%/sb_efuncs.c \ + %D%/sb_exists.c \ %D%/sb_gdb.c \ %D%/sb_method.c \ %D%/sb_open.c \ diff --git a/libsbutil/sb_exists.c b/libsbutil/sb_exists.c new file mode 100644 index 000..9ec7730 --- /dev/null +++ b/libsbutil/sb_exists.c @@ -0,0 +1,24 @@ +/* + * Copyright 2023 Gentoo Authors + * Distributed under the terms of the GNU General Public License v2 + */ + +#include "headers.h" +#include "sbutil.h" + +/* Wrapper for faccessat to work around buggy behavior on musl */ +int sb_exists(int dirfd, const char *pathname, int flags) +{ + struct stat64 buf; + + if (faccessat(dirfd, pathname, F_OK, flags) == 0) + return 0; + + /* musl's faccessat gives EINVAL when the kernel does not support +* faccessat2 and AT_SYMLINK_NOFOLLOW is set. +* https://www.openwall.com/lists/musl/2023/06/19/1 */ + if (errno != EINVAL) + return -1; + + return fstatat64(dirfd, pathname, , flags); +} diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h index d81543b..981fe0d 100644 --- a/libsbutil/sbutil.h +++ b/libsbutil/sbutil.h @@ -109,6 +109,7 @@ size_t sb_write(int fd, const void *buf, size_t count); int sb_close(int fd); void sb_close_all_fds(void); int sb_copy_file_to_fd(const char *file, int ofd); +int sb_exists(int dirfd, const char *pathname, int flags); /* Reliable output */ __printf(1, 2) void sb_printf(const char *format, ...); 
diff --git a/libsbutil/src/file.c b/libsbutil/src/file.c index 5a361f4..64a6f0e 100644 --- a/libsbutil/src/file.c +++ b/libsbutil/src/file.c @@ -15,7 +15,7 @@ bool rc_file_exists (const char *pathname) { - return faccessat(AT_FDCWD, pathname, F_OK, AT_SYMLINK_NOFOLLOW) == 0; + return sb_exists(AT_FDCWD, pathname, AT_SYMLINK_NOFOLLOW) == 0; } bool
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: 4228dca81575872fcd964b514916ee214816f053 Author: Mike Gilbert gentoo org> AuthorDate: Tue Jun 13 18:34:06 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Tue Jun 13 18:34:06 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=4228dca8 v2.31 Signed-off-by: Mike Gilbert gentoo.org> configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index a274580..b78cf98 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([sandbox], [2.30], [sand...@gentoo.org]) +AC_INIT([sandbox], [2.31], [sand...@gentoo.org]) AM_INIT_AUTOMAKE([1.15 dist-xz foreign no-dist-gzip silent-rules subdir-objects -Wall]) AM_SILENT_RULES([yes]) # AM_INIT_AUTOMAKE([silent-rules]) is broken atm AC_CONFIG_HEADER([config.h])
[gentoo-commits] proj/sandbox:stable-2.x commit in: libsandbox/, tests/
commit: a96f5a62b05f7895acb0990cd65f7842f0b1ff7a Author: Mike Gilbert gentoo org> AuthorDate: Mon Jun 12 14:58:39 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Tue Jun 13 17:22:48 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=a96f5a62 libsandbox: add lutimes to symlink_func lutimes operates on symlinks, so we should not check for access against the symlink target. Bug: https://bugs.gentoo.org/908105 Signed-off-by: Mike Gilbert gentoo.org> (cherry picked from commit cdc89a00ac0bc3170d4ca7bfc77bc2572ce076b0) libsandbox/libsandbox.c | 1 + tests/lutimes-1.sh | 9 + tests/lutimes.at| 1 + 3 files changed, 11 insertions(+) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 0ca2bc9..b9ef52e 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -679,6 +679,7 @@ static bool symlink_func(int sb_nr, int flags) sb_nr == SB_NR_LCHOWN || sb_nr == SB_NR_LREMOVEXATTR || sb_nr == SB_NR_LSETXATTR|| + sb_nr == SB_NR_LUTIMES || sb_nr == SB_NR_REMOVE || sb_nr == SB_NR_RENAME || sb_nr == SB_NR_RENAMEAT || diff --git a/tests/lutimes-1.sh b/tests/lutimes-1.sh new file mode 100755 index 000..8638bb2 --- /dev/null +++ b/tests/lutimes-1.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +addwrite "${PWD}" + +sym="lutimes-1.sym" +ln -s /bad/path "${sym}" + +lutimes-0 0 "${sym}" NULL || exit 1 +lutimes-0 -1,EACCES /bin/sh NULL || exit 1 diff --git a/tests/lutimes.at b/tests/lutimes.at new file mode 100644 index 000..081d7d2 --- /dev/null +++ b/tests/lutimes.at @@ -0,0 +1 @@ +SB_CHECK(1)
[gentoo-commits] proj/sandbox:stable-2.x commit in: /
commit: b926cd079443bb9d0420b11201d4bd88a7aacd08 Author: James Le Cuirot gentoo org> AuthorDate: Sat Jan 21 16:36:05 2023 + Commit: Sam James gentoo org> CommitDate: Fri May 12 01:39:38 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=b926cd07 build: Fix libc path configure test for mold bfd, gold, lld, and mold all support `-Wl,--trace`, which has cleaner output than `-Wl,--verbose`. mold doesn't output anything with the latter, so the test didn't support that until now. The only difference between them now is that mold prefixes its output with `trace: ` whereas the others do not. I checked the Solaris linker, but that does not support `-Wl,--trace`. Bug: https://bugs.gentoo.org/830463 Signed-off-by: James Le Cuirot gentoo.org> Closes: https://github.com/gentoo/sandbox/pull/5 Signed-off-by: Sam James gentoo.org> (cherry picked from commit 190300def3160ca39bd8590d1bbc7305ae07cc5b) configure.ac | 15 +-- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac index ace4173..a274580 100644 --- a/configure.ac +++ b/configure.ac 
@@ -363,16 +363,11 @@ try_link() {
 ) 1>_MESSAGE_LOG_FD
 }
 LIBC_PATH=$(AS_IF(
- dnl GNU linker (bfd & gold) searching for
- dnl (bfd) "attempt to open /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../lib64/libc.so succeeded"
- dnl (gold) "/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../x86_64-pc-linux-gnu/bin/ld: Attempt to open /lib64/libc.so.6 succeeded"
- dnl if log does not contain "attempt" word then it's not a GNU linker
- [try_link -Wl,--verbose && grep -q '[[Aa]]ttempt' libctest.log],
- [$AWK '/[[Aa]]ttempt to open/ { if (($(NF-1) ~ /\/libc\.so/) && ($NF == "succeeded")) LIBC = $(NF-1); }; END {print LIBC}' libctest.log],
- dnl LLVM lld searching for latest (successful) entry of
- dnl "ld.lld: /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../lib64/libc.so"
- dnl "ld.lld: /lib64/libc.so.6"
- [try_link -Wl,--verbose],
+ dnl GNU linkers (bfd, gold), LLVM lld, mold - searching for latest entry of:
+ dnl "/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../lib64/libc.so"
+ dnl "/lib64/libc.so.6"
+ dnl Note that mold prefixes output with "trace: " whereas others do not.
+ [try_link -Wl,--trace],
 [$EGREP -o '/[[^ ]]*/libc.so.*' libctest.log | tail -n1],
 dnl Solaris linker
 [try_link -Wl,-m],
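Review bot: The first AS_IF branch now fires whenever `try_link -Wl,--trace` links, because the old `grep -q '[[Aa]]ttempt'` guard on the log was dropped with the --verbose probe; a linker that accepts the flag but prints nothing usable (the same failure mode this commit fixes for mold and --verbose) yields an empty LIBC_PATH here instead of falling through to the Solaris branch, and nothing in the hunk rejects that. Unless a later check outside the hunk refuses an empty LIBC_PATH, tighten the condition to `[try_link -Wl,--trace && $EGREP -q '/libc\.so' libctest.log],`. The unchanged `'/[[^ ]]*/libc.so.*'` pattern is also unanchored on the right: with -o, any text a linker prints after the path on a trace line is pulled into LIBC_PATH, so `'/[[^ ]]*/libc\.so[[^ ]]*'` would be safer now that more linkers feed this branch. The LIBC_PATH=$(AS_IF( ... )) expression continues past the end of the hunk.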
[gentoo-commits] proj/sandbox:stable-2.x commit in: .github/workflows/
commit: b5651178b925f3e1cd283ccf6336a068d53d6e7d Author: Sam James gentoo org> AuthorDate: Fri Jan 6 06:58:34 2023 + Commit: Sam James gentoo org> CommitDate: Fri Jan 6 07:15:00 2023 + URL:https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=b5651178 CI: add Github Actions Signed-off-by: Sam James gentoo.org> (cherry picked from commit cb63ad4fb4b8a21b269f330f2512da0a6ce7399e) .github/workflows/build-test-ci.yml | 58 + 1 file changed, 58 insertions(+)
diff --git a/.github/workflows/build-test-ci.yml b/.github/workflows/build-test-ci.yml
new file mode 100644
index 000..7ad056b
--- /dev/null
+++ b/.github/workflows/build-test-ci.yml
@@ -0,0 +1,58 @@
+# GitHub actions workflow.
+# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
+
+name: Build+Test CI
+
+#on:
+# push:
+#branches: [master, gh-actions]
+#tags: [v*]
+# pull_request:
+#types: [created, opened, edited, push]
+
+on: [pull_request, push]
+
+jobs:
+ make:
+strategy:
+ matrix:
+os: [ubuntu-latest]
+cc: [gcc, clang]
+sanitize: [none] # [none, asan, ubsan]
+ fail-fast: false
+runs-on: ${{ matrix.os }}
+env:
+ CC: ${{ matrix.cc }}
+ SANITIZER: ${{ matrix.sanitize }}
+ UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1"
+steps:
+- name: Install dependencies
+ run: |
+sudo apt-get update -qq
+sudo apt-get install build-essential gcc clang automake autoconf autoconf-archive libtool pax-utils -qy
+
+case "$SANITIZER" in
+ none)
+ ;;
+ asan)
+ echo CFLAGS="-O2 -ggdb3 -fsanitize=address" >> $GITHUB_ENV
+ echo CXXFLAGS="-O2 -ggdb3 -fsanitize=address" >> $GITHUB_ENV
+ echo LDFLAGS="-fsanitize=address" >> $GITHUB_ENV
+ ;;
+ ubsan)
+ echo CFLAGS="-O2 -ggdb3 -fsanitize=undefined" >> $GITHUB_ENV
+ echo CXXFLAGS="-O2 -ggdb3 -fsanitize=undefined" >> $GITHUB_ENV
+ echo LDFLAGS="-fsanitize=undefined" >> $GITHUB_ENV
+ ;;
+esac
+
+- uses: actions/checkout@v3
+ name: Checkout
+
+- name: Build
+ run: |
+./autogen.sh
+./configure || cat config.log
+make V=1
+make V=1 check
+make V=1 distcheck
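Review bot: `./configure || cat config.log` in the Build step masks a configure failure: `cat` exits 0, so the step continues into `make V=1` on an unconfigured tree and the job fails later with a misleading missing-Makefile error rather than at the real cause; use `./configure || { cat config.log; exit 1; }`. `actions/checkout@v3` is pinned to a mutable tag, and the usual supply-chain hardening is a full commit SHA with the tag kept in a trailing comment; a top-level `permissions: contents: read` would also drop the default write-capable GITHUB_TOKEN for a job that only builds and tests. The nesting of the `run: |` blocks is not reproduced in this listing, so the YAML indentation cannot be checked here.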
