author | Mike Frysinger <vapier@gentoo.org> | 2009-06-04 00:19:20 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2009-06-04 00:19:20 -0400 |
commit | 70f148095b7b9acd4e8329da0766aadc88b017d8 (patch) | |
tree | f9c69308721da245f85bf0f09dfffc6234d9ab61 /libsandbox/wrapper-funcs/mkdirat_pre_check.c | |
parent | libsandbox: make sure fopen64 uses 64bit funcs (diff) | |
libsandbox: add pre checks to static tracing
The normal wrapped functions go through some "pre checks" where certain
normal conditions are not flagged as problematic. The static tracing
lacked those pre checks though.
URL: http://bugs.gentoo.org/265885
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Daniel Robbins <drobbins@funtoo.org>
Diffstat (limited to 'libsandbox/wrapper-funcs/mkdirat_pre_check.c')
-rw-r--r-- | libsandbox/wrapper-funcs/mkdirat_pre_check.c | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
new file mode 100644
index 0000000..ea9ff9a
--- /dev/null
+++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
@@ -0,0 +1,42 @@
+/*
+ * mkdir*() pre-check.
+ *
+ * Copyright 1999-2009 Gentoo Foundation
+ * Licensed under the GPL-2
+ */
+
+bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
+{
+ char canonic[SB_PATH_MAX];
+
+ save_errno();
+
+ /* XXX: need to check pathname with dirfd */
+ if (-1 == canonicalize(pathname, canonic))
+ /* see comments in check_syscall() */
+ if (ENAMETOOLONG != errno) {
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s) @ canonicalize: %s\n",
+ func, pathname, strerror(errno));
+ return false;
+ }
+
+ /* XXX: Hack to prevent errors if the directory exist, and are
+ * not writable - we rather return EEXIST than fail. This can
+ * occur if doing something like `mkdir -p /`. We certainly do
+ * not want to pass this attempt up to the higher levels as those
+ * will trigger a sandbox violation.
+ */
+ struct stat st;
+ if (0 == lstat(canonic, &st)) {
+ if (is_env_on(ENV_SANDBOX_DEBUG))
+ SB_EINFO("EARLY FAIL", " %s(%s[%s]) @ lstat: %s\n",
+ func, pathname, canonic, strerror(errno));
+ errno = EEXIST;
+ return false;
+ }
+
+ restore_errno();
+
+ return true;
+} |
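Review bot: When canonicalize() fails with ENAMETOOLONG the code falls through to `lstat(canonic, &st)`, and `canonic` is an uninitialised stack buffer whose contents after a failed canonicalize() are not visible in this hunk, so the existence check may run on a stale or partial path and return false with EEXIST for a directory that was never examined. Bracing the outer `if` and leaving early in that case, e.g. `if (ENAMETOOLONG == errno) { restore_errno(); return true; }`, would keep lstat() off an unset buffer and leave the decision to the regular check. The XXX about dirfd also bears on the sandbox decision: with a relative pathname and a dirfd other than AT_FDCWD, the path examined here is presumably resolved against the working directory rather than the directory mkdirat() will act on. In the lstat branch, `strerror(errno)` is logged after a successful call, so the debug message reports a stale errno rather than the EEXIST that is about to be set.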