| field | value | date |
|---|---|---|
| author | Mike Gilbert <floppym@gentoo.org> | 2021-06-08 11:08:54 -0400 |
| committer | Michał Górny <mgorny@gentoo.org> | 2021-09-07 17:31:07 +0200 |
| commit | 96374d9bff64bcee64340f6572cca9f1cc3f696d (patch) | |
| tree | 2e06ff8f1fbb2ae635a2798dc91c36cc7d3e429c | |
| parent | configure.ac: release 2.24 (diff) | |
libsandbox: adjust hard-coded denial for /var/log/sandbox
Move this hack after the read checks, but before the write checks. This
allows processes to read the log directory, but not write to it.
This is helpful in case a process does something like this:
find /var/log -name system.journal
Bug: https://bugs.gentoo.org/794949
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Closes: https://bugs.gentoo.org/794949
Signed-off-by: Michał Górny <mgorny@gentoo.org>
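The reordering the commit message describes, as an added example that is not sandbox's own code: a miniature model of check_access() with the hard-coded log-dir denial placed before the read checks (old) and between the read and write checks (new). The prefix lists, the two SB_NR_OPEN_* stand-ins, the sample policy and the paths are assumptions constructed for the demonstration; the real function handles many more call types and options. It also shows the two edge cases a reviewer would want exercised: the prefix match catching a sibling such as /var/log/sandboxes, and a context with no read prefixes configured, where the moved denial still refuses reads.

```c
/* Added example, not libsandbox code: a miniature check_access() showing
 * the effect of moving the hard-coded /var/log/sandbox denial. The policy,
 * the two call types and the paths are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

#define SANDBOX_LOG_LOCATION "/var/log/sandbox"

enum { SB_NR_OPEN_RD, SB_NR_OPEN_WR };   /* stand-ins for the real sb_nr values */

struct ctx {
    const char **read_prefixes;    /* paths the process may read (NULL: none configured) */
    size_t num_read_prefixes;
    const char **write_prefixes;   /* paths the process may write */
    size_t num_write_prefixes;
};

/* 1 when path starts with one of the prefixes, else 0. */
static int check_prefixes(const char **prefixes, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (!strncmp(path, prefixes[i], strlen(prefixes[i])))
            return 1;
    return 0;
}

/* The hard-coded rule from the patch: a prefix match, so it also catches
 * siblings such as /var/log/sandboxes (the caveat in the code comment). */
static int in_log_dir(const char *path)
{
    return !strncmp(path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION));
}

/* Before the commit: denial first, so even reads of the log dir fail. */
int check_access_old(const struct ctx *c, int sb_nr, const char *path)
{
    if (in_log_dir(path))
        return 0;
    if (c->read_prefixes && sb_nr == SB_NR_OPEN_RD &&
        check_prefixes(c->read_prefixes, c->num_read_prefixes, path))
        return 1;
    if (sb_nr == SB_NR_OPEN_WR)
        return check_prefixes(c->write_prefixes, c->num_write_prefixes, path);
    return 0;
}

/* After the commit: read checks, then the denial, then write checks. */
int check_access_new(const struct ctx *c, int sb_nr, const char *path)
{
    if (c->read_prefixes && sb_nr == SB_NR_OPEN_RD &&
        check_prefixes(c->read_prefixes, c->num_read_prefixes, path))
        return 1;
    if (in_log_dir(path))
        return 0;
    if (sb_nr == SB_NR_OPEN_WR)
        return check_prefixes(c->write_prefixes, c->num_write_prefixes, path);
    return 0;
}

/* Constructed sample policy: read anywhere, write only under a build dir. */
static const char *sample_read[]  = { "/" };
static const char *sample_write[] = { "/var/tmp/portage" };
static const struct ctx sample_ctx  = { sample_read, 1, sample_write, 1 };
static const struct ctx no_read_ctx = { NULL, 0, sample_write, 1 };  /* no read prefixes at all */

int old_rules(int sb_nr, const char *path) { return check_access_old(&sample_ctx, sb_nr, path); }
int new_rules(int sb_nr, const char *path) { return check_access_new(&sample_ctx, sb_nr, path); }
int new_rules_no_read_prefixes(int sb_nr, const char *path)
{
    return check_access_new(&no_read_ctx, sb_nr, path);
}

int main(void)
{
    const char *paths[] = { "/var/log/sandbox/sandbox-1.log", "/var/log/sandboxes/x",
                            "/var/log", "/var/tmp/portage/work" };
    printf("%-32s %-8s %-8s\n", "path", "old r/w", "new r/w");
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-32s %d/%d      %d/%d\n", paths[i],
               old_rules(SB_NR_OPEN_RD, paths[i]), old_rules(SB_NR_OPEN_WR, paths[i]),
               new_rules(SB_NR_OPEN_RD, paths[i]), new_rules(SB_NR_OPEN_WR, paths[i]));
    return 0;
}
```

With the sample policy, the old ordering refuses a read of /var/log/sandbox/sandbox-1.log while the new one grants it; writes under /var/log/sandbox are refused by both, and so are writes under /var/log/sandboxes, because the rule is a plain prefix match. A context with read_prefixes set to NULL skips the read branch entirely, so the moved denial still refuses reads of the log dir there.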
-rw-r--r-- | libsandbox/libsandbox.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 3d55dd7..758c0dc 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -714,15 +714,6 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, goto out; } - /* Hardcode denying write to the whole log dir. While this is a - * parial match and so rejects paths that also start with this - * string, that isn't going to happen in real life so live with - * it. We can't append a slash to this path either as that would - * allow people to open the dir itself for writing. - */ - if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION))) - goto out; - if (sbcontext->read_prefixes && (sb_nr == SB_NR_ACCESS_RD || sb_nr == SB_NR_OPEN_RD || @@ -754,6 +745,15 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, } } + /* Hardcode denying write to the whole log dir. While this is a + * parial match and so rejects paths that also start with this + * string, that isn't going to happen in real life so live with + * it. We can't append a slash to this path either as that would + * allow people to open the dir itself for writing. + */ + if (!strncmp(resolv_path, SANDBOX_LOG_LOCATION, strlen(SANDBOX_LOG_LOCATION))) + goto out; + if (sb_nr == SB_NR_ACCESS_WR || sb_nr == SB_NR_CHMOD || sb_nr == SB_NR_CHOWN || |
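Review bot: the block removed in the first hunk is re-added verbatim in the second, typo included ("parial match"); since the comment is being moved anyway, correct it to "partial match" at the new location rather than carrying the typo forward.

Review bot: at its new position in the second hunk the hard-coded denial still fires for read-type calls whenever the read branch above it does not grant access, because that branch is guarded by `sbcontext->read_prefixes`: with no read prefixes configured, `SB_NR_OPEN_RD` on a path under /var/log/sandbox falls straight through to `goto out`, exactly as before the move. If that is intended, say so in the comment, which still only speaks of "denying write"; otherwise condition the `strncmp` denial on the write-type `sb_nr` values tested in the `if (sb_nr == SB_NR_ACCESS_WR || ...` chain directly below it, so that the commit's stated goal (reads allowed, writes denied) holds regardless of whether read prefixes are set.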