author Sergei Trofimovich <slyfox@gentoo.org> 2019-12-25 00:39:13 +0000
committer Michał Górny <mgorny@gentoo.org> 2020-05-31 09:38:28 +0200
commit 24fd102c99763502a7ab0d1f6f26632673216371
tree 1303807819ea617e56985908a27ec26a06d378b8 /tests/script.at
parent libsandbox/libsandbox.c: add errno output for internal sandbox violations
check_syscall(): turn internal sandbox violation into denywrite

In #590084 test suite performed to list files in a deleted directory:

    $ sandbox 'mkdir /tmp/zzz; cd /tmp/zzz; rmdir /tmp/zzz; ls'
     * sandbox-2.18/libsandbox/libsandbox.c:check_syscall():974: failure (No such file or directory):
     * ISE: opendir(.) abs_path: (null) res_path: (null)

Another reproducer is to create file outside deleted directory relative to that directory:

    $ sandbox 'mkdir /tmp/zzz; cd /tmp/zzz; rmdir /tmp/zzz; touch ../foo'
     * sandbox-2.18/libsandbox/libsandbox.c:check_syscall():974: failure (No such file or directory):
     * ISE: open_wr(../foo) abs_path: (null) res_path: (null)

sandbox can't validate safety of any of these operations as kernel does not provide a mechanism to resolve '.' back to an absolute path.

As it's a rare condition let's turn it into a sandbox violation instead of internal sandbox error and link to the bug with details in the error message.

Report after the change looks like:

    $ ./sandbox.sh 'mkdir /tmp/zzz; cd /tmp/zzz; rmdir /tmp/zzz; touch ../foo'
     * ACCESS DENIED: open_wr: '../foo' (from deleted directory, see https://bugs.gentoo.org/590084)
     * ACCESS DENIED: utimensat: '../foo' (from deleted directory, see https://bugs.gentoo.org/590084)
    touch: cannot touch '../foo': Permission denied

Reported-by: Mike Gilbert
Bug: https://bugs.gentoo.org/590084
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'tests/script.at')
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/script.at b/tests/script.at
index 8837bda..f1119ef 100644
--- a/tests/script.at
+++ b/tests/script.at
@@ -13,3 +13,4 @@ SB_CHECK(12)
+SB_CHECK(16) \ No newline at end of file
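Review bot: The added last line `SB_CHECK(16)` leaves tests/script.at without a trailing newline, as the `\ No newline at end of file` marker after it shows; ending the file with a newline would keep the next appended check a clean one-line diff. The new check is also identified only by its number, so nothing in this file ties it to the deleted-directory case from bug 590084; a short comment next to it, or a sentence in the commit message saying what test 16 exercises, would make the coverage easier to audit.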