author | Mike Frysinger <vapier@gentoo.org> | 2013-02-23 00:28:42 -0500 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2013-02-23 00:28:42 -0500 |
commit | 87f753cf677137f8d6c06c56ee6cc4db11ec71b0 (patch) | |
tree | 260225644f2c2ebfdba2125fb135f411aaea9358 /tests | |
parent | libsandbox: clean up open file handles in parent tracing process (diff) | |
libsandbox: preserve more SANDBOX env vars

While we took pains to preserve the LD_PRELOAD setting, this doesn't
help us too much in practice. If a process is going out of its way
to blow away LD_PRELOAD, chances are good it's blowing away all vars
it doesn't know about. That means all of our SANDBOX_XXX settings.
Since a preloaded libsandbox.so is useless w/out its SANDBOX_XXX
env vars, make sure we preserve those as well.

These changes also imply some behavioral differences from older
versions. Previously, you could `unset` a sandbox var in order
to disable it. That no longer works. If you wish to disable
things, you have to explicitly set it to "".

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 2 |
-rwxr-xr-x | tests/mkdir-3.sh | 2 |
-rwxr-xr-x | tests/script-10.sh | 21 |
-rw-r--r-- | tests/script.at | 1 |
4 files changed, 24 insertions, 2 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 1d32e2e..0f0c249 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -79,7 +79,7 @@ check_PROGRAMS = \ sigsuspend-zsh_static_tst dist_check_SCRIPTS = \ - $(wildcard $(srcdir)/*-?.sh) \ + $(wildcard $(srcdir)/*-[0-9]*.sh) \ script-0 \ trace-0 diff --git a/tests/mkdir-3.sh b/tests/mkdir-3.sh index 10e8723..e5b7899 100755 --- a/tests/mkdir-3.sh +++ b/tests/mkdir-3.sh @@ -18,7 +18,7 @@ chmod a-rx .. ln -s / root # this should trigger a sb violation -unset SANDBOX_PREDICT +SANDBOX_PREDICT="" (mkdir-0 -1 root/aksdfjasdfjaskdfjasdfla 0777) chmod a+rx .. diff --git a/tests/script-10.sh b/tests/script-10.sh new file mode 100755 index 0000000..801730e --- /dev/null +++ b/tests/script-10.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# make sure all the SANDBOX env vars make it back in. +[ "${at_xfail}" = "yes" ] && exit 77 # see script-0 + +ret=0 + +out=$(env -i env) +for var in LOG DEBUG_LOG MESSAGE_PATH DENY READ WRITE PREDICT ON ACTIVE ; do + var="SANDBOX_${var}" + oval=$(env | grep "^${var}=" | sed 's:^[^=]*=::') + + nval=$(echo "${out}" | sed -n "/^${var}=/s:[^=]*=::p") + + [ "${nval}" != "${oval}" ] && echo "!!! MISMATCH !!!" && ret=1 + echo "env [${var}]='${oval}'" + echo "env-i[${var}]='${nval}'" + [ "${nval}" != "${oval}" ] && echo "!!! MISMATCH !!!" + echo +done + +exit ${ret} diff --git a/tests/script.at b/tests/script.at index b095ce1..93e370a 100644 --- a/tests/script.at +++ b/tests/script.at @@ -7,3 +7,4 @@ SB_CHECK(6,,,8) SB_CHECK(7) SB_CHECK(8) SB_CHECK(9, [wait errpipe... done OK!]) +SB_CHECK(10) |
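Review bot: In tests/Makefile.am, the new glob `*-[0-9]*.sh` in dist_check_SCRIPTS is wider than the multi-digit test numbers it needs to admit: the trailing `*` accepts anything after the first digit, so a helper named like `foo-1-lib.sh` would also be distributed as a check script. `$(wildcard)` has no "one or more digits" form, so listing `*-[0-9].sh` and `*-[0-9][0-9].sh` separately would keep the match to numbered tests only.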
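Review bot: In tests/mkdir-3.sh, the replacement `SANDBOX_PREDICT=""` reaches `mkdir-0` only if the variable is already exported when the script starts; a plain assignment does not export a variable that was not exported before, whereas the old `unset` behaved the same either way. Consider `export SANDBOX_PREDICT=""`, and extend the `# this should trigger a sb violation` comment to say that the empty value is what clears the predict list now that unsetting no longer does.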
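Review bot: In the new tests/script-10.sh, the comparison `[ "${nval}" != "${oval}" ]` cannot tell an unset variable from one set to the empty string, and it passes when a variable is missing from both `env` and `env -i env`, so the loop succeeds even if a listed SANDBOX_ variable was never set or was not restored as empty. Since this commit gives "" a meaning distinct from unset, test for the presence of the `^${var}=` line in each output as well as comparing values. Separately, the `!!! MISMATCH !!!` check appears twice in the loop body (once with `ret=1` before the two `echo "env..."` lines and once after them), so each failure is reported twice; keep only the first.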