aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Bump to v2.20HEADv2.20masterMichał Górny2020-05-311-1/+1
| | | | Signed-off-by: Michał Górny <mgorny@gentoo.org>
* tests/script-16.sh: mark as passing only for native ABISergei Trofimovich2020-05-311-1/+2
| | | | | | | | | | | | | All scripts assume that ran tools matck tested sandbox's ABI. Most scripts have a guard against ABI check, but script-16 was missing it. It's afollow-up commit to 24fd102c9976 ("check_syscall(): turn internal sandbox violation into denywrite") Reported-by: Michał Górny Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Closes: https://bugs.gentoo.org/590084 Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Bump version to 2.19v2.19Michał Górny2020-05-311-1/+1
| | | | Signed-off-by: Michał Górny <mgorny@gentoo.org>
* check_syscall(): turn internal sandbox violation into denywriteSergei Trofimovich2020-05-313-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In #590084 test suite performed to list files in a deleted directory: $ sandbox 'mkdir /tmp/zzz; cd /tmp/zzz; rmdir /tmp/zzz; ls' * sandbox-2.18/libsandbox/libsandbox.c:check_syscall():974: failure (No such file or directory): * ISE: opendir(.) abs_path: (null) res_path: (null) Another reproducer is to create file outside deleted directory relative to that directory: $ sandbox 'mkdir /tmp/zzz; cd /tmp/zzz; rmdir /tmp/zzz; touch ../foo' * sandbox-2.18/libsandbox/libsandbox.c:check_syscall():974: failure (No such file or directory): * ISE: open_wr(../foo) abs_path: (null) res_path: (null) sandbox can't validate safety of any of these operations as kernel does not provide a mechanism to resolve '.' back to an absolute path. As it's a rare condition let's turn it into a sandbox violation instead of internal sandbox error and link to the bug with details in the error message. Report after the change looks like: $ ./sandbox.sh 'mkdir /tmp/zzz; cd /tmp/zzz; rmdir /tmp/zzz; touch ../foo' * ACCESS DENIED: open_wr: '../foo' (from deleted directory, see https://bugs.gentoo.org/590084) * ACCESS DENIED: utimensat: '../foo' (from deleted directory, see https://bugs.gentoo.org/590084) touch: cannot touch '../foo': Permission denied Reported-by: Mike Gilbert Bug: https://bugs.gentoo.org/590084 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Signed-off-by: Michał Górny <mgorny@gentoo.org>
* libsandbox/libsandbox.c: add errno output for internal sandbox violationsSergei Trofimovich2020-05-311-2/+8
| | | | | Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Stop installing the icon and .desktop fileMichał Górny2020-02-281-4/+2
| | | | | | | | The menu entry for Sandbox is not very useful, so stop installing it by default. Leave the files in place in case somebody wanted them. Bug: https://bugs.gentoo.org/710920 Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Bump version up to 2.18v2.18Sergei Trofimovich2019-07-121-1/+1
| | | | Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* tests: disable utimensat-3 on *-linux-muslSergei Trofimovich2019-06-272-0/+12
| | | | | | | | | | | | | | | | | | | x86_64-gentoo-linux-musl fails a single test: 83: utimensat/3 FAILED (utimensat.at:3) The test checks if sandbox does not crash when utimensat(<filefd>, NULL, NULL, 0) is called. The behaviour is not specified by POSIX but glibc returns EINVAL for such a case. Thus the test behaves differently on varius libs. https://www.openwall.com/lists/musl/2019/06/25/1 has a conversation with musl upstream. The change restricts test down to glibc targets. Bug: https://bugs.gentoo.org/549108 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* scripts/gen_symbol_header.awk: undefine libc symbol aliasesSergei Trofimovich2019-06-251-0/+4
| | | | | | | | | | | | | | Avoid libc's symbol rename via #define. musl defines aliases as: #define mkstemp64 mkstemp #define mkstemps64 mkstemps This causes libsandbox's aliases to clash with one another, like mkstemp and mkstemp64. The change does not break glibc and restores musl support. Bug: https://bugs.gentoo.org/549108 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* libsandbox/trace.c: tweak ptrace command type for muslSergei Trofimovich2019-06-251-2/+11
| | | | | | | | | | | | | | | | | | glibc defines ptrace as: long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data); musl defines ptrace as: long ptrace(int, ...); This causes build failure in for of: ../../sandbox-2.17/libsandbox/trace/linux/x86_64.c: In function 'trace_set_ret': ../../sandbox-2.17/libsandbox/trace/linux/x86_64.c:99:2: error: type of formal parameter 1 is incomplete trace_set_regs(regs); ^~~~~~~~~~~~~~ Let's clobber to 'int' lowest common denominator. Bug: https://bugs.gentoo.org/549108 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* Bump to 2.17v2.17Andreas K. Hüttel2019-03-131-1/+1
| | | | Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
* configure.ac: fix libc.so.6 detection on ld.goldSergei Trofimovich2019-03-131-3/+4
| | | | | | | | | | | | | | | | | | | | | | As reported by Mike Lothian below failed as: $ ./configure LDFLAGS=-fuse-ld=gold > checking libc path... configure: error: Unable to determine LIBC PATH (/lib64/libc.so.6") The regression happened in 3c0010366 ("configure.ac: add lld detection support") where "attempt" keyword in verbose linker log was used as a hint to use bfd or gold output parser. Unfortunately ld.gold uses "Attempt" spelling. The change is to use the "[Aa]ttempt" substring matcher. Tweak the parser to also match on "[Aa]ttempt" explicitly. Tested on bfd, gold and lld. Reported-by: Mike Lothian Bug: https://bugs.gentoo.org/680034 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
* Bump to 2.16v2.16Andreas K. Hüttel2019-03-101-1/+1
| | | | Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
* configure.ac: add lld detection supportSergei Trofimovich2019-03-081-2/+9
| | | | | | | | | | With this change $ ./configure CC=clang LDFLAGS='-Wl,--hash-style=gnu -fuse-ld=lld' $ make check exposes 35 test failures Bug: https://bugs.gentoo.org/672918 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* exec wrapper: add support for GNU_HASH parserSergei Trofimovich2019-03-021-37/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | In bug #672918 exec's ELF parser was going out of symbol table range. It happened to trigger on a binary linked by LLVM's lld. sandbox has no precise way to determine symbol table size and uses the heuristic of detecting SYMTAB dynamic section size: STRTAB (or GNU_LIBLIST for prelinked binaries). This is a weak assumption and does not hold for lld-linked binaries where the ordering is SYMTAB->GNU_HASH->STRTAB. As a result sandbox SIGSEGVs when parses GNU_HASH as SYMTAB entries. The change adds GNU_HASH parser to iterate exactly through exported symbols. That way we avoid heuristic code completely. While at it repobe GNU_LIBLIST hack as we should not rely on size heuristics anymore. This has a nice side-effect of speeding up ELF parsing as GHU_HASH only iterates through exported symbols. HASH comparison has all dynamic symbols: both exported and imported. Reported-by: Dennis Schridde Bug: https://bugs.gentoo.org/672918 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* m4: ax_* update via autogen.shMichał Górny2019-01-1310-234/+105
| | | | Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Flatten data, etc & scripts MakefilesMichał Górny2019-01-136-26/+18
| | | | Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Remove pointless .pch supportMichał Górny2019-01-132-44/+3
| | | | Signed-off-by: Michał Górny <mgorny@gentoo.org>
* Bump to 2.15v2.15Michał Górny2019-01-091-1/+1
| | | | Signed-off-by: Michał Górny <mgorny@gentoo.org>
* exec*() wrappers: never mutate 'environ' of host processSergei Trofimovich2019-01-087-55/+96
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In bug #669702 gcc exposed sandbox bug where execv() wrapper changed 'environ' global variable underneath. A few GNU projects (pex_unix_exec_child in gcc and gdb) use the following idiom: for (;;) { vfork(); char ** save_environ = environ; // [1] if (child) { environ = child_environ; // [2] execv(payload); // [3] } if (parent) { environ = save_environ; // [4] ... waitpid(child, ...); } } Code above assumes that execv() does not mutate 'environ'. In case of #669702 sandbox's execv() wrapper at '[3]' mutated 'environ' and relocated it (via maloc()/free() internally). This caused '[4]' to point 'environ' fo freed location. The change fixes it in a following way: - execv() call now works more like execve() call by mutating external array and substitutes 'environ' only for a period of 'execv()' execution. - add basic execv()/'environ' corruption test Tested on: - linux/glibc-2.28 - linux/uclibc-ng-1.0.31 Reported-and-tested-by: Walther Reported-by: 0x6d6174@posteo.de Reported-by: Andrey Korolyov Bug: https://bugs.gentoo.org/669702 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
* Bump to 2.14v2.14Michał Górny2018-12-021-1/+1
| | | | Signed-off-by: Michał Górny <mgorny@gentoo.org>
* libsandbox: resolve_dirfd_path /proc/<pid> namespace safetyZac Medico2018-12-021-1/+8
| | | | | | | | | | | | | | | | | | | | | If /proc was mounted by a process in a different pid namespace, getpid cannot be used create a valid /proc/<pid> path. Instead use sb_get_fd_dir() which works in any case. This implements option 3 of these choices: 1) Always create a mount namespace when creating a pid namespace, and remount /proc so that /proc/<pid> entries are always consistent with the current pid namespace. 2) Use readlink on /proc/self instead of getpid to determine the pid of self in the pid namespace of the /proc mount. 3) Use /proc/self or /dev/fd directly. Bug: https://bugs.gentoo.org/670966 Signed-off-by: Zac Medico <zmedico@gentoo.org> Closes: https://github.com/gentoo/sandbox/pull/1 Signed-off-by: Michał Górny <mgorny@gentoo.org>
* libsandbox: Remove meaningless/broken -nodefaultlibsMichał Górny2018-07-191-1/+0
| | | | | | | | | | | | | Remove '-nodefaultlibs' from linking flags for libsandbox as it is apparently meaningless and broken at the same time. When regular libtool is used, it silently strips the option, making it meaningless. When slibtool is used instead, it passes the option which causes linking to fail due to undefined symbols. Thanks to the bug reporter and slibtool devs from researching the problem in detail. Bug: https://bugs.gentoo.org/657184
* Update autotools filesv2.13Michał Górny2018-02-1916-237/+272
|
* tests: Add a test for LD_PRELOAD non-preserving (SANDBOX_ON=0)Michał Górny2018-02-192-0/+22
|
* Disable environment propagation if sandbox is disabledMichał Górny2018-02-121-0/+5
| | | | | | | | | | | | | | Do not enforce restoring sandbox variables in the environment if sandbox is explicitly disabled. This makes it possible to set SANDBOX_ON=0 and then unset LD_PRELOAD without having to resort to ugly hacks to prevent sandbox from restoring itself. The only limitation is that if user sets SANDBOX_ON=0 first, then wipes the environment, he will no longer be able to reenable sandbox via doing SANDBOX_ON=1. However, it is rather unlikely that such a thing would need to happen in real use. Bug: https://bugs.gentoo.org/592750
* Post-release bump to 2.13Michał Górny2017-10-031-1/+1
|
* Ensure LD_LIBRARY_PATH is copied to my_envv2.12Peter Levine2017-10-031-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Sandbox commit 55087abd8dc9802cf68cade776fe612a3f19f6a1 is for the purpose of preventing a loop or deadlock caused by a package implementing its own libc memory allocation functions, which themselves may call on a sandbox wrapped system calls, whose implementation depends on further calls to such memory functions. If any binaries export such symbols, sandbox assumes the worst and prevents loading of libsandbox.so and instead opts for ptrace. In preventing the loading of libsandbox, it removes all variables whose env_pair.name field matches the name of an environment variable from the environment, for all env_pairs of vars[] in char **sb_check_envp(char **envp, size_t *mod_cnt, bool insert) in "libsandbox/libsandbox.c". This includes not just the usual environment variables prefixed with 'SANDBOX_' but also LD_PRELOAD and LD_LIBRARY_PATH. LD_PRELOAD clearly should be removed. But LD_LIBRARY_PATH would only seem to be trouble if used with LD_PRELOAD. As such it makes sense to me to prevent the removal of LD_LIBRARY_PATH. Given the fact that the the positions of the env_pairs in vars[] are intended to be hard-coded (from libsandbox.c: /* Indices matter -- see init below */), this commit uses the index of the env_pair corresponding to LD_LIBRARY_PATH to prevent its removal.
* libsandbox: Fix path matching not to dumbly match prefixesMichał Górny2017-10-033-3/+40
| | | | | | Fix the path matching code to match prefixes component-wide rather than literally. This means that a path such as '/foo' will no longer match '/foobar' but only '/foo' and its subdirectories (if it is a directory).
* Remove no-longer-necessary symlink hack in ACLMichał Górny2017-10-031-40/+0
| | | | | | | | Remove the hack supposedly responsible for making it possible to remove symbolic links to protected files. The hack was probably necessary back when the write check was performed on fully resolved path. However, currently the path resolution is no longer performed when the operation does not resolve symlinks, effectively making the hack redundant.
* libsandbox: do not abort with a long name to opendirMart Raudsepp2017-09-265-0/+37
| | | | | | | | | | | | | | Add a pre-check for opendir that catches too long name arguments given to opendir, as it would get messed up and abort before it even gets to the open*() syscall (which would handle it correctly), due to opendir going through before_syscall/check_syscall, even though it isn't a true syscall and it getting cut to SB_PATH_MAX inbetween and getting confused somewhere. Test case added by Michał Górny <mgorny@gentoo.org>. Bug: https://bugs.gentoo.org/553092 Signed-off-by: Mart Raudsepp <leio@gentoo.org>
* libsandbox: whitelist renameat/symlinkat as symlink funcsMike Frysinger2017-03-107-1/+49
| | | | | | | These funcs don't deref their path args, so flag them as such. URL: https://bugs.gentoo.org/612202 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: elide sb_maybe_gdb when -DNDEBUG is usedGuenther Brunthaler2016-11-271-0/+2
| | | | | | | | Since sb_maybe_gdb is set up as a stub macro, make sure we don't define the function either to cut down on size and build failures (when the macro tries to expand the function prototype). URL: https://bugs.gentoo.org/600550
* libsandbox: fix symtab walking with prelinked ELFsMike Frysinger2016-11-161-11/+28
| | | | | | | | | | | | | | | | | | When prelink runs on an ELF, it moves the string table from right after the symbol table to the end, and then replaces the string table with its liblist table. This ends up breaking sandbox's assumption that the string table always follows the symbol table leading to prelinked ELFs crashing. Update the range check to use the liblist table when available. Since the prelink code has this logic hardcoded (swapping the string table for the liblist table), this should be OK for now. URL: https://bugs.gentoo.org/599894 Reported-by: Anders Larsson <anders.gentoo@larsson.xyz> Reported-by: Kenton Groombridge <rustyvega@comcast.net> Reported-by: Marien Zwart <marien.zwart@gmail.com> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: whitelist execvpeMike Frysinger2016-03-301-0/+1
| | | | | | URL: https://bugs.gentoo.org/578516 Reported-by: Toralf Förster <toralf.foerster@gmx.de> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix symtab walking with some ELFsMike Frysinger2016-03-291-13/+17
| | | | | | | | | The strtab assumption works if there is no SysV hash table. Add logic to handle that scenario. URL: https://bugs.gentoo.org/578524 Reported-by: Toralf Förster <toralf.foerster@gmx.de> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* bump to sandbox-2.12Mike Frysinger2016-03-291-1/+1
| | | | Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix x86 tracing when schizo is activev2.11Mike Frysinger2016-03-291-0/+10
| | | | | | | | Commit 48520a35697aa39bed046b9668a3e3e5f8a8ba93 fixed the configure logic, but the build would fail to link for x86 systems as the syscall table was not actually set up. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: make all shell scripts executableMike Frysinger2016-03-299-0/+0
| | | | Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow user to force SIGKILLMike Frysinger2016-03-291-2/+10
| | | | | | | Sometimes the child process can get wedged and not respond to CTRL+C, so add an escape hatch so the user can easily force SIGKILL. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: make check_syscall ISE a little more usefulMike Frysinger2016-03-291-2/+2
| | | | | | | | Showing just the resolved paths isn't too helpful when they're both NULL. Also include the failing func & original file path. URL: https://bugs.gentoo.org/553092 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: use ptrace on apps that interpose their own allocatorMike Frysinger2016-02-167-42/+210
| | | | | | | | | | | | | | | | | | | | | | | If an app installs its own memory allocator by overriding the internal glibc symbols, then we can easily hit a loop that cannot be broken: the dlsym functions can attempt to allocate memory, and sandbox relies on them to find the "real" functions. So when someone calls a symbol that the sandbox protects, we call dlsym, and that calls malloc, which calls back into the app, and their allocator might use another symbol such as open ... which is protected by the sandbox. So we hit the loop like: -> open -> libsandbox:open -> dlsym -> malloc -> open -> libsandbox:open -> dlsym -> malloc -> ... Change the exec checking logic to scan the ELF instead. If it exports these glibc symbols, then we have to assume it can trigger a loop, so scrub the sandbox environment to prevent us from being loaded. Then we use the out-of-process tracer (i.e. ptrace). This should generally be as robust anyways ... if it's not, that's a bug we want to fix as this is the same code used for static apps. URL: http://crbug.com/586444 Reported-by: Ryo Hashimoto <hashimoto@chromium.org> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: add test for overriding mmapMike Frysinger2016-02-166-0/+56
| | | | | | URL: http://bugs.gentoo.org/290249 Reported-by: Diego E. Pettenò <flameeyes@gentoo.org> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: clean up same.h distdir usageMike Frysinger2016-01-181-1/+0
| | | | | | | In commit 7a923f646ce10b7dec3c7ae5fe2079c10aa21752, we dropped the same.h header, but the build still listed it. Drop it from the distdir list. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add wrappers for execveat & execvpeMike Frysinger2015-12-223-0/+27
| | | | Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: fix alpha ptrace error settingMike Frysinger2015-12-201-1/+6
| | | | Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: new ia64 ptrace portMike Frysinger2015-12-203-0/+84
| | | | Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: check errno with more static testsMike Frysinger2015-12-203-3/+3
| | | | | | | This verifies the error code setting with ptrace logic -- if the ptrace code is broken, the errno will often be ENOSYS instead of EPERM. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: gnulib: hand disable same_name usageMike Frysinger2015-12-202-34/+0
| | | | | | | | We don't provide same_name because the one caller we don't use, but it relies on gc-sections to avoid link errors. That flag doesn't work on ia64 though, so we need to hand delete the one caller. Ugh. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: disable gc-sections on ia64 systemsMike Frysinger2015-12-201-1/+4
| | | | Signed-off-by: Mike Frysinger <vapier@gentoo.org>