| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
Bug: https://bugs.gentoo.org/910195
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit 12c24e7f990dec058563ca1ef954bfd8264f2f96)
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
arm64 has a dedicated regset to manipulate the system call number.
See kernel commit 766a85d7bc5d7f1ddd6de28bdb844eae45ec63b0.
Bug: https://bugs.gentoo.org/909416
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit f4c6bf434459d2d7b57c003e4eab81f2f8c21f51)
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running the test suite under portage, the entire build directory
will be writable because portage adds PORTAGE_TMPDIR to SANDBOX_WRITE
(thanks floppym). This breaks the tests for these two wrappers, since
they expect to fail when trying to write above $PWD.
To avoid that, we create a new file to call fchown/fchmod on, and then
explicitly deny access to it.
Closes: https://bugs.gentoo.org/909445
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit e5032c6b89621db0475e36fb06c2905b6a9c024c)
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit e2f8b0382aef54fd0827c61f05589b82ddfa8331)
|
| |
|
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit 8fd0fb9f956c65dab850895102b21a7fef92b753)
|
| |
|
|
|
|
|
| |
On Alpine, libc's SONAME is 'libc.musl-x86_64.so.1'.
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit 3ccc775d6f98c1917408bc3a370cfd6d3d789d50)
|
| |
|
|
|
|
|
|
|
| |
musl uses different names from glibc for the time64 symbols.
Add them to symbols.h, and use symlinks for the wrapper-func files.
Bug: https://bugs.gentoo.org/908970
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit 2911fdc0d72e37e99cac6609b4799ee06b29cd31)
|
| |
|
|
|
|
| |
Closes: https://bugs.gentoo.org/599706
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
Bug: https://bugs.gentoo.org/599706
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fchown/fchmod functions use a file descriptor obtained from
open(), and the sandbox relies on its open() wrapper for safety. But
it turns out that fchown/fchmod can operate on a descriptor opened
O_RDONLY, which the open() wrapper is happy to give you. Oops. This is
bug 599706.
There's no POSIX way to map the descriptor to a path once you've got
it, but on linux you can use the magic path "/proc/self/fd/%i" which
should be a symlink pointing to the path passed to open(). Once we
have that path, we can use the existing "is this path safe" machinery
in the sandbox. There is precedent for this approach in sandbox, and
the SANDBOX_PROC_SELF_FD macro already exists to indicate that the
feature is available.
Bug: https://bugs.gentoo.org/599706
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
This provides a central place to work around a bug on musl where
faccessat sets errno to EINVAL when the kernel does not support
faccessat2.
Bug: https://bugs.gentoo.org/908765
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit b55840ebe3278032777a3b52cecc6dac325dcf85)
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
lutimes operates on symlinks, so we should not check for access against
the symlink target.
Bug: https://bugs.gentoo.org/908105
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit cdc89a00ac0bc3170d4ca7bfc77bc2572ce076b0)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bfd, gold, lld, and mold all support `-Wl,--trace`, which has cleaner
output than `-Wl,--verbose`. mold doesn't output anything with the
latter, so the test didn't support that until now. The only difference
between them now is that mold prefixes its output with `trace: ` whereas
the others do not.
I checked the Solaris linker, but that does not support `-Wl,--trace`.
Bug: https://bugs.gentoo.org/830463
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
Closes: https://github.com/gentoo/sandbox/pull/5
Signed-off-by: Sam James <sam@gentoo.org>
(cherry picked from commit 190300def3160ca39bd8590d1bbc7305ae07cc5b)
|
| |
|
|
|
| |
Signed-off-by: Sam James <sam@gentoo.org>
(cherry picked from commit cb63ad4fb4b8a21b269f330f2512da0a6ce7399e)
|
| |
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
| |
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
(cherry picked from commit 8d999c4fd1c4f05af56e0f11cd5d9082a013ad74)
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now that we use 64-bit stat & lstat explicitly everywhere, we don't
need these dynamic redirects for 64-bit wrappers. The off_t define
is only used by one file anymore too, but we can inline that.
That leaves the SB64 define which we use inconsistently in places.
In some 64-bit modules that include the 32-bit, we use SB64 to switch
between the 64-bit & 32-bit APIs. In other places, the 64-bit file
is responsible for redefining the few relevant APIs. Let's switch
all the files away from SB64 and to defining the single thing that
the 64-bit module needs directly. It's either the same or fewer LOC
this way, and doesn't seem any more or less difficult to maintain.
The __64_{pre,post}.h & SB64 define weren't easily discoverable.
Bug: https://bugs.gentoo.org/583282
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit 35459036a204bbf147b11631317aff9eb1804573)
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Make sure we use 64-bit FS interfaces when accessing the FS. This
is needed not only to stat or open large files, but even files with
64-bit inodes.
Bug: https://bugs.gentoo.org/583282
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit 632cc66ba52eb6aa7fd3e457c64d9186389a20b4)
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
This is faster than using stat since it doesn't have to gather all
the metadata, and should avoid LFS issues as a result.
Bug: https://bugs.gentoo.org/583282
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit 382f70b8d93d012648edc7a42087a6d4d5a103eb)
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
Only copy in files that define the macros we need and not ones that
reference the macros. This avoids copying a lot unused files in.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit 34bd750be930dee47ba6114f211aa97935939ecc)
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Portage runs commands through sandbox like:
$ sandbox "/usr/lib/portage/python3.9/ebuild.sh unpack"
That means we can't break the CLI without breaking portage and forcing
everyone to upgrade together. That'll be pretty disruptive for people,
so add a hack to detect this situation: if a single argument is passed
on the CLI, and it doesn't appear to be a file, then fallback to running
it through the shell. This keeps portage working while allowing the new
interface style to launch. If/when we can update portage to always use
the -c option, maybe we can drop this in the future. Or not ... it's
not exactly the worst hack for users.
Bug: https://bugs.gentoo.org/265907
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
This should make it a little more clear that this summary is coming
from the sandbox and not somewhere else.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
QEMU's linux-user does not implement ptrace for any architecture, and
any attempt to call it fails with ENOSYS. Detect that scenario.
Closes: https://bugs.gentoo.org/648516
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
The filename was only used for a single debug print, and the args
ignored completely. Don't bother passing them down at all.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The sandbox command line is passed to a shell for execution. This can
be a bit awkward to quote right if you weren't expecting it, and even
if you were. Change the default behavior to be more like `env` where
the arguments, as they are, get passed through and run. If people want
the old shell behavior, they can use the -c option akin to `bash -c`.
Bug: https://bugs.gentoo.org/265907
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The reason we put these in wrapper-funcs/ is because we normally
dynamically include them when the corresponding symbol is available.
For example, if the C library supports symbol foo, and there is a
wrapper-funcs/foo_pre_check.c, we'll automatically include it based
on the assumption that wrapper-funcs/foo.c needs it. But if the C
library doesn't have a symbol foo, we won't include foo.c or the
foo_pre_check.c file at all. Sounds fine.
The *at family of functions is a bit different because we end up
using them both in the wrapper-funcs/ files, and in the trace code,
the latter of which we use unconditionally. This lead to a build
issue early on (see commit b27df46f349e850067ae388fe067b043abf3aecb
("libsandbox: fix missing *at pre_checks")) whereby we hacked in
these *at pre-check symbols all the time. At which point, having
them be in wrapper-funcs/ was more out of convention with how we
manage all our other APIs.
We want to support running ptrace from the sandbox binary directly
which requires linking (most of) libsandbox into it, and to that
end, hoist these pre-check functions out of wrapper-funcs. This
makes it a bit clearer that we always want to compile these.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
Commit ef35a16d1b5dcc1a99d17470799e680879278600 ("build: create
libsandbox dir before writing files") added a mkdir call to most
targets, but trace_syscalls.h was missed.
Bug: https://issuetracker.google.com/issues/204404822
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
The C library has a dprintf function too, and it might be a define
that clashes with ours, so undefine it to avoid warnings.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we're notified that the child has received a signal, we need to
pass it through since we don't care about signals. We did that, but
using PTRACE_CONT which causes the process to just resume, and then
we'd call PTRACE_SYSCALL on that resumed state. When the pass thru
logic was a signal handler, PTRACE_CONT was correct since it would
come in while in the middle of PTRACE_SYSCALL, but after the rewrite
of the main loop, it's now the wrong call. Pass the signal back to
the existing PTRACE_SYSCALL call so that we stay in the main loop
and get notified on the next syscall event.
Closes: https://bugs.gentoo.org/820407
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When checking paths for violations, we need to know whether the path
is a symlink, and whether the current function dereferences them. If
it dereferences, we have to check the symlink and its target. If it
doesn't, we can skip the target check.
The helper to see if the function operates on symlinks ends with an
lstat on the path itself -- if it exists and is a symlink, we will
skip the target check. If it doesn't exist, or isn't a symlink, we
check the target. This logic doesn't make sense since (1) if it
doesn't exist, or isn't a symlink, there is no "target" and (2) the
symlink nature of the function is unchanged.
In practice, this largely doesn't matter. If the path wasn't a
symlink, and it (as the source) already passed checks, then it's
also going to pass checks (as the target) since they're the same
path.
However, we get into a fun TOCTOU race: if there are multiple things
trying to create a symlink at the same path, then we can get into a
state where:
- process 1 calls a symlink func on a path doesn't exist
- lstat fails, so symlink_func() returns false
- the kernel contexts switches away from process 1
- process 2 calls a symlink func on the same path
- lstat fails, so symlink_func() returns false
- the target path is "resolved" and passes validation
- process 2 creates the symlink to a place like /usr/bin/foo
- process 1 resumes
- the target path is resolved since it now actually exists
- the target is a bad path (/usr/bin/foo)
- sandbox denies the access even though it's a func that only
operates on symlinks and never dereferences
This scenario too rarely happens (causes it's so weird), but it is
possible. A quick way to reproduce is with:
while [[ ! -e $SANDBOX_LOG ]] ; do
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
ln -s /bin/bash ./f &
rm -f f
wait
done
Eventually this will manage to trigger the TOCTOU race.
So just delete the lstat check in the symlink_func() helper. If the
path doesn't exist, we can safely let it fail. If the path shows up
in parallel, either as a symlink or not, we already validated it as
being safe, so letting the func be called is safe.
Bug: https://issuetracker.google.com/issues/204375293
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
Seems to pass (almost all) unittests on Linux 4.19. The unlink_static
doesn't seem to actually block the call, but it blocks others. Still,
better than nothing at all at this point.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This is a generic interface for all arches, but it only supports
reading settings currently. We can at least detect failures which
is better than nothing.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows tracing of sparc32 in a sparc64 multilib setup.
Although it doesn't quite work -- the syscall table needs to be
reloaded after the exec commits. We leave that out for now since
there isn't actually a sparc32+sparc64 multilib port currently.
Bug: https://bugs.gentoo.org/293632
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
Now that we have a real dev system & userland running sparc64,
port the logic to it and make sure tests pass on 32-bit & 64-bit.
Hopefully the trace main loop rewrite to avoid signals should
address the instability issues we saw.
Closes: https://bugs.gentoo.org/293632
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This will lock down the ability to use set*id programs (like sudo),
and will allow us to utilize seccomp bpf to speed up ptrace.
Closes: https://bugs.gentoo.org/442172
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This enables support for 64-bit time_t syscalls where the glibc symbol
name is not the same as the kernel syscall name.
Closes: https://bugs.gentoo.org/751241
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
Rather than always set undefined symbols to the same constant, expand
it to a range of constants, and give every symbol a unique value. For
dynamic symbol processing, this isn't a big deal as such symbols will
never show up, but when handling syscalls that don't have a matching C
library symbol, we need to make sure that we have unique entries.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
In preparation for extending the symbol format, move parsing out of
the makefile (which is a basic sed expression) to the awk scripts.
This also has a nice side benefit of removing one automake warning.
It is slightly more code, but the scripts will be diverging shortly,
so it's unavoidable.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The awk scripts iterate over all the possible symbols for each line of
readelf output. As we add more symbols, and as the C library grows,
the number of iterations explodes.
We iterate over the list of possible symbols by creating a regex to
match against the readelf output. We could create a large regex at
the start of the script to match all possible symbols, and then run
that against the readelf lines. This avoids the nested loop logic,
and speeds up the scripts significantly: from ~1.5sec to ~0.05sec.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
Mike Gilbert
Michael Orlitzky
Michael Orlitzky
James Le Cuirot
Sam James
Mike Frysinger
Mike Frysinger
GitWeb