| Commit message | Author | Age | Files | Lines |

The C library has a dprintf function too, and it might be a define
that clashes with ours, so undefine it to avoid warnings.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When we're notified that the child has received a signal, we need to
pass it through since we don't care about signals. We did that, but
using PTRACE_CONT which causes the process to just resume, and then
we'd call PTRACE_SYSCALL on that resumed state. When the pass thru
logic was a signal handler, PTRACE_CONT was correct since it would
come in while in the middle of PTRACE_SYSCALL, but after the rewrite
of the main loop, it's now the wrong call. Pass the signal back to
the existing PTRACE_SYSCALL call so that we stay in the main loop
and get notified on the next syscall event.
Closes: https://bugs.gentoo.org/820407
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When checking paths for violations, we need to know whether the path
is a symlink, and whether the current function dereferences them. If
it dereferences, we have to check the symlink and its target. If it
doesn't, we can skip the target check.
The helper to see if the function operates on symlinks ends with an
lstat on the path itself -- if it exists and is a symlink, we will
skip the target check. If it doesn't exist, or isn't a symlink, we
check the target. This logic doesn't make sense since (1) if it
doesn't exist, or isn't a symlink, there is no "target" and (2) the
symlink nature of the function is unchanged.
In practice, this largely doesn't matter. If the path wasn't a
symlink, and it (as the source) already passed checks, then it's
also going to pass checks (as the target) since they're the same
path.
However, we get into a fun TOCTOU race: if there are multiple things
trying to create a symlink at the same path, then we can get into a
state where:
- process 1 calls a symlink func on a path that doesn't exist
- lstat fails, so symlink_func() returns false
- the kernel context switches away from process 1
- process 2 calls a symlink func on the same path
- lstat fails, so symlink_func() returns false
- the target path is "resolved" and passes validation
- process 2 creates the symlink to a place like /usr/bin/foo
- process 1 resumes
- the target path is resolved since it now actually exists
- the target is a bad path (/usr/bin/foo)
- sandbox denies the access even though it's a func that only
operates on symlinks and never dereferences
This scenario happens rarely (because it's so weird), but it is
possible. A quick way to reproduce is with:
    while [[ ! -e $SANDBOX_LOG ]] ; do
        ln -s /bin/bash ./f &
        ln -s /bin/bash ./f &
        ln -s /bin/bash ./f &
        ln -s /bin/bash ./f &
        ln -s /bin/bash ./f &
        rm -f f
        wait
    done
Eventually this will manage to trigger the TOCTOU race.
So just delete the lstat check in the symlink_func() helper. If the
path doesn't exist, we can safely let it fail. If the path shows up
in parallel, either as a symlink or not, we already validated it as
being safe, so letting the func be called is safe.
Bug: https://issuetracker.google.com/issues/204375293
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Seems to pass (almost all) unittests on Linux 4.19. The unlink_static
doesn't seem to actually block the call, but it blocks others. Still,
better than nothing at all at this point.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This is a generic interface for all arches, but it only supports
reading settings currently. We can at least detect failures, which
is better than nothing.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This allows tracing of sparc32 in a sparc64 multilib setup.
Although it doesn't quite work -- the syscall table needs to be
reloaded after the exec commits. We leave that out for now since
there isn't actually a sparc32+sparc64 multilib port currently.
Bug: https://bugs.gentoo.org/293632
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Now that we have a real dev system & userland running sparc64,
port the logic to it and make sure tests pass on 32-bit & 64-bit.
Hopefully the trace main loop rewrite to avoid signals should
address the instability issues we saw.
Closes: https://bugs.gentoo.org/293632
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This will lock down the ability to use set*id programs (like sudo),
and will allow us to utilize seccomp bpf to speed up ptrace.
Closes: https://bugs.gentoo.org/442172
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This enables support for 64-bit time_t syscalls where the glibc symbol
name is not the same as the kernel syscall name.
Closes: https://bugs.gentoo.org/751241
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Rather than always set undefined symbols to the same constant, expand
it to a range of constants, and give every symbol a unique value. For
dynamic symbol processing, this isn't a big deal as such symbols will
never show up, but when handling syscalls that don't have a matching C
library symbol, we need to make sure that we have unique entries.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
In preparation for extending the symbol format, move parsing out of
the makefile (which is a basic sed expression) to the awk scripts.
This also has a nice side benefit of removing one automake warning.
It is slightly more code, but the scripts will be diverging shortly,
so it's unavoidable.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The awk scripts iterate over all the possible symbols for each line of
readelf output. As we add more symbols, and as the C library grows,
the number of iterations explodes.
We iterate over the list of possible symbols by creating a regex to
match against the readelf output. We could create a large regex at
the start of the script to match all possible symbols, and then run
that against the readelf lines. This avoids the nested loop logic,
and speeds up the scripts significantly: from ~1.5sec to ~0.05sec.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This intercepts the C library 64-bit time_t interfaces. The syscall
trace side will need more work first.
Bug: https://bugs.gentoo.org/751241
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
While many syscalls follow similar patterns for dirfd & path handling,
the flags argument is less consistent -- it tends to be last with all
other arguments in between. As a result, a few syscalls were pulling
the wrong argument for the flags settings:
* fchmodat: the syscall interface has no flags at all
* fchownat: the flags come after uid & gid
* utimensat: the flags come after the timespec
These syscalls haven't been a problem in practice because no one ever
tries to chmod/chown/utimes on symlinks themselves.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The paths listed in EXTRA_DIST must be the targets that we define
exactly, or running distcheck can fail with stale targets -- they
should have been generated before creating the dist, but they get
updated afterwards. This is easy to repro with:
    touch tests/testsuite.at && make distcheck
Let's split the relative & absolute path logic a bit to help with
this. We should only use relative paths in dependency related
settings, but use absolute paths when running tools after a cd to
a different location.
Also add testsuite.list.at to the dist explicitly. We were getting
this implicitly via testsuite depending on it, but better to list
all the files exactly.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
When setting up sandbox on a new system for development, it helps to
be able to build the new sandbox checkout in the same way as it is
currently installed in the system. Add a command line option for
this explicitly to speed up development.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This kills off recursive make entirely.
Closes: https://bugs.gentoo.org/819411
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Every subdir sets this var this way, so might as well unify it.
We keep very few files in here, so shouldn't be a future problem.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The ptrace API does not guarantee the syscall number lookup will be
valid on syscall exit (since the underlying register might have been
clobbered), so stop trying to look it up then. We only used it when
decoding entry anyways, so this is more minor housekeeping.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Since it uses the symbols header as input, make sure we regen on
changes to it so we don't get stuck in weird stale states.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This reverts commit 53ffbaeb24f6ee22a2dcd70fad29c86a4dd863c2.
These files are supposed to be in here.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Forcing errors in the powerpc interface is a little finicky.
Fix it up so all the tests pass now on ppc32 & ppc64.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Needed for new xattr tests.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
With our eclasses & python frameworks responsible for generating
these files now, we should be able to reject write attempts to these
again. Let's turn it back on and see what blows up.
Bug: http://bugs.gentoo.org/256953
Closes: https://bugs.gentoo.org/775416
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
These modify the filesystem, so don't let them do their business.
Fixes: https://bugs.gentoo.org/672566
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Newer versions of binutils will truncate symbol output weirdly unless
the --wide option is used. This manifests itself as libsandbox not
including symbols when their name and symbol version is too long.
The new removexattr symbol tests were failing because of this, but
it seems the others were either not too long, or we didn't have any
test coverage for them (oops).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
It's basically renameat at this point as we don't care about the flags.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
It's basically renameat at this point as we don't care about the flags.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
If the ptrace code crashes/aborts for any reason, don't let the tracee
leak out. No one will be expecting this, and it could lead to zombie
processes hanging around.
This option is new to Linux 3.8. We could code this so that it would
fall back automatically to older versions of Linux, but with 3.8 being
released in 2013, it doesn't seem like we need to support anyone that old.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Since we can get all the details we need from the existing waitpid
call, there's no need for an async signal handler. We can merge
that logic into the main synchronous loop. This makes the code a
lot easier to reason about as we know it's fully contained here.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This fixes compiler warnings, but shouldn't make a difference otherwise.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Merging subdir Makefile.am files up meant that creation of those
dirs for outputs is no longer handled immediately by autoconf, so
make sure our custom rules have mkdir calls.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
These dirs have -I paths to the top-level, so these redirects aren't
that useful anymore.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This makes it easy to quickly compile all the tools without actually
running the testsuite.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Provides a bit of a speed up.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The README file rename has broken compatibility with older versions
of autoconf. Mark the package as foreign to fix that.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Current versions of GNU make (at least v4.3) seem to be leaking its
jobserver fds to children which breaks some tests that expect fd 3
and higher to be free. Add some startup logic to clean those to fix
`make -j check` failures.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
We don't need to look up the register set twice, so drop the 2nd call.
These parts of the code were merged during a refactor and while they
made sense when they were in separate places, they don't here.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>