Commit log for path: root/src
* Rename multiple personalities feature
  Sam James, 2023-08-05; 1 file changed, -3/+3

  "schizo" isn't a particularly sensitive term, and it's not very clear what it means to non-native English speakers anyway. Name it after what the feature really does: multiple (Linux) personality support using ptrace.

  Signed-off-by: Sam James <sam@gentoo.org>
* libsbutil: add sbio_faccessat and use it in sb_exists
  Mike Gilbert, 2023-08-03; 1 file changed, -0/+1

  sbio_faccessat allows libsbutil to access the unwrapped version of faccessat when called from libsandbox. Using faccessat in place of fstatat seems to give a small boost in performance. Pass AT_EACCESS to faccessat to enable a faster path if uid != euid.

  Bug: https://bugs.gentoo.org/910273
  Signed-off-by: Mike Gilbert <floppym@gentoo.org>
* change FS calls to use 64-bit interfaces explicitly
  Mike Frysinger, 2021-11-05; 1 file changed, -2/+2

  Make sure we use 64-bit FS interfaces when accessing the FS. This is needed not only to stat or open large files, but even files with 64-bit inodes.

  Bug: https://bugs.gentoo.org/583282
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: move xasprintf helper here
  Mike Frysinger, 2021-11-05; 1 file changed, -0/+8

  Since this is only used by sandbox, and is not usable by libsandbox, move it out of libsbutil. Leave a note behind for possible future macros too.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: move verbose startup info behind debug knob
  Mike Frysinger, 2021-11-05; 1 file changed, -8/+8

  These messages aren't super useful to most people, nor are needed on every invocation, so put them behind a debug knob to reduce log spam.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: add --debug option to control SANDBOX_DEBUG
  Mike Frysinger, 2021-11-05; 3 files changed, -2/+15

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: restore SANDBOX_INTRACTV variable
  Mike Frysinger, 2021-11-05; 3 files changed, -3/+7

  I incorrectly dropped this as unused a while back, but the bashrc hook definitely still relies on it for checking portage settings. I think I got confused by the interaction with SANDBOX_TESTING.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: fix passing of config env vars down
  Mike Frysinger, 2021-11-03; 1 file changed, -1/+1

  This code has been buggy since it was first added years ago -- it would read the right value out of the config file, but then always just set $SANDBOX_VERBOSE to it instead of the right env var. This prevented the basic loading of sandbox settings from sandbox.conf.

  Bug: https://bugs.gentoo.org/821403
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: add backwards compat interface hack (tag: v2.29)
  Mike Frysinger, 2021-11-02; 1 file changed, -0/+9

  Portage runs commands through sandbox like:

    $ sandbox "/usr/lib/portage/python3.9/ebuild.sh unpack"

  That means we can't break the CLI without breaking portage and forcing everyone to upgrade together. That'll be pretty disruptive for people, so add a hack to detect this situation: if a single argument is passed on the CLI, and it doesn't appear to be a file, then fall back to running it through the shell. This keeps portage working while allowing the new interface style to launch.

  If/when we can update portage to always use the -c option, maybe we can drop this in the future. Or not ... it's not exactly the worst hack for users.

  Bug: https://bugs.gentoo.org/265907
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: delete now unused variable
  Mike Frysinger, 2021-11-01; 1 file changed, -1/+0

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: include "sandbox" in the error log summary
  Mike Frysinger, 2021-11-01; 1 file changed, -1/+1

  This should make it a little more clear that this summary is coming from the sandbox and not somewhere else.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: change interface to make it easier to pass thru
  Mike Frysinger, 2021-10-28; 3 files changed, -20/+35

  The sandbox command line is passed to a shell for execution. This can be a bit awkward to quote right if you weren't expecting it, and even if you were. Change the default behavior to be more like `env` where the arguments, as they are, get passed through and run. If people want the old shell behavior, they can use the -c option akin to `bash -c`.

  Bug: https://bugs.gentoo.org/265907
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: avoid repetitive strlen calculations when building cmdline
  Mike Frysinger, 2021-10-28; 1 file changed, -11/+9

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: undefine dprintf
  Mike Frysinger, 2021-10-28; 1 file changed, -0/+3

  The C library has a dprintf function too, and it might be a define that clashes with ours, so undefine it to avoid warnings.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: leverage PR_SET_NO_NEW_PRIVS when available (tag: v2.27)
  Mike Frysinger, 2021-10-23; 1 file changed, -0/+16

  This will lock down the ability to use set*id programs (like sudo), and will allow us to utilize seccomp bpf to speed up ptrace.

  Closes: https://bugs.gentoo.org/442172
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: add a --run-configure option
  Mike Frysinger, 2021-10-23; 2 files changed, -10/+20

  When setting up sandbox on a new system for development, it helps to be able to build the new sandbox checkout in the same way as it is currently installed in the system. Add a command line option for this explicitly to speed up development.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: hoist -Itop_srcdir to common AM_CPPFLAGS
  Mike Frysinger, 2021-10-23; 1 file changed, -1/+0

  Every subdir sets this var this way, so might as well unify it. We keep very few files in here, so shouldn't be a future problem.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* Revert "Remove leftover generated Makefiles from the repo (sic!)"
  Mike Frysinger, 2021-10-22; 1 file changed, -0/+4

  This reverts commit 53ffbaeb24f6ee22a2dcd70fad29c86a4dd863c2. These files are supposed to be in here.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* Remove leftover generated Makefiles from the repo (sic!)
  Michał Górny, 2021-10-22; 1 file changed, -4/+0

  Signed-off-by: Michał Górny <mgorny@gentoo.org>
* switch to https:// URIs when possible
  Mike Frysinger, 2021-10-21; 2 files changed, -3/+3

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* build: flatten build a bit to avoid (most) recursive make
  Mike Frysinger, 2021-10-21; 3 files changed, -17/+19

  Provides a bit of a speed up.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* namespaces: add support for cgroup & time
  Mike Frysinger, 2021-10-21; 3 files changed, -8/+30

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: add SANDBOX_METHOD setting
  Mike Frysinger, 2021-10-18; 1 file changed, -0/+3

  This allows people to disable use of ptrace if their configuration does not support it. This forces older sandbox behavior where we cannot protect against static or set*id programs.

  Bug: https://bugs.gentoo.org/648516
  Bug: https://bugs.gentoo.org/771360
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow user to force SIGKILL
  Mike Frysinger, 2016-03-29; 1 file changed, -2/+10

  Sometimes the child process can get wedged and not respond to CTRL+C, so add an escape hatch so the user can easily force SIGKILL.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: enable support for linux namespaces (tag: v2.9)
  Mike Frysinger, 2015-09-27; 5 files changed, -1/+306

  This initial version doesn't enable their use by default.

  URL: https://bugs.gentoo.org/512794
  Reported-by: Matthew Thode <prometheanfire@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: add helpers for reading config options (w/out env export)
  Mike Frysinger, 2015-09-26; 2 files changed, -0/+8

  All sandbox settings thus far have been for libsandbox.so to process. With newer features though, we have settings that might only apply to the main sandbox program. Add some helper functions for parsing out those settings (which a later commit will utilize).

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: add proper option parsing
  Mike Frysinger, 2015-09-20; 4 files changed, -40/+125

  This lays the groundwork for adding more runtime options.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: pass child signals back up to the parent
  Mike Frysinger, 2013-02-22; 1 file changed, -24/+48

  We were incorrectly passing signal information back up to the parent. See the URL for more information.

  URL: http://www.cons.org/cracauer/sigint.html
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: do not resolve target of stderr
  Mike Frysinger, 2013-02-24; 1 file changed, -4/+7

  The recent e12fee192ac8b0343a468e5a8f7811a7b029ff9a commit does not handle things when stderr is connected to a real file (e.g. a pipe or a socket or fifo or ...). It also does not play well to have multiple things writing to the same file through different fds.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* add a new message env var
  Mike Frysinger, 2013-02-24; 3 files changed, -2/+17

  This is used whenever sandbox wants to display an informational message. For example, early notification of a path violation, or debugging output.

  We can't just pop open an fd and pass that around as apps consider that leakage and will often break assumptions in terms of free fds. Or apps that start up and cleanse all of their open fds. So instead, we just pass around an env var that holds the full path to the file we will write to. Since these messages are infrequent (compared to overall runtime), opening/writing/closing the path every time is fine.

  This also avoids all the problems associated with using external portage helpers for writing messages.

  A follow up commit will take care of the situation where apps (such as scons) attempt to also cleanse the env before forking.

  URL: http://bugs.gentoo.org/278761
  URL: http://bugs.gentoo.org/431638
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* delete unused sandbox env vars
  Mike Frysinger, 2013-02-24; 3 files changed, -9/+3

  Nothing uses or cares about these vars, so punt them.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* environ: add a new is_env_var helper for checking var names
  Mike Frysinger, 2013-02-24; 1 file changed, -2/+2

  This is laying the ground work for processing more vars in the future than just LD_PRELOAD.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: allow log files to fall back to tmpdir
  Mike Frysinger, 2012-12-24; 1 file changed, -2/+2

  Since non-root users typically do not have write access to /var/log, allow it to fall back to standard tmpdirs. This makes testing locally a lot easier.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* significantly overhaul output helpers
  Mike Frysinger, 2012-06-23; 2 files changed, -16/+7

  There are a few major points we want to hit here:
  - have all output from libsandbox go through portage helpers when we are in the portage environment so that output is properly logged
  - convert SB_E{info,warn,error} to sb_e{info,warn,error} to match style of other functions and cut down on confusion
  - move all abort/output helpers to libsbutil so it can be used in all source trees and not just by libsandbox
  - migrate all abort points to the centralized sb_ebort helper

  Unfortunately, it's not terribly easy to untangle these into separate patches, but hopefully this shouldn't be too messy as much of it is mechanical: move funcs between files, and change the name of funcs that get called.

  URL: http://bugs.gentoo.org/278761
  Reported-by: Mounir Lamouri <volkmar@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* tests: always bubble up exit code regardless of log existence
  Mike Frysinger, 2012-06-23; 1 file changed, -2/+3

  To simplify testing, do not munge exit(0) to exit(1) just because the log file exists. In many of our tests, we will be doing things to generate a log file, but we explicitly test for exit values ourselves.

  This is also needed to make log file handling more resilient where we get the name at startup, but don't allow live env changes after that. The changing of the log name to sb.log on the fly no longer works.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: drop beep support
  Mike Frysinger, 2012-06-23; 2 files changed, -15/+1

  Almost no one has beep support turned on anymore, and ebeep in the main tree has been deprecated (meaning it wasn't found useful while building packages). So punt support for it from sandbox too.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: push down constructor init
  Mike Frysinger, 2012-03-05; 1 file changed, -0/+1

  Since every consumer of sb_open gets a copy of the sbio_open data, push the init of this into the .data section of the respective consumers to avoid the runtime overhead.

  This just leaves sandbox_lib setup in the constructor function, but that is only needed by the execve wrapper, so push down init of that to the existing sb_init logic which happens before our execve wrapper gets used.

  URL: http://bugs.gentoo.org/404013
  Reported-by: Mike Gilbert <floppym@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: don't warn about inherited ignored signals
  Mike Frysinger, 2009-10-28; 1 file changed, -4/+4

  Inherited signals are normal/fine, so don't warn about those since they aren't a problem.

  URL: http://bugs.gentoo.org/285341
  Reported-by: Paul Varner <fuzzyray@gentoo.org>
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsbutil: kill off unnecessary log_domain code
  Mike Frysinger, 2009-08-25; 1 file changed, -3/+0

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* drop force pic flags
  Mike Frysinger, 2009-08-25; 1 file changed, -2/+1

  The autotool build system already adds PIC where needed, so don't force our own -D/-f options.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* add -Wall to automake runs and fix fallout
  Mike Frysinger, 2009-08-25; 1 file changed, -5/+3

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* setup local sandbox.d for running tests to avoid /etc/sandbox.d
  Mike Frysinger, 2009-04-26; 1 file changed, -1/+2

  Always use local sandbox.d copy to avoid random /etc/sandbox.d issues like it doesn't exist, or has permission problems, or anything else.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* libsandbox: enable tracing for multiple personalities
  Mike Frysinger, 2009-04-05; 1 file changed, -0/+4

  Initial support for tracing non-default personalities. For example, tracing a 32bit binary from a 64bit environment.

  URL: http://bugs.gentoo.org/264399
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Patrick Lauer <patrick@gentoo.org>
* sandbox: stop denying /etc/ld.so.preload
  Mike Frysinger, 2009-03-31; 1 file changed, -2/+0

  The very old method of loading sandbox was via ld.so.preload, so it was added to the default deny list. However, that's long dead, and since it does not conflict with LD_PRELOAD, no point in preventing access.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: don't put duplicate sandbox.so into LD_PRELOAD (tag: v1.6)
  Mike Frysinger, 2009-03-12; 1 file changed, -11/+15

  If launching another sandbox instance, don't blindly append LD_PRELOAD with the sandbox lib.

  URL: http://bugs.gentoo.org/216942
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Brian Harring <ferringb@gmail.com>
* sandbox: pass shell exit status up
  Mike Frysinger, 2009-03-12; 1 file changed, -13/+11

  If the command sandbox was instructed to execute failed, make sure we pass that exact exit status back up instead of normalizing everything to 0/1.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: delete the testing var after install (tag: v1.4)
  Mike Frysinger, 2009-03-08; 2 files changed, -1/+9

  We don't want people to bypass normal mechanisms with the testing var, so zero out the name when installing the sandbox binary.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* sandbox: do not dist sandbox.sh and clean up error messages
  Mike Frysinger, 2009-02-12; 2 files changed, -6/+6

  The sandbox.sh file is generated now, so do not mark it as a dist target. To make this kind of error easier to figure out in the future, have all sandbox errors related to files include the full filename that is causing an error.

  URL: http://bugs.gentoo.org/258690
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Alexis Ballier <aballier@gentoo.org>
* sandbox: check signal returns and allow SIGHUP to be ignored
  Mike Frysinger, 2009-02-12; 1 file changed, -5/+16

  If the SIGHUP signal is already set to SIG_IGN, then do not replace it with our own handler as most likely this means the user is using `nohup`. As for the other signals, check the return value and warn if something weird happens (like they aren't all set to SIG_DFL).

  URL: http://bugs.gentoo.org/217898
  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Reported-by: Ken Bloom <kbloom@gmail.com>
* tests: get scripts working in sandbox.sh
  Mike Frysinger, 2009-02-08; 3 files changed, -5/+17

  Make sure we source the local sandbox.{bashrc,conf} and we always make the helper functions available when testing even if we aren't interactive. Now we can run `make check` and test the local version of sandbox even when we are running under another sandbox env.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>