| # ChangeLog for Path Sandbox |
| # Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2 |
| # $Id: /var/cvsroot/gentoo-src/portage/src/sandbox-1.1/Attic/ChangeLog,v 1.37.2.3 2004/12/01 22:14:09 carpaski Exp $ |
| |
| 01 Dec 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: |
| Added ferringb's code to handle the sandbox pid overflow problem. |
| |
| 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard |
| allowing data and code mixing in code isn't available for gcc 2.95- should fix |
| bug #70351. |
| |
| 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c: |
| Fixups, and a hole closed regarding verifying SANDBOX_(|DEBUG_)LOG is sane. |
| |
| 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from |
| Seth Robertson that tracked down all adjuct flags for read operations that |
| do not invoke a write operation. |
| |
| 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: |
| Another fix from jstubbs regarding a free() on a stack variable for the |
| environment -- tracking now prevents extraneous free()'s segfault. |
| |
| 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: |
| J. Stubbs tracked down a new bug where mkdir was failing to the patch on |
| the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir. |
| Also remove the errno = ESUCCESS settings as documentation points out that |
| a library isn't allowed to do that. |
| |
| 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a |
| file_security_check() function to check random potential exploits on files |
| that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes |
| the 'system-crippling' exploits (bug 21923) and catches a few other |
| potential problems. |
| |
| 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for |
| 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work. |
| |
| 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: |
| bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>. |
| Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>. |
| |
| 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c : |
| Fix permissions and group of pids file and logs. Permissions should be 0664 |
| and group should be 'portage'. Bug #34260. |
| |
| 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
| Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed |
| to the real execve (in our execve wrapper). Seems that on some arches (sparc |
| among others) do not allow us to tamper with the readonly copy passed to |
| execve, so pass our own copy of the environment. Bug #42290. |
| |
| 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls: |
| Changed tail to head and added a notice about duration of glibc check. |
| |
| 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls: |
| Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh |
| as there isn't a guarentee that it is dynamic. |
| |
| 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
| If 'file' passed to before_syscall(const char *func, const char *file) is |
| invalid, we should set errno to ENOENT, and not EINVAL. This should |
| close bug #32238. |
| |
| 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
| Fix a bug that occurs mainly on 64bit arch, where the file passed to |
| the functions we wrap, is invalid, and then cause canonicalize to pass |
| garbage to before_syscall(), thanks to great detective work from |
| Andrea Luzzardi <al@sig11.org> (bug #29846). |
| |
| 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : |
| Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>. |
| |
| 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
| Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically |
| only checked the destination patch, and not the source, so we could move |
| a protected file to a unprotected directory, and then delete/modify it. |
| Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix. |
| |
| 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c : |
| Added python2.3 to the predict section/variable. |
| |
| 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, |
| sandbox.h, sandbox_futils.c : |
| Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If |
| it is not set, it will revert to its old value. |
| |
| 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
| Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so, |
| rather than failing with a violation, bug #29748. |
| |
| 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
| Fix canonicalize() to ignore calls with path = "". |
| |
| 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c, |
| sandbox_futils.c, canonicalize.c : |
| Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system |
| call handled strings larger than PATH_MAX (bug #21766). It however does not |
| work the same on 2.4 kernels. |
| |
| To fix, I added the posix implementation of getcwd() (from glibc cvs) that |
| do not need the system call. We use the default getcwd() function via a |
| wrapper (egetcwd), and then lstat the returned path. If lstat fails, it |
| means the current directory was removed, OR that the the system call for |
| getcwd failed (curious is that it do not fail and return NULL or set |
| errno, but rather just truncate the retured directory - usually from the |
| start), and if so, we use the generic getcwd() function (__egetcwd). Note |
| that we do not use the generic version all the time, as it calls lstat() |
| a great number of times, and performance degrade much. |
| |
| 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls, |
| libsandbox.c : |
| Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks. |
| |
| 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c |
| create-localdecls : |
| When checking path names of files accessed, we need to canonicalize it, else |
| it may be a symlink in a 'write allowed' directory pointing to a file in a |
| directory we should not have write access to. |
| |
| With something like coreutils-5.0, we have two problems: |
| 1) One of the tests checks if getcwd() can return a path longer than |
| PATH_MAX. This test then tries to create a dir which even while |
| created local (mkdir("conftest2")), it ends up being resolved with |
| a name that is much larger than PATH_MAX. The problem now is that |
| canonicalize() have undefined behaviour when the path was too long |
| (returned wrongly truncated paths, etc), and pass the wrong path to |
| before_syscall() (causing the bogus sandbox violations). |
| 2) The ecanonicalize() function we used, along with the canonicalize() |
| function did not support longer than PATH_MAX. This is partly a |
| cause for 1), but the error checking (rather lack of it) of calls |
| to erealpath() in canonicalize() was the prime reason for 1). |
| |
| As we do not use this canonicalized name to call the function, we resolve this |
| by fixing canonicalize() to do better error checking, and ecanonicalize() as |
| well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'. |
| While they will resolve paths properly now, and can check if a write/read is |
| allowed, the functions called from the sandboxed environment will still work |
| as expected. |
| |
| This should resolve bug #21766. |
| |
| 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
| For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under |
| it (bug #16298). |
| |
| Problem is that for some reason locale fopen's locale.alias with mode "rm". |
| |
| ------------------------------------------------------- |
| nosferatu root # grep fopen locale.log |
| fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias |
| nosferatu root # |
| -------------------------------------------------------- |
| |
| I checked the source of locale, but it have fopen with mode 'r', so |
| not sure where the "rm" mode comes from. Anyhow, changed the check in |
| before_syscall_open_char() to also see mode "rm" as readonly. |
| |
| 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : |
| |
| Add glibc-2.3 support. |
| |
| 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c : |
| |
| Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all |
| operations releated to preload, as well as only try to modify ld.so.preload |
| if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when |
| not using ld.so.preload. Fix to not write this instance of sandbox's pid |
| to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running. |
| |
| 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile : |
| |
| Changed the LD to CC for hppa. |
| |
| 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : |
| |
| Killed the previous changes I made. |
| |
| 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : |
| |
| Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs. |
| |
| 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c : |
| |
| Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868. |
| |
| 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls : |
| |
| Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro> |
| for this fix. |
| |
| 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c : |
| |
| sandbox_futils defined a dirname() function that was masking the same |
| function in glibc and was broken (e.g.: SANDBOX_DIR was being set to |
| '/usr/lib/portage/bi/'). Fixed function to return expected results and |
| renamed it to sb_dirname() to no longer mask the glibc function. Closes bug |
| 11231. |
| |
| 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Fix a segfault in libsandbox.c if canonicalize() was called with |
| first parameter = NULL. |
| |
| 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Fix my braindead 'return 1;' in a void function. Updated sandbox.c, |
| cleanup() for this. |
| |
| Change cleanup() in sandbox.c not to exit with fail status if |
| the pidsfile is missing. We really should still display sandbox |
| violations if they occured. |
| |
| 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Update cleanup() in sandbox.c to remove the PIDSFILE if this is |
| the last sandbox running. |
| |
| 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Major cleanups to mainly libsandbox.c again. |
| |
| 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the |
| parties involved should please contact me so that we can fix it. |
| |
| Add opendir wrapper to libsandbox.c. |
| |
| 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Do some more cleanups to ecanonicalize(), as it dropped filenames in |
| rare cases (after my symlink cleanups), and caused glibc to bork. |
| These fixes went into canonicalize.c. |
| |
| 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Fix spawn_shell() and main() in sandbox.c to properly return fail |
| status. |
| |
| 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| The new canonicalize() function in libsandbox.c also resolved symlinks, |
| which caused on cleaning sandbox errors if the symlink pointed to a |
| file in the live root. Ripped out canonicalize() and realpath() from |
| glibc; removed the symlink stuff, and changed them to ecanonicalize() |
| and erealpath(). |
| |
| 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
| |
| Ripped out all the wrappers, and implemented those of InstallWatch. |
| Losts of cleanups and bugfixes. Implement a execve that forces |
| $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared |
| /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c, |
| sandbox.h and sandbox_futils.c. Rewrote the Makefile for most |
| parts; it now have an install target. |
| |
| Reformat the whole thing to look somewhat like the reworked sandbox.c |
| and new sandbox.h and sandbox_futils.c from: |
| |
| Brad House <brad@mainstreetsoftworks.com>. |
| |
| Additional Copyrights now due to the InstallWatch code: |
| |
| Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net> |
| |