/[path-sandbox]/trunk/ChangeLog.0
Gentoo

Contents of /trunk/ChangeLog.0

Parent Directory Parent Directory | Revision Log Revision Log


Revision 2 - (hide annotations) (download)
Fri Nov 19 22:03:42 2004 UTC (10 years ago) by ferringb
Original Path: trunk/ChangeLog
File size: 12201 byte(s)
Initial revision

1 ferringb 2 # ChangeLog for Path Sandbox
2     # Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2
3     # $Header$
4    
5     14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c:
6     closing out bug #70225, potential overflow of the sandbox_pids_file var.
7    
8     07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard,
9     (think it was at least) allows intermixing of code and data segments. bug #70351
10     should be fixed by this.
11    
12     03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c:
13     futils fix from bug #65201 via solar, and libsandbox log path checks via #69137
14    
15     02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from
16     Seth Robertson that tracked down all adjuct flags for read operations that
17     do not invoke a write operation.
18    
19     04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
20     Another fix from jstubbs regarding a free() on a stack variable for the
21     environment -- tracking now prevents extraneous free()'s segfault.
22    
23     04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
24     J. Stubbs tracked down a new bug where mkdir was failing to the patch on
25     the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir.
26     Also remove the errno = ESUCCESS settings as documentation points out that
27     a library isn't allowed to do that.
28    
29     04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a
30     file_security_check() function to check random potential exploits on files
31     that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes
32     the 'system-crippling' exploits (bug 21923) and catches a few other
33     potential problems.
34    
35     20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for
36     32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work.
37    
38     20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c:
39     bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>.
40     Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>.
41    
42     29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c :
43     Fix permissions and group of pids file and logs. Permissions should be 0664
44     and group should be 'portage'. Bug #34260.
45    
46     28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
47     Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed
48     to the real execve (in our execve wrapper). Seems that on some arches (sparc
49     among others) do not allow us to tamper with the readonly copy passed to
50     execve, so pass our own copy of the environment. Bug #42290.
51    
52     11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls:
53     Changed tail to head and added a notice about duration of glibc check.
54    
55     21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls:
56     Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh
57     as there isn't a guarentee that it is dynamic.
58    
59     02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
60     If 'file' passed to before_syscall(const char *func, const char *file) is
61     invalid, we should set errno to ENOENT, and not EINVAL. This should
62     close bug #32238.
63    
64     14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
65     Fix a bug that occurs mainly on 64bit arch, where the file passed to
66     the functions we wrap, is invalid, and then cause canonicalize to pass
67     garbage to before_syscall(), thanks to great detective work from
68     Andrea Luzzardi <al@sig11.org> (bug #29846).
69    
70     13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
71     Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>.
72    
73     13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
74     Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically
75     only checked the destination patch, and not the source, so we could move
76     a protected file to a unprotected directory, and then delete/modify it.
77     Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix.
78    
79     12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c :
80     Added python2.3 to the predict section/variable.
81    
82     28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
83     sandbox.h, sandbox_futils.c :
84     Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If
85     it is not set, it will revert to its old value.
86    
87     27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
88     Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so,
89     rather than failing with a violation, bug #29748.
90    
91     27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
92     Fix canonicalize() to ignore calls with path = "".
93    
94     27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
95     sandbox_futils.c, canonicalize.c :
96     Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system
97     call handled strings larger than PATH_MAX (bug #21766). It however does not
98     work the same on 2.4 kernels.
99    
100     To fix, I added the posix implementation of getcwd() (from glibc cvs) that
101     do not need the system call. We use the default getcwd() function via a
102     wrapper (egetcwd), and then lstat the returned path. If lstat fails, it
103     means the current directory was removed, OR that the the system call for
104     getcwd failed (curious is that it do not fail and return NULL or set
105     errno, but rather just truncate the retured directory - usually from the
106     start), and if so, we use the generic getcwd() function (__egetcwd). Note
107     that we do not use the generic version all the time, as it calls lstat()
108     a great number of times, and performance degrade much.
109    
110     29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls,
111     libsandbox.c :
112     Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks.
113    
114     22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c
115     create-localdecls :
116     When checking path names of files accessed, we need to canonicalize it, else
117     it may be a symlink in a 'write allowed' directory pointing to a file in a
118     directory we should not have write access to.
119    
120     With something like coreutils-5.0, we have two problems:
121     1) One of the tests checks if getcwd() can return a path longer than
122     PATH_MAX. This test then tries to create a dir which even while
123     created local (mkdir("conftest2")), it ends up being resolved with
124     a name that is much larger than PATH_MAX. The problem now is that
125     canonicalize() have undefined behaviour when the path was too long
126     (returned wrongly truncated paths, etc), and pass the wrong path to
127     before_syscall() (causing the bogus sandbox violations).
128     2) The ecanonicalize() function we used, along with the canonicalize()
129     function did not support longer than PATH_MAX. This is partly a
130     cause for 1), but the error checking (rather lack of it) of calls
131     to erealpath() in canonicalize() was the prime reason for 1).
132    
133     As we do not use this canonicalized name to call the function, we resolve this
134     by fixing canonicalize() to do better error checking, and ecanonicalize() as
135     well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'.
136     While they will resolve paths properly now, and can check if a write/read is
137     allowed, the functions called from the sandboxed environment will still work
138     as expected.
139    
140     This should resolve bug #21766.
141    
142     06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
143     For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under
144     it (bug #16298).
145    
146     Problem is that for some reason locale fopen's locale.alias with mode "rm".
147    
148     -------------------------------------------------------
149     nosferatu root # grep fopen locale.log
150     fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias
151     nosferatu root #
152     --------------------------------------------------------
153    
154     I checked the source of locale, but it have fopen with mode 'r', so
155     not sure where the "rm" mode comes from. Anyhow, changed the check in
156     before_syscall_open_char() to also see mode "rm" as readonly.
157    
158     23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
159    
160     Add glibc-2.3 support.
161    
162     22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c :
163    
164     Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all
165     operations releated to preload, as well as only try to modify ld.so.preload
166     if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when
167     not using ld.so.preload. Fix to not write this instance of sandbox's pid
168     to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running.
169    
170     22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile :
171    
172     Changed the LD to CC for hppa.
173    
174     22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
175    
176     Killed the previous changes I made.
177    
178     17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
179    
180     Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs.
181    
182     09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c :
183    
184     Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868.
185    
186     16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
187    
188     Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro>
189     for this fix.
190    
191     4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c :
192    
193     sandbox_futils defined a dirname() function that was masking the same
194     function in glibc and was broken (e.g.: SANDBOX_DIR was being set to
195     '/usr/lib/portage/bi/'). Fixed function to return expected results and
196     renamed it to sb_dirname() to no longer mask the glibc function. Closes bug
197     11231.
198    
199     4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> :
200    
201     Fix a segfault in libsandbox.c if canonicalize() was called with
202     first parameter = NULL.
203    
204     1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> :
205    
206     Fix my braindead 'return 1;' in a void function. Updated sandbox.c,
207     cleanup() for this.
208    
209     Change cleanup() in sandbox.c not to exit with fail status if
210     the pidsfile is missing. We really should still display sandbox
211     violations if they occured.
212    
213     31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
214    
215     Update cleanup() in sandbox.c to remove the PIDSFILE if this is
216     the last sandbox running.
217    
218     25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
219    
220     Major cleanups to mainly libsandbox.c again.
221    
222     22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
223    
224     Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the
225     parties involved should please contact me so that we can fix it.
226    
227     Add opendir wrapper to libsandbox.c.
228    
229     21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
230    
231     Do some more cleanups to ecanonicalize(), as it dropped filenames in
232     rare cases (after my symlink cleanups), and caused glibc to bork.
233     These fixes went into canonicalize.c.
234    
235     20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
236    
237     Fix spawn_shell() and main() in sandbox.c to properly return fail
238     status.
239    
240     19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
241    
242     The new canonicalize() function in libsandbox.c also resolved symlinks,
243     which caused on cleaning sandbox errors if the symlink pointed to a
244     file in the live root. Ripped out canonicalize() and realpath() from
245     glibc; removed the symlink stuff, and changed them to ecanonicalize()
246     and erealpath().
247    
248     18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
249    
250     Ripped out all the wrappers, and implemented those of InstallWatch.
251     Losts of cleanups and bugfixes. Implement a execve that forces
252     $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared
253     /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c,
254     sandbox.h and sandbox_futils.c. Rewrote the Makefile for most
255     parts; it now have an install target.
256    
257     Reformat the whole thing to look somewhat like the reworked sandbox.c
258     and new sandbox.h and sandbox_futils.c from:
259    
260     Brad House <brad@mainstreetsoftworks.com>.
261    
262     Additional Copyrights now due to the InstallWatch code:
263    
264     Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>

Properties

Name Value
svn:eol-style native
svn:keywords Author Date Id Revision

  ViewVC Help
Powered by ViewVC 1.1.20