/[path-sandbox]/trunk/ChangeLog.0
Gentoo

Contents of /trunk/ChangeLog.0

Parent Directory Parent Directory | Revision Log Revision Log


Revision 35 - (hide annotations) (download)
Sun Mar 13 23:23:00 2005 UTC (9 years, 5 months ago) by azarah
Original Path: trunk/ChangeLog
File size: 15959 byte(s)
Fixup the constructor/destructor function names again (they should be _init()
and _fini() it seems, and not being called caused sandbox_lib_path to be
unset, and thus breaking the execve() wrapper's LD_PRELOAD protection).
Add both the path in given SANDBOX_x variable, as well as its symlink
resolved path in init_env_entries().  Modify filter_path() to be able to
resolve paths without resolving symlinks, as well as to be able to resolve
symlinks.  Fix a possible segfault in check_access().  Add symlink resolving
to check_access() resolving bug #31019.  Add 'hack' for unlink, as the fix
for bug #31019 cause access violations if we try to remove a symlink that is
not in protected path, but points to a protected path.  Fix a memory leak in
sandbox.c (sandbox_pids_file in main()).  Fix the realpath() calls in main()
(sandbox.c) being unchecked.  Fix the debug logname not having the pid in it
(pid_string was uninitialized).  General syntax cleanups.

1 ferringb 2 # ChangeLog for Path Sandbox
2     # Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2
3     # $Header$
4    
5 azarah 35 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
6     Fixup the constructor/destructor function names again (they should be _init()
7     and _fini() it seems, and not being called caused sandbox_lib_path to be
8     unset, and thus breaking the execve() wrapper's LD_PRELOAD protection).
9     Add both the path in given SANDBOX_x variable, as well as its symlink
10     resolved path in init_env_entries(). Modify filter_path() to be able to
11     resolve paths without resolving symlinks, as well as to be able to resolve
12     symlinks. Fix a possible segfault in check_access(). Add symlink resolving
13     to check_access() resolving bug #31019. Add 'hack' for unlink, as the fix
14     for bug #31019 cause access violations if we try to remove a symlink that is
15     not in protected path, but points to a protected path. Fix a memory leak in
16     sandbox.c (sandbox_pids_file in main()). Fix the realpath() calls in main()
17     (sandbox.c) being unchecked. Fix the debug logname not having the pid in it
18     (pid_string was uninitialized). General syntax cleanups.
19    
20 ferringb 34 09 Mar 2005; Brian Harring <ferringb@gentoo.org> sandbox.c: Fixed the
21     infamous "pids file is not a regular file" w/out newline bug.
22    
23 ferringb 33 09 Mar 2005; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in:
24     Correct libc_version path detection, since it was screwing up if libdir !=
25     "/lib/".
26    
27     02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
28 azarah 32 Hack to make sure sandboxed process cannot remove a device node, bug #79836.
29    
30 ferringb 33 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am:
31 azarah 31 Fix symbols.in not added to dist.
32    
33 ferringb 33 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
34 azarah 30 getcwd.c, libsandbox.c, sandbox.c, sandbox.h, sandbox_futils.c:
35     White space fixes.
36    
37 ferringb 33 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
38 azarah 30 configure.in, getcwd.c, libsandbox.c, symbols.in:
39 azarah 29 Fix inverse test logic in canonicalize.c, use a strncpy. Fix gcc warning in
40     getcwd.c. Add symbols.in and logic to Makefile.am to generate symbol versions
41     for glibc and other libc's that use this. Update libsandbox.c to use these
42     symbol versions if available. Fix exec wrapper to re-export LD_PRELOAD if the
43     process unset it.
44    
45 ferringb 33 01 Mar 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
46 ferringb 28 killed off _init and _fini in favor of
47     void __attribute__ ((constructor)) init_func and
48     void __attribute__ ((destructor)) closing_func. _(init|func) were deprecated.
49    
50 ferringb 26 06 Dec 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, libsandbox.c,
51     canonicalize.c, getcwd.c: Fixed compilation *again*. Hopefully cvs is done
52     having the hick-ups.
53    
54 ferringb 24 04 Dec 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, getcwd.c,
55     Makefile.am: Fixed compilation.
56    
57 ferringb 18 01 Dec 2004; Brian Harring <ferringb@gentoo.org> aclocal.m4:
58     Gutted the bugger so it stops checking for a c++ and fortran compiler.
59     Do *not* regenerate aclocal.m4 for making a release until a better
60     solution is created.
61    
62 ferringb 16 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, sandbox_futils.c:
63     Removal of more hardcoded paths.
64    
65 ferringb 13 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in,
66     sandbox_futils.c: tweaks to install sandbox.bashrc, and use it.
67    
68     19 Nov 2004; Brian Harring <ferringb@gentoo.org>:
69 ferringb 6 Sandbox is now autotooled, create-localdecls needs to be killed and the code
70     shifted into configure.in. Currently builds *one* libsandbox.so- if multiple
71     are desired (-m64 and -m32 for amd64), the ebuild should do it (imo).
72     To get to a point of testing, automake && autoconf; created requisite files w/
73     a(utomake|clocal)-1.8, and autoconf 2.59. Installs to /usr/, instead of
74     /lib and /usr/lib/portage/bin.
75    
76 ferringb 2 14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c:
77     closing out bug #70225, potential overflow of the sandbox_pids_file var.
78    
79     07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard,
80     (think it was at least) allows intermixing of code and data segments. bug #70351
81     should be fixed by this.
82    
83     03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c:
84     futils fix from bug #65201 via solar, and libsandbox log path checks via #69137
85    
86     02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from
87     Seth Robertson that tracked down all adjuct flags for read operations that
88     do not invoke a write operation.
89    
90     04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
91     Another fix from jstubbs regarding a free() on a stack variable for the
92     environment -- tracking now prevents extraneous free()'s segfault.
93    
94     04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
95     J. Stubbs tracked down a new bug where mkdir was failing to the patch on
96     the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir.
97     Also remove the errno = ESUCCESS settings as documentation points out that
98     a library isn't allowed to do that.
99    
100     04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a
101     file_security_check() function to check random potential exploits on files
102     that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes
103     the 'system-crippling' exploits (bug 21923) and catches a few other
104     potential problems.
105    
106     20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for
107     32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work.
108    
109     20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c:
110     bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>.
111     Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>.
112    
113     29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c :
114     Fix permissions and group of pids file and logs. Permissions should be 0664
115     and group should be 'portage'. Bug #34260.
116    
117     28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
118     Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed
119     to the real execve (in our execve wrapper). Seems that on some arches (sparc
120     among others) do not allow us to tamper with the readonly copy passed to
121     execve, so pass our own copy of the environment. Bug #42290.
122    
123     11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls:
124     Changed tail to head and added a notice about duration of glibc check.
125    
126     21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls:
127     Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh
128     as there isn't a guarentee that it is dynamic.
129    
130     02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
131     If 'file' passed to before_syscall(const char *func, const char *file) is
132     invalid, we should set errno to ENOENT, and not EINVAL. This should
133     close bug #32238.
134    
135     14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
136     Fix a bug that occurs mainly on 64bit arch, where the file passed to
137     the functions we wrap, is invalid, and then cause canonicalize to pass
138     garbage to before_syscall(), thanks to great detective work from
139     Andrea Luzzardi <al@sig11.org> (bug #29846).
140    
141     13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
142     Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>.
143    
144     13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
145     Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically
146     only checked the destination patch, and not the source, so we could move
147     a protected file to a unprotected directory, and then delete/modify it.
148     Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix.
149    
150     12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c :
151     Added python2.3 to the predict section/variable.
152    
153     28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
154     sandbox.h, sandbox_futils.c :
155     Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If
156     it is not set, it will revert to its old value.
157    
158     27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
159     Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so,
160     rather than failing with a violation, bug #29748.
161    
162     27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
163     Fix canonicalize() to ignore calls with path = "".
164    
165     27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
166     sandbox_futils.c, canonicalize.c :
167     Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system
168     call handled strings larger than PATH_MAX (bug #21766). It however does not
169     work the same on 2.4 kernels.
170    
171     To fix, I added the posix implementation of getcwd() (from glibc cvs) that
172     do not need the system call. We use the default getcwd() function via a
173     wrapper (egetcwd), and then lstat the returned path. If lstat fails, it
174     means the current directory was removed, OR that the the system call for
175     getcwd failed (curious is that it do not fail and return NULL or set
176     errno, but rather just truncate the retured directory - usually from the
177     start), and if so, we use the generic getcwd() function (__egetcwd). Note
178     that we do not use the generic version all the time, as it calls lstat()
179     a great number of times, and performance degrade much.
180    
181     29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls,
182     libsandbox.c :
183     Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks.
184    
185     22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c
186     create-localdecls :
187     When checking path names of files accessed, we need to canonicalize it, else
188     it may be a symlink in a 'write allowed' directory pointing to a file in a
189     directory we should not have write access to.
190    
191     With something like coreutils-5.0, we have two problems:
192     1) One of the tests checks if getcwd() can return a path longer than
193     PATH_MAX. This test then tries to create a dir which even while
194     created local (mkdir("conftest2")), it ends up being resolved with
195     a name that is much larger than PATH_MAX. The problem now is that
196     canonicalize() have undefined behaviour when the path was too long
197     (returned wrongly truncated paths, etc), and pass the wrong path to
198     before_syscall() (causing the bogus sandbox violations).
199     2) The ecanonicalize() function we used, along with the canonicalize()
200     function did not support longer than PATH_MAX. This is partly a
201     cause for 1), but the error checking (rather lack of it) of calls
202     to erealpath() in canonicalize() was the prime reason for 1).
203    
204     As we do not use this canonicalized name to call the function, we resolve this
205     by fixing canonicalize() to do better error checking, and ecanonicalize() as
206     well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'.
207     While they will resolve paths properly now, and can check if a write/read is
208     allowed, the functions called from the sandboxed environment will still work
209     as expected.
210    
211     This should resolve bug #21766.
212    
213     06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
214     For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under
215     it (bug #16298).
216    
217     Problem is that for some reason locale fopen's locale.alias with mode "rm".
218    
219     -------------------------------------------------------
220     nosferatu root # grep fopen locale.log
221     fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias
222     nosferatu root #
223     --------------------------------------------------------
224    
225     I checked the source of locale, but it have fopen with mode 'r', so
226     not sure where the "rm" mode comes from. Anyhow, changed the check in
227     before_syscall_open_char() to also see mode "rm" as readonly.
228    
229     23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
230    
231     Add glibc-2.3 support.
232    
233     22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c :
234    
235     Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all
236     operations releated to preload, as well as only try to modify ld.so.preload
237     if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when
238     not using ld.so.preload. Fix to not write this instance of sandbox's pid
239     to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running.
240    
241     22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile :
242    
243     Changed the LD to CC for hppa.
244    
245     22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
246    
247     Killed the previous changes I made.
248    
249     17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
250    
251     Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs.
252    
253     09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c :
254    
255     Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868.
256    
257     16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
258    
259     Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro>
260     for this fix.
261    
262     4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c :
263    
264     sandbox_futils defined a dirname() function that was masking the same
265     function in glibc and was broken (e.g.: SANDBOX_DIR was being set to
266     '/usr/lib/portage/bi/'). Fixed function to return expected results and
267     renamed it to sb_dirname() to no longer mask the glibc function. Closes bug
268     11231.
269    
270     4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> :
271    
272     Fix a segfault in libsandbox.c if canonicalize() was called with
273     first parameter = NULL.
274    
275     1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> :
276    
277     Fix my braindead 'return 1;' in a void function. Updated sandbox.c,
278     cleanup() for this.
279    
280     Change cleanup() in sandbox.c not to exit with fail status if
281     the pidsfile is missing. We really should still display sandbox
282     violations if they occured.
283    
284     31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
285    
286     Update cleanup() in sandbox.c to remove the PIDSFILE if this is
287     the last sandbox running.
288    
289     25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
290    
291     Major cleanups to mainly libsandbox.c again.
292    
293     22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
294    
295     Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the
296     parties involved should please contact me so that we can fix it.
297    
298     Add opendir wrapper to libsandbox.c.
299    
300     21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
301    
302     Do some more cleanups to ecanonicalize(), as it dropped filenames in
303     rare cases (after my symlink cleanups), and caused glibc to bork.
304     These fixes went into canonicalize.c.
305    
306     20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
307    
308     Fix spawn_shell() and main() in sandbox.c to properly return fail
309     status.
310    
311     19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
312    
313     The new canonicalize() function in libsandbox.c also resolved symlinks,
314     which caused on cleaning sandbox errors if the symlink pointed to a
315     file in the live root. Ripped out canonicalize() and realpath() from
316     glibc; removed the symlink stuff, and changed them to ecanonicalize()
317     and erealpath().
318    
319     18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
320    
321     Ripped out all the wrappers, and implemented those of InstallWatch.
322     Losts of cleanups and bugfixes. Implement a execve that forces
323     $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared
324     /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c,
325     sandbox.h and sandbox_futils.c. Rewrote the Makefile for most
326     parts; it now have an install target.
327    
328     Reformat the whole thing to look somewhat like the reworked sandbox.c
329     and new sandbox.h and sandbox_futils.c from:
330    
331     Brad House <brad@mainstreetsoftworks.com>.
332    
333     Additional Copyrights now due to the InstallWatch code:
334    
335     Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>

Properties

Name Value
svn:eol-style native
svn:keywords Author Date Id Revision

  ViewVC Help
Powered by ViewVC 1.1.20