/[path-sandbox]/trunk/ChangeLog.0
Gentoo

Contents of /trunk/ChangeLog.0

Parent Directory Parent Directory | Revision Log Revision Log


Revision 183 - (show annotations) (download)
Wed Nov 30 22:54:36 2005 UTC (9 years ago) by azarah
Original Path: trunk/ChangeLog
File size: 30316 byte(s)
Use versioned symbols on supported libc's for functions we wrap, as well as
provide all versions of specific functions.  Some syntax cleanups.

1 # ChangeLog for Path Sandbox
2 # Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2
3 # $Header$
4
5 01 Dec 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, Makefile.am,
6 localdecls.h, scripts/Makefile.am, scripts/gen_symbol_version_map.awk,
7 scripts/gen_symbol_header.awk, src/Makefile.am, src/symbols.in,
8 src/libsandbox.c, src/getcwd.c:
9
10 Use versioned symbols on supported libc's for functions we wrap, as well as
11 provide all versions of specific functions. Some syntax cleanups.
12
13 28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, sandbox.c,
14 sandbox_fdutils.c:
15
16 Detect if we on 64bit arch automatically.
17
18 Update contact email. Fix quoting.
19
20 Revert 64bit arch test, as we should build the 32bit version without full
21 path checking as well, and add --enable-multilib switch to configure.
22
23 * sandbox-1.2.14 (2005/11/28)
24
25 28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
26 sandbox.c, sandbox.h, sandbox.bashrc:
27
28 Check generic getcwd()'s return as well for validity, bug #101728.
29
30 Cleanup environ variables.
31
32 Rather check SANDBOX_ACTIVE if we are already running. Set SANDBOX_ACTIVE
33 to readonly in sandbox.bashrc.
34
35 Make sure we use our bashrc.
36
37 01 Nov 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
38
39 Do not pass mode to true_open and true_open64 if not needed. Should fix a
40 segfault in some cases.
41
42 * sandbox-1.2.13 (2005/09/12)
43
44 12 Sep 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, libsandbox.c:
45
46 Do not handle adding working directory to SANDBOX_WRITE, as portage does it
47 itself.
48
49 Make libsb_fini() do cleanup a bit more complete just in case we get another
50 uClibc 'call preloaded library fini before that of app' issue ... probably
51 will not help much, but we try.
52
53 04 Sep 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
54
55 Also allow symlink() system call to operate on a symlink in a writable path
56 that points to non-writable path, bug #104711.
57
58 * sandbox-1.2.12 (2005/08/05)
59
60 05 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
61 sandbox.h:
62
63 Do not give an access violation if the access() system call do not have
64 write/read access - it does not actually modify, so we only need to return
65 not being able to write/read. Noted by Andres Loeh <kosmikus@gentoo.org>,
66 bug #101433.
67
68 If we are called from the command line, do not care about PORTAGE_TMPDIR,
69 and make the current directory the work directory. Also rename the variable
70 portage_tmp_dir to work_dir.
71
72 Remove the tmp_dir variable - we do not need it.
73
74 Improve error handling for get_sandbox_*_envvar() functions.
75
76 01 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
77
78 Still do normal log if debugging is requested.
79
80 Add support for SANDBOX_VERBOSE (enabled by default). Adjust SANDBOX_DEBUG
81 to only enable if equal to "1" or "yes".
82
83 Add /dev/tts to write permit, bug #42809.
84
85 27 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
86 sandbox_futils.c:
87
88 Do not resolve symlinks in PORTAGE_TMPDIR in sandbox .. we will handle that
89 in libsandbox .. bug #100309.
90
91 22 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h:
92
93 Print all logging to stderr, bug #90343, comment #15, by Zac Medico.
94
95 * sandbox-1.2.11 (2005/07/14)
96
97 14 July 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c:
98 Fix getcwd, bug #98419.
99
100 08 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c,
101 libsandbox.c:
102 - Try to cleanup and make error handling/printing consistent.
103 - Remove old logs if present and conflicting with current.
104 - Fix compile error with previous change, and return rather then exit().
105
106 07 July 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
107 sandbox.h, sandbox_futils.c:
108 - Fix possible segfault in env init code.
109 - Major cleanup of sandbox_futils.c. Removed most of the functions as we now
110 write to /var/log/sandbox/, so in theory do not need all that.
111 - Redo the interface of the get_* functions so that we do not leak memory.
112 - Remove sandbox_dir and co - we are not using it anymore.
113 - Remove unused includes and variables.
114 - Only declare functions in sandbox_futils.c that are used in libsandbox.c when
115 OUTSIDE_LIBSANDBOX is not defined.
116 - Cleanup access/log printing. Make access printing honour NOCOLOR. Fix log
117 printing's last line not honouring NOCOLOR.
118
119 06 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h, sandbox_futils.c,
120 libsandbox.c:
121 - Change log dir to /var/log/sandbox/. Make sure the sandboxed process cannot
122 write to it.
123 - Clean up logging in libsandbox.c, and hopefully make it more consistant.
124 - Add check_prefixes() with major cleanup on check_access().
125 - Cleanup init_env_entries() and check_prefixes().
126
127 05 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
128 sandbox_futils.c, libsandbox.c:
129 Remove unused 'pids file' code.
130
131 * sandbox-1.2.10 (2005/07/03)
132
133 03 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
134 Add PREDICT items for nss-db, bug #92079. Patch from Robin Johnson.
135
136 17 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
137 General cleanups:
138 - Remove fooling around with exit codes - we error out on presence of a log
139 anyhow.
140 - Move get_sandbox_*_envvar() to sandbox_setup_environ(), as its more
141 appropriate there.
142
143 12 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
144 Cleanup the fail_nametoolong stuff a bit more.
145
146 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
147 Remove hopefully the last ld.so.preload bits we do not use anymore.
148
149 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
150 Remove the unneeded canonicalize() calls in the wrappers - we do it anyhow
151 in check_syscall(). Should speed things up a bit (at least for the getcwd()
152 and long path name test it goes down to under a second, and not 10+ seconds
153 like before). Also warn if we skip checking due to the canonicalized path
154 being too long.
155
156 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
157 More comment/readability cleanups.
158
159 10 June 2005; Martin Schlemmer <azarah@gentoo.org> canonicalize.c, getcwd.c,
160 sandbox_futils.c, libsandbox.c:
161 Some strncpy/strncat and other cleanups.
162
163 * sandbox-1.2.9 (2005/06/09)
164
165 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
166 Move symlink hack down a bit to try and minimize on the amount of lstat()
167 calls we do.
168
169 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
170 Add hack to allow writing to /proc/self/fd (or /dev/fd), bug #91516.
171
172 09 June 2005; Martin Schlemmer <azarah@gentoo.org> symbols.in, libsandbox.c:
173 Add wrapper for access() function, bug #85413.
174
175 09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c:
176 Use generic getcwd() implementation from uclibc - should be more portable
177 and looks a bit cleaner.
178
179 09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c:
180 Make sure our true_* pointers are initialized to NULL, and that we check for
181 all references that they are valid.
182
183 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
184 Be default we will fail if the path name we try to canonicalize is too long.
185 This however could cause issues with some things (bug #94630 and #21766), so
186 if fail_nametoolong == 0, canonicalize() will return a null length string and
187 do not fail.
188
189 08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c:
190 Do not abort if TMPDIR is not valid, but rather use '/tmp', bug #94360. Also
191 make sure we re-export the new TMPDIR environment variable.
192
193 08 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
194 Fix incorrect free of non-malloc'd array, bug #92313 and #94020. Fix noted
195 by Marcus D. Hanwell <cryos@gentoo.org>.
196
197 08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
198 Add /dev/console to write list, bug #38588.
199
200 * sandbox-1.2.8 (2005/05/13)
201
202 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
203 sandbox.h, sandbox_futils.c:
204 General cleanups.
205
206 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
207 sandbox.h:
208 Various LD_PRELOAD cleanups. Do not unset LD_PRELOAD for parent.
209
210 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
211 sandbox.h, sandbox_futils.c:
212 Modify get_sandbox_pids_file(), get_sandbox_log() and get_sandbox_debug_log()
213 to use TMPDIR if present in environment.
214
215 13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
216 Remove sandbox_log_file from main() as its no longer used.
217
218 13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
219 sandbox_futils.c:
220 Add get_sandbox_debug_log(), and use it (add behaviour similar to SANDBOX_LOG
221 if already exported when sandbox started). Fix get_sandbox_log() and new
222 get_sandbox_debug_log() to not use already exported environment variables if
223 they have '/' in them. Use snprintf()'s instead of strncpy()'s. More
224 SB_PATH_MAX fixes.
225
226 * sandbox-1.2.7 (2005/05/12)
227
228 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
229 sandbox_futils.c:
230 More path limit fixes. Declare SB_BUF_LEN global and use it where needed.
231
232 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c:
233 Fix paths limited to 255 chars. Fix get_sandbox_dir() returning a string
234 with '(null)' in it if we did not call sandbox with absolute path.
235
236 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
237 Set SANDBOX_ON *before* doing the child's env stuff, else its not set
238 for the child.
239
240 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
241 Remove global preload_adaptable as it is no longer used.
242
243 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
244 Rewrite environment stuff to only be set when execve'ing the child process
245 to try and avoid issues like bug #91541 that causes sandbox to crash if
246 we set LD_PRELOAD sandbox side already.
247
248 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
249 Move print_sandbox_log() up to make things neater.
250
251 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
252 Remove load_preload_libs(), as its not used anymore.
253
254 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
255 Remove NO_FORK stuff, as its not used, and 'strace -f' works just fine.
256
257 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
258 Remove USE_SYSTEM_SHELL stuff, as it is not secure, and not in use.
259
260 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
261 Remove ld.so.preload crap - we are not going to use it again.
262
263 10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c:
264 Fix typo in code that checks if we got valid group information, causing a
265 segmentation fault, bug #91637.
266
267 * sandbox-1.2.6 (2005/05/10)
268
269 10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
270 Do not use LD_PRELOAD if it contains libtsocks.so, as it breaks sandbox
271 for some odd reason, bug #91541.
272
273 09 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
274 Fix typo (sizeof -> strlen).
275
276 08 May 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
277 rewrote the sbcontext caching code so it accounts for env changes since lib
278 initialization.
279
280 05 May 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, libctest.c:
281 We create libctest.c via configure, so no need to keep it around. Do some
282 cleanup related to libctest.c and libctest during configure.
283
284 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
285 Add rename support of symlinks pointing to protected files/directories.
286
287 * sandbox-1.2.5 (2005/05/04)
288
289 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
290 sandbox.bashrc:
291 Do not reset already set LD_PRELOAD when starting sandbox. If LD_PRELOAD is
292 already set, init of the env vars fails for some reason, so do this later on,
293 and do not warn (bug #91431).
294
295 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
296 sandbox.bashrc:
297 Fixup sandbox and sandbox.bashrc to call bash with the proper .bashrc.
298
299 * sandbox-1.2.4 (2005/05/03)
300
301 03 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
302 Do not init the env entries with each call, as it creates too many calls to
303 lstat, etc. Should speedup things a bit, bug #91040.
304
305 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
306 Add /dev/pty to default write list. Noticed by Morfic.
307
308 02 May 2005; Mike Frysinger <vapier@gentoo.org> configure.in, localdecls.h,
309 sandbox.h:
310 uClibc doesn't support dlvsym() so add a configure check to make sure it doesn't
311 exist. Also update localdecls.h so BROKEN_RTLD_NEXT isn't defined in uClibc.
312
313 * sandbox-1.2.3 (2005/04/29)
314
315 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> configure.in:
316 Do not check for (*&#$(* CXX or F77.
317
318 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
319 Do not append '/' to pathname in filter_path() if it already ends with it.
320
321 28 Apr 2005; Mike Frysinger <vapier@gentoo.org> Makefile.am, configure.in:
322 With az's help, clean up autotools to work with cross-compiling.
323
324 * sandbox-1.2.2 (2005/04/28)
325
326 28 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
327 Only check for /dev/{null,zero} for unlink hack, else ricers using /dev/shm
328 have issues; bug #90592.
329
330 * sandbox-1.2.1 (2005/04/23)
331
332 23 Apr 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
333 getcwd.c, libsandbox.c, localdecls.h, sandbox.h, sandbox_futils.c:
334 Make sure all functions used in libsandbox.c is declared static. Define
335 SB_STATIC in localdecls.h for this. Include sandbox_futils.c rather than
336 linking with its object. Hopefully this will fix bug #90153.
337
338 * sandbox-1.2 (2005/04/23)
339
340 22 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
341 Allow lchown a symlink in write-allowed path pointing to write-denied
342 target.
343
344 21 Mar 2005; Marius Mauch <genone@gentoo.org> libsandbox.c:
345 Also show resolved symlink names in the log.
346
347 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, libsandbox.c:
348 Seems -nostdlib was the problem with the constructor/destructor - remove it
349 from Makefile.am, and change the constructor/destructor names again.
350
351 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
352 Also rename the _init() and _fini() declarations.
353
354 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
355 Fixup the constructor/destructor function names again (they should be _init()
356 and _fini() it seems, and not being called caused sandbox_lib_path to be
357 unset, and thus breaking the execve() wrapper's LD_PRELOAD protection).
358 Add both the path in given SANDBOX_x variable, as well as its symlink
359 resolved path in init_env_entries(). Modify filter_path() to be able to
360 resolve paths without resolving symlinks, as well as to be able to resolve
361 symlinks. Fix a possible segfault in check_access(). Add symlink resolving
362 to check_access() resolving bug #31019. Add 'hack' for unlink, as the fix
363 for bug #31019 cause access violations if we try to remove a symlink that is
364 not in protected path, but points to a protected path. Fix a memory leak in
365 sandbox.c (sandbox_pids_file in main()). Fix the realpath() calls in main()
366 (sandbox.c) being unchecked. Fix the debug logname not having the pid in it
367 (pid_string was uninitialized). General syntax cleanups.
368
369 09 Mar 2005; Brian Harring <ferringb@gentoo.org> sandbox.c: Fixed the
370 infamous "pids file is not a regular file" w/out newline bug.
371
372 09 Mar 2005; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in:
373 Correct libc_version path detection, since it was screwing up if libdir !=
374 "/lib/".
375
376 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
377 Hack to make sure sandboxed process cannot remove a device node, bug #79836.
378
379 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am:
380 Fix symbols.in not added to dist.
381
382 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
383 getcwd.c, libsandbox.c, sandbox.c, sandbox.h, sandbox_futils.c:
384 White space fixes.
385
386 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
387 configure.in, getcwd.c, libsandbox.c, symbols.in:
388 Fix inverse test logic in canonicalize.c, use a strncpy. Fix gcc warning in
389 getcwd.c. Add symbols.in and logic to Makefile.am to generate symbol versions
390 for glibc and other libc's that use this. Update libsandbox.c to use these
391 symbol versions if available. Fix exec wrapper to re-export LD_PRELOAD if the
392 process unset it.
393
394 01 Mar 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
395 killed off _init and _fini in favor of
396 void __attribute__ ((constructor)) init_func and
397 void __attribute__ ((destructor)) closing_func. _(init|func) were deprecated.
398
399 06 Dec 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, libsandbox.c,
400 canonicalize.c, getcwd.c: Fixed compilation *again*. Hopefully cvs is done
401 having the hick-ups.
402
403 04 Dec 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, getcwd.c,
404 Makefile.am: Fixed compilation.
405
406 01 Dec 2004; Brian Harring <ferringb@gentoo.org> aclocal.m4:
407 Gutted the bugger so it stops checking for a c++ and fortran compiler.
408 Do *not* regenerate aclocal.m4 for making a release until a better
409 solution is created.
410
411 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, sandbox_futils.c:
412 Removal of more hardcoded paths.
413
414 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in,
415 sandbox_futils.c: tweaks to install sandbox.bashrc, and use it.
416
417 19 Nov 2004; Brian Harring <ferringb@gentoo.org>:
418 Sandbox is now autotooled, create-localdecls needs to be killed and the code
419 shifted into configure.in. Currently builds *one* libsandbox.so- if multiple
420 are desired (-m64 and -m32 for amd64), the ebuild should do it (imo).
421 To get to a point of testing, automake && autoconf; created requisite files w/
422 a(utomake|clocal)-1.8, and autoconf 2.59. Installs to /usr/, instead of
423 /lib and /usr/lib/portage/bin.
424
425 14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c:
426 closing out bug #70225, potential overflow of the sandbox_pids_file var.
427
428 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard,
429 (think it was at least) allows intermixing of code and data segments. bug #70351
430 should be fixed by this.
431
432 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c:
433 futils fix from bug #65201 via solar, and libsandbox log path checks via #69137
434
435 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from
436 Seth Robertson that tracked down all adjuct flags for read operations that
437 do not invoke a write operation.
438
439 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
440 Another fix from jstubbs regarding a free() on a stack variable for the
441 environment -- tracking now prevents extraneous free()'s segfault.
442
443 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
444 J. Stubbs tracked down a new bug where mkdir was failing to the patch on
445 the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir.
446 Also remove the errno = ESUCCESS settings as documentation points out that
447 a library isn't allowed to do that.
448
449 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a
450 file_security_check() function to check random potential exploits on files
451 that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes
452 the 'system-crippling' exploits (bug 21923) and catches a few other
453 potential problems.
454
455 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for
456 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work.
457
458 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c:
459 bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>.
460 Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>.
461
462 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c :
463 Fix permissions and group of pids file and logs. Permissions should be 0664
464 and group should be 'portage'. Bug #34260.
465
466 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
467 Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed
468 to the real execve (in our execve wrapper). Seems that on some arches (sparc
469 among others) do not allow us to tamper with the readonly copy passed to
470 execve, so pass our own copy of the environment. Bug #42290.
471
472 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls:
473 Changed tail to head and added a notice about duration of glibc check.
474
475 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls:
476 Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh
477 as there isn't a guarentee that it is dynamic.
478
479 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
480 If 'file' passed to before_syscall(const char *func, const char *file) is
481 invalid, we should set errno to ENOENT, and not EINVAL. This should
482 close bug #32238.
483
484 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
485 Fix a bug that occurs mainly on 64bit arch, where the file passed to
486 the functions we wrap, is invalid, and then cause canonicalize to pass
487 garbage to before_syscall(), thanks to great detective work from
488 Andrea Luzzardi <al@sig11.org> (bug #29846).
489
490 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
491 Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>.
492
493 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
494 Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically
495 only checked the destination patch, and not the source, so we could move
496 a protected file to a unprotected directory, and then delete/modify it.
497 Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix.
498
499 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c :
500 Added python2.3 to the predict section/variable.
501
502 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
503 sandbox.h, sandbox_futils.c :
504 Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If
505 it is not set, it will revert to its old value.
506
507 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
508 Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so,
509 rather than failing with a violation, bug #29748.
510
511 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
512 Fix canonicalize() to ignore calls with path = "".
513
514 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
515 sandbox_futils.c, canonicalize.c :
516 Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system
517 call handled strings larger than PATH_MAX (bug #21766). It however does not
518 work the same on 2.4 kernels.
519
520 To fix, I added the posix implementation of getcwd() (from glibc cvs) that
521 do not need the system call. We use the default getcwd() function via a
522 wrapper (egetcwd), and then lstat the returned path. If lstat fails, it
523 means the current directory was removed, OR that the the system call for
524 getcwd failed (curious is that it do not fail and return NULL or set
525 errno, but rather just truncate the retured directory - usually from the
526 start), and if so, we use the generic getcwd() function (__egetcwd). Note
527 that we do not use the generic version all the time, as it calls lstat()
528 a great number of times, and performance degrade much.
529
530 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls,
531 libsandbox.c :
532 Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks.
533
534 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c
535 create-localdecls :
536 When checking path names of files accessed, we need to canonicalize it, else
537 it may be a symlink in a 'write allowed' directory pointing to a file in a
538 directory we should not have write access to.
539
540 With something like coreutils-5.0, we have two problems:
541 1) One of the tests checks if getcwd() can return a path longer than
542 PATH_MAX. This test then tries to create a dir which even while
543 created local (mkdir("conftest2")), it ends up being resolved with
544 a name that is much larger than PATH_MAX. The problem now is that
545 canonicalize() have undefined behaviour when the path was too long
546 (returned wrongly truncated paths, etc), and pass the wrong path to
547 before_syscall() (causing the bogus sandbox violations).
548 2) The ecanonicalize() function we used, along with the canonicalize()
549 function did not support longer than PATH_MAX. This is partly a
550 cause for 1), but the error checking (rather lack of it) of calls
551 to erealpath() in canonicalize() was the prime reason for 1).
552
553 As we do not use this canonicalized name to call the function, we resolve this
554 by fixing canonicalize() to do better error checking, and ecanonicalize() as
555 well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'.
556 While they will resolve paths properly now, and can check if a write/read is
557 allowed, the functions called from the sandboxed environment will still work
558 as expected.
559
560 This should resolve bug #21766.
561
562 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
563 For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under
564 it (bug #16298).
565
566 Problem is that for some reason locale fopen's locale.alias with mode "rm".
567
568 -------------------------------------------------------
569 nosferatu root # grep fopen locale.log
570 fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias
571 nosferatu root #
572 --------------------------------------------------------
573
574 I checked the source of locale, but it have fopen with mode 'r', so
575 not sure where the "rm" mode comes from. Anyhow, changed the check in
576 before_syscall_open_char() to also see mode "rm" as readonly.
577
578 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
579
580 Add glibc-2.3 support.
581
582 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c :
583
584 Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all
585 operations releated to preload, as well as only try to modify ld.so.preload
586 if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when
587 not using ld.so.preload. Fix to not write this instance of sandbox's pid
588 to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running.
589
590 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile :
591
592 Changed the LD to CC for hppa.
593
594 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
595
596 Killed the previous changes I made.
597
598 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
599
600 Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs.
601
602 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c :
603
604 Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868.
605
606 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
607
608 Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro>
609 for this fix.
610
611 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c :
612
613 sandbox_futils defined a dirname() function that was masking the same
614 function in glibc and was broken (e.g.: SANDBOX_DIR was being set to
615 '/usr/lib/portage/bi/'). Fixed function to return expected results and
616 renamed it to sb_dirname() to no longer mask the glibc function. Closes bug
617 11231.
618
619 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> :
620
621 Fix a segfault in libsandbox.c if canonicalize() was called with
622 first parameter = NULL.
623
624 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> :
625
626 Fix my braindead 'return 1;' in a void function. Updated sandbox.c,
627 cleanup() for this.
628
629 Change cleanup() in sandbox.c not to exit with fail status if
630 the pidsfile is missing. We really should still display sandbox
631 violations if they occured.
632
633 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
634
635 Update cleanup() in sandbox.c to remove the PIDSFILE if this is
636 the last sandbox running.
637
638 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
639
640 Major cleanups to mainly libsandbox.c again.
641
642 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
643
644 Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the
645 parties involved should please contact me so that we can fix it.
646
647 Add opendir wrapper to libsandbox.c.
648
649 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
650
651 Do some more cleanups to ecanonicalize(), as it dropped filenames in
652 rare cases (after my symlink cleanups), and caused glibc to bork.
653 These fixes went into canonicalize.c.
654
655 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
656
657 Fix spawn_shell() and main() in sandbox.c to properly return fail
658 status.
659
660 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
661
662 The new canonicalize() function in libsandbox.c also resolved symlinks,
663 which caused on cleaning sandbox errors if the symlink pointed to a
664 file in the live root. Ripped out canonicalize() and realpath() from
665 glibc; removed the symlink stuff, and changed them to ecanonicalize()
666 and erealpath().
667
668 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
669
670 Ripped out all the wrappers, and implemented those of InstallWatch.
671 Losts of cleanups and bugfixes. Implement a execve that forces
672 $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared
673 /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c,
674 sandbox.h and sandbox_futils.c. Rewrote the Makefile for most
675 parts; it now have an install target.
676
677 Reformat the whole thing to look somewhat like the reworked sandbox.c
678 and new sandbox.h and sandbox_futils.c from:
679
680 Brad House <brad@mainstreetsoftworks.com>.
681
682 Additional Copyrights now due to the InstallWatch code:
683
684 Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>

Properties

Name Value
svn:eol-style native
svn:keywords Author Date Id Revision

  ViewVC Help
Powered by ViewVC 1.1.20