/[path-sandbox]/trunk/ChangeLog.0
Gentoo

Contents of /trunk/ChangeLog.0

Parent Directory Parent Directory | Revision Log Revision Log


Revision 184 - (show annotations) (download)
Wed Nov 30 23:11:34 2005 UTC (9 years ago) by azarah
Original Path: trunk/ChangeLog
File size: 30423 byte(s)
Only check SANDBOX_ACTIVE, and not its value.  More BASH_ENV fixes.
1 # ChangeLog for Path Sandbox
2 # Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2
3 # $Header$
4
5 01 Dec 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, Makefile.am,
6 localdecls.h, scripts/Makefile.am, scripts/gen_symbol_version_map.awk,
7 scripts/gen_symbol_header.awk, src/Makefile.am, src/symbols.in,
8 src/libsandbox.c, src/getcwd.c, src/sandbox.c, data/sandbox.bashrc:
9
10 Use versioned symbols on supported libc's for functions we wrap, as well as
11 provide all versions of specific functions. Some syntax cleanups.
12
13 Only check SANDBOX_ACTIVE, and not its value. More BASH_ENV fixes.
14
15 28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, sandbox.c,
16 sandbox_fdutils.c:
17
18 Detect if we on 64bit arch automatically.
19
20 Update contact email. Fix quoting.
21
22 Revert 64bit arch test, as we should build the 32bit version without full
23 path checking as well, and add --enable-multilib switch to configure.
24
25 * sandbox-1.2.14 (2005/11/28)
26
27 28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
28 sandbox.c, sandbox.h, sandbox.bashrc:
29
30 Check generic getcwd()'s return as well for validity, bug #101728.
31
32 Cleanup environ variables.
33
34 Rather check SANDBOX_ACTIVE if we are already running. Set SANDBOX_ACTIVE
35 to readonly in sandbox.bashrc.
36
37 Make sure we use our bashrc.
38
39 01 Nov 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
40
41 Do not pass mode to true_open and true_open64 if not needed. Should fix a
42 segfault in some cases.
43
44 * sandbox-1.2.13 (2005/09/12)
45
46 12 Sep 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, libsandbox.c:
47
48 Do not handle adding working directory to SANDBOX_WRITE, as portage does it
49 itself.
50
51 Make libsb_fini() do cleanup a bit more complete just in case we get another
52 uClibc 'call preloaded library fini before that of app' issue ... probably
53 will not help much, but we try.
54
55 04 Sep 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
56
57 Also allow symlink() system call to operate on a symlink in a writable path
58 that points to non-writable path, bug #104711.
59
60 * sandbox-1.2.12 (2005/08/05)
61
62 05 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
63 sandbox.h:
64
65 Do not give an access violation if the access() system call do not have
66 write/read access - it does not actually modify, so we only need to return
67 not being able to write/read. Noted by Andres Loeh <kosmikus@gentoo.org>,
68 bug #101433.
69
70 If we are called from the command line, do not care about PORTAGE_TMPDIR,
71 and make the current directory the work directory. Also rename the variable
72 portage_tmp_dir to work_dir.
73
74 Remove the tmp_dir variable - we do not need it.
75
76 Improve error handling for get_sandbox_*_envvar() functions.
77
78 01 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
79
80 Still do normal log if debugging is requested.
81
82 Add support for SANDBOX_VERBOSE (enabled by default). Adjust SANDBOX_DEBUG
83 to only enable if equal to "1" or "yes".
84
85 Add /dev/tts to write permit, bug #42809.
86
87 27 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
88 sandbox_futils.c:
89
90 Do not resolve symlinks in PORTAGE_TMPDIR in sandbox .. we will handle that
91 in libsandbox .. bug #100309.
92
93 22 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h:
94
95 Print all logging to stderr, bug #90343, comment #15, by Zac Medico.
96
97 * sandbox-1.2.11 (2005/07/14)
98
99 14 July 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c:
100 Fix getcwd, bug #98419.
101
102 08 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c,
103 libsandbox.c:
104 - Try to cleanup and make error handling/printing consistent.
105 - Remove old logs if present and conflicting with current.
106 - Fix compile error with previous change, and return rather then exit().
107
108 07 July 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
109 sandbox.h, sandbox_futils.c:
110 - Fix possible segfault in env init code.
111 - Major cleanup of sandbox_futils.c. Removed most of the functions as we now
112 write to /var/log/sandbox/, so in theory do not need all that.
113 - Redo the interface of the get_* functions so that we do not leak memory.
114 - Remove sandbox_dir and co - we are not using it anymore.
115 - Remove unused includes and variables.
116 - Only declare functions in sandbox_futils.c that are used in libsandbox.c when
117 OUTSIDE_LIBSANDBOX is not defined.
118 - Cleanup access/log printing. Make access printing honour NOCOLOR. Fix log
119 printing's last line not honouring NOCOLOR.
120
121 06 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h, sandbox_futils.c,
122 libsandbox.c:
123 - Change log dir to /var/log/sandbox/. Make sure the sandboxed process cannot
124 write to it.
125 - Clean up logging in libsandbox.c, and hopefully make it more consistant.
126 - Add check_prefixes() with major cleanup on check_access().
127 - Cleanup init_env_entries() and check_prefixes().
128
129 05 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
130 sandbox_futils.c, libsandbox.c:
131 Remove unused 'pids file' code.
132
133 * sandbox-1.2.10 (2005/07/03)
134
135 03 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
136 Add PREDICT items for nss-db, bug #92079. Patch from Robin Johnson.
137
138 17 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
139 General cleanups:
140 - Remove fooling around with exit codes - we error out on presence of a log
141 anyhow.
142 - Move get_sandbox_*_envvar() to sandbox_setup_environ(), as its more
143 appropriate there.
144
145 12 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
146 Cleanup the fail_nametoolong stuff a bit more.
147
148 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
149 Remove hopefully the last ld.so.preload bits we do not use anymore.
150
151 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
152 Remove the unneeded canonicalize() calls in the wrappers - we do it anyhow
153 in check_syscall(). Should speed things up a bit (at least for the getcwd()
154 and long path name test it goes down to under a second, and not 10+ seconds
155 like before). Also warn if we skip checking due to the canonicalized path
156 being too long.
157
158 11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
159 More comment/readability cleanups.
160
161 10 June 2005; Martin Schlemmer <azarah@gentoo.org> canonicalize.c, getcwd.c,
162 sandbox_futils.c, libsandbox.c:
163 Some strncpy/strncat and other cleanups.
164
165 * sandbox-1.2.9 (2005/06/09)
166
167 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
168 Move symlink hack down a bit to try and minimize on the amount of lstat()
169 calls we do.
170
171 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
172 Add hack to allow writing to /proc/self/fd (or /dev/fd), bug #91516.
173
174 09 June 2005; Martin Schlemmer <azarah@gentoo.org> symbols.in, libsandbox.c:
175 Add wrapper for access() function, bug #85413.
176
177 09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c:
178 Use generic getcwd() implementation from uclibc - should be more portable
179 and looks a bit cleaner.
180
181 09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c:
182 Make sure our true_* pointers are initialized to NULL, and that we check for
183 all references that they are valid.
184
185 09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
186 Be default we will fail if the path name we try to canonicalize is too long.
187 This however could cause issues with some things (bug #94630 and #21766), so
188 if fail_nametoolong == 0, canonicalize() will return a null length string and
189 do not fail.
190
191 08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c:
192 Do not abort if TMPDIR is not valid, but rather use '/tmp', bug #94360. Also
193 make sure we re-export the new TMPDIR environment variable.
194
195 08 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
196 Fix incorrect free of non-malloc'd array, bug #92313 and #94020. Fix noted
197 by Marcus D. Hanwell <cryos@gentoo.org>.
198
199 08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
200 Add /dev/console to write list, bug #38588.
201
202 * sandbox-1.2.8 (2005/05/13)
203
204 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
205 sandbox.h, sandbox_futils.c:
206 General cleanups.
207
208 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
209 sandbox.h:
210 Various LD_PRELOAD cleanups. Do not unset LD_PRELOAD for parent.
211
212 13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
213 sandbox.h, sandbox_futils.c:
214 Modify get_sandbox_pids_file(), get_sandbox_log() and get_sandbox_debug_log()
215 to use TMPDIR if present in environment.
216
217 13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
218 Remove sandbox_log_file from main() as its no longer used.
219
220 13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
221 sandbox_futils.c:
222 Add get_sandbox_debug_log(), and use it (add behaviour similar to SANDBOX_LOG
223 if already exported when sandbox started). Fix get_sandbox_log() and new
224 get_sandbox_debug_log() to not use already exported environment variables if
225 they have '/' in them. Use snprintf()'s instead of strncpy()'s. More
226 SB_PATH_MAX fixes.
227
228 * sandbox-1.2.7 (2005/05/12)
229
230 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
231 sandbox_futils.c:
232 More path limit fixes. Declare SB_BUF_LEN global and use it where needed.
233
234 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c:
235 Fix paths limited to 255 chars. Fix get_sandbox_dir() returning a string
236 with '(null)' in it if we did not call sandbox with absolute path.
237
238 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
239 Set SANDBOX_ON *before* doing the child's env stuff, else its not set
240 for the child.
241
242 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
243 Remove global preload_adaptable as it is no longer used.
244
245 12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
246 Rewrite environment stuff to only be set when execve'ing the child process
247 to try and avoid issues like bug #91541 that causes sandbox to crash if
248 we set LD_PRELOAD sandbox side already.
249
250 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
251 Move print_sandbox_log() up to make things neater.
252
253 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
254 Remove load_preload_libs(), as its not used anymore.
255
256 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
257 Remove NO_FORK stuff, as its not used, and 'strace -f' works just fine.
258
259 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
260 Remove USE_SYSTEM_SHELL stuff, as it is not secure, and not in use.
261
262 11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
263 Remove ld.so.preload crap - we are not going to use it again.
264
265 10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c:
266 Fix typo in code that checks if we got valid group information, causing a
267 segmentation fault, bug #91637.
268
269 * sandbox-1.2.6 (2005/05/10)
270
271 10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
272 Do not use LD_PRELOAD if it contains libtsocks.so, as it breaks sandbox
273 for some odd reason, bug #91541.
274
275 09 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
276 Fix typo (sizeof -> strlen).
277
278 08 May 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
279 rewrote the sbcontext caching code so it accounts for env changes since lib
280 initialization.
281
282 05 May 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, libctest.c:
283 We create libctest.c via configure, so no need to keep it around. Do some
284 cleanup related to libctest.c and libctest during configure.
285
286 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
287 Add rename support of symlinks pointing to protected files/directories.
288
289 * sandbox-1.2.5 (2005/05/04)
290
291 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
292 sandbox.bashrc:
293 Do not reset already set LD_PRELOAD when starting sandbox. If LD_PRELOAD is
294 already set, init of the env vars fails for some reason, so do this later on,
295 and do not warn (bug #91431).
296
297 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
298 sandbox.bashrc:
299 Fixup sandbox and sandbox.bashrc to call bash with the proper .bashrc.
300
301 * sandbox-1.2.4 (2005/05/03)
302
303 03 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
304 Do not init the env entries with each call, as it creates too many calls to
305 lstat, etc. Should speedup things a bit, bug #91040.
306
307 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
308 Add /dev/pty to default write list. Noticed by Morfic.
309
310 02 May 2005; Mike Frysinger <vapier@gentoo.org> configure.in, localdecls.h,
311 sandbox.h:
312 uClibc doesn't support dlvsym() so add a configure check to make sure it doesn't
313 exist. Also update localdecls.h so BROKEN_RTLD_NEXT isn't defined in uClibc.
314
315 * sandbox-1.2.3 (2005/04/29)
316
317 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> configure.in:
318 Do not check for (*&#$(* CXX or F77.
319
320 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
321 Do not append '/' to pathname in filter_path() if it already ends with it.
322
323 28 Apr 2005; Mike Frysinger <vapier@gentoo.org> Makefile.am, configure.in:
324 With az's help, clean up autotools to work with cross-compiling.
325
326 * sandbox-1.2.2 (2005/04/28)
327
328 28 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
329 Only check for /dev/{null,zero} for unlink hack, else ricers using /dev/shm
330 have issues; bug #90592.
331
332 * sandbox-1.2.1 (2005/04/23)
333
334 23 Apr 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
335 getcwd.c, libsandbox.c, localdecls.h, sandbox.h, sandbox_futils.c:
336 Make sure all functions used in libsandbox.c is declared static. Define
337 SB_STATIC in localdecls.h for this. Include sandbox_futils.c rather than
338 linking with its object. Hopefully this will fix bug #90153.
339
340 * sandbox-1.2 (2005/04/23)
341
342 22 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
343 Allow lchown a symlink in write-allowed path pointing to write-denied
344 target.
345
346 21 Mar 2005; Marius Mauch <genone@gentoo.org> libsandbox.c:
347 Also show resolved symlink names in the log.
348
349 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, libsandbox.c:
350 Seems -nostdlib was the problem with the constructor/destructor - remove it
351 from Makefile.am, and change the constructor/destructor names again.
352
353 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
354 Also rename the _init() and _fini() declarations.
355
356 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
357 Fixup the constructor/destructor function names again (they should be _init()
358 and _fini() it seems, and not being called caused sandbox_lib_path to be
359 unset, and thus breaking the execve() wrapper's LD_PRELOAD protection).
360 Add both the path in given SANDBOX_x variable, as well as its symlink
361 resolved path in init_env_entries(). Modify filter_path() to be able to
362 resolve paths without resolving symlinks, as well as to be able to resolve
363 symlinks. Fix a possible segfault in check_access(). Add symlink resolving
364 to check_access() resolving bug #31019. Add 'hack' for unlink, as the fix
365 for bug #31019 cause access violations if we try to remove a symlink that is
366 not in protected path, but points to a protected path. Fix a memory leak in
367 sandbox.c (sandbox_pids_file in main()). Fix the realpath() calls in main()
368 (sandbox.c) being unchecked. Fix the debug logname not having the pid in it
369 (pid_string was uninitialized). General syntax cleanups.
370
371 09 Mar 2005; Brian Harring <ferringb@gentoo.org> sandbox.c: Fixed the
372 infamous "pids file is not a regular file" w/out newline bug.
373
374 09 Mar 2005; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in:
375 Correct libc_version path detection, since it was screwing up if libdir !=
376 "/lib/".
377
378 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
379 Hack to make sure sandboxed process cannot remove a device node, bug #79836.
380
381 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am:
382 Fix symbols.in not added to dist.
383
384 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
385 getcwd.c, libsandbox.c, sandbox.c, sandbox.h, sandbox_futils.c:
386 White space fixes.
387
388 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
389 configure.in, getcwd.c, libsandbox.c, symbols.in:
390 Fix inverse test logic in canonicalize.c, use a strncpy. Fix gcc warning in
391 getcwd.c. Add symbols.in and logic to Makefile.am to generate symbol versions
392 for glibc and other libc's that use this. Update libsandbox.c to use these
393 symbol versions if available. Fix exec wrapper to re-export LD_PRELOAD if the
394 process unset it.
395
396 01 Mar 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
397 killed off _init and _fini in favor of
398 void __attribute__ ((constructor)) init_func and
399 void __attribute__ ((destructor)) closing_func. _(init|func) were deprecated.
400
401 06 Dec 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, libsandbox.c,
402 canonicalize.c, getcwd.c: Fixed compilation *again*. Hopefully cvs is done
403 having the hick-ups.
404
405 04 Dec 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, getcwd.c,
406 Makefile.am: Fixed compilation.
407
408 01 Dec 2004; Brian Harring <ferringb@gentoo.org> aclocal.m4:
409 Gutted the bugger so it stops checking for a c++ and fortran compiler.
410 Do *not* regenerate aclocal.m4 for making a release until a better
411 solution is created.
412
413 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, sandbox_futils.c:
414 Removal of more hardcoded paths.
415
416 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in,
417 sandbox_futils.c: tweaks to install sandbox.bashrc, and use it.
418
419 19 Nov 2004; Brian Harring <ferringb@gentoo.org>:
420 Sandbox is now autotooled, create-localdecls needs to be killed and the code
421 shifted into configure.in. Currently builds *one* libsandbox.so- if multiple
422 are desired (-m64 and -m32 for amd64), the ebuild should do it (imo).
423 To get to a point of testing, automake && autoconf; created requisite files w/
424 a(utomake|clocal)-1.8, and autoconf 2.59. Installs to /usr/, instead of
425 /lib and /usr/lib/portage/bin.
426
427 14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c:
428 closing out bug #70225, potential overflow of the sandbox_pids_file var.
429
430 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard,
431 (think it was at least) allows intermixing of code and data segments. bug #70351
432 should be fixed by this.
433
434 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c:
435 futils fix from bug #65201 via solar, and libsandbox log path checks via #69137
436
437 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from
438 Seth Robertson that tracked down all adjuct flags for read operations that
439 do not invoke a write operation.
440
441 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
442 Another fix from jstubbs regarding a free() on a stack variable for the
443 environment -- tracking now prevents extraneous free()'s segfault.
444
445 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
446 J. Stubbs tracked down a new bug where mkdir was failing to the patch on
447 the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir.
448 Also remove the errno = ESUCCESS settings as documentation points out that
449 a library isn't allowed to do that.
450
451 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a
452 file_security_check() function to check random potential exploits on files
453 that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes
454 the 'system-crippling' exploits (bug 21923) and catches a few other
455 potential problems.
456
457 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for
458 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work.
459
460 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c:
461 bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>.
462 Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>.
463
464 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c :
465 Fix permissions and group of pids file and logs. Permissions should be 0664
466 and group should be 'portage'. Bug #34260.
467
468 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
469 Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed
470 to the real execve (in our execve wrapper). Seems that on some arches (sparc
471 among others) do not allow us to tamper with the readonly copy passed to
472 execve, so pass our own copy of the environment. Bug #42290.
473
474 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls:
475 Changed tail to head and added a notice about duration of glibc check.
476
477 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls:
478 Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh
479 as there isn't a guarentee that it is dynamic.
480
481 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
482 If 'file' passed to before_syscall(const char *func, const char *file) is
483 invalid, we should set errno to ENOENT, and not EINVAL. This should
484 close bug #32238.
485
486 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
487 Fix a bug that occurs mainly on 64bit arch, where the file passed to
488 the functions we wrap, is invalid, and then cause canonicalize to pass
489 garbage to before_syscall(), thanks to great detective work from
490 Andrea Luzzardi <al@sig11.org> (bug #29846).
491
492 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
493 Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>.
494
495 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
496 Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically
497 only checked the destination patch, and not the source, so we could move
498 a protected file to a unprotected directory, and then delete/modify it.
499 Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix.
500
501 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c :
502 Added python2.3 to the predict section/variable.
503
504 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
505 sandbox.h, sandbox_futils.c :
506 Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If
507 it is not set, it will revert to its old value.
508
509 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
510 Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so,
511 rather than failing with a violation, bug #29748.
512
513 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
514 Fix canonicalize() to ignore calls with path = "".
515
516 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
517 sandbox_futils.c, canonicalize.c :
518 Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system
519 call handled strings larger than PATH_MAX (bug #21766). It however does not
520 work the same on 2.4 kernels.
521
522 To fix, I added the posix implementation of getcwd() (from glibc cvs) that
523 do not need the system call. We use the default getcwd() function via a
524 wrapper (egetcwd), and then lstat the returned path. If lstat fails, it
525 means the current directory was removed, OR that the the system call for
526 getcwd failed (curious is that it do not fail and return NULL or set
527 errno, but rather just truncate the retured directory - usually from the
528 start), and if so, we use the generic getcwd() function (__egetcwd). Note
529 that we do not use the generic version all the time, as it calls lstat()
530 a great number of times, and performance degrade much.
531
532 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls,
533 libsandbox.c :
534 Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks.
535
536 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c
537 create-localdecls :
538 When checking path names of files accessed, we need to canonicalize it, else
539 it may be a symlink in a 'write allowed' directory pointing to a file in a
540 directory we should not have write access to.
541
542 With something like coreutils-5.0, we have two problems:
543 1) One of the tests checks if getcwd() can return a path longer than
544 PATH_MAX. This test then tries to create a dir which even while
545 created local (mkdir("conftest2")), it ends up being resolved with
546 a name that is much larger than PATH_MAX. The problem now is that
547 canonicalize() have undefined behaviour when the path was too long
548 (returned wrongly truncated paths, etc), and pass the wrong path to
549 before_syscall() (causing the bogus sandbox violations).
550 2) The ecanonicalize() function we used, along with the canonicalize()
551 function did not support longer than PATH_MAX. This is partly a
552 cause for 1), but the error checking (rather lack of it) of calls
553 to erealpath() in canonicalize() was the prime reason for 1).
554
555 As we do not use this canonicalized name to call the function, we resolve this
556 by fixing canonicalize() to do better error checking, and ecanonicalize() as
557 well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'.
558 While they will resolve paths properly now, and can check if a write/read is
559 allowed, the functions called from the sandboxed environment will still work
560 as expected.
561
562 This should resolve bug #21766.
563
564 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
565 For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under
566 it (bug #16298).
567
568 Problem is that for some reason locale fopen's locale.alias with mode "rm".
569
570 -------------------------------------------------------
571 nosferatu root # grep fopen locale.log
572 fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias
573 nosferatu root #
574 --------------------------------------------------------
575
576 I checked the source of locale, but it have fopen with mode 'r', so
577 not sure where the "rm" mode comes from. Anyhow, changed the check in
578 before_syscall_open_char() to also see mode "rm" as readonly.
579
580 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
581
582 Add glibc-2.3 support.
583
584 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c :
585
586 Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all
587 operations releated to preload, as well as only try to modify ld.so.preload
588 if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when
589 not using ld.so.preload. Fix to not write this instance of sandbox's pid
590 to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running.
591
592 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile :
593
594 Changed the LD to CC for hppa.
595
596 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
597
598 Killed the previous changes I made.
599
600 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
601
602 Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs.
603
604 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c :
605
606 Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868.
607
608 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
609
610 Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro>
611 for this fix.
612
613 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c :
614
615 sandbox_futils defined a dirname() function that was masking the same
616 function in glibc and was broken (e.g.: SANDBOX_DIR was being set to
617 '/usr/lib/portage/bi/'). Fixed function to return expected results and
618 renamed it to sb_dirname() to no longer mask the glibc function. Closes bug
619 11231.
620
621 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> :
622
623 Fix a segfault in libsandbox.c if canonicalize() was called with
624 first parameter = NULL.
625
626 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> :
627
628 Fix my braindead 'return 1;' in a void function. Updated sandbox.c,
629 cleanup() for this.
630
631 Change cleanup() in sandbox.c not to exit with fail status if
632 the pidsfile is missing. We really should still display sandbox
633 violations if they occured.
634
635 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
636
637 Update cleanup() in sandbox.c to remove the PIDSFILE if this is
638 the last sandbox running.
639
640 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
641
642 Major cleanups to mainly libsandbox.c again.
643
644 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
645
646 Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the
647 parties involved should please contact me so that we can fix it.
648
649 Add opendir wrapper to libsandbox.c.
650
651 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
652
653 Do some more cleanups to ecanonicalize(), as it dropped filenames in
654 rare cases (after my symlink cleanups), and caused glibc to bork.
655 These fixes went into canonicalize.c.
656
657 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
658
659 Fix spawn_shell() and main() in sandbox.c to properly return fail
660 status.
661
662 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
663
664 The new canonicalize() function in libsandbox.c also resolved symlinks,
665 which caused on cleaning sandbox errors if the symlink pointed to a
666 file in the live root. Ripped out canonicalize() and realpath() from
667 glibc; removed the symlink stuff, and changed them to ecanonicalize()
668 and erealpath().
669
670 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
671
672 Ripped out all the wrappers, and implemented those of InstallWatch.
673 Losts of cleanups and bugfixes. Implement a execve that forces
674 $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared
675 /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c,
676 sandbox.h and sandbox_futils.c. Rewrote the Makefile for most
677 parts; it now have an install target.
678
679 Reformat the whole thing to look somewhat like the reworked sandbox.c
680 and new sandbox.h and sandbox_futils.c from:
681
682 Brad House <brad@mainstreetsoftworks.com>.
683
684 Additional Copyrights now due to the InstallWatch code:
685
686 Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>

Properties

Name Value
svn:eol-style native
svn:keywords Author Date Id Revision

  ViewVC Help
Powered by ViewVC 1.1.20