/[path-sandbox]/trunk/ChangeLog.0
Revision 369
Sun Nov 9 09:48:28 2008 UTC by vapier
File size: 31256 byte(s)
cleanup whitespace and comments -- no functional changes
# ChangeLog for Path Sandbox
# Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2

01 Dec 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, Makefile.am,
localdecls.h, scripts/Makefile.am, scripts/gen_symbol_version_map.awk,
scripts/gen_symbol_header.awk, src/Makefile.am, src/symbols.in,
src/libsandbox.c, src/getcwd.c, src/sandbox.c, data/sandbox.bashrc:

Use versioned symbols on supported libc's for functions we wrap, as well as
provide all versions of specific functions. Some syntax cleanups.

Only check SANDBOX_ACTIVE, and not its value. More BASH_ENV fixes.

Rename configure.in to configure.ac.

Fix non-versioned libc's to also prepend '__' to internal symbols by using
strong aliases.

Remove the SB_STATIC and including of getcwd.c, etc voodoo, as we now use a
symbol map, and all non-exported symbols are local. Cleanup getcwd.c, as
the generic getcwd for older 2.4 kernels does not work properly anyhow, and
just makes things slower. Some other warning fixes.

Rename src/symbols.in to src/symbols.h.in.

Cleanup local defines for egetcwd() and erealpath().

Rename filter_path() to resolve_path() and other renames for clarity.

Fixup SANDBOX_ON handling after already running changes.

Use egetcwd() in sandbox.c.

Rather use fstat() to get file size in file_length() than lseek().

Wrap mknod() as well. Misc cleanups.

Wrap mkfifo() as it seems it was missing.

28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, sandbox.c,
sandbox_fdutils.c:

Detect if we are on 64bit arch automatically.

Update contact email. Fix quoting.

Revert 64bit arch test, as we should build the 32bit version without full
path checking as well, and add --enable-multilib switch to configure.

* sandbox-1.2.14 (2005/11/28)

28 Nov 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
sandbox.c, sandbox.h, sandbox.bashrc:

Check generic getcwd()'s return as well for validity, bug #101728.

Cleanup environ variables.

Rather check SANDBOX_ACTIVE if we are already running. Set SANDBOX_ACTIVE
to readonly in sandbox.bashrc.

Make sure we use our bashrc.

01 Nov 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:

Do not pass mode to true_open and true_open64 if not needed. Should fix a
segfault in some cases.

* sandbox-1.2.13 (2005/09/12)

12 Sep 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, libsandbox.c:

Do not handle adding working directory to SANDBOX_WRITE, as portage does it
itself.

Make libsb_fini() do cleanup a bit more complete just in case we get another
uClibc 'call preloaded library fini before that of app' issue ... probably
will not help much, but we try.

04 Sep 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:

Also allow symlink() system call to operate on a symlink in a writable path
that points to non-writable path, bug #104711.

* sandbox-1.2.12 (2005/08/05)

05 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
sandbox.h:

Do not give an access violation if the access() system call does not have
write/read access - it does not actually modify, so we only need to return
not being able to write/read. Noted by Andres Loeh <kosmikus@gentoo.org>,
bug #101433.

If we are called from the command line, do not care about PORTAGE_TMPDIR,
and make the current directory the work directory. Also rename the variable
portage_tmp_dir to work_dir.

Remove the tmp_dir variable - we do not need it.

Improve error handling for get_sandbox_*_envvar() functions.

01 Aug 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:

Still do normal log if debugging is requested.

Add support for SANDBOX_VERBOSE (enabled by default). Adjust SANDBOX_DEBUG
to only enable if equal to "1" or "yes".

Add /dev/tts to write permit, bug #42809.

27 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
sandbox_futils.c:

Do not resolve symlinks in PORTAGE_TMPDIR in sandbox .. we will handle that
in libsandbox .. bug #100309.

22 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h:

Print all logging to stderr, bug #90343, comment #15, by Zac Medico.

* sandbox-1.2.11 (2005/07/14)

14 July 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c:
Fix getcwd, bug #98419.

08 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c,
libsandbox.c:
- Try to cleanup and make error handling/printing consistent.
- Remove old logs if present and conflicting with current.
- Fix compile error with previous change, and return rather than exit().

07 July 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
sandbox.h, sandbox_futils.c:
- Fix possible segfault in env init code.
- Major cleanup of sandbox_futils.c. Removed most of the functions as we now
  write to /var/log/sandbox/, so in theory do not need all that.
- Redo the interface of the get_* functions so that we do not leak memory.
- Remove sandbox_dir and co - we are not using it anymore.
- Remove unused includes and variables.
- Only declare functions in sandbox_futils.c that are used in libsandbox.c when
  OUTSIDE_LIBSANDBOX is not defined.
- Cleanup access/log printing. Make access printing honour NOCOLOR. Fix log
  printing's last line not honouring NOCOLOR.

06 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.h, sandbox_futils.c,
libsandbox.c:
- Change log dir to /var/log/sandbox/. Make sure the sandboxed process cannot
  write to it.
- Clean up logging in libsandbox.c, and hopefully make it more consistent.
- Add check_prefixes() with major cleanup on check_access().
- Cleanup init_env_entries() and check_prefixes().

05 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
sandbox_futils.c, libsandbox.c:
Remove unused 'pids file' code.

* sandbox-1.2.10 (2005/07/03)

03 July 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Add PREDICT items for nss-db, bug #92079. Patch from Robin Johnson.

17 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
General cleanups:
- Remove fooling around with exit codes - we error out on presence of a log
  anyhow.
- Move get_sandbox_*_envvar() to sandbox_setup_environ(), as it's more
  appropriate there.

12 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Cleanup the fail_nametoolong stuff a bit more.

11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Remove hopefully the last ld.so.preload bits we do not use anymore.

11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Remove the unneeded canonicalize() calls in the wrappers - we do it anyhow
in check_syscall(). Should speed things up a bit (at least for the getcwd()
and long path name test it goes down to under a second, and not 10+ seconds
like before). Also warn if we skip checking due to the canonicalized path
being too long.

11 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
More comment/readability cleanups.

10 June 2005; Martin Schlemmer <azarah@gentoo.org> canonicalize.c, getcwd.c,
sandbox_futils.c, libsandbox.c:
Some strncpy/strncat and other cleanups.

* sandbox-1.2.9 (2005/06/09)

09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Move symlink hack down a bit to try and minimize on the amount of lstat()
calls we do.

09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
Add hack to allow writing to /proc/self/fd (or /dev/fd), bug #91516.

09 June 2005; Martin Schlemmer <azarah@gentoo.org> symbols.in, libsandbox.c:
Add wrapper for access() function, bug #85413.

09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c:
Use generic getcwd() implementation from uclibc - should be more portable
and looks a bit cleaner.

09 June 2005; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c:
Make sure our true_* pointers are initialized to NULL, and that we check for
all references that they are valid.

09 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
By default we will fail if the path name we try to canonicalize is too long.
This however could cause issues with some things (bug #94630 and #21766), so
if fail_nametoolong == 0, canonicalize() will return a null length string and
not fail.

08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c:
Do not abort if TMPDIR is not valid, but rather use '/tmp', bug #94360. Also
make sure we re-export the new TMPDIR environment variable.

08 June 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Fix incorrect free of non-malloc'd array, bug #92313 and #94020. Fix noted
by Marcus D. Hanwell <cryos@gentoo.org>.

08 June 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Add /dev/console to write list, bug #38588.

* sandbox-1.2.8 (2005/05/13)

13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
sandbox.h, sandbox_futils.c:
General cleanups.

13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
sandbox.h:
Various LD_PRELOAD cleanups. Do not unset LD_PRELOAD for parent.

13 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
sandbox.h, sandbox_futils.c:
Modify get_sandbox_pids_file(), get_sandbox_log() and get_sandbox_debug_log()
to use TMPDIR if present in environment.

13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Remove sandbox_log_file from main() as it's no longer used.

13 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
sandbox_futils.c:
Add get_sandbox_debug_log(), and use it (add behaviour similar to SANDBOX_LOG
if already exported when sandbox started). Fix get_sandbox_log() and new
get_sandbox_debug_log() to not use already exported environment variables if
they have '/' in them. Use snprintf()'s instead of strncpy()'s. More
SB_PATH_MAX fixes.

* sandbox-1.2.7 (2005/05/12)

12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
sandbox_futils.c:
More path limit fixes. Declare SB_BUF_LEN global and use it where needed.

12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c:
Fix paths limited to 255 chars. Fix get_sandbox_dir() returning a string
with '(null)' in it if we did not call sandbox with absolute path.

12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Set SANDBOX_ON *before* doing the child's env stuff, else it's not set
for the child.

12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Remove global preload_adaptable as it is no longer used.

12 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Rewrite environment stuff to only be set when execve'ing the child process
to try and avoid issues like bug #91541 that causes sandbox to crash if
we set LD_PRELOAD sandbox side already.

11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Move print_sandbox_log() up to make things neater.

11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Remove load_preload_libs(), as it's not used anymore.

11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
Remove NO_FORK stuff, as it's not used, and 'strace -f' works just fine.

11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
Remove USE_SYSTEM_SHELL stuff, as it is not secure, and not in use.

11 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h:
Remove ld.so.preload crap - we are not going to use it again.

10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox_futils.c:
Fix typo in code that checks if we got valid group information, causing a
segmentation fault, bug #91637.

* sandbox-1.2.6 (2005/05/10)

10 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Do not use LD_PRELOAD if it contains libtsocks.so, as it breaks sandbox
for some odd reason, bug #91541.

09 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Fix typo (sizeof -> strlen).

08 May 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
rewrote the sbcontext caching code so it accounts for env changes since lib
initialization.

05 May 2005; Martin Schlemmer <azarah@gentoo.org> configure.in, libctest.c:
We create libctest.c via configure, so no need to keep it around. Do some
cleanup related to libctest.c and libctest during configure.

04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Add rename support of symlinks pointing to protected files/directories.

* sandbox-1.2.5 (2005/05/04)

04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
sandbox.bashrc:
Do not reset already set LD_PRELOAD when starting sandbox. If LD_PRELOAD is
already set, init of the env vars fails for some reason, so do this later on,
and do not warn (bug #91431).

03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
sandbox.bashrc:
Fixup sandbox and sandbox.bashrc to call bash with the proper .bashrc.

* sandbox-1.2.4 (2005/05/03)

03 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Do not init the env entries with each call, as it creates too many calls to
lstat, etc. Should speedup things a bit, bug #91040.

03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
Add /dev/pty to default write list. Noticed by Morfic.

02 May 2005; Mike Frysinger <vapier@gentoo.org> configure.in, localdecls.h,
sandbox.h:
uClibc doesn't support dlvsym() so add a configure check to make sure it doesn't
exist. Also update localdecls.h so BROKEN_RTLD_NEXT isn't defined in uClibc.

* sandbox-1.2.3 (2005/04/29)

29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> configure.in:
Do not check for (*&#$(* CXX or F77.

29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Do not append '/' to pathname in filter_path() if it already ends with it.

28 Apr 2005; Mike Frysinger <vapier@gentoo.org> Makefile.am, configure.in:
With az's help, clean up autotools to work with cross-compiling.

* sandbox-1.2.2 (2005/04/28)

28 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Only check for /dev/{null,zero} for unlink hack, else ricers using /dev/shm
have issues; bug #90592.

* sandbox-1.2.1 (2005/04/23)

23 Apr 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
getcwd.c, libsandbox.c, localdecls.h, sandbox.h, sandbox_futils.c:
Make sure all functions used in libsandbox.c are declared static. Define
SB_STATIC in localdecls.h for this. Include sandbox_futils.c rather than
linking with its object. Hopefully this will fix bug #90153.

* sandbox-1.2 (2005/04/23)

22 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Allow lchown a symlink in write-allowed path pointing to write-denied
target.

21 Mar 2005; Marius Mauch <genone@gentoo.org> libsandbox.c:
Also show resolved symlink names in the log.

14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, libsandbox.c:
Seems -nostdlib was the problem with the constructor/destructor - remove it
from Makefile.am, and change the constructor/destructor names again.

14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Also rename the _init() and _fini() declarations.

14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
Fixup the constructor/destructor function names again (they should be _init()
and _fini() it seems, and not being called caused sandbox_lib_path to be
unset, and thus breaking the execve() wrapper's LD_PRELOAD protection).
Add both the path in given SANDBOX_x variable, as well as its symlink
resolved path in init_env_entries(). Modify filter_path() to be able to
resolve paths without resolving symlinks, as well as to be able to resolve
symlinks. Fix a possible segfault in check_access(). Add symlink resolving
to check_access() resolving bug #31019. Add 'hack' for unlink, as the fix
for bug #31019 causes access violations if we try to remove a symlink that is
not in protected path, but points to a protected path. Fix a memory leak in
sandbox.c (sandbox_pids_file in main()). Fix the realpath() calls in main()
(sandbox.c) being unchecked. Fix the debug logname not having the pid in it
(pid_string was uninitialized). General syntax cleanups.

09 Mar 2005; Brian Harring <ferringb@gentoo.org> sandbox.c: Fixed the
infamous "pids file is not a regular file" w/out newline bug.

09 Mar 2005; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in:
Correct libc_version path detection, since it was screwing up if libdir !=
"/lib/".

02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
Hack to make sure sandboxed process cannot remove a device node, bug #79836.

02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am:
Fix symbols.in not added to dist.

02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
getcwd.c, libsandbox.c, sandbox.c, sandbox.h, sandbox_futils.c:
White space fixes.

02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
configure.in, getcwd.c, libsandbox.c, symbols.in:
Fix inverse test logic in canonicalize.c, use a strncpy. Fix gcc warning in
getcwd.c. Add symbols.in and logic to Makefile.am to generate symbol versions
for glibc and other libc's that use this. Update libsandbox.c to use these
symbol versions if available. Fix exec wrapper to re-export LD_PRELOAD if the
process unset it.
420
01 Mar 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
killed off _init and _fini in favor of
void __attribute__ ((constructor)) init_func and
void __attribute__ ((destructor)) closing_func. _(init|func) were deprecated.

06 Dec 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, libsandbox.c,
canonicalize.c, getcwd.c: Fixed compilation *again*. Hopefully cvs is done
having the hiccups.

04 Dec 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, getcwd.c,
Makefile.am: Fixed compilation.

01 Dec 2004; Brian Harring <ferringb@gentoo.org> aclocal.m4:
Gutted the bugger so it stops checking for a c++ and fortran compiler.
Do *not* regenerate aclocal.m4 for making a release until a better
solution is created.

20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, sandbox_futils.c:
Removal of more hardcoded paths.

20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in,
sandbox_futils.c: tweaks to install sandbox.bashrc, and use it.

19 Nov 2004; Brian Harring <ferringb@gentoo.org>:
Sandbox is now autotooled, create-localdecls needs to be killed and the code
shifted into configure.in. Currently builds *one* libsandbox.so- if multiple
are desired (-m64 and -m32 for amd64), the ebuild should do it (imo).
To get to a point of testing, automake && autoconf; created requisite files w/
a(utomake|clocal)-1.8, and autoconf 2.59. Installs to /usr/, instead of
/lib and /usr/lib/portage/bin.

14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c:
closing out bug #70225, potential overflow of the sandbox_pids_file var.

07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard,
(think it was at least) allows intermixing of code and data segments. bug #70351
should be fixed by this.

03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c:
futils fix from bug #65201 via solar, and libsandbox log path checks via #69137.

02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from
Seth Robertson that tracked down all adjunct flags for read operations that
do not invoke a write operation.

04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
Another fix from jstubbs regarding a free() on a stack variable for the
environment -- tracking now prevents extraneous free()'s segfault.

04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
J. Stubbs tracked down a new bug where mkdir was failing to the patch on
the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir.
Also remove the errno = ESUCCESS settings as documentation points out that
a library isn't allowed to do that.

04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a
file_security_check() function to check random potential exploits on files
that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes
the 'system-crippling' exploits (bug 21923) and catches a few other
potential problems.

20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for
32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work.

20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c:
bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>.
Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>.
488
29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c :
Fix permissions and group of pids file and logs. Permissions should be 0664
and group should be 'portage'. Bug #34260.

28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed
to the real execve (in our execve wrapper). Seems that on some arches (sparc
among others) do not allow us to tamper with the readonly copy passed to
execve, so pass our own copy of the environment. Bug #42290.

11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls:
Changed tail to head and added a notice about duration of glibc check.

21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls:
Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh
as there isn't a guarantee that it is dynamic.

02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
If 'file' passed to before_syscall(const char *func, const char *file) is
invalid, we should set errno to ENOENT, and not EINVAL. This should
close bug #32238.

14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
Fix a bug that occurs mainly on 64bit arch, where the file passed to
the functions we wrap, is invalid, and then causes canonicalize to pass
garbage to before_syscall(), thanks to great detective work from
Andrea Luzzardi <al@sig11.org> (bug #29846).

13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>.

13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
Fix a bug in libsandbox.c's checking in the rename wrapper - it basically
only checked the destination path, and not the source, so we could move
a protected file to an unprotected directory, and then delete/modify it.
Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix.

12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c :
Added python2.3 to the predict section/variable.

28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
sandbox.h, sandbox_futils.c :
Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If
it is not set, it will revert to its old value.

27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
Fix our mkdir wrapper to check if the dir exists, and return EEXIST if so,
rather than failing with a violation, bug #29748.

27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
Fix canonicalize() to ignore calls with path = "".

27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
sandbox_futils.c, canonicalize.c :
Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system
call handled strings larger than PATH_MAX (bug #21766). It however does not
work the same on 2.4 kernels.

To fix, I added the posix implementation of getcwd() (from glibc cvs) that
does not need the system call. We use the default getcwd() function via a
wrapper (egetcwd), and then lstat the returned path. If lstat fails, it
means the current directory was removed, OR that the system call for
getcwd failed (curious is that it does not fail and return NULL or set
errno, but rather just truncates the returned directory - usually from the
start), and if so, we use the generic getcwd() function (__egetcwd). Note
that we do not use the generic version all the time, as it calls lstat()
a great number of times, and performance degrades much.
556
29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls,
libsandbox.c :
Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks.

22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c
create-localdecls :
When checking path names of files accessed, we need to canonicalize it, else
it may be a symlink in a 'write allowed' directory pointing to a file in a
directory we should not have write access to.

With something like coreutils-5.0, we have two problems:
1) One of the tests checks if getcwd() can return a path longer than
   PATH_MAX. This test then tries to create a dir which even while
   created local (mkdir("conftest2")), it ends up being resolved with
   a name that is much larger than PATH_MAX. The problem now is that
   canonicalize() has undefined behaviour when the path was too long
   (returned wrongly truncated paths, etc), and passes the wrong path to
   before_syscall() (causing the bogus sandbox violations).
2) The ecanonicalize() function we used, along with the canonicalize()
   function did not support longer than PATH_MAX. This is partly a
   cause for 1), but the error checking (rather lack of it) of calls
   to erealpath() in canonicalize() was the prime reason for 1).

As we do not use this canonicalized name to call the function, we resolve this
by fixing canonicalize() to do better error checking, and ecanonicalize() as
well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'.
While they will resolve paths properly now, and can check if a write/read is
allowed, the functions called from the sandboxed environment will still work
as expected.

This should resolve bug #21766.

06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under
it (bug #16298).

Problem is that for some reason locale fopen's locale.alias with mode "rm".

-------------------------------------------------------
nosferatu root # grep fopen locale.log
fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias
nosferatu root #
--------------------------------------------------------

I checked the source of locale, but it has fopen with mode 'r', so
not sure where the "rm" mode comes from. Anyhow, changed the check in
before_syscall_open_char() to also see mode "rm" as readonly.
604
23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :

Add glibc-2.3 support.

22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c :

Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all
operations related to preload, as well as only try to modify ld.so.preload
if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when
not using ld.so.preload. Fix to not write this instance of sandbox's pid
to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running.

22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile :

Changed the LD to CC for hppa.

22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :

Killed the previous changes I made.

17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :

Added parisc to BROKEN_RTLD_ARCHLIST to see if we can fix the relocation probs.

09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c :

Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868.

16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls :

Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro>
for this fix.

4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c :

sandbox_futils defined a dirname() function that was masking the same
function in glibc and was broken (e.g.: SANDBOX_DIR was being set to
'/usr/lib/portage/bi/'). Fixed function to return expected results and
renamed it to sb_dirname() to no longer mask the glibc function. Closes bug
11231.

4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> :

Fix a segfault in libsandbox.c if canonicalize() was called with
first parameter = NULL.

1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> :

Fix my braindead 'return 1;' in a void function. Updated sandbox.c,
cleanup() for this.

Change cleanup() in sandbox.c not to exit with fail status if
the pidsfile is missing. We really should still display sandbox
violations if they occurred.

31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :

Update cleanup() in sandbox.c to remove the PIDSFILE if this is
the last sandbox running.

25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :

Major cleanups to mainly libsandbox.c again.

22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :

Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the
parties involved should please contact me so that we can fix it.

Add opendir wrapper to libsandbox.c.

21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :

Do some more cleanups to ecanonicalize(), as it dropped filenames in
rare cases (after my symlink cleanups), and caused glibc to bork.
These fixes went into canonicalize.c.

20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :

Fix spawn_shell() and main() in sandbox.c to properly return fail
status.

19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :

The new canonicalize() function in libsandbox.c also resolved symlinks,
which caused on cleaning sandbox errors if the symlink pointed to a
file in the live root. Ripped out canonicalize() and realpath() from
glibc; removed the symlink stuff, and changed them to ecanonicalize()
and erealpath().

18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :

Ripped out all the wrappers, and implemented those of InstallWatch.
Lots of cleanups and bugfixes. Implement an execve that forces
$LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared
/etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c,
sandbox.h and sandbox_futils.c. Rewrote the Makefile for most
parts; it now has an install target.

Reformat the whole thing to look somewhat like the reworked sandbox.c
and new sandbox.h and sandbox_futils.c from:

Brad House <brad@mainstreetsoftworks.com>.

Additional Copyrights now due to the InstallWatch code:

Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>

Properties
svn:eol-style native
svn:keywords Author Date Id Revision
