/[path-sandbox]/trunk/ChangeLog.0
Gentoo

Contents of /trunk/ChangeLog.0

Parent Directory Parent Directory | Revision Log Revision Log


Revision 74 - (show annotations) (download)
Wed May 4 15:33:47 2005 UTC (9 years, 7 months ago) by azarah
Original Path: trunk/ChangeLog
File size: 18851 byte(s)
Add rename support of symlinks pointing to protected files/directories.

1 # ChangeLog for Path Sandbox
2 # Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2
3 # $Header$
4
5 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
6 Add rename support of symlinks pointing to protected files/directories.
7
8 * sandbox-1.2.5 (2005/05/04)
9
10 04 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
11 sandbox.bashrc:
12 Do not reset already set LD_PRELOAD when starting sandbox. If LD_PRELOAD is
13 already set, init of the env vars fails for some reason, so do this later on,
14 and do not warn (bug #91431).
15
16 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox.h,
17 sandbox.bashrc:
18 Fixup sandbox and sandbox.bashrc to call bash with the proper .bashrc.
19
20 * sandbox-1.2.4 (2005/05/03)
21
22 03 May 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
23 Do not init the env entries with each call, as it creates too many calls to
24 lstat, etc. Should speedup things a bit, bug #91040.
25
26 03 May 2005; Martin Schlemmer <azarah@gentoo.org> sandbox.c:
27 Add /dev/pty to default write list. Noticed by Morfic.
28
29 02 May 2005; Mike Frysinger <vapier@gentoo.org> configure.in, localdecls.h,
30 sandbox.h:
31 uClibc doesn't support dlvsym() so add a configure check to make sure it doesn't
32 exist. Also update localdecls.h so BROKEN_RTLD_NEXT isn't defined in uClibc.
33
34 * sandbox-1.2.3 (2005/04/29)
35
36 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> configure.in:
37 Do not check for (*&#$(* CXX or F77.
38
39 29 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
40 Do not append '/' to pathname in filter_path() if it already ends with it.
41
42 28 Apr 2005; Mike Frysinger <vapier@gentoo.org> Makefile.am, configure.in:
43 With az's help, clean up autotools to work with cross-compiling.
44
45 * sandbox-1.2.2 (2005/04/28)
46
47 28 Apr 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
48 Only check for /dev/{null,zero} for unlink hack, else ricers using /dev/shm
49 have issues; bug #90592.
50
51 * sandbox-1.2.1 (2005/04/23)
52
53 23 Apr 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
54 getcwd.c, libsandbox.c, localdecls.h, sandbox.h, sandbox_futils.c:
55 Make sure all functions used in libsandbox.c is declared static. Define
56 SB_STATIC in localdecls.h for this. Include sandbox_futils.c rather than
57 linking with its object. Hopefully this will fix bug #90153.
58
59 * sandbox-1.2 (2005/04/23)
60
61 22 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
62 Allow lchown a symlink in write-allowed path pointing to write-denied
63 target.
64
65 21 Mar 2005; Marius Mauch <genone@gentoo.org> libsandbox.c:
66 Also show resolved symlink names in the log.
67
68 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, libsandbox.c:
69 Seems -nostdlib was the problem with the constructor/destructor - remove it
70 from Makefile.am, and change the constructor/destructor names again.
71
72 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
73 Also rename the _init() and _fini() declarations.
74
75 14 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c:
76 Fixup the constructor/destructor function names again (they should be _init()
77 and _fini() it seems, and not being called caused sandbox_lib_path to be
78 unset, and thus breaking the execve() wrapper's LD_PRELOAD protection).
79 Add both the path in given SANDBOX_x variable, as well as its symlink
80 resolved path in init_env_entries(). Modify filter_path() to be able to
81 resolve paths without resolving symlinks, as well as to be able to resolve
82 symlinks. Fix a possible segfault in check_access(). Add symlink resolving
83 to check_access() resolving bug #31019. Add 'hack' for unlink, as the fix
84 for bug #31019 cause access violations if we try to remove a symlink that is
85 not in protected path, but points to a protected path. Fix a memory leak in
86 sandbox.c (sandbox_pids_file in main()). Fix the realpath() calls in main()
87 (sandbox.c) being unchecked. Fix the debug logname not having the pid in it
88 (pid_string was uninitialized). General syntax cleanups.
89
90 09 Mar 2005; Brian Harring <ferringb@gentoo.org> sandbox.c: Fixed the
91 infamous "pids file is not a regular file" w/out newline bug.
92
93 09 Mar 2005; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in:
94 Correct libc_version path detection, since it was screwing up if libdir !=
95 "/lib/".
96
97 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c:
98 Hack to make sure sandboxed process cannot remove a device node, bug #79836.
99
100 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am:
101 Fix symbols.in not added to dist.
102
103 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
104 getcwd.c, libsandbox.c, sandbox.c, sandbox.h, sandbox_futils.c:
105 White space fixes.
106
107 02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c,
108 configure.in, getcwd.c, libsandbox.c, symbols.in:
109 Fix inverse test logic in canonicalize.c, use a strncpy. Fix gcc warning in
110 getcwd.c. Add symbols.in and logic to Makefile.am to generate symbol versions
111 for glibc and other libc's that use this. Update libsandbox.c to use these
112 symbol versions if available. Fix exec wrapper to re-export LD_PRELOAD if the
113 process unset it.
114
115 01 Mar 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c:
116 killed off _init and _fini in favor of
117 void __attribute__ ((constructor)) init_func and
118 void __attribute__ ((destructor)) closing_func. _(init|func) were deprecated.
119
120 06 Dec 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, libsandbox.c,
121 canonicalize.c, getcwd.c: Fixed compilation *again*. Hopefully cvs is done
122 having the hick-ups.
123
124 04 Dec 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, getcwd.c,
125 Makefile.am: Fixed compilation.
126
127 01 Dec 2004; Brian Harring <ferringb@gentoo.org> aclocal.m4:
128 Gutted the bugger so it stops checking for a c++ and fortran compiler.
129 Do *not* regenerate aclocal.m4 for making a release until a better
130 solution is created.
131
132 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, sandbox_futils.c:
133 Removal of more hardcoded paths.
134
135 20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in,
136 sandbox_futils.c: tweaks to install sandbox.bashrc, and use it.
137
138 19 Nov 2004; Brian Harring <ferringb@gentoo.org>:
139 Sandbox is now autotooled, create-localdecls needs to be killed and the code
140 shifted into configure.in. Currently builds *one* libsandbox.so- if multiple
141 are desired (-m64 and -m32 for amd64), the ebuild should do it (imo).
142 To get to a point of testing, automake && autoconf; created requisite files w/
143 a(utomake|clocal)-1.8, and autoconf 2.59. Installs to /usr/, instead of
144 /lib and /usr/lib/portage/bin.
145
146 14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c:
147 closing out bug #70225, potential overflow of the sandbox_pids_file var.
148
149 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard,
150 (think it was at least) allows intermixing of code and data segments. bug #70351
151 should be fixed by this.
152
153 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c:
154 futils fix from bug #65201 via solar, and libsandbox log path checks via #69137
155
156 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from
157 Seth Robertson that tracked down all adjuct flags for read operations that
158 do not invoke a write operation.
159
160 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
161 Another fix from jstubbs regarding a free() on a stack variable for the
162 environment -- tracking now prevents extraneous free()'s segfault.
163
164 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c:
165 J. Stubbs tracked down a new bug where mkdir was failing to the patch on
166 the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir.
167 Also remove the errno = ESUCCESS settings as documentation points out that
168 a library isn't allowed to do that.
169
170 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a
171 file_security_check() function to check random potential exploits on files
172 that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes
173 the 'system-crippling' exploits (bug 21923) and catches a few other
174 potential problems.
175
176 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for
177 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work.
178
179 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c:
180 bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>.
181 Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>.
182
183 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c :
184 Fix permissions and group of pids file and logs. Permissions should be 0664
185 and group should be 'portage'. Bug #34260.
186
187 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
188 Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed
189 to the real execve (in our execve wrapper). Seems that on some arches (sparc
190 among others) do not allow us to tamper with the readonly copy passed to
191 execve, so pass our own copy of the environment. Bug #42290.
192
193 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls:
194 Changed tail to head and added a notice about duration of glibc check.
195
196 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls:
197 Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh
198 as there isn't a guarentee that it is dynamic.
199
200 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
201 If 'file' passed to before_syscall(const char *func, const char *file) is
202 invalid, we should set errno to ENOENT, and not EINVAL. This should
203 close bug #32238.
204
205 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
206 Fix a bug that occurs mainly on 64bit arch, where the file passed to
207 the functions we wrap, is invalid, and then cause canonicalize to pass
208 garbage to before_syscall(), thanks to great detective work from
209 Andrea Luzzardi <al@sig11.org> (bug #29846).
210
211 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
212 Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>.
213
214 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
215 Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically
216 only checked the destination patch, and not the source, so we could move
217 a protected file to a unprotected directory, and then delete/modify it.
218 Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix.
219
220 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c :
221 Added python2.3 to the predict section/variable.
222
223 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c,
224 sandbox.h, sandbox_futils.c :
225 Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If
226 it is not set, it will revert to its old value.
227
228 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
229 Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so,
230 rather than failing with a violation, bug #29748.
231
232 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
233 Fix canonicalize() to ignore calls with path = "".
234
235 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c,
236 sandbox_futils.c, canonicalize.c :
237 Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system
238 call handled strings larger than PATH_MAX (bug #21766). It however does not
239 work the same on 2.4 kernels.
240
241 To fix, I added the posix implementation of getcwd() (from glibc cvs) that
242 do not need the system call. We use the default getcwd() function via a
243 wrapper (egetcwd), and then lstat the returned path. If lstat fails, it
244 means the current directory was removed, OR that the the system call for
245 getcwd failed (curious is that it do not fail and return NULL or set
246 errno, but rather just truncate the retured directory - usually from the
247 start), and if so, we use the generic getcwd() function (__egetcwd). Note
248 that we do not use the generic version all the time, as it calls lstat()
249 a great number of times, and performance degrade much.
250
251 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls,
252 libsandbox.c :
253 Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks.
254
255 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c
256 create-localdecls :
257 When checking path names of files accessed, we need to canonicalize it, else
258 it may be a symlink in a 'write allowed' directory pointing to a file in a
259 directory we should not have write access to.
260
261 With something like coreutils-5.0, we have two problems:
262 1) One of the tests checks if getcwd() can return a path longer than
263 PATH_MAX. This test then tries to create a dir which even while
264 created local (mkdir("conftest2")), it ends up being resolved with
265 a name that is much larger than PATH_MAX. The problem now is that
266 canonicalize() have undefined behaviour when the path was too long
267 (returned wrongly truncated paths, etc), and pass the wrong path to
268 before_syscall() (causing the bogus sandbox violations).
269 2) The ecanonicalize() function we used, along with the canonicalize()
270 function did not support longer than PATH_MAX. This is partly a
271 cause for 1), but the error checking (rather lack of it) of calls
272 to erealpath() in canonicalize() was the prime reason for 1).
273
274 As we do not use this canonicalized name to call the function, we resolve this
275 by fixing canonicalize() to do better error checking, and ecanonicalize() as
276 well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'.
277 While they will resolve paths properly now, and can check if a write/read is
278 allowed, the functions called from the sandboxed environment will still work
279 as expected.
280
281 This should resolve bug #21766.
282
283 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c :
284 For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under
285 it (bug #16298).
286
287 Problem is that for some reason locale fopen's locale.alias with mode "rm".
288
289 -------------------------------------------------------
290 nosferatu root # grep fopen locale.log
291 fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias
292 nosferatu root #
293 --------------------------------------------------------
294
295 I checked the source of locale, but it have fopen with mode 'r', so
296 not sure where the "rm" mode comes from. Anyhow, changed the check in
297 before_syscall_open_char() to also see mode "rm" as readonly.
298
299 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
300
301 Add glibc-2.3 support.
302
303 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c :
304
305 Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all
306 operations releated to preload, as well as only try to modify ld.so.preload
307 if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when
308 not using ld.so.preload. Fix to not write this instance of sandbox's pid
309 to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running.
310
311 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile :
312
313 Changed the LD to CC for hppa.
314
315 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
316
317 Killed the previous changes I made.
318
319 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls :
320
321 Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs.
322
323 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c :
324
325 Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868.
326
327 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls :
328
329 Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro>
330 for this fix.
331
332 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c :
333
334 sandbox_futils defined a dirname() function that was masking the same
335 function in glibc and was broken (e.g.: SANDBOX_DIR was being set to
336 '/usr/lib/portage/bi/'). Fixed function to return expected results and
337 renamed it to sb_dirname() to no longer mask the glibc function. Closes bug
338 11231.
339
340 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> :
341
342 Fix a segfault in libsandbox.c if canonicalize() was called with
343 first parameter = NULL.
344
345 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> :
346
347 Fix my braindead 'return 1;' in a void function. Updated sandbox.c,
348 cleanup() for this.
349
350 Change cleanup() in sandbox.c not to exit with fail status if
351 the pidsfile is missing. We really should still display sandbox
352 violations if they occured.
353
354 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
355
356 Update cleanup() in sandbox.c to remove the PIDSFILE if this is
357 the last sandbox running.
358
359 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
360
361 Major cleanups to mainly libsandbox.c again.
362
363 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
364
365 Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the
366 parties involved should please contact me so that we can fix it.
367
368 Add opendir wrapper to libsandbox.c.
369
370 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
371
372 Do some more cleanups to ecanonicalize(), as it dropped filenames in
373 rare cases (after my symlink cleanups), and caused glibc to bork.
374 These fixes went into canonicalize.c.
375
376 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
377
378 Fix spawn_shell() and main() in sandbox.c to properly return fail
379 status.
380
381 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
382
383 The new canonicalize() function in libsandbox.c also resolved symlinks,
384 which caused on cleaning sandbox errors if the symlink pointed to a
385 file in the live root. Ripped out canonicalize() and realpath() from
386 glibc; removed the symlink stuff, and changed them to ecanonicalize()
387 and erealpath().
388
389 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> :
390
391 Ripped out all the wrappers, and implemented those of InstallWatch.
392 Losts of cleanups and bugfixes. Implement a execve that forces
393 $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared
394 /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c,
395 sandbox.h and sandbox_futils.c. Rewrote the Makefile for most
396 parts; it now have an install target.
397
398 Reformat the whole thing to look somewhat like the reworked sandbox.c
399 and new sandbox.h and sandbox_futils.c from:
400
401 Brad House <brad@mainstreetsoftworks.com>.
402
403 Additional Copyrights now due to the InstallWatch code:
404
405 Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>

Properties

Name Value
svn:eol-style native
svn:keywords Author Date Id Revision

  ViewVC Help
Powered by ViewVC 1.1.20