/[path-sandbox]/trunk/libsandbox.c
Gentoo

Diff of /trunk/libsandbox.c

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

Revision 109 Revision 110
166static int is_sandbox_pid(); 166static int is_sandbox_pid();
167 167
168/* Wrapped functions */ 168/* Wrapped functions */
169 169
170extern int chmod(const char *, mode_t); 170extern int chmod(const char *, mode_t);
171static int (*true_chmod) (const char *, mode_t); 171static int (*true_chmod) (const char *, mode_t) = NULL;
172extern int chown(const char *, uid_t, gid_t); 172extern int chown(const char *, uid_t, gid_t);
173static int (*true_chown) (const char *, uid_t, gid_t); 173static int (*true_chown) (const char *, uid_t, gid_t) = NULL;
174extern int creat(const char *, mode_t); 174extern int creat(const char *, mode_t);
175static int (*true_creat) (const char *, mode_t); 175static int (*true_creat) (const char *, mode_t) = NULL;
176extern FILE *fopen(const char *, const char *); 176extern FILE *fopen(const char *, const char *);
177static FILE *(*true_fopen) (const char *, const char *); 177static FILE *(*true_fopen) (const char *, const char *) = NULL;
178extern int lchown(const char *, uid_t, gid_t); 178extern int lchown(const char *, uid_t, gid_t);
179static int (*true_lchown) (const char *, uid_t, gid_t); 179static int (*true_lchown) (const char *, uid_t, gid_t) = NULL;
180extern int link(const char *, const char *); 180extern int link(const char *, const char *);
181static int (*true_link) (const char *, const char *); 181static int (*true_link) (const char *, const char *) = NULL;
182extern int mkdir(const char *, mode_t); 182extern int mkdir(const char *, mode_t);
183static int (*true_mkdir) (const char *, mode_t); 183static int (*true_mkdir) (const char *, mode_t) = NULL;
184extern DIR *opendir(const char *); 184extern DIR *opendir(const char *);
185static DIR *(*true_opendir) (const char *); 185static DIR *(*true_opendir) (const char *) = NULL;
186#ifdef WRAP_MKNOD 186#ifdef WRAP_MKNOD
187extern int __xmknod(const char *, mode_t, dev_t); 187extern int __xmknod(const char *, mode_t, dev_t);
188static int (*true___xmknod) (const char *, mode_t, dev_t); 188static int (*true___xmknod) (const char *, mode_t, dev_t) = NULL;
189#endif 189#endif
190extern int open(const char *, int, ...); 190extern int open(const char *, int, ...);
191static int (*true_open) (const char *, int, ...); 191static int (*true_open) (const char *, int, ...) = NULL;
192extern int rename(const char *, const char *); 192extern int rename(const char *, const char *);
193static int (*true_rename) (const char *, const char *); 193static int (*true_rename) (const char *, const char *) = NULL;
194extern int rmdir(const char *); 194extern int rmdir(const char *);
195static int (*true_rmdir) (const char *); 195static int (*true_rmdir) (const char *) = NULL;
196extern int symlink(const char *, const char *); 196extern int symlink(const char *, const char *);
197static int (*true_symlink) (const char *, const char *); 197static int (*true_symlink) (const char *, const char *) = NULL;
198extern int truncate(const char *, TRUNCATE_T); 198extern int truncate(const char *, TRUNCATE_T);
199static int (*true_truncate) (const char *, TRUNCATE_T); 199static int (*true_truncate) (const char *, TRUNCATE_T) = NULL;
200extern int unlink(const char *); 200extern int unlink(const char *);
201static int (*true_unlink) (const char *); 201static int (*true_unlink) (const char *) = NULL;
202 202
203#if (GLIBC_MINOR >= 1) 203#if (GLIBC_MINOR >= 1)
204 204
205extern int creat64(const char *, __mode_t); 205extern int creat64(const char *, __mode_t);
206static int (*true_creat64) (const char *, __mode_t); 206static int (*true_creat64) (const char *, __mode_t) = NULL;
207extern FILE *fopen64(const char *, const char *); 207extern FILE *fopen64(const char *, const char *);
208static FILE *(*true_fopen64) (const char *, const char *); 208static FILE *(*true_fopen64) (const char *, const char *) = NULL;
209extern int open64(const char *, int, ...); 209extern int open64(const char *, int, ...);
210static int (*true_open64) (const char *, int, ...); 210static int (*true_open64) (const char *, int, ...) = NULL;
211extern int truncate64(const char *, __off64_t); 211extern int truncate64(const char *, __off64_t);
212static int (*true_truncate64) (const char *, __off64_t); 212static int (*true_truncate64) (const char *, __off64_t) = NULL;
213 213
214#endif 214#endif
215 215
216extern int execve(const char *filename, char *const argv[], char *const envp[]); 216extern int execve(const char *filename, char *const argv[], char *const envp[]);
217static int (*true_execve) (const char *, char *const[], char *const[]); 217static int (*true_execve) (const char *, char *const[], char *const[]);
968 int current_pid = 0; 968 int current_pid = 0;
969 int tmp_pid = 0; 969 int tmp_pid = 0;
970 970
971 init_wrappers(); 971 init_wrappers();
972 972
973 check_dlsym(fopen);
973 pids_stream = true_fopen(sandbox_pids_file, "r"); 974 pids_stream = true_fopen(sandbox_pids_file, "r");
974 975
975 if (NULL == pids_stream) { 976 if (NULL == pids_stream) {
976 perror(">>> pids file fopen"); 977 perror(">>> pids file fopen");
977 } else { 978 } else {
1371 fprintf(stderr, "\e[31;01mSECURITY BREACH\033[0m %s already exists and is not a regular file.\n", dpath); 1372 fprintf(stderr, "\e[31;01mSECURITY BREACH\033[0m %s already exists and is not a regular file.\n", dpath);
1372 } else if (0 == check_access(sbcontext, "open_wr", dpath, filter_path(dpath, 1))) { 1373 } else if (0 == check_access(sbcontext, "open_wr", dpath, filter_path(dpath, 1))) {
1373 unsetenv("SANDBOX_LOG"); 1374 unsetenv("SANDBOX_LOG");
1374 fprintf(stderr, "\e[31;01mSECURITY BREACH\033[0m SANDBOX_LOG %s isn't allowed via SANDBOX_WRITE\n", dpath); 1375 fprintf(stderr, "\e[31;01mSECURITY BREACH\033[0m SANDBOX_LOG %s isn't allowed via SANDBOX_WRITE\n", dpath);
1375 } else { 1376 } else {
1377 check_dlsym(open);
1376 log_file = true_open(dpath, O_APPEND | O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 1378 log_file = true_open(dpath, O_APPEND | O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
1377 if (log_file >= 0) { 1379 if (log_file >= 0) {
1378 write(log_file, buffer, strlen(buffer)); 1380 write(log_file, buffer, strlen(buffer));
1379 close(log_file); 1381 close(log_file);
1380 } 1382 }
1398 unsetenv("SANDBOX_DEBUG"); 1400 unsetenv("SANDBOX_DEBUG");
1399 unsetenv("SANDBOX_DEBUG_LOG"); 1401 unsetenv("SANDBOX_DEBUG_LOG");
1400 fprintf(stderr, "\e[31;01mSECURITY BREACH\033[0m SANDBOX_DEBUG_LOG %s isn't allowed by SANDBOX_WRITE.\n", 1402 fprintf(stderr, "\e[31;01mSECURITY BREACH\033[0m SANDBOX_DEBUG_LOG %s isn't allowed by SANDBOX_WRITE.\n",
1401 dpath); 1403 dpath);
1402 } else { 1404 } else {
1405 check_dlsym(open);
1403 debug_log_file = true_open(dpath, O_APPEND | O_WRONLY | O_CREAT, 1406 debug_log_file = true_open(dpath, O_APPEND | O_WRONLY | O_CREAT,
1404 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 1407 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
1405 if (debug_log_file >= 0) { 1408 if (debug_log_file >= 0) {
1406 write(debug_log_file, buffer, strlen(buffer)); 1409 write(debug_log_file, buffer, strlen(buffer));
1407 close(debug_log_file); 1410 close(debug_log_file);

Legend:
Removed from v.109  
changed lines
  Added in v.110

  ViewVC Help
Powered by ViewVC 1.1.20