| … | |
… | |
| 1147 | { |
1147 | { |
| 1148 | struct stat log_stat; |
1148 | struct stat log_stat; |
| 1149 | char buffer[512]; |
1149 | char buffer[512]; |
| 1150 | char *absolute_path = NULL; |
1150 | char *absolute_path = NULL; |
| 1151 | char *resolved_path = NULL; |
1151 | char *resolved_path = NULL; |
| 1152 | char *log_path = NULL; |
1152 | char *log_path = NULL, *debug_log_path = NULL; |
| 1153 | int old_errno = errno; |
1153 | int old_errno = errno; |
| 1154 | int result = 1; |
1154 | int result = 1; |
| 1155 | int log_file = 0; |
1155 | int log_file = 0, debug_log_file = 0; |
| 1156 | int debug = 0; |
1156 | int access = 0, debug = 0; |
| 1157 | int color = ((getenv("NOCOLOR") != NULL) ? 0 : 1); |
1157 | int color = ((getenv("NOCOLOR") != NULL) ? 0 : 1); |
| 1158 | |
1158 | |
| 1159 | init_wrappers(); |
1159 | init_wrappers(); |
| 1160 | |
1160 | |
| 1161 | absolute_path = filter_path(file, 0); |
1161 | absolute_path = filter_path(file, 0); |
| … | |
… | |
| 1163 | goto fp_error; |
1163 | goto fp_error; |
| 1164 | resolved_path = filter_path(file, 1); |
1164 | resolved_path = filter_path(file, 1); |
| 1165 | if (NULL == resolved_path) |
1165 | if (NULL == resolved_path) |
| 1166 | goto fp_error; |
1166 | goto fp_error; |
| 1167 | |
1167 | |
| 1168 | if (NULL == getenv("SANDBOX_DEBUG")) { |
|
|
| 1169 | log_path = getenv("SANDBOX_LOG"); |
1168 | log_path = getenv("SANDBOX_LOG"); |
| 1170 | } else { |
1169 | if (NULL != getenv("SANDBOX_DEBUG")) { |
| 1171 | log_path = getenv("SANDBOX_DEBUG_LOG"); |
1170 | debug_log_path = getenv("SANDBOX_DEBUG_LOG"); |
| 1172 | debug = 1; |
1171 | debug = 1; |
| 1173 | } |
1172 | } |
| 1174 | |
1173 | |
| 1175 | result = check_access(sbcontext, func, absolute_path, resolved_path); |
1174 | result = check_access(sbcontext, func, absolute_path, resolved_path); |
| 1176 | |
1175 | |
| … | |
… | |
| 1183 | } else if ((1 == debug) && (0 == sbcontext->show_access_violation)) { |
1182 | } else if ((1 == debug) && (0 == sbcontext->show_access_violation)) { |
| 1184 | EWARN(color, "ACCESS PREDICTED", " %s:%*s%s\n", |
1183 | EWARN(color, "ACCESS PREDICTED", " %s:%*s%s\n", |
| 1185 | func, (int)(10 - strlen(func)), "", absolute_path); |
1184 | func, (int)(10 - strlen(func)), "", absolute_path); |
| 1186 | } |
1185 | } |
| 1187 | |
1186 | |
| 1188 | if ((NULL != log_path) && |
|
|
| 1189 | (((0 == debug) && (0 == result) && (1 == sbcontext->show_access_violation)) || |
1187 | if ((0 == result) && (1 == sbcontext->show_access_violation)) |
| 1190 | (1 == debug))) { |
1188 | access = 1; |
|
|
1189 | |
|
|
1190 | if (((NULL != log_path) && (1 == access)) || |
|
|
1191 | ((NULL != debug_log_path) && (1 == debug))) { |
| 1191 | if (0 != strncmp(absolute_path, resolved_path, strlen(absolute_path))) { |
1192 | if (0 != strncmp(absolute_path, resolved_path, strlen(absolute_path))) { |
| 1192 | sprintf(buffer, "%s:%*s%s (symlink to %s)\n", func, |
1193 | sprintf(buffer, "%s:%*s%s (symlink to %s)\n", func, |
| 1193 | (int)(10 - strlen(func)), "", |
1194 | (int)(10 - strlen(func)), "", |
| 1194 | absolute_path, resolved_path); |
1195 | absolute_path, resolved_path); |
| 1195 | } else { |
1196 | } else { |
| 1196 | sprintf(buffer, "%s:%*s%s\n", func, |
1197 | sprintf(buffer, "%s:%*s%s\n", func, |
| 1197 | (int)(10 - strlen(func)), "", |
1198 | (int)(10 - strlen(func)), "", |
| 1198 | absolute_path); |
1199 | absolute_path); |
| 1199 | } |
1200 | } |
|
|
1201 | if (1 == access) { |
| 1200 | if ((0 == lstat(log_path, &log_stat)) && |
1202 | if ((0 == lstat(log_path, &log_stat)) && |
| 1201 | (0 == S_ISREG(log_stat.st_mode))) { |
1203 | (0 == S_ISREG(log_stat.st_mode))) { |
| 1202 | EERROR(color, "SECURITY BREACH", " '%s' %s\n", log_path, |
1204 | EERROR(color, "SECURITY BREACH", " '%s' %s\n", log_path, |
| 1203 | "already exists and is not a regular file!"); |
1205 | "already exists and is not a regular file!"); |
| 1204 | } else { |
1206 | } else { |
| 1205 | check_dlsym(open); |
1207 | check_dlsym(open); |
| 1206 | log_file = true_open(log_path, O_APPEND | O_WRONLY | |
1208 | log_file = true_open(log_path, O_APPEND | O_WRONLY | |
| 1207 | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | |
1209 | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | |
| 1208 | S_IROTH); |
1210 | S_IROTH); |
| 1209 | if (log_file >= 0) { |
1211 | if (log_file >= 0) { |
| 1210 | write(log_file, buffer, strlen(buffer)); |
1212 | write(log_file, buffer, strlen(buffer)); |
| 1211 | close(log_file); |
1213 | close(log_file); |
|
|
1214 | } |
|
|
1215 | } |
|
|
1216 | } |
|
|
1217 | if (1 == debug) { |
|
|
1218 | if ((0 == lstat(debug_log_path, &log_stat)) && |
|
|
1219 | (0 == S_ISREG(log_stat.st_mode))) { |
|
|
1220 | EERROR(color, "SECURITY BREACH", " '%s' %s\n", debug_log_path, |
|
|
1221 | "already exists and is not a regular file!"); |
|
|
1222 | } else { |
|
|
1223 | check_dlsym(open); |
|
|
1224 | debug_log_file = true_open(debug_log_path, O_APPEND | O_WRONLY | |
|
|
1225 | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | |
|
|
1226 | S_IROTH); |
|
|
1227 | if (debug_log_file >= 0) { |
|
|
1228 | write(debug_log_file, buffer, strlen(buffer)); |
|
|
1229 | close(debug_log_file); |
|
|
1230 | } |
| 1212 | } |
1231 | } |
| 1213 | } |
1232 | } |
| 1214 | } |
1233 | } |
| 1215 | |
1234 | |
| 1216 | if (NULL != absolute_path) |
1235 | if (NULL != absolute_path) |
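Review bot: The inner guards `if (1 == access)` and `if (1 == debug)` (new lines 1201 and 1217) do not re-check their own path, although the outer condition is satisfied when only one of the two path/flag pairs holds. With SANDBOX_DEBUG set but SANDBOX_DEBUG_LOG unset and a logged violation, `lstat()` and `true_open()` receive a null `debug_log_path`; the mirror case passes a null `log_path`. The guards should carry the pointer test themselves: `if ((1 == access) && (NULL != log_path)) {` and `if ((1 == debug) && (NULL != debug_log_path)) {`. The new debug branch also copies the existing `lstat()`-then-open sequence, which leaves a window between the check and the open; adding `O_NOFOLLOW` to the open flags and checking the opened descriptor with `fstat()`, in one helper shared by both logs, would narrow that window. The enclosing function starts and ends outside the lines shown here.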