
Diff of /trunk/libsandbox.c


Revision 75 Revision 76
135 char **write_denied_prefixes; 135 char **write_denied_prefixes;
136 int num_write_denied_prefixes; 136 int num_write_denied_prefixes;
137} sbcontext_t; 137} sbcontext_t;
138 138
139static sbcontext_t sbcontext; 139static sbcontext_t sbcontext;
140 140static char **cached_env_vars;
141static int sb_init = 0; 141static int sb_init = 0;
142 142
143void __attribute__ ((constructor)) libsb_init(void); 143void __attribute__ ((constructor)) libsb_init(void);
144void __attribute__ ((destructor)) libsb_fini(void); 144void __attribute__ ((destructor)) libsb_fini(void);
145 145
157static int before_syscall(const char *, const char *); 157static int before_syscall(const char *, const char *);
158static int before_syscall_open_int(const char *, const char *, int); 158static int before_syscall_open_int(const char *, const char *, int);
159static int before_syscall_open_char(const char *, const char *, const char *); 159static int before_syscall_open_char(const char *, const char *, const char *);
160static void clean_env_entries(char ***, int *); 160static void clean_env_entries(char ***, int *);
161static void init_context(sbcontext_t *); 161static void init_context(sbcontext_t *);
162static void init_env_entries(char ***, int *, char *, int); 162static void init_env_entries(char ***, int *, const char *, const char *, int);
163static int is_sandbox_on(); 163static int is_sandbox_on();
164static int is_sandbox_pid(); 164static int is_sandbox_pid();
165 165
166/* Wrapped functions */ 166/* Wrapped functions */
167 167
279} 279}
280 280
281 281
282void __attribute__ ((destructor)) libsb_fini(void) 282void __attribute__ ((destructor)) libsb_fini(void)
283{ 283{
284 int x;
285 if(NULL != cached_env_vars) {
286 for(x=0; x < 4; x++) {
287 if(NULL != cached_env_vars[x])
288 free(cached_env_vars[x]);
289 }
290 free(cached_env_vars);
291 }
284 clean_env_entries(&(sbcontext.deny_prefixes), 292 clean_env_entries(&(sbcontext.deny_prefixes),
285 &(sbcontext.num_deny_prefixes)); 293 &(sbcontext.num_deny_prefixes));
286 clean_env_entries(&(sbcontext.read_prefixes), 294 clean_env_entries(&(sbcontext.read_prefixes),
287 &(sbcontext.num_read_prefixes)); 295 &(sbcontext.num_read_prefixes));
288 clean_env_entries(&(sbcontext.write_prefixes), 296 clean_env_entries(&(sbcontext.write_prefixes),
312 tmp_string = NULL; 320 tmp_string = NULL;
313 321
314 /* Generate sandbox pids-file path */ 322 /* Generate sandbox pids-file path */
315 sandbox_pids_file = get_sandbox_pids_file(); 323 sandbox_pids_file = get_sandbox_pids_file();
316 324
317 init_context(&sbcontext);
318
319 init_env_entries(&(sbcontext.deny_prefixes),
320 &(sbcontext.num_deny_prefixes), "SANDBOX_DENY", 1);
321 init_env_entries(&(sbcontext.read_prefixes),
322 &(sbcontext.num_read_prefixes), "SANDBOX_READ", 1);
323 init_env_entries(&(sbcontext.write_prefixes),
324 &(sbcontext.num_write_prefixes), "SANDBOX_WRITE", 1);
325 init_env_entries(&(sbcontext.predict_prefixes),
326 &(sbcontext.num_predict_prefixes), "SANDBOX_PREDICT", 1);
327
328 sb_init = 1; 325// sb_init = 1;
329 326
330 errno = old_errno; 327 errno = old_errno;
331} 328}
332 329
333static int canonicalize(const char *path, char *resolved_path) 330static int canonicalize(const char *path, char *resolved_path)
1026 1023
1027#define pfx_num (*prefixes_num) 1024#define pfx_num (*prefixes_num)
1028#define pfx_array (*prefixes_array) 1025#define pfx_array (*prefixes_array)
1029#define pfx_item ((*prefixes_array)[(*prefixes_num)]) 1026#define pfx_item ((*prefixes_array)[(*prefixes_num)])
1030 1027
1031static void init_env_entries(char ***prefixes_array, int *prefixes_num, char *env, int warn) 1028static void init_env_entries(char ***prefixes_array, int *prefixes_num, const char *env, const char *prefixes_env, int warn)
1032{ 1029{
1033 int old_errno = errno; 1030 int old_errno = errno;
1034 char *prefixes_env = getenv(env); 1031// char *prefixes_env = getenv(env);
1035 1032
1036 if (NULL == prefixes_env) { 1033 if (NULL == prefixes_env) {
1037 /* Do not warn if this is in init stage, as we might get 1034 /* Do not warn if this is in init stage, as we might get
1038 * issues due to LD_PRELOAD already set (bug #91431). */ 1035 * issues due to LD_PRELOAD already set (bug #91431). */
1039 if (1 == sb_init) 1036 if (1 == sb_init)
1040 fprintf(stderr, "Sandbox error : the %s environmental variable should be defined.\n", env); 1037 fprintf(stderr, "Sandbox error : the %s environmental variable should be defined.\n", env);
1038 if(pfx_array) {
1039 int x;
1040 for(x=0; x < pfx_num; x++)
1041 free(pfx_item);
1042 free(pfx_array);
1043 }
1044 pfx_num = 0;
1041 } else { 1045 } else {
1042 char *buffer = NULL; 1046 char *buffer = NULL;
1043 int prefixes_env_length = strlen(prefixes_env); 1047 int prefixes_env_length = strlen(prefixes_env);
1044 int i = 0; 1048 int i = 0;
1045 int num_delimiters = 0; 1049 int num_delimiters = 0;
1448static int before_syscall(const char *func, const char *file) 1452static int before_syscall(const char *func, const char *file)
1449{ 1453{
1450 int old_errno = errno; 1454 int old_errno = errno;
1451 int result = 1; 1455 int result = 1;
1452// static sbcontext_t sbcontext; 1456// static sbcontext_t sbcontext;
1457 char *deny = getenv("SANDBOX_DENY");
1458 char *read = getenv("SANDBOX_READ");
1459 char *write = getenv("SANDBOX_WRITE");
1460 char *predict = getenv("SANDBOX_PREDICT");
1453 1461
1454 if (!strlen(file)) { 1462 if (!strlen(file)) {
1455 /* The file/directory does not exist */ 1463 /* The file/directory does not exist */
1456 errno = ENOENT; 1464 errno = ENOENT;
1457 return 0; 1465 return 0;
1458 } 1466 }
1459 1467
1460 if (NULL == sbcontext.deny_prefixes) 1468 if(sb_init == 0) {
1469 init_context(&sbcontext);
1470 cached_env_vars = malloc(sizeof(char *)*4);
1471 cached_env_vars[0] = cached_env_vars[1] = cached_env_vars[2] = cached_env_vars[3] = NULL;
1472 sb_init=1;
1473 }
1474
1475 if((deny == NULL && cached_env_vars[0] != deny) || cached_env_vars[0] == NULL ||
1476 strcmp(cached_env_vars[0], deny) != 0) {
1477
1478 clean_env_entries(&(sbcontext.deny_prefixes),
1479 &(sbcontext.num_deny_prefixes));
1480
1481 if(NULL != cached_env_vars[0])
1482 free(cached_env_vars[0]);
1483
1484 if(NULL != deny) {
1461 init_env_entries(&(sbcontext.deny_prefixes), 1485 init_env_entries(&(sbcontext.deny_prefixes),
1486 &(sbcontext.num_deny_prefixes), "SANDBOX_DENY", deny, 1);
1487 cached_env_vars[0] = strdup(deny);
1488 } else {
1489 cached_env_vars[0] = NULL;
1490 }
1491 }
1492
1493 if((read == NULL && cached_env_vars[1] != read) || cached_env_vars[1] == NULL ||
1494 strcmp(cached_env_vars[1], read) != 0) {
1495
1496 clean_env_entries(&(sbcontext.read_prefixes),
1462 &(sbcontext.num_deny_prefixes), 1497 &(sbcontext.num_read_prefixes));
1463 "SANDBOX_DENY", 1); 1498
1464 if (NULL == sbcontext.read_prefixes) 1499 if(NULL != cached_env_vars[1])
1500 free(cached_env_vars[1]);
1501
1502 if(NULL != read) {
1465 init_env_entries(&(sbcontext.read_prefixes), 1503 init_env_entries(&(sbcontext.read_prefixes),
1504 &(sbcontext.num_read_prefixes), "SANDBOX_READ", read, 1);
1505 cached_env_vars[1] = strdup(read);
1506 } else {
1507 cached_env_vars[1] = NULL;
1508 }
1509 }
1510
1511 if((write == NULL && cached_env_vars[2] != write) || cached_env_vars[2] == NULL ||
1512 strcmp(cached_env_vars[2], write) != 0) {
1513
1514 clean_env_entries(&(sbcontext.write_prefixes),
1466 &(sbcontext.num_read_prefixes), 1515 &(sbcontext.num_write_prefixes));
1467 "SANDBOX_READ", 1); 1516
1468 if (NULL == sbcontext.write_prefixes) 1517 if(NULL != cached_env_vars[2])
1518 free(cached_env_vars[2]);
1519
1520 if(NULL != write) {
1469 init_env_entries(&(sbcontext.write_prefixes), 1521 init_env_entries(&(sbcontext.write_prefixes),
1522 &(sbcontext.num_write_prefixes), "SANDBOX_WRITE", write, 1);
1523 cached_env_vars[2] = strdup(write);
1524 } else {
1525 cached_env_vars[2] = NULL;
1526 }
1527 }
1528
1529 if((predict == NULL && cached_env_vars[3] != predict) || cached_env_vars[3] == NULL ||
1530 strcmp(cached_env_vars[3], predict) != 0) {
1531
1532 clean_env_entries(&(sbcontext.predict_prefixes),
1470 &(sbcontext.num_write_prefixes), 1533 &(sbcontext.num_predict_prefixes));
1471 "SANDBOX_WRITE", 1); 1534
1472 if (NULL == sbcontext.predict_prefixes) 1535 if(NULL != cached_env_vars[3])
1536 free(cached_env_vars[3]);
1537
1538 if(NULL != predict) {
1473 init_env_entries(&(sbcontext.predict_prefixes), 1539 init_env_entries(&(sbcontext.predict_prefixes),
1474 &(sbcontext.num_predict_prefixes), 1540 &(sbcontext.num_predict_prefixes), "SANDBOX_PREDICT", predict, 1);
1475 "SANDBOX_PREDICT", 1); 1541 cached_env_vars[3] = strdup(predict);
1542 } else {
1543 cached_env_vars[3] = NULL;
1544 }
1545
1546 }
1476 1547
1477 result = check_syscall(&sbcontext, func, file); 1548 result = check_syscall(&sbcontext, func, file);
1478 1549
1479 errno = old_errno; 1550 errno = old_errno;
1480 1551
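Review bot: The cleanup loop added to the `NULL == prefixes_env` branch of init_env_entries frees the wrong element: `pfx_item` expands to `(*prefixes_array)[(*prefixes_num)]`, so `free(pfx_item)` inside `for(x=0; x < pfx_num; x++)` releases index pfx_num (one past the last entry) pfx_num times instead of walking the array, and every real entry leaks; it should read `free(pfx_array[x]);`. The same branch then frees `pfx_array` without resetting it, so a later `if(pfx_array)` test or a clean_env_entries call on the same context works on a dangling pointer — add `pfx_array = NULL;` directly after `free(pfx_array);`. In before_syscall the `malloc(sizeof(char *)*4)` result is dereferenced on the next line with no NULL check, and the new locals `read` and `write` shadow the libc functions of the same name in a library whose purpose is to wrap those calls; `env_read`/`env_write` would avoid the -Wshadow noise. Re-reading SANDBOX_* on every call (the constructor no longer loads them) means the active prefix lists now follow whatever the process's own environment holds at call time, which looks intended but deserves a comment at the top of the function. Both init_env_entries and before_syscall continue past the end of their hunks.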

