1 |
# ChangeLog for Path Sandbox |
2 |
# Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2 |
3 |
# $Header$ |
4 |
|
5 |
09 Mar 2005; Brian Harring <ferringb@gentoo.org> sandbox.c: Fixed the |
6 |
infamous "pids file is not a regular file" w/out newline bug. |
7 |
|
8 |
09 Mar 2005; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in: |
9 |
Correct libc_version path detection, since it was screwing up if libdir != |
10 |
"/lib/". |
11 |
|
12 |
02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> libsandbox.c: |
13 |
Hack to make sure sandboxed process cannot remove a device node, bug #79836. |
14 |
|
15 |
02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am: |
16 |
Fix symbols.in not added to dist. |
17 |
|
18 |
02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c, |
19 |
getcwd.c, libsandbox.c, sandbox.c, sandbox.h, sandbox_futils.c: |
20 |
White space fixes. |
21 |
|
22 |
02 Mar 2005; Martin Schlemmer <azarah@gentoo.org> Makefile.am, canonicalize.c, |
23 |
configure.in, getcwd.c, libsandbox.c, symbols.in: |
24 |
Fix inverse test logic in canonicalize.c, use a strncpy. Fix gcc warning in |
25 |
getcwd.c. Add symbols.in and logic to Makefile.am to generate symbol versions |
26 |
for glibc and other libc's that use this. Update libsandbox.c to use these |
27 |
symbol versions if available. Fix exec wrapper to re-export LD_PRELOAD if the |
28 |
process unset it. |
29 |
|
30 |
01 Mar 2005; Brian Harring <ferringb@gentoo.org> libsandbox.c: |
31 |
killed off _init and _fini in favor of |
32 |
void __attribute__ ((constructor)) init_func and |
33 |
void __attribute__ ((destructor)) closing_func. _(init|func) were deprecated. |
34 |
|
35 |
06 Dec 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, libsandbox.c, |
36 |
canonicalize.c, getcwd.c: Fixed compilation *again*. Hopefully cvs is done |
37 |
having the hick-ups. |
38 |
|
39 |
04 Dec 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, getcwd.c, |
40 |
Makefile.am: Fixed compilation. |
41 |
|
42 |
01 Dec 2004; Brian Harring <ferringb@gentoo.org> aclocal.m4: |
43 |
Gutted the bugger so it stops checking for a c++ and fortran compiler. |
44 |
Do *not* regenerate aclocal.m4 for making a release until a better |
45 |
solution is created. |
46 |
|
47 |
20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, sandbox_futils.c: |
48 |
Removal of more hardcoded paths. |
49 |
|
50 |
20 Nov 2004; Brian Harring <ferringb@gentoo.org> Makefile.am, configure.in, |
51 |
sandbox_futils.c: tweaks to install sandbox.bashrc, and use it. |
52 |
|
53 |
19 Nov 2004; Brian Harring <ferringb@gentoo.org>: |
54 |
Sandbox is now autotooled, create-localdecls needs to be killed and the code |
55 |
shifted into configure.in. Currently builds *one* libsandbox.so- if multiple |
56 |
are desired (-m64 and -m32 for amd64), the ebuild should do it (imo). |
57 |
To get to a point of testing, automake && autoconf; created requisite files w/ |
58 |
a(utomake|clocal)-1.8, and autoconf 2.59. Installs to /usr/, instead of |
59 |
/lib and /usr/lib/portage/bin. |
60 |
|
61 |
14 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox.c: |
62 |
closing out bug #70225, potential overflow of the sandbox_pids_file var. |
63 |
|
64 |
07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard, |
65 |
(think it was at least) allows intermixing of code and data segments. bug #70351 |
66 |
should be fixed by this. |
67 |
|
68 |
03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c: |
69 |
futils fix from bug #65201 via solar, and libsandbox log path checks via #69137 |
70 |
|
71 |
02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from |
72 |
Seth Robertson that tracked down all adjuct flags for read operations that |
73 |
do not invoke a write operation. |
74 |
|
75 |
04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: |
76 |
Another fix from jstubbs regarding a free() on a stack variable for the |
77 |
environment -- tracking now prevents extraneous free()'s segfault. |
78 |
|
79 |
04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: |
80 |
J. Stubbs tracked down a new bug where mkdir was failing to the patch on |
81 |
the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir. |
82 |
Also remove the errno = ESUCCESS settings as documentation points out that |
83 |
a library isn't allowed to do that. |
84 |
|
85 |
04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a |
86 |
file_security_check() function to check random potential exploits on files |
87 |
that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes |
88 |
the 'system-crippling' exploits (bug 21923) and catches a few other |
89 |
potential problems. |
90 |
|
91 |
20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for |
92 |
32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work. |
93 |
|
94 |
20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: |
95 |
bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>. |
96 |
Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>. |
97 |
|
98 |
29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c : |
99 |
Fix permissions and group of pids file and logs. Permissions should be 0664 |
100 |
and group should be 'portage'. Bug #34260. |
101 |
|
102 |
28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
103 |
Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed |
104 |
to the real execve (in our execve wrapper). Seems that on some arches (sparc |
105 |
among others) do not allow us to tamper with the readonly copy passed to |
106 |
execve, so pass our own copy of the environment. Bug #42290. |
107 |
|
108 |
11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls: |
109 |
Changed tail to head and added a notice about duration of glibc check. |
110 |
|
111 |
21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls: |
112 |
Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh |
113 |
as there isn't a guarentee that it is dynamic. |
114 |
|
115 |
02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
116 |
If 'file' passed to before_syscall(const char *func, const char *file) is |
117 |
invalid, we should set errno to ENOENT, and not EINVAL. This should |
118 |
close bug #32238. |
119 |
|
120 |
14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
121 |
Fix a bug that occurs mainly on 64bit arch, where the file passed to |
122 |
the functions we wrap, is invalid, and then cause canonicalize to pass |
123 |
garbage to before_syscall(), thanks to great detective work from |
124 |
Andrea Luzzardi <al@sig11.org> (bug #29846). |
125 |
|
126 |
13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : |
127 |
Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>. |
128 |
|
129 |
13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
130 |
Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically |
131 |
only checked the destination patch, and not the source, so we could move |
132 |
a protected file to a unprotected directory, and then delete/modify it. |
133 |
Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix. |
134 |
|
135 |
12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c : |
136 |
Added python2.3 to the predict section/variable. |
137 |
|
138 |
28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, |
139 |
sandbox.h, sandbox_futils.c : |
140 |
Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If |
141 |
it is not set, it will revert to its old value. |
142 |
|
143 |
27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
144 |
Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so, |
145 |
rather than failing with a violation, bug #29748. |
146 |
|
147 |
27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
148 |
Fix canonicalize() to ignore calls with path = "". |
149 |
|
150 |
27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c, |
151 |
sandbox_futils.c, canonicalize.c : |
152 |
Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system |
153 |
call handled strings larger than PATH_MAX (bug #21766). It however does not |
154 |
work the same on 2.4 kernels. |
155 |
|
156 |
To fix, I added the posix implementation of getcwd() (from glibc cvs) that |
157 |
do not need the system call. We use the default getcwd() function via a |
158 |
wrapper (egetcwd), and then lstat the returned path. If lstat fails, it |
159 |
means the current directory was removed, OR that the the system call for |
160 |
getcwd failed (curious is that it do not fail and return NULL or set |
161 |
errno, but rather just truncate the retured directory - usually from the |
162 |
start), and if so, we use the generic getcwd() function (__egetcwd). Note |
163 |
that we do not use the generic version all the time, as it calls lstat() |
164 |
a great number of times, and performance degrade much. |
165 |
|
166 |
29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls, |
167 |
libsandbox.c : |
168 |
Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks. |
169 |
|
170 |
22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c |
171 |
create-localdecls : |
172 |
When checking path names of files accessed, we need to canonicalize it, else |
173 |
it may be a symlink in a 'write allowed' directory pointing to a file in a |
174 |
directory we should not have write access to. |
175 |
|
176 |
With something like coreutils-5.0, we have two problems: |
177 |
1) One of the tests checks if getcwd() can return a path longer than |
178 |
PATH_MAX. This test then tries to create a dir which even while |
179 |
created local (mkdir("conftest2")), it ends up being resolved with |
180 |
a name that is much larger than PATH_MAX. The problem now is that |
181 |
canonicalize() have undefined behaviour when the path was too long |
182 |
(returned wrongly truncated paths, etc), and pass the wrong path to |
183 |
before_syscall() (causing the bogus sandbox violations). |
184 |
2) The ecanonicalize() function we used, along with the canonicalize() |
185 |
function did not support longer than PATH_MAX. This is partly a |
186 |
cause for 1), but the error checking (rather lack of it) of calls |
187 |
to erealpath() in canonicalize() was the prime reason for 1). |
188 |
|
189 |
As we do not use this canonicalized name to call the function, we resolve this |
190 |
by fixing canonicalize() to do better error checking, and ecanonicalize() as |
191 |
well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'. |
192 |
While they will resolve paths properly now, and can check if a write/read is |
193 |
allowed, the functions called from the sandboxed environment will still work |
194 |
as expected. |
195 |
|
196 |
This should resolve bug #21766. |
197 |
|
198 |
06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : |
199 |
For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under |
200 |
it (bug #16298). |
201 |
|
202 |
Problem is that for some reason locale fopen's locale.alias with mode "rm". |
203 |
|
204 |
------------------------------------------------------- |
205 |
nosferatu root # grep fopen locale.log |
206 |
fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias |
207 |
nosferatu root # |
208 |
-------------------------------------------------------- |
209 |
|
210 |
I checked the source of locale, but it have fopen with mode 'r', so |
211 |
not sure where the "rm" mode comes from. Anyhow, changed the check in |
212 |
before_syscall_open_char() to also see mode "rm" as readonly. |
213 |
|
214 |
23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : |
215 |
|
216 |
Add glibc-2.3 support. |
217 |
|
218 |
22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c : |
219 |
|
220 |
Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all |
221 |
operations releated to preload, as well as only try to modify ld.so.preload |
222 |
if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when |
223 |
not using ld.so.preload. Fix to not write this instance of sandbox's pid |
224 |
to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running. |
225 |
|
226 |
22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile : |
227 |
|
228 |
Changed the LD to CC for hppa. |
229 |
|
230 |
22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : |
231 |
|
232 |
Killed the previous changes I made. |
233 |
|
234 |
17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : |
235 |
|
236 |
Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs. |
237 |
|
238 |
09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c : |
239 |
|
240 |
Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868. |
241 |
|
242 |
16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls : |
243 |
|
244 |
Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro> |
245 |
for this fix. |
246 |
|
247 |
4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c : |
248 |
|
249 |
sandbox_futils defined a dirname() function that was masking the same |
250 |
function in glibc and was broken (e.g.: SANDBOX_DIR was being set to |
251 |
'/usr/lib/portage/bi/'). Fixed function to return expected results and |
252 |
renamed it to sb_dirname() to no longer mask the glibc function. Closes bug |
253 |
11231. |
254 |
|
255 |
4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> : |
256 |
|
257 |
Fix a segfault in libsandbox.c if canonicalize() was called with |
258 |
first parameter = NULL. |
259 |
|
260 |
1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> : |
261 |
|
262 |
Fix my braindead 'return 1;' in a void function. Updated sandbox.c, |
263 |
cleanup() for this. |
264 |
|
265 |
Change cleanup() in sandbox.c not to exit with fail status if |
266 |
the pidsfile is missing. We really should still display sandbox |
267 |
violations if they occured. |
268 |
|
269 |
31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
270 |
|
271 |
Update cleanup() in sandbox.c to remove the PIDSFILE if this is |
272 |
the last sandbox running. |
273 |
|
274 |
25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
275 |
|
276 |
Major cleanups to mainly libsandbox.c again. |
277 |
|
278 |
22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
279 |
|
280 |
Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the |
281 |
parties involved should please contact me so that we can fix it. |
282 |
|
283 |
Add opendir wrapper to libsandbox.c. |
284 |
|
285 |
21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
286 |
|
287 |
Do some more cleanups to ecanonicalize(), as it dropped filenames in |
288 |
rare cases (after my symlink cleanups), and caused glibc to bork. |
289 |
These fixes went into canonicalize.c. |
290 |
|
291 |
20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
292 |
|
293 |
Fix spawn_shell() and main() in sandbox.c to properly return fail |
294 |
status. |
295 |
|
296 |
19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
297 |
|
298 |
The new canonicalize() function in libsandbox.c also resolved symlinks, |
299 |
which caused on cleaning sandbox errors if the symlink pointed to a |
300 |
file in the live root. Ripped out canonicalize() and realpath() from |
301 |
glibc; removed the symlink stuff, and changed them to ecanonicalize() |
302 |
and erealpath(). |
303 |
|
304 |
18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : |
305 |
|
306 |
Ripped out all the wrappers, and implemented those of InstallWatch. |
307 |
Losts of cleanups and bugfixes. Implement a execve that forces |
308 |
$LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared |
309 |
/etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c, |
310 |
sandbox.h and sandbox_futils.c. Rewrote the Makefile for most |
311 |
parts; it now have an install target. |
312 |
|
313 |
Reformat the whole thing to look somewhat like the reworked sandbox.c |
314 |
and new sandbox.h and sandbox_futils.c from: |
315 |
|
316 |
Brad House <brad@mainstreetsoftworks.com>. |
317 |
|
318 |
Additional Copyrights now due to the InstallWatch code: |
319 |
|
320 |
Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net> |