Diffstat (limited to 'sys-apps/sandbox/files')
20 files changed, 1086 insertions, 0 deletions
diff --git a/sys-apps/sandbox/files/0001-libsandbox-handle-more-at-functions.patch b/sys-apps/sandbox/files/0001-libsandbox-handle-more-at-functions.patch new file mode 100644 index 0000000..09462b7 --- /dev/null +++ b/sys-apps/sandbox/files/0001-libsandbox-handle-more-at-functions.patch @@ -0,0 +1,42 @@ +From 25425878243c5ca1ff21e6f479e585c60b943930 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 30 Mar 2009 19:56:29 -0400 +Subject: [PATCH] libsandbox: handle more *at functions + +Add some more *at functions to the main checking code. + +URL: http://bugs.gentoo.org/264320 +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +Reported-by: Harald van Dijk <truedfx@gentoo.org> +--- + libsandbox/libsandbox.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c +index 88248af..c3f0b55 100644 +--- a/libsandbox/libsandbox.c ++++ b/libsandbox/libsandbox.c +@@ -681,15 +681,20 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, + sb_nr == SB_NR_CREAT || + sb_nr == SB_NR_CREAT64 || + sb_nr == SB_NR_MKDIR || ++ sb_nr == SB_NR_MKDIRAT || + sb_nr == SB_NR_MKNOD || + sb_nr == SB_NR_MKNODAT || + sb_nr == SB_NR__XMKNOD || + sb_nr == SB_NR___XMKNOD || + sb_nr == SB_NR___XMKNODAT || + sb_nr == SB_NR_MKFIFO || ++ sb_nr == SB_NR_MKFIFOAT || + sb_nr == SB_NR_LINK || ++ sb_nr == SB_NR_LINKAT || + sb_nr == SB_NR_SYMLINK || ++ sb_nr == SB_NR_SYMLINKAT || + sb_nr == SB_NR_RENAME || ++ sb_nr == SB_NR_RENAMEAT || + sb_nr == SB_NR_LUTIMES || + sb_nr == SB_NR_UTIMENSAT || + sb_nr == SB_NR_UTIME || +-- +1.6.2 + diff --git a/sys-apps/sandbox/files/09sandbox b/sys-apps/sandbox/files/09sandbox new file mode 100644 index 0000000..9181eb0 --- /dev/null +++ b/sys-apps/sandbox/files/09sandbox @@ -0,0 +1 @@ +CONFIG_PROTECT_MASK="/etc/sandbox.d" 
diff --git a/sys-apps/sandbox/files/sandbox-1.2.17-prefix.patch b/sys-apps/sandbox/files/sandbox-1.2.17-prefix.patch
new file mode 100644
index 0000000..9834855
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.2.17-prefix.patch
@@ -0,0 +1,209 @@ +* Michael Haubenwallner <michael.haubenwallner@salomon.at> + Prefix awareness for sandbox + +diff -ruN sandbox-1.2.17.orig/configure.ac sandbox-1.2.17/configure.ac +--- sandbox-1.2.17.orig/configure.ac 2005-12-05 15:03:35.000000000 +0100 ++++ sandbox-1.2.17/configure.ac 2006-07-27 16:14:28.000000000 +0200 +@@ -156,5 +156,7 @@ + Makefile + scripts/Makefile + data/Makefile ++ data/sandbox.bashrc ++ data/sandbox.profile + src/Makefile + ]) +diff -ruN sandbox-1.2.17.orig/data/sandbox.bashrc sandbox-1.2.17/data/sandbox.bashrc +--- sandbox-1.2.17.orig/data/sandbox.bashrc 2005-12-01 00:14:28.000000000 +0100 ++++ sandbox-1.2.17/data/sandbox.bashrc 1970-01-01 01:00:00.000000000 +0100 +@@ -1,18 +0,0 @@ +-# Copyright (C) 2001 Geert Bevin, Uwyn, http://www.uwyn.com +-# Distributed under the terms of the GNU General Public License, v2 or later +-# Author : Geert Bevin <gbevin@uwyn.com> +-# $Header$ +-source /etc/profile +- +-if [[ -n ${LD_PRELOAD} && ${LD_PRELOAD} != *$SANDBOX_LIB* ]] ; then +- export LD_PRELOAD="${SANDBOX_LIB} ${LD_PRELOAD}" +-elif [[ -z ${LD_PRELOAD} ]] ; then +- export LD_PRELOAD="${SANDBOX_LIB}" +-fi +- +-export BASH_ENV="${SANDBOX_BASHRC}" +- +-alias make="make LD_PRELOAD=${LD_PRELOAD}" +-alias su="su -c '/bin/bash -rcfile ${SANDBOX_BASHRC}'" +- +-declare -r SANDBOX_ACTIVE +diff -ruN sandbox-1.2.17.orig/data/sandbox.bashrc.in sandbox-1.2.17/data/sandbox.bashrc.in +--- sandbox-1.2.17.orig/data/sandbox.bashrc.in 1970-01-01 01:00:00.000000000 +0100 ++++ sandbox-1.2.17/data/sandbox.bashrc.in 2006-07-27 16:13:40.000000000 +0200 +@@ -0,0 +1,17 @@ ++# Copyright (C) 2001 Geert Bevin, Uwyn, http://www.uwyn.com ++# Distributed under the terms of the GNU General Public License, v2 or later ++# Author : Geert Bevin <gbevin@uwyn.com> ++# $Header$ ++ ++if [[ -n ${LD_PRELOAD} && ${LD_PRELOAD} != *$SANDBOX_LIB* ]] ; then ++ export LD_PRELOAD="${SANDBOX_LIB} ${LD_PRELOAD}" ++elif [[ -z ${LD_PRELOAD} ]] ; then ++ export LD_PRELOAD="${SANDBOX_LIB}" ++fi ++ 
++export BASH_ENV="${SANDBOX_BASHRC}" ++ ++alias make="make LD_PRELOAD=${LD_PRELOAD}" ++alias su="su -c '@CU_BASH@ -rcfile ${SANDBOX_PROFILE}'" ++ ++declare -r SANDBOX_ACTIVE +diff -ruN sandbox-1.2.17.orig/data/sandbox.profile.in sandbox-1.2.17/data/sandbox.profile.in +--- sandbox-1.2.17.orig/data/sandbox.profile.in 1970-01-01 01:00:00.000000000 +0100 ++++ sandbox-1.2.17/data/sandbox.profile.in 2006-07-27 16:12:05.000000000 +0200 +@@ -0,0 +1,7 @@ ++# Copyright (C) 2001 Michael Haubenwallner, Salomon Automation, http://www.salomon.at ++# Distributed under the terms of the GNU General Public License, v2 or later ++# Author : Michael Haubenwallner <michael.haubenwallner@salomon.at> ++# $Header$ ++ ++source @sysconfdir@/profile ++source "${SANDBOX_BASHRC}" +diff -ruN sandbox-1.2.17.orig/src/Makefile.am sandbox-1.2.17/src/Makefile.am +--- sandbox-1.2.17.orig/src/Makefile.am 2005-12-05 14:16:52.000000000 +0100 ++++ sandbox-1.2.17/src/Makefile.am 2006-07-27 16:12:05.000000000 +0200 +@@ -7,6 +7,7 @@ + -DPIC -fPIC -D_REENTRANT \ + -DLIBSANDBOX_PATH=\"$(libdir)\" \ + -DSANDBOX_BASHRC_PATH=\"$(pkgdatadir)\" \ ++ -DLOCALSTATEDIR=\"$(localstatedir)\" \ + -I$(top_srcdir) -Wall + + LOCAL_INCLUDES = $(top_srcdir)/localdecls.h +diff -ruN sandbox-1.2.17.orig/src/sandbox.c sandbox-1.2.17/src/sandbox.c +--- sandbox-1.2.17.orig/src/sandbox.c 2005-12-05 14:15:45.000000000 +0100 ++++ sandbox-1.2.17/src/sandbox.c 2006-07-27 16:12:05.000000000 +0200 +@@ -33,6 +33,7 @@ + char sandbox_debug_log[SB_PATH_MAX]; + char sandbox_lib[SB_PATH_MAX]; + char sandbox_rc[SB_PATH_MAX]; ++ char sandbox_profile[SB_PATH_MAX]; + char work_dir[SB_PATH_MAX]; + char var_tmp_dir[SB_PATH_MAX]; + char tmp_dir[SB_PATH_MAX]; +@@ -81,6 +82,9 @@ + /* Generate sandbox bashrc path */ + get_sandbox_rc(sandbox_info->sandbox_rc); + ++ /* Generate sandbox bashprofile path */ ++ get_sandbox_profile(sandbox_info->sandbox_profile); ++ + /* Generate sandbox log full path */ + get_sandbox_log(sandbox_info->sandbox_log); + if (1 
== exists(sandbox_info->sandbox_log)) { +@@ -278,6 +282,7 @@ + unsetenv(ENV_SANDBOX_ON); + unsetenv(ENV_SANDBOX_LIB); + unsetenv(ENV_SANDBOX_BASHRC); ++ unsetenv(ENV_SANDBOX_PROFILE); + unsetenv(ENV_SANDBOX_LOG); + unsetenv(ENV_SANDBOX_DEBUG_LOG); + +@@ -322,6 +327,7 @@ + sandbox_setenv(new_environ, ENV_SANDBOX_ON, "1"); + sandbox_setenv(new_environ, ENV_SANDBOX_LIB, sandbox_info->sandbox_lib); + sandbox_setenv(new_environ, ENV_SANDBOX_BASHRC, sandbox_info->sandbox_rc); ++ sandbox_setenv(new_environ, ENV_SANDBOX_PROFILE, sandbox_info->sandbox_profile); + sandbox_setenv(new_environ, ENV_SANDBOX_LOG, sandbox_info->sandbox_log); + sandbox_setenv(new_environ, ENV_SANDBOX_DEBUG_LOG, + sandbox_info->sandbox_debug_log); +@@ -458,6 +464,11 @@ + exit(EXIT_FAILURE); + } + ++ if (0 >= exists(sandbox_info.sandbox_profile)) { ++ perror("sandbox: Could not open the sandbox profile file"); ++ exit(EXIT_FAILURE); ++ } ++ + /* set up the required environment variables */ + if (print_debug) + printf("Setting up the required environment variables.\n"); +@@ -476,7 +487,7 @@ + argv_bash = (char **)malloc(6 * sizeof(char *)); + argv_bash[0] = strdup("/bin/bash"); + argv_bash[1] = strdup("-rcfile"); +- argv_bash[2] = strdup(sandbox_info.sandbox_rc); ++ argv_bash[2] = strdup(sandbox_info.sandbox_profile); + + if (argc < 2) + argv_bash[3] = NULL; +diff -ruN sandbox-1.2.17.orig/src/sandbox.h sandbox-1.2.17/src/sandbox.h +--- sandbox-1.2.17.orig/src/sandbox.h 2005-12-05 14:23:13.000000000 +0100 ++++ sandbox-1.2.17/src/sandbox.h 2006-07-27 16:12:05.000000000 +0200 +@@ -17,10 +17,11 @@ + #define LD_PRELOAD_FILE "/etc/ld.so.preload" + #define LIB_NAME "libsandbox.so" + #define BASHRC_NAME "sandbox.bashrc" ++#define BASHPROFILE_NAME "sandbox.profile" + #define TMPDIR "/tmp" +-#define VAR_TMPDIR "/var/tmp" +-#define PORTAGE_TMPDIR "/var/tmp/portage" +-#define SANDBOX_LOG_LOCATION "/var/log/sandbox" ++#define VAR_TMPDIR LOCALSTATEDIR "/tmp" ++#define PORTAGE_TMPDIR VAR_TMPDIR "/portage" ++#define 
SANDBOX_LOG_LOCATION LOCALSTATEDIR "/log/sandbox" + #define LOG_FILE_PREFIX "/sandbox-" + #define DEBUG_LOG_FILE_PREFIX "/sandbox-debug-" + #define LOG_FILE_EXT ".log" +@@ -38,6 +39,7 @@ + + #define ENV_SANDBOX_LIB "SANDBOX_LIB" + #define ENV_SANDBOX_BASHRC "SANDBOX_BASHRC" ++#define ENV_SANDBOX_PROFILE "SANDBOX_PROFILE" + #define ENV_SANDBOX_LOG "SANDBOX_LOG" + #define ENV_SANDBOX_DEBUG_LOG "SANDBOX_DEBUG_LOG" + +diff -ruN sandbox-1.2.17.orig/src/sandbox_utils.c sandbox-1.2.17/src/sandbox_utils.c +--- sandbox-1.2.17.orig/src/sandbox_utils.c 2005-12-05 09:36:32.000000000 +0100 ++++ sandbox-1.2.17/src/sandbox_utils.c 2006-07-27 16:12:05.000000000 +0200 +@@ -42,6 +42,11 @@ + snprintf(path, SB_PATH_MAX, "%s/%s", SANDBOX_BASHRC_PATH, BASHRC_NAME); + } + ++void get_sandbox_profile(char *path) ++{ ++ snprintf(path, SB_PATH_MAX, "%s/%s", SANDBOX_BASHRC_PATH, BASHPROFILE_NAME); ++} ++ + void get_sandbox_log(char *path) + { + char *sandbox_log_env = NULL; +--- sandbox-1.2.17/data/Makefile.am.orig 2006-07-27 16:25:09.000000000 +0200 ++++ sandbox-1.2.17/data/Makefile.am 2006-07-27 16:25:18.000000000 +0200 +@@ -1,3 +1 @@ +-dist_pkgdata_DATA = sandbox.bashrc +- +-EXTRA_DIST = sandbox.bashrc ++dist_pkgdata_DATA = sandbox.bashrc sandbox.profile +diff -ru sandbox-1.2.17.orig/configure.ac sandbox-1.2.17/configure.ac +--- sandbox-1.2.17.orig/configure.ac 2005-12-05 15:03:35.000000000 +0100 ++++ sandbox-1.2.17/configure.ac 2006-07-21 13:12:39.000000000 +0200 +@@ -10,6 +10,8 @@ + AC_PROG_MAKE_SET + AC_PROG_AWK + AC_CHECK_PROGS([READELF], [readelf], [false]) ++AC_PATH_PROGS([CU_BASH], [bash], [/bin/bash]) ++AC_DEFINE_UNQUOTED([CU_BASH], ["${CU_BASH}"], [path to bash binary]) + + AC_ENABLE_SHARED + AC_DISABLE_STATIC +diff -ru sandbox-1.2.17.orig/src/sandbox.c sandbox-1.2.17/src/sandbox.c +--- sandbox-1.2.17.orig/src/sandbox.c 2005-12-05 14:15:45.000000000 +0100 ++++ sandbox-1.2.17/src/sandbox.c 2006-07-21 13:15:29.000000000 +0200 +@@ -474,7 +474,7 @@ + chdir(sandbox_info.work_dir); + + 
argv_bash = (char **)malloc(6 * sizeof(char *)); +- argv_bash[0] = strdup("/bin/bash"); ++ argv_bash[0] = strdup(CU_BASH); + argv_bash[1] = strdup("-rcfile"); + argv_bash[2] = strdup(sandbox_info.sandbox_rc); + diff --git a/sys-apps/sandbox/files/sandbox-1.2.18.1-open-cloexec.patch b/sys-apps/sandbox/files/sandbox-1.2.18.1-open-cloexec.patch new file mode 100644 index 0000000..806f1a3 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-1.2.18.1-open-cloexec.patch @@ -0,0 +1,15 @@ +http://bugs.gentoo.org/196720 + +mark the new "e" fopen() flag as safe + +--- sandbox-1.2.18.1/src/libsandbox.c ++++ sandbox-1.2.18.1/src/libsandbox.c +@@ -1595,7 +1595,7 @@ + { + if (*mode == 'r' && (0 == (strcmp(mode, "r")) || + /* The strspn accept args are known non-writable modifiers */ +- (strlen(++mode) == strspn(mode, "xbtmc")))) { ++ (strlen(++mode) == strspn(mode, "xbtmce")))) { + return before_syscall("open_rd", file); + } else { + return before_syscall("open_wr", file); diff --git a/sys-apps/sandbox/files/sandbox-1.2.18.1-open-normal-fail.patch b/sys-apps/sandbox/files/sandbox-1.2.18.1-open-normal-fail.patch new file mode 100644 index 0000000..49b57e4 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-1.2.18.1-open-normal-fail.patch 
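Review bot: The trailing `diff -ru` hunk for src/sandbox.c (`@@ -474,7 +474,7 @@`) carries `argv_bash[2] = strdup(sandbox_info.sandbox_rc);` as context, but the earlier sandbox.c hunk in this same patch (`@@ -476,7 +487,7 @@`) rewrites that line to `strdup(sandbox_info.sandbox_profile)`, so the second hunk only lands with fuzz once the first has been applied. Folding the `CU_BASH` change into the first sandbox.c hunk, or regenerating the patch against a tree that already carries the profile change, makes it apply cleanly; the two separate configure.ac hunks could be merged the same way. Separately, the new `if (0 >= exists(sandbox_info.sandbox_profile))` block reports through `perror`, which is only meaningful if `exists()` leaves errno set from its failed lookup, so that is worth confirming against sandbox_utils.c. The enclosing `main()` begins and ends outside these hunks.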
@@ -0,0 +1,99 @@ +Patch from Kevin F. Quinn at https://bugs.gentoo.org/show_bug.cgi?id=135745 +Already applied in sandbox svn + +Makes sandboxed open() calls return the normal error conditions if the +file in question does not exist, without causing a sandbox violation. +This allows programs to use open() to test for file existance, regardless +of read-write flags. This is not revealing any further information about +the backing system because this data was already available through stat(). + +Index: src/libsandbox.c +=================================================================== +--- src/libsandbox.c.orig ++++ src/libsandbox.c +@@ -80,6 +80,9 @@ + #define FUNCTION_SANDBOX_SAFE_ACCESS(_func, _path, _flags) \ + ((0 == is_sandbox_on()) || (1 == before_syscall_access(_func, _path, _flags))) + ++#define FUNCTION_SANDBOX_FAIL_OPEN_INT(_func, _path, _flags) \ ++ ((0 == is_sandbox_on()) || (1 == before_syscall_open_int(_func, _path, _flags))) ++ + #define FUNCTION_SANDBOX_SAFE_OPEN_INT(_func, _path, _flags) \ + ((0 == is_sandbox_on()) || (1 == before_syscall_open_int(_func, _path, _flags))) + +@@ -388,6 +391,16 @@ static FILE * (*true_ ## _name) (const c + FILE *_name(const char *pathname, const char *mode) \ + { \ + FILE *result = NULL; \ ++ int my_errno = errno; \ ++ struct stat st; \ ++\ ++ if (mode!=NULL && mode[0]=='r') { \ ++ /* If we're trying to read, fail normally if file does not stat */\ ++ if (-1 == stat(pathname, &st)) { \ ++ return NULL; \ ++ } \ ++ } \ ++ errno = my_errno; \ + \ + if FUNCTION_SANDBOX_SAFE_OPEN_CHAR("fopen", pathname, mode) { \ + check_dlsym(_name); \ +@@ -561,12 +574,20 @@ int _name(const char *pathname, int flag + va_list ap; \ + int mode = 0; \ + int result = -1; \ ++ int my_errno = errno; \ ++ struct stat st; \ + \ + if (flags & O_CREAT) { \ + va_start(ap, flags); \ + mode = va_arg(ap, int); \ + va_end(ap); \ ++ } else { \ ++ /* If we're not trying to create, fail normally if file does not stat */\ ++ if (-1 == stat(pathname, &st)) 
{ \ ++ return -1; \ ++ } \ + } \ ++ errno = my_errno; \ + \ + if FUNCTION_SANDBOX_SAFE_OPEN_INT("open", pathname, flags) { \ + check_dlsym(_name); \ +@@ -726,6 +747,16 @@ static FILE * (*true_ ## _name) (const c + FILE *_name(const char *pathname, const char *mode) \ + { \ + FILE *result = NULL; \ ++ int my_errno = errno; \ ++ struct stat64 st; \ ++\ ++ if (mode!=NULL && mode[0]=='r') { \ ++ /* If we're trying to read, fail normally if file does not stat */\ ++ if (-1 == stat64(pathname, &st)) { \ ++ return NULL; \ ++ } \ ++ } \ ++ errno = my_errno; \ + \ + if FUNCTION_SANDBOX_SAFE_OPEN_CHAR("fopen64", pathname, mode) { \ + check_dlsym(_name); \ +@@ -746,12 +777,20 @@ int _name(const char *pathname, int flag + va_list ap; \ + int mode = 0; \ + int result = -1; \ ++ int my_errno = errno; \ ++ struct stat64 st; \ + \ + if (flags & O_CREAT) { \ + va_start(ap, flags); \ + mode = va_arg(ap, int); \ + va_end(ap); \ ++ } else { \ ++ /* If we're not trying to create, fail normally if file does not stat */\ ++ if (-1 == stat64(pathname, &st)) { \ ++ return -1; \ ++ } \ + } \ ++ errno = my_errno; \ + \ + if FUNCTION_SANDBOX_SAFE_OPEN_INT("open64", pathname, flags) { \ + check_dlsym(_name); \ diff --git a/sys-apps/sandbox/files/sandbox-1.2.18.1-rtld-validation.patch b/sys-apps/sandbox/files/sandbox-1.2.18.1-rtld-validation.patch new file mode 100644 index 0000000..36e96f5 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-1.2.18.1-rtld-validation.patch 
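Review bot: `FUNCTION_SANDBOX_FAIL_OPEN_INT` is added with a body identical to `FUNCTION_SANDBOX_SAFE_OPEN_INT` and nothing else in the patch refers to it, so it is dead duplication that should be dropped or given the distinct meaning its name implies. The new pre-`stat()` in the open/open64/fopen/fopen64 wrappers is a check-then-act on a path another process may change before the real open runs; the access check still executes afterwards so this does not weaken the sandbox, but the errno callers now see comes from stat() rather than open() (a dangling symlink opened with `O_NOFOLLOW` yields ENOENT instead of ELOOP, for example), and the comment `/* If we're not trying to create, fail normally if file does not stat */` should say that the errno is stat()'s. The wrapper macros these hunks modify continue past the end of each hunk.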
@@ -0,0 +1,43 @@
+From: Robin H. Johnson <robbat2@gentoo.org>
+Gentoo-Bug: 206678
+X-Gentoo-URL: http://bugs.gentoo.org/show_bug.cgi?id=206678
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+Based on a previous revision by solar@gentoo.org.
+It seems that on hardened systems, USE_RTLD_NEXT is not always usable, and this
+trips up sandbox.
+
+diff -Nuar sandbox-1.2.18.1.orig/src/libsandbox.c sandbox-1.2.18.1/src/libsandbox.c
+--- sandbox-1.2.18.1.orig/src/libsandbox.c 2008-06-27 16:15:53.000000000 +0000
++++ sandbox-1.2.18.1/src/libsandbox.c 2008-06-27 16:20:26.000000000 +0000
+@@ -192,18 +192,24 @@
+ {
+ void *symaddr = NULL;
+
+- if (NULL == libc_handle) {
+-#if !defined(USE_RTLD_NEXT)
++#if defined(USE_RTLD_NEXT)
++ libc_handle = RTLD_NEXT;
++#endif
++
++ /* Checking for -1UL is significent on hardened!
++ * USE_RTLD_NEXT returns it as a sign of being unusable.
++ * However using !x or NULL checks does NOT pick it up!
++ */
++#define INVALID_LIBC_HANDLE(x) (!x || NULL == x || -1UL == x)
++ if (INVALID_LIBC_HANDLE(libc_handle)) {
+ libc_handle = dlopen(LIBC_VERSION, RTLD_LAZY);
+- if (!libc_handle) {
++ if (INVALID_LIBC_HANDLE(libc_handle)) {
+ fprintf(stderr, "libsandbox: Can't dlopen libc: %s\n",
+ dlerror());
+ exit(EXIT_FAILURE);
+ }
+-#else
+- libc_handle = RTLD_NEXT;
+-#endif
+ }
++#undef INVALID_LIBC_HANDLE
+
+ if (NULL == symver)
+ symaddr = dlsym(libc_handle, symname);
diff --git a/sys-apps/sandbox/files/sandbox-1.2.20_alpha2-parallel.patch b/sys-apps/sandbox/files/sandbox-1.2.20_alpha2-parallel.patch
new file mode 100644
index 0000000..cbf769f
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.2.20_alpha2-parallel.patch
@@ -0,0 +1,12 @@
+http://bugs.gentooorg/190051
+
+--- libsandbox/Makefile.in
++++ libsandbox/Makefile.in
+@@ -517,6 +517,7 @@
+
+
+ libsandbox.c: libsandbox.map symbols.h
++wrappers.c: symbols.h
+
+ libsandbox.map: $(SYMBOLS_FILE) $(GEN_VERSION_MAP_SCRIPT)
+ @echo "Generating $@"; \
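Review bot: `INVALID_LIBC_HANDLE(x)` compares the `void *` handle with `-1UL`, an integer, which C only permits through a cast and GCC reports as a pointer/integer comparison; `!x` and `NULL == x` are also the same test twice and the macro argument is unparenthesised. `#define INVALID_LIBC_HANDLE(x) ((x) == NULL || (x) == (void *)-1L)` expresses the intent (glibc defines `RTLD_NEXT` as `((void *) -1l)`). Also, with `USE_RTLD_NEXT` defined the new code assigns `libc_handle = RTLD_NEXT` unconditionally at the top of the function where the removed `if (NULL == libc_handle)` guard used to be; if libc_handle is the file-scope cache it appears to be, a handle obtained from the `dlopen()` fallback is discarded on every call and libc is re-dlopen()ed each time a symbol is resolved, so the assignment should only happen while `libc_handle` is still unset. The enclosing function starts outside the hunk.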
diff --git a/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch b/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch
new file mode 100644
index 0000000..490bc41
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch
@@ -0,0 +1,37 @@
+http://bugs.gentoo.org/263657
+
+disable pthread locks ... this is how stable has always worked, so there
+wont be any regressions ...
+
+diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
+index 034d0e7..595d17f 100644
+--- a/libsandbox/libsandbox.c
++++ b/libsandbox/libsandbox.c
+@@ -814,9 +814,6 @@
+ return result;
+ }
+
+-/* Need to protect the global sbcontext structure */
+-static pthread_mutex_t sb_syscall_lock = PTHREAD_MUTEX_INITIALIZER;
+-
+ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, int flags)
+ {
+ int old_errno = errno;
+@@ -843,8 +840,6 @@
+ file = at_file_buf;
+ }
+
+- pthread_mutex_lock(&sb_syscall_lock);
+-
+ if (!sb_init) {
+ init_context(&sbcontext);
+ sb_init = true;
+@@ -885,8 +880,6 @@
+
+ result = check_syscall(&sbcontext, sb_nr, func, file, flags);
+
+- pthread_mutex_unlock(&sb_syscall_lock);
+-
+ if (0 == result) {
+ if ((NULL != getenv(ENV_SANDBOX_PID)) && (is_env_on(ENV_SANDBOX_ABORT)))
+
diff --git a/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch b/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch
new file mode 100644
index 0000000..754ef01
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch
@@ -0,0 +1,13 @@
+sandbox-1.7 traces static apps so disable the qa notice as it just scares
+users ... dont want scary stuff in stable!
+
+--- libsandbox/wrapper-funcs/__wrapper_exec.c
++++ libsandbox/wrapper-funcs/__wrapper_exec.c
+@@ -221,7 +221,6 @@
+ if (!FUNCTION_SANDBOX_SAFE(path))
+ return result;
+
+- sb_check_exec(path, argv);
+ }
+ #endif
+
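Review bot: Removing `sb_syscall_lock` leaves `before_syscall()` with an unsynchronised check-then-set on `sb_init` (`if (!sb_init) { init_context(&sbcontext); sb_init = true; }`) and a shared `sbcontext` handed to `check_syscall()` with no guard, so two threads entering wrapped calls at the same time can initialise the context twice or read it while it is being written, which can make the access decision inconsistent for one of them. The description justifies this as matching earlier stable behaviour, but the new code should say so where the removed comment `/* Need to protect the global sbcontext structure */` used to sit, e.g. `/* NOTE: sbcontext and sb_init are shared and accessed without locking by design; see bug 263657 */`, so the race is a recorded decision rather than something the next reader takes for an oversight. `before_syscall()` continues past the end of the hunks.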
diff --git a/sys-apps/sandbox/files/sandbox-1.9-setoptions.patch b/sys-apps/sandbox/files/sandbox-1.9-setoptions.patch
new file mode 100644
index 0000000..34e8722
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.9-setoptions.patch
@@ -0,0 +1,15 @@
+ Fix undefined PTRACE_SETOPTIONS error, patch by grobian
+
+diff --git a/libsandbox/trace.c b/libsandbox/trace.c
+index 7c5ec17..eaf520f 100644
+--- a/libsandbox/trace.c
++++ b/libsandbox/trace.c
+@@ -425,7 +425,7 @@ void trace_main(const char *filename, char *const argv[])
+ SB_DEBUG("parent waiting for child (pid=%i) to signal", trace_pid);
+ while (!child_stopped)
+ sched_yield();
+-#ifdef PTRACE_O_TRACESYSGOOD
++#if defined(PTRACE_O_TRACESYSGOOD) && defined(PTRACE_SETOPTIONS)
+ /* Not all kernel versions support this, so ignore return */
+ ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
+ #endif
diff --git a/sys-apps/sandbox/files/sandbox-2.0-prefix.patch b/sys-apps/sandbox/files/sandbox-2.0-prefix.patch
new file mode 100644
index 0000000..5e32912
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.0-prefix.patch
@@ -0,0 +1,37 @@ +* heiko's way of getting this thing going +http://repo.or.cz/w/heikos-i-prolly-break-your-prefix-overlay.git?a=blob;f=sys-apps/sandbox/files/sandbox-2.0-prefix.patch;h=7b4f568679522682ba784853829a0f2b1272b21d;hb=HEAD + +diff --git a/libsbutil/get_sandbox_lib.c b/libsbutil/get_sandbox_lib.c +index b64a5ac..1cf4832 100644 +--- a/libsbutil/get_sandbox_lib.c ++++ b/libsbutil/get_sandbox_lib.c +@@ -22,6 +22,7 @@ + void get_sandbox_lib(char *path) + { + save_errno(); ++#ifndef GENTOO_PREFIX + strcpy(path, LIB_NAME); + if (strncmp("/usr/lib", LIBSANDBOX_PATH, 8)) { + void *hndl = dlopen(path, RTLD_LAZY); +@@ -30,5 +31,10 @@ void get_sandbox_lib(char *path) + else + dlclose(hndl); + } ++#else ++ /* Gentoo Prefix always needs the absolute path due to DT_R*PATH usage ++ * within dlopen(). */ ++ snprintf(path, SB_PATH_MAX, "%s/%s", LIBSANDBOX_PATH, LIB_NAME); ++#endif + restore_errno(); + } +--- a/etc/sandbox.d/00default.orig 2009-06-22 14:10:30.000000000 +0200 ++++ a/etc/sandbox.d/00default 2009-06-22 14:11:41.000000000 +0200 +@@ -14,7 +14,7 @@ + # Finally add current directory if interactive + SANDBOX_WRITE="${SANDBOX_WORKDIR}" + # Needed for configure tests +-SANDBOX_WRITE="/usr/tmp/conftest:/usr/lib/conftest:/usr/lib32/conftest:/usr/lib64/conftest:/usr/tmp/cf:/usr/lib/cf:/usr/lib32/cf:/usr/lib64/cf" ++SANDBOX_WRITE="@GENTOO_PORTAGE_EPREFIX@/usr/tmp/conftest:@GENTOO_PORTAGE_EPREFIX@/usr/lib/conftest:@GENTOO_PORTAGE_EPREFIX@/usr/lib32/conftest:@GENTOO_PORTAGE_EPREFIX@/usr/lib64/conftest:@GENTOO_PORTAGE_EPREFIX@/usr/tmp/cf:@GENTOO_PORTAGE_EPREFIX@/usr/lib/cf:@GENTOO_PORTAGE_EPREFIX@/usr/lib32/cf:@GENTOO_PORTAGE_EPREFIX@/usr/lib64/cf" + + # Usually writes in /home should not cause violations + SANDBOX_PREDICT="${HOME}" diff --git a/sys-apps/sandbox/files/sandbox-2.0-setoptions.patch b/sys-apps/sandbox/files/sandbox-2.0-setoptions.patch new file mode 100644 index 0000000..9430dbb --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.0-setoptions.patch 
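Review bot: The new `GENTOO_PREFIX` branch in `get_sandbox_lib()` calls `snprintf(path, SB_PATH_MAX, "%s/%s", LIBSANDBOX_PATH, LIB_NAME)` and ignores the return value, so a long prefix silently truncates the library path; a truncated `LD_PRELOAD` entry typically just fails to load, which would leave the child running without the sandbox and without any report. Check the result with something like `if (snprintf(...) >= SB_PATH_MAX) { /* report and fail, matching the file's existing error path */ }` rather than continuing. The same get_sandbox_lib.c hunk is repeated verbatim in sandbox-2.2-prefix.patch below, so the fix belongs in both copies.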
@@ -0,0 +1,11 @@
+--- libsandbox/trace.c.old 2009-06-30 10:11:40.000000000 -0500
++++ libsandbox/trace.c 2009-06-30 10:11:58.000000000 -0500
+@@ -476,7 +476,7 @@
+ } else if (trace_pid) {
+ SB_DEBUG("parent waiting for child (pid=%i) to signal", trace_pid);
+ waitpid(trace_pid, NULL, 0);
+-#ifdef PTRACE_O_TRACESYSGOOD
++#if defined(PTRACE_SETOPTIONS) && defined(PTRACE_O_TRACESYSGOOD)
+ /* Not all kernel versions support this, so ignore return */
+ ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
+ #endif
diff --git a/sys-apps/sandbox/files/sandbox-2.2-prefix.patch b/sys-apps/sandbox/files/sandbox-2.2-prefix.patch
new file mode 100644
index 0000000..0cd5f3f
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.2-prefix.patch
@@ -0,0 +1,26 @@
+* heiko's way of getting this thing going
+http://repo.or.cz/w/heikos-i-prolly-break-your-prefix-overlay.git?a=blob;f=sys-apps/sandbox/files/sandbox-2.0-prefix.patch;h=7b4f568679522682ba784853829a0f2b1272b21d;hb=HEAD
+
+diff --git a/libsbutil/get_sandbox_lib.c b/libsbutil/get_sandbox_lib.c
+index b64a5ac..1cf4832 100644
+--- a/libsbutil/get_sandbox_lib.c
++++ b/libsbutil/get_sandbox_lib.c
+@@ -22,6 +22,7 @@
+ void get_sandbox_lib(char *path)
+ {
+ save_errno();
++#ifndef GENTOO_PREFIX
+ strcpy(path, LIB_NAME);
+ if (strncmp("/usr/lib", LIBSANDBOX_PATH, 8)) {
+ void *hndl = dlopen(path, RTLD_LAZY);
+@@ -30,5 +31,10 @@ void get_sandbox_lib(char *path)
+ else
+ dlclose(hndl);
+ }
++#else
++ /* Gentoo Prefix always needs the absolute path due to DT_R*PATH usage
++ * within dlopen(). */
++ snprintf(path, SB_PATH_MAX, "%s/%s", LIBSANDBOX_PATH, LIB_NAME);
++#endif
+ restore_errno();
+ }
diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
new file mode 100755
index 0000000..e4dc529
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
@@ -0,0 +1,201 @@ +From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 24 Dec 2012 19:41:49 -0500 +Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before + checking the dirfd + +When it comes to processing errors, an empty path is checked before +an invalid dirfd. Make sure sandbox matches that behavior for the +random testsuites out there that look for this. + +URL: https://bugs.gentoo.org/346929 +Reported-by: Marien Zwart <marienz@gentoo.org> +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + libsandbox/wrapper-funcs/__pre_check.c | 2 ++ + libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------ + libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++----------- + libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------ + libsandbox/wrappers.h | 2 ++ + tests/mkdirat-3.sh | 7 +++++++ + tests/mkdirat.at | 1 + + tests/openat-2.sh | 9 +++++++++ + tests/openat.at | 1 + + tests/unlinkat-4.sh | 7 +++++++ + tests/unlinkat.at | 1 + + 11 files changed, 44 insertions(+), 35 deletions(-) + create mode 100755 tests/mkdirat-3.sh + create mode 100755 tests/openat-2.sh + create mode 100755 tests/unlinkat-4.sh + +diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c +index 2d5711f..28ad91f 100644 +--- a/libsandbox/wrapper-funcs/__pre_check.c ++++ b/libsandbox/wrapper-funcs/__pre_check.c +@@ -20,3 +20,5 @@ + #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF + # include "unlinkat_pre_check.c" + #endif ++ ++#include "__pre_at_check.c" +diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c +index 77a65df..0b48d1f 100644 +--- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c ++++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c +@@ -1,20 +1,13 @@ + bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd) + { + char canonic[SB_PATH_MAX]; +- char 
dirfd_path[SB_PATH_MAX]; + + save_errno(); + +- /* Expand the dirfd path first */ +- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { +- case -1: +- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", +- func, pathname, strerror(errno)); +- return false; +- case 0: +- pathname = dirfd_path; +- break; +- } ++ /* Check incoming args against common *at issues */ ++ char dirfd_path[SB_PATH_MAX]; ++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) ++ return false; + + /* Then break down any relative/symlink paths */ + if (-1 == canonicalize(pathname, canonic)) +diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c +index 0127708..5fd5eaa 100644 +--- a/libsandbox/wrapper-funcs/openat_pre_check.c ++++ b/libsandbox/wrapper-funcs/openat_pre_check.c +@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int + + save_errno(); + +- /* Expand the dirfd path first */ ++ /* Check incoming args against common *at issues */ + char dirfd_path[SB_PATH_MAX]; +- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { +- case -1: +- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", +- func, pathname, strerror(errno)); +- return false; +- case 0: +- pathname = dirfd_path; +- break; +- } ++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) ++ return false; + + /* Doesn't exist -> skip permission checks */ + struct stat st; +diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c +index 9f5e7d7..c004d15 100644 +--- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c ++++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c +@@ -1,20 +1,13 @@ + bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd) + { + char canonic[SB_PATH_MAX]; +- char dirfd_path[SB_PATH_MAX]; + + save_errno(); + +- /* 
Expand the dirfd path first */ +- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { +- case -1: +- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", +- func, pathname, strerror(errno)); +- return false; +- case 0: +- pathname = dirfd_path; +- break; +- } ++ /* Check incoming args against common *at issues */ ++ char dirfd_path[SB_PATH_MAX]; ++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) ++ return false; + + /* Then break down any relative/symlink paths */ + if (-1 == canonicalize(pathname, canonic)) +diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h +index 5b97787..0aa58bb 100644 +--- a/libsandbox/wrappers.h ++++ b/libsandbox/wrappers.h +@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn + attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags); + attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags); + attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd); ++attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd, ++ char *dirfd_path, size_t dirfd_path_len); + + #endif +-- +1.8.1.2 + +From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 24 Dec 2012 19:41:49 -0500 +Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before + checking the dirfd [missing file] + +When it comes to processing errors, an empty path is checked before +an invalid dirfd. Make sure sandbox matches that behavior for the +random testsuites out there that look for this. + +Forgot to `git add` in the previous commit :/. 
+ +URL: https://bugs.gentoo.org/346929 +Reported-by: Marien Zwart <marienz@gentoo.org> +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c + +diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c +new file mode 100644 +index 0000000..f72c40c +--- /dev/null ++++ b/libsandbox/wrapper-funcs/__pre_at_check.c +@@ -0,0 +1,34 @@ ++/* ++ * common *at() pre-checks. ++ * ++ * Copyright 1999-2012 Gentoo Foundation ++ * Licensed under the GPL-2 ++ */ ++ ++/* We assume the parent has nested use with save/restore errno */ ++bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd, ++ char *dirfd_path, size_t dirfd_path_len) ++{ ++ /* the empty path name should fail with ENOENT before any dirfd ++ * checks get a chance to run #346929 ++ */ ++ if (*pathname && *pathname[0] == '\0') { ++ errno = ENOENT; ++ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", ++ func, *pathname, strerror(errno)); ++ return false; ++ } ++ ++ /* Expand the dirfd path first */ ++ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) { ++ case -1: ++ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", ++ func, *pathname, strerror(errno)); ++ return false; ++ case 0: ++ *pathname = dirfd_path; ++ break; ++ } ++ ++ return true; ++} +-- +1.8.1.2 + diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch new file mode 100755 index 0000000..fbecb07 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch 
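Review bot: `sb_common_at_pre_check()` rejects every empty path with ENOENT, which is right for the openat/mkdirat/unlinkat callers converted here, but the helper is declared generically in wrappers.h and an empty string is legal for *at calls that honour `AT_EMPTY_PATH` (they then operate on `dirfd` itself), so a future wrapper that reuses it would turn a valid call into a failure. Record the limit above the function: `/* Not for *at functions that accept AT_EMPTY_PATH: "" is always rejected here (#346929). */`. Also `*pathname[0] == '\0'` is correct but reads like a double dereference; `(*pathname)[0] == '\0'` says the same thing plainly. The `#include "__pre_at_check.c"` added to `__pre_check.c` is unconditional while the neighbouring includes are guarded by `SB_NR_* != SB_NR_UNDEF`, which is fine only if compiling the helper in unconditionally is intended.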
@@ -0,0 +1,30 @@
+From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 17 Nov 2012 14:14:26 -0500
+Subject: [PATCH] sandbox.desktop: drop .svg from Icon field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+URL: http://bugs.gentoo.org/443672
+Reported-by: Petteri Räty <betelgeuse@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ data/sandbox.desktop | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/sandbox.desktop b/data/sandbox.desktop
+index 5b5b576..27a887e 100644
+--- a/data/sandbox.desktop
++++ b/data/sandbox.desktop
+@@ -5,6 +5,6 @@ Type=Application
+ Comment=launch a sandboxed shell ... useful for debugging ebuilds
+ Exec=sandbox
+ TryExec=sandbox
+-Icon=sandbox.svg
++Icon=sandbox
+ Categories=Development;
+ Terminal=true
+--
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
new file mode 100755
index 0000000..bfea9e5
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
@@ -0,0 +1,51 @@ +From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Sun, 3 Mar 2013 05:34:09 -0500 +Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values + +Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox +with portage. It changed how the sandbox log env var was accessed by +moving from getenv() to get_sandbox_log(). The latter has path checking +and will kick out values that contain a slash. That means every time a +new process starts, a new sandbox log path will be generated, and when a +program triggers a violation, it'll write to the new file. Meanwhile, +portage itself watches the original one which never gets updated. + +This code has been around forever w/out documentation, and I can't think +of a reason we need it. So punt it. + +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + libsbutil/get_sandbox_log.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c +index a79b399..bdb4278 100644 +--- a/libsbutil/get_sandbox_log.c ++++ b/libsbutil/get_sandbox_log.c +@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c + + sandbox_log_env = getenv(env); + +- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) { +- /* When testing, just use what the env says to */ ++ if (sandbox_log_env) { ++ /* If the env is viable, roll with it. We aren't really ++ * about people breaking the security of the sandbox by ++ * exporting SANDBOX_LOG=/dev/null. 
++ */ + strncpy(path, sandbox_log_env, SB_PATH_MAX); + } else { +- /* THIS CHUNK BREAK THINGS BY DOING THIS: +- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log +- */ +- if ((NULL != sandbox_log_env) && +- (NULL != strchr(sandbox_log_env, '/'))) +- sandbox_log_env = NULL; +- + snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s", + SANDBOX_LOG_LOCATION, prefix, + (sandbox_log_env == NULL ? "" : sandbox_log_env), +-- +1.8.1.2 + diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch new file mode 100755 index 0000000..0101ece --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch 
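Review bot: The new `strncpy(path, sandbox_log_env, SB_PATH_MAX);` in `_get_sb_log` leaves `path` without a NUL terminator whenever the environment value is SB_PATH_MAX bytes or longer, and the value now reaches that copy verbatim because the slash filter on the removed lines is gone; `snprintf(path, SB_PATH_MAX, "%s", sandbox_log_env);` always terminates and its return value lets the caller detect truncation. With the filter removed, `sandbox_log_env` is always NULL in the `else` branch, so the `(sandbox_log_env == NULL ? "" : sandbox_log_env)` argument of the `snprintf` there is dead and can become `""`. The new comment "We aren't really about people breaking the security of the sandbox" appears to have lost a word such as "worried". The rest of `_get_sb_log` lies outside the hunk.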
@@ -0,0 +1,54 @@ +From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 24 Dec 2012 18:46:29 -0500 +Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW) + +We don't check for O_NOFOLLOW in the open wrappers, so we end up +returning the wrong error when operating on broken symlinks. + +URL: https://bugs.gentoo.org/413441 +Reported-by: Marien Zwart <marienz@gentoo.org> +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + libsandbox/wrapper-funcs/__64_post.h | 1 + + libsandbox/wrapper-funcs/__64_pre.h | 1 + + libsandbox/wrapper-funcs/openat_pre_check.c | 2 +- + tests/open-2.sh | 10 ++++++++++ + tests/open.at | 1 + + 5 files changed, 14 insertions(+), 1 deletion(-) + create mode 100755 tests/open-2.sh + +diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h +index 2fd2182..82d2a16 100644 +--- a/libsandbox/wrapper-funcs/__64_post.h ++++ b/libsandbox/wrapper-funcs/__64_post.h +@@ -1,3 +1,4 @@ + #undef SB64 + #undef stat ++#undef lstat + #undef off_t +diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h +index 2132110..0b34b25 100644 +--- a/libsandbox/wrapper-funcs/__64_pre.h ++++ b/libsandbox/wrapper-funcs/__64_pre.h +@@ -1,3 +1,4 @@ + #define SB64 + #define stat stat64 ++#define lstat lstat64 + #define off_t off64_t +diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c +index c827ee6..0127708 100644 +--- a/libsandbox/wrapper-funcs/openat_pre_check.c ++++ b/libsandbox/wrapper-funcs/openat_pre_check.c +@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int + + /* Doesn't exist -> skip permission checks */ + struct stat st; +- if (-1 == stat(pathname, &st)) { ++ if (((flags & O_NOFOLLOW) ? 
lstat(pathname, &st) : stat(pathname, &st)) == -1) { + sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", + func, pathname, strerror(errno)); + return false; +-- +1.8.1.2 + diff --git a/sys-apps/sandbox/files/sandbox-2.6-prefix.patch b/sys-apps/sandbox/files/sandbox-2.6-prefix.patch new file mode 100644 index 0000000..d3861c0 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.6-prefix.patch 
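Review bot: The diffstat in this patch header lists `tests/open-2.sh` (with `create mode 100755 tests/open-2.sh`) and `tests/open.at`, yet the stored 54-line patch holds hunks only for `__64_post.h`, `__64_pre.h` and `openat_pre_check.c`, so the O_NOFOLLOW regression test never lands; `sandbox-2.6-static-close-fd.patch` below shows the same trimmed diffstat. If the test hunks were dropped deliberately, the patch header should say so, since `git am`/`patch` presumably apply the remaining hunks without complaint. In `sb_openat_pre_check` the rewritten condition packs the lstat/stat choice into one expression; `int rc = (flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st);` followed by `if (rc == -1) {` and a comment `/* O_NOFOLLOW refuses a trailing symlink, so examine the link itself */` reads more easily. The function's signature and body continue outside the hunk.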
@@ -0,0 +1,70 @@ +Index: sandbox-2.6/data/sandbox.bashrc +=================================================================== +--- sandbox-2.6.orig/data/sandbox.bashrc ++++ sandbox-2.6/data/sandbox.bashrc +@@ -10,7 +10,7 @@ fi + export BASH_ENV="${SANDBOX_BASHRC}" + + alias make="make LD_PRELOAD=${LD_PRELOAD}" +-alias su="su -c '/bin/bash -rcfile ${SANDBOX_BASHRC}'" ++alias su="su -c '@GENTOO_PORTAGE_EPREFIX@/bin/bash -rcfile ${SANDBOX_BASHRC}'" + + declare -r SANDBOX_ACTIVE + +@@ -29,7 +29,7 @@ if [[ ${SANDBOX_INTRACTV} == "1" && -t 1 + ( + [[ ${NOCOLOR} == "true" || ${NOCOLOR} == "yes" || ${NOCOLOR} == "1" ]] && \ + export RC_NOCOLOR="yes" +- source /etc/init.d/functions.sh ++ source @GENTOO_PORTAGE_EPREFIX@/etc/init.d/functions.sh + if [ $? -ne 0 ] ; then + einfo() { echo " INFO: $*"; } + ewarn() { echo " WARN: $*"; } +@@ -55,7 +55,7 @@ if [[ ${SANDBOX_INTRACTV} == "1" && -t 1 + #sbs_pdir=$(portageq envvar PORTAGE_TMPDIR)/portage/ #portageq takes too long imo + if [[ -z ${PORTAGE_TMPDIR} ]] ; then + sbs_pdir=$( +- for f in /etc/{,portage/}make.globals /etc/{,portage/}make.conf ; do ++ for f in @GENTOO_PORTAGE_EPREFIX@/etc/{,portage/}make.globals @GENTOO_PORTAGE_EPREFIX@/etc/{,portage/}make.conf ; do + [[ -e ${f} ]] && source ${f} + done + echo $PORTAGE_TMPDIR +@@ -63,7 +63,7 @@ if [[ ${SANDBOX_INTRACTV} == "1" && -t 1 + else + sbs_pdir=${PORTAGE_TMPDIR} + fi +- : ${sbs_pdir:=/var/tmp} ++ : ${sbs_pdir:=@GENTOO_PORTAGE_EPREFIX@/var/tmp} + sbs_pdir=${sbs_pdir}/portage/ + + if [[ ${PWD:0:${#sbs_pdir}} == "${sbs_pdir}" ]] ; then +Index: sandbox-2.6/src/sandbox.c +=================================================================== +--- sandbox-2.6.orig/src/sandbox.c ++++ sandbox-2.6/src/sandbox.c +@@ -269,7 +269,7 @@ int main(int argc, char **argv) + goto oom_error; + + /* Setup bash argv */ +- str_list_add_item_copy(argv_bash, "/bin/bash", oom_error); ++ str_list_add_item_copy(argv_bash, "@GENTOO_PORTAGE_EPREFIX@/bin/bash", oom_error); + 
str_list_add_item_copy(argv_bash, "-rcfile", oom_error); + str_list_add_item_copy(argv_bash, sandbox_info.sandbox_rc, oom_error); + if (argc >= 2) { +Index: sandbox-2.6/libsbutil/sbutil.h +=================================================================== +--- sandbox-2.6.orig/libsbutil/sbutil.h ++++ sandbox-2.6/libsbutil/sbutil.h +@@ -22,9 +22,9 @@ + #define LD_PRELOAD_EQ "LD_PRELOAD=" + #define LIB_NAME "libsandbox.so" + #define BASHRC_NAME "sandbox.bashrc" +-#define TMPDIR "/tmp" +-#define PORTAGE_TMPDIR "/var/tmp/portage" +-#define SANDBOX_LOG_LOCATION "/var/log/sandbox" ++#define TMPDIR "@GENTOO_PORTAGE_EPREFIX@/tmp" ++#define PORTAGE_TMPDIR "@GENTOO_PORTAGE_EPREFIX@/var/tmp/portage" ++#define SANDBOX_LOG_LOCATION "@GENTOO_PORTAGE_EPREFIX@/var/log/sandbox" + #define LOG_FILE_PREFIX "/sandbox-" + #define DEBUG_LOG_FILE_PREFIX "/sandbox-debug-" + #define LOG_FILE_EXT ".log" diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch new file mode 100755 index 0000000..7fc0972 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch 
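Review bot: The three rewritten `#define`s in `sbutil.h` (`TMPDIR`, `PORTAGE_TMPDIR`, `SANDBOX_LOG_LOCATION`) and the `"@GENTOO_PORTAGE_EPREFIX@/bin/bash"` literal in `src/sandbox.c` no longer start with a slash, so if the placeholder is not substituted at build time they become relative paths resolved against the current directory — including the directory the violation log is written to. Nothing in the patch records who performs the substitution; a comment above the defines, `/* @GENTOO_PORTAGE_EPREFIX@ is replaced at build time; left unsubstituted, these paths are relative */`, would make that contract explicit. In `sandbox.bashrc` the `su` alias now prefixes `bash` but not `su` itself, which may be intentional but is worth stating.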
@@ -0,0 +1,93 @@ +From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Sat, 23 Jun 2012 11:52:51 -0700 +Subject: [PATCH] libsandbox: clean up open file handles in parent tracing + process + +Currently, if a non-static app sets up a pipe (with cloexec enabled) and +executes a static app, the handle to that pipe is left open in the parent +process. This causes trouble when the parent is waiting for that to be +closed immediately. + +Since none of the fds in the forked parent process matter to us, we can +just go ahead and clean up all fds before we start tracing the child. + +URL: http://bugs.gentoo.org/364877 +Reported-by: Victor Stinner <victor.stinner@haypocalc.com> +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + libsandbox/trace.c | 3 +- + libsbutil/sb_close.c | 26 +++++++++++- + libsbutil/sbutil.h | 1 + + tests/Makefile.am | 2 + + tests/pipe-fork_static_tst.c | 18 +++++++++ + tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++ + tests/script-9.sh | 5 +++ + tests/script.at | 1 + + 8 files changed, 149 insertions(+), 2 deletions(-) + create mode 100644 tests/pipe-fork_static_tst.c + create mode 100644 tests/pipe-fork_tst.c + create mode 100755 tests/script-9.sh + +diff --git a/libsandbox/trace.c b/libsandbox/trace.c +index 32ad2d6..dfbab18 100644 +--- a/libsandbox/trace.c ++++ b/libsandbox/trace.c +@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[]) + /* Not all kernel versions support this, so ignore return */ + ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD); + #endif ++ sb_close_all_fds(); + trace_loop(); +- return; ++ sb_ebort("ISE: child should have quit, as should we\n"); + } + + sb_debug("child setting up ..."); +diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c +index 17a4560..5379197 100644 +--- a/libsbutil/sb_close.c ++++ b/libsbutil/sb_close.c +@@ -29,3 +29,27 @@ int sb_close(int fd) + + return res; 
+ } ++ ++/* Quickly close all the open fds (good for daemonization) */ ++void sb_close_all_fds(void) ++{ ++ DIR *dirp; ++ struct dirent *de; ++ int dfd, fd; ++ const char *fd_dir = sb_get_fd_dir(); ++ ++ dirp = opendir(fd_dir); ++ if (!dirp) ++ sb_ebort("could not process %s\n", fd_dir); ++ dfd = dirfd(dirp); ++ ++ while ((de = readdir(dirp)) != NULL) { ++ if (de->d_name[0] == '.') ++ continue; ++ fd = atoi(de->d_name); ++ if (fd != dfd) ++ close(fd); ++ } ++ ++ closedir(dirp); ++} +diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h +index 02b88cb..479734b 100644 +--- a/libsbutil/sbutil.h ++++ b/libsbutil/sbutil.h +@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode); + size_t sb_read(int fd, void *buf, size_t count); + size_t sb_write(int fd, const void *buf, size_t count); + int sb_close(int fd); ++void sb_close_all_fds(void); + int sb_copy_file_to_fd(const char *file, int ofd); + + /* Reliable output */ +-- +1.8.1.2 + diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch new file mode 100644 index 0000000..7e73822 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch 
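Review bot: `sb_close_all_fds` converts each directory entry with `atoi`, which yields 0 for any name that is not a number, so a non-numeric entry would close fd 0 instead of being skipped; `char *end; long v = strtol(de->d_name, &end, 10); if (*end != '\0') continue;` keeps only genuine descriptor numbers. The loop also closes descriptors while still iterating `readdir` on the fd directory — the stream's own fd is protected through `dirfd`, but collecting the numbers first and closing after `closedir` avoids depending on how the directory listing behaves as entries disappear. Because 0–2 are closed too, the new `sb_ebort("ISE: ...")` after `trace_loop()` and any later debug output from the tracer have nowhere to go if they write to stderr — worth confirming that is acceptable. `trace_main` begins and ends outside the hunk.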
@@ -0,0 +1,27 @@ +From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Fri, 6 Jul 2012 14:58:16 -0400 +Subject: [PATCH] libsandbox: fix hppa trace code + +URL: https://bugs.gentoo.org/425062 +Reported-by: Jeroen Roovers <jer@gentoo.org> +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + libsandbox/trace/linux/hppa.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c +index d23b0d1..5414354 100644 +--- a/libsandbox/trace/linux/hppa.c ++++ b/libsandbox/trace/linux/hppa.c +@@ -1,5 +1,5 @@ +-#define trace_reg_sysnum (20 * 4) /* PT_GR20 */ +-#define trace_reg_ret (28 * 4) /* PT_GR28 */ ++#define trace_reg_sysnum gr[20] ++#define trace_reg_ret gr[28] + + static unsigned long trace_arg(void *vregs, int num) + { +-- +1.7.9.7 + |
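Review bot: The rewritten `#define trace_reg_sysnum gr[20]` and `#define trace_reg_ret gr[28]` drop the `/* PT_GR20 */` and `/* PT_GR28 */` annotations that were the only record of which hppa registers these denote, and they turn the macros from numeric offsets into member expressions, so users presumably now apply them to a register struct (`regs.trace_reg_sysnum`) rather than pass them as an offset. Keeping the register names, `#define trace_reg_sysnum gr[20] /* PT_GR20 */`, plus a one-line comment above them stating that they are struct members would preserve that information for the next reader. `trace_arg` starts at the end of the hunk but its body lies outside it.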