Bug 9403 - sandbox needs a complete rewrite.
Summary: sandbox needs a complete rewrite.
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: x86 Linux
Importance: High critical
Assignee: Martin Schlemmer (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 2909
Reported: 2002-10-20 16:22 UTC by Seemant Kulleen (RETIRED)
Modified: 2003-08-07 08:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Seemant Kulleen (RETIRED) gentoo-dev 2002-10-20 16:22:18 UTC
total sandbox rewrite to use ptrace stuff
Comment 1 J Robert Ray 2002-10-21 07:44:31 UTC
I have put together a preliminary proof-of-concept and would like to get some
comments.

Tarball: http://www.gentoo.org/~jrray/st-sandbox.tbz2

This is basically strace with some extra decoration in the routines that strace
uses to print out the args to various syscalls.

The files with the relevant changes are file.c, sandbox.h, and sandbox.c.

Untar, ./configure && make, you'll find an executable named 'sandbox', this acts
just like the strace program, although it ignores commandline args now.

"./sandbox bash" will give you a new shell inside a sandbox:

jrray@geep st-sandbox $ ./sandbox bash
jrray@geep st-sandbox $ touch hi
ACCESS VIOLATION open(hi => /home/jrray/src/tmp/st-sandbox/hi)
touch: creating `hi': No such file or directory
jrray@geep st-sandbox $ rm sandbox
ACCESS VIOLATION unlink(sandbox => /home/jrray/src/tmp/st-sandbox/sandbox)
rm: cannot remove `sandbox': No such file or directory
jrray@geep st-sandbox $ mkdir hi
ACCESS VIOLATION mkdir(hi => /home/jrray/src/tmp/st-sandbox/hi)
mkdir: cannot create directory `hi': No such file or directory
jrray@geep st-sandbox $ mv sandbox blah
ACCESS VIOLATION rename(blah => /home/jrray/src/tmp/st-sandbox/blah)
mv: cannot move `sandbox' to `blah': No such file or directory

I believe I got all the functions from the old sandbox working, but I have to
double check that.

Something interesting I noticed is that 'man' seems to try to use ptrace.  You
can't overlap ptraces so running man fails while in the sandbox.  Who knows why
it does this, or what other apps we'll run up against.

At this point I'm not using environment variables, instead I keep an array of
valid writable directories in memory.  I'd appreciate comments on this too.

Any feedback is appreciated!

- Robert
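The decision the tracer makes for each intercepted path argument, as shown in the transcript above (map the argument to an absolute path against the traced process's working directory, then compare it with the in-memory list of writable directories), written out as an added example; this is not code from jrray's tarball or from Gentoo's sandbox, and the function names, the writable list and the 4096-byte buffers are assumptions. The ptrace interception itself is not reproduced here; only the access check and its violation message are.

```c
#include <stdio.h>
#include <string.h>

/* Writable directories: a constructed list, standing in for the array the prototype kept in memory. */
static const char *const writable_dirs[] = { "/tmp", "/var/tmp/portage", NULL };

/* Lexically resolve `path` against `cwd` into `out` (size n), collapsing ".", ".." and repeated
 * slashes. Symlinks are not followed; a real sandbox must canonicalise them too. Returns 0 or -1. */
int resolve_path(const char *cwd, const char *path, char *out, size_t n)
{
    char work[4096]; size_t len = 0; const char *p = work, *q;
    if (snprintf(work, sizeof work, "%s/%s", path[0] == '/' ? "" : cwd, path) >= (int)sizeof work) return -1;
    while (*p) {
        while (*p == '/') p++;                           /* skip separators */
        for (q = p; *q && *q != '/'; q++) {}             /* q = end of this component */
        if (q == p) break;
        if (q - p == 1 && p[0] == '.') { p = q; continue; }
        if (q - p == 2 && p[0] == '.' && p[1] == '.') {  /* pop the previous component */
            while (len > 0 && out[--len] != '/') {}
            out[len] = '\0'; p = q; continue;
        }
        if (len + (size_t)(q - p) + 2 > n) return -1;
        out[len++] = '/';
        memcpy(out + len, p, (size_t)(q - p)); len += (size_t)(q - p); out[len] = '\0';
        p = q;
    }
    if (len == 0) { if (n < 2) return -1; strcpy(out, "/"); }   /* everything popped: root */
    return 0;
}

/* 1 if `abs` lies inside a writable directory. Match on a component boundary: "/tmp" must not admit "/tmpfoo". */
int is_writable(const char *abs)
{
    for (const char *const *d = writable_dirs; *d; d++) {
        size_t dl = strlen(*d);
        if (strncmp(abs, *d, dl) == 0 && (abs[dl] == '\0' || abs[dl] == '/')) return 1;
    }
    return 0;
}

/* Decide on one syscall path argument as the tracer would, logging in the prototype's format. */
int check_access(const char *sc, const char *cwd, const char *path)
{
    char abs[4096] = "(unresolvable)";
    if (resolve_path(cwd, path, abs, sizeof abs) == 0 && is_writable(abs)) return 1;
    fprintf(stderr, "ACCESS VIOLATION %s(%s => %s)\n", sc, path, abs);
    return 0;
}

int main(void) { check_access("open", "/home/jrray/src/tmp/st-sandbox", "hi"); return 0; }  /* the bug's transcript */
```

Run as-is it reproduces the first line of the transcript above; the boundary check and the ".." handling are the two places where a prefix-only comparison would let a build step write outside the allowed tree.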
Comment 2 J Robert Ray 2002-10-21 08:03:18 UTC
I experimented with trying to kill the child process if it accesses an illegal
file, but unfortunately the child is able to complete the offending syscall
before it terminates.  (I stepped through in the debugger to verify this.)

Instead of killing off the child process, I change the filename that the syscall
is going to operate on to a NULL string.  When the syscall returns, I put the
char I changed back.

This is the source of the perhaps confusing "No such file or directory" errors.
I think this is a good solution because it prevents the illegal access, and the
calling process will see the violation as an error condition.
Comment 3 Seemant Kulleen (RETIRED) gentoo-dev 2002-10-22 05:16:34 UTC
based on our IRC conversation, you think fixing the sandbox code is easier?
Comment 4 Grant Goodyear (RETIRED) gentoo-dev 2002-10-22 11:23:55 UTC
It's not horribly important right at the moment, but there have been
(slowly!) ongoing plans to port Gentoo to BSD tools.  The current
sandbox is not portable to BSD because the system calls have either
different names or different interfaces.  It shouldn't be too hard to port, but
while you're working on a new version perhaps you could wrap any
non-portable system calls?
Comment 5 J Robert Ray 2002-10-23 06:03:13 UTC
A major drawback to using ptrace is it breaks make's job control and prevents
the use of -j2.  From 'man ptrace':

Tracing causes a few subtle differences in the semantics of traced processes.
For example, if a process is attached to with PTRACE_ATTACH, its original parent
can no longer receive notification via wait when it stops, and there is no way
for the new parent to effectively simulate this notification.

Example:

jrray@geep st-sandbox $ make -j2
gcc -b i686-pc-linux-gnu -Wall -DHAVE_CONFIG_H   -I. -Ilinux/i386 -I./linux/i386
-Ilinux -I./linux -D_GNU_SOURCE  -c strace.c
make: *** wait: No child processes.  Stop.
make: *** Waiting for unfinished jobs....


Make can no longer call wait on its child subprocesses and freaks out.

I'm going to guess that forcing everyone to use make -j1 is not going to go over
well.
Comment 6 J Robert Ray 2003-06-26 00:13:28 UTC
Reassigning bugs due to lack of time.
Comment 7 Martin Schlemmer (RETIRED) gentoo-dev 2003-08-07 08:16:16 UTC
Current version in CVS looks fine without problems (after fixing the coreutils
thing).  Marking it as works for me, as I have not had any problems since the
coreutils thing that is fixed - and coreutils was the first in a long
time.