Attachment #864316 for bug #599706




	    sb_nr == SB_NR_CHOWN       ||
	    sb_nr == SB_NR_CREAT       ||
	    sb_nr == SB_NR_CREAT64     ||
    	    sb_nr == SB_NR_FCHMOD      ||
	    sb_nr == SB_NR_FCHMODAT    ||
    	    sb_nr == SB_NR_FCHOWN      ||
	    sb_nr == SB_NR_FCHOWNAT    ||
	  /*sb_nr == SB_NR_FTRUNCATE   ||
	    sb_nr == SB_NR_FTRUNCATE64 ||*/

	return before_syscall(dirfd, sb_nr, ext_func, file, flags);
}

bool before_syscall_fd(int sb_nr, const char *func, int fd) {
#ifdef SANDBOX_PROC_SELF_FD
	/* We only know how to handle e.g. fchmod() and fchown() on
	 * linux, where it's possible to (eventually) get a path out
	 * of the given file descriptor. The "64" below accounts for
	 * the length of an integer string, and is probably
	 * overkill. */
	char path[sizeof("/proc/self/fd/") + 64];
	snprintf(path, sizeof("/proc/self/fd/") + 64, "/proc/self/fd/%i", fd);
	return before_syscall(AT_FDCWD, sb_nr, func, path, 0);
#else
	return true;
#endif
}

bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char *file, const char *mode)
{
	if (NULL == mode)

Lines 46-51 Link Here

(-)a/libsandbox/libsandbox.h (+7 lines)
46	#define SB_SAFE_OPEN_CHAR(_path, _mode) \	46	#define SB_SAFE_OPEN_CHAR(_path, _mode) \
47	SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode)	47	SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode)
48		48
		49	#define _SB_SAFE_FD(_nr, _name, _fd) \
		50	__SB_SAFE(before_syscall_fd(_nr, _name, fd))
		51	#define SB_SAFE_FD(_fd) \
		52	_SB_SAFE_FD(WRAPPER_NR, STRING_NAME, _fd)
		53
49	/* Symbols that don't exist in the C library will be <= this value. */	54	/* Symbols that don't exist in the C library will be <= this value. */
50	#define SB_NR_UNDEF -99999	55	#define SB_NR_UNDEF -99999
51	#define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF)	56	#define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF)
Lines 55-60 bool before_syscall(int, int, const char , const char , int); Link Here
55	bool before_syscall_access(int, int, const char , const char , int);	60	bool before_syscall_access(int, int, const char , const char , int);
56	bool before_syscall_open_int(int, int, const char , const char , int);	61	bool before_syscall_open_int(int, int, const char , const char , int);
57	bool before_syscall_open_char(int, int, const char , const char , const char *);	62	bool before_syscall_open_char(int, int, const char , const char , const char *);
		63	bool before_syscall_fd(int, const char *, int);
		64
58	enum sandbox_method_t get_sandbox_method(void);	65	enum sandbox_method_t get_sandbox_method(void);
59		66
60	void get_dlsym(const char symname, const char *symver);	67	void get_dlsym(const char symname, const char *symver);

Lines 7-14 Link Here

(-)a/libsandbox/symbols.h.in (+2 lines)
7	# before 'creat()' as 'creat()' uses 'open()' ...	7	# before 'creat()' as 'creat()' uses 'open()' ...
8		8
9	chmod	9	chmod
		10	fchmod
10	fchmodat	11	fchmodat
11	chown	12	chown
		13	fchown
12	fchownat	14	fchownat
13	open	15	open
14	__open_2	16	__open_2




		}
		__sb_debug("})");
		return 1;
	} else if (nr == SB_NR_FCHMOD) {
		int fd = trace_arg(regs, 1);
		mode_t mode = trace_arg(regs, 2);
		__sb_debug("(%i, %o)", fd, mode);
		return _SB_SAFE_FD(nr, name, fd);

	} else if (nr == SB_NR_FCHOWN) {
		int fd = trace_arg(regs, 1);
		uid_t uid = trace_arg(regs, 2);
		gid_t gid = trace_arg(regs, 3);
		__sb_debug("(%i, %i, %i)", fd, uid, gid);
		return _SB_SAFE_FD(nr, name, fd);
	}


 done:
	__sb_debug("(...)");
	return ret;

Line 0 Link Here

(-)a/libsandbox/wrapper-funcs/fchmod.c (+11 lines)
	1	/*
	2	* fchmod() wrapper.
	3	*
	4	* Copyright 1999-2018 Gentoo Foundation
	5	* Licensed under the GPL-2
	6	*/
	7
	8	#define WRAPPER_ARGS_PROTO int fd, mode_t mode
	9	#define WRAPPER_ARGS fd, mode
	10	#define WRAPPER_SAFE() SB_SAFE_FD(fd)
	11	#include "__wrapper_simple.c"




/*
 * fchown() wrapper.
 *
 * Copyright 1999-2018 Gentoo Foundation
 * Licensed under the GPL-2
 */

#define WRAPPER_ARGS_PROTO int fd, uid_t owner, gid_t group
#define WRAPPER_ARGS fd, owner, group
#define WRAPPER_SAFE() SB_SAFE_FD(fd)
#include "__wrapper_simple.c"
tests/fchmod-0.c  | 35 +++++++++++++++++++++++++++++++++++
tests/fchmod-1.sh | 14 ++++++++++++++
tests/fchmod.at   |  1 +
tests/fchown-0.c  | 34 ++++++++++++++++++++++++++++++++++
tests/fchown-1.sh | 14 ++++++++++++++
tests/fchown.at   |  1 +
tests/local.mk    |  2 ++
7 files changed, 101 insertions(+)
create mode 100644 tests/fchmod-0.c
create mode 100755 tests/fchmod-1.sh
create mode 100644 tests/fchmod.at
create mode 100644 tests/fchown-0.c
create mode 100755 tests/fchown-1.sh
create mode 100644 tests/fchown.at




/*
 * https://bugs.gentoo.org/599706
 *
 */

#include "headers.h"

int main(int argc, char *argv[])
{
	if (argc < 2)
		return -2;

	int mode = 0;
	sscanf(argv[1], "%i", &mode);
	/* The sandbox catches this:
	 *
	 *   int fd = open(argv[2], O_RDWR);
	 *
	 * And it /should/ catch this:
	 *
	 *    int fd = open(argv[2], O_RDONLY);
	 *
	 * ...but the latter only works when /proc/self/fd/%i
	 * is available.
	 *
	 */
#ifdef SANDBOX_PROC_SELF_FD
	int fd = open(argv[2], O_RDONLY);
#else
	int fd = open(argv[2], O_RDWR);
#endif
	int fchmod_result = fchmod(fd, (mode_t)mode);
	close(fd);
	return fchmod_result;
}




#!/bin/sh
#
# https://bugs.gentoo.org/599706
#

addwrite $PWD

# The sandbox doesn't log anything when it returns a junk file
# descriptor? It doesn't look like we can test the contents of
# sandbox.log here... instead, we just have to count on fchmod
# failing, which it does if you use O_RDWR, and it *should* if you use
# O_RDONLY (because that won't stop the change of permissions).
fchmod-0 $(stat --format='%#04a' ../..) ../.. && exit 1
exit 0

Line 0 Link Here

(-)a/tests/fchmod.at (+1 lines)
	1	SB_CHECK(1)




/*
 * https://bugs.gentoo.org/599706
 *
 */

#include "headers.h"

int main(int argc, char *argv[])
{
	if (argc < 3)
		return -2;

	uid_t uid = atoi(argv[1]);
	gid_t gid = atoi(argv[2]);
	/* The sandbox catches this:
	 *
	 *   int fd = open(argv[3], O_RDWR);
	 *
	 * And it /should/ catch this:
	 *
	 *    int fd = open(argv[3], O_RDONLY);
	 *
	 * ...but the latter only works when /proc/self/fd/%i
	 * is available.
	 */
#ifdef SANDBOX_PROC_SELF_FD
	int fd = open(argv[3], O_RDONLY);
#else
	int fd = open(argv[3], O_RDWR);
#endif
	int fchown_result = fchown(fd, uid, gid);
	close(fd);
	return fchown_result;
}




#!/bin/sh
#
# https://bugs.gentoo.org/599706
#

addwrite $PWD

# The sandbox doesn't log anything when it returns a junk file
# descriptor? It doesn't look like we can test the contents of
# sandbox.log here... instead, we just have to count on fchown
# failing, which it does if you use O_RDWR, and it *should* if you use
# O_RDONLY (because that won't stop the change of ownership).
fchown-0 ${SB_UID} ${SB_GID} ../.. && exit 1
exit 0

Line 0 Link Here

(-)a/tests/fchown.at (+1 lines)
	1	SB_CHECK(1)




	%D%/execv-0 \
	%D%/execvp-0 \
	%D%/faccessat-0 \
	%D%/fchmod-0 \
	%D%/fchmodat-0 \
	%D%/fchown-0 \
	%D%/fchownat-0 \
	%D%/fopen-0 \
	%D%/fopen64-0 \
- 
handled correctly.
--
tests/fchmod-2.sh | 11 +++++++++++
tests/fchmod.at   |  1 +
tests/fchown-2.sh | 11 +++++++++++
tests/fchown.at   |  1 +
4 files changed, 24 insertions(+)
create mode 100755 tests/fchmod-2.sh
create mode 100755 tests/fchown-2.sh

Line 0 Link Here

(-)a/tests/fchmod-2.sh (+11 lines)
	1	#!/bin/sh
	2	#
	3	# Ensure that fchmod() doesn't trigger spurious violations in the most
	4	# basic of cases.
	5	#
	6	addwrite $PWD
	7
	8	# This should not trigger a violation.
	9	rm -f file
	10	touch file
	11	fchmod-0 0644 file \|\| exit 1

Line 1 Link Here

(-)a/tests/fchmod.at (+1 lines)
1	SB_CHECK(1)	1	SB_CHECK(1)
		2	SB_CHECK(2)

Line 0 Link Here

(-)a/tests/fchown-2.sh (+11 lines)
	1	#!/bin/sh
	2	#
	3	# Ensure that fchown() doesn't trigger spurious violations in the most
	4	# basic of cases.
	5	#
	6	addwrite $PWD
	7
	8	# This should not trigger a violation.
	9	rm -f file
	10	touch file
	11	fchown-0 ${SB_UID} ${SB_GID} file \|\| exit 1

Line 1 Link Here

(-)a/tests/fchown.at (-1 / +1 lines)
1	SB_CHECK(1)	1	SB_CHECK(1)
2	-	2	SB_CHECK(2)

Return to bug 599706

Lines 766-772 static int check_access(sbcontext_t sbcontext, int sb_nr, const char func, Link Here

(-)a/libsandbox/libsandbox.c (+17 lines)
766	sb_nr == SB_NR_CHOWN \|\|	766	sb_nr == SB_NR_CHOWN \|\|
767	sb_nr == SB_NR_CREAT \|\|	767	sb_nr == SB_NR_CREAT \|\|
768	sb_nr == SB_NR_CREAT64 \|\|	768	sb_nr == SB_NR_CREAT64 \|\|
		769	sb_nr == SB_NR_FCHMOD \|\|
769	sb_nr == SB_NR_FCHMODAT \|\|	770	sb_nr == SB_NR_FCHMODAT \|\|
		771	sb_nr == SB_NR_FCHOWN \|\|
770	sb_nr == SB_NR_FCHOWNAT \|\|	772	sb_nr == SB_NR_FCHOWNAT \|\|
771	/*sb_nr == SB_NR_FTRUNCATE \|\|	773	/*sb_nr == SB_NR_FTRUNCATE \|\|
772	sb_nr == SB_NR_FTRUNCATE64 \|\|*/	774	sb_nr == SB_NR_FTRUNCATE64 \|\|*/
Lines 1102-1107 bool before_syscall_open_int(int dirfd, int sb_nr, const char *func, const char Link Here
1102	return before_syscall(dirfd, sb_nr, ext_func, file, flags);	1104	return before_syscall(dirfd, sb_nr, ext_func, file, flags);
1103	}	1105	}
1104		1106
		1107	bool before_syscall_fd(int sb_nr, const char *func, int fd) {
		1108	#ifdef SANDBOX_PROC_SELF_FD
		1109	/* We only know how to handle e.g. fchmod() and fchown() on
		1110	* linux, where it's possible to (eventually) get a path out
		1111	* of the given file descriptor. The "64" below accounts for
		1112	* the length of an integer string, and is probably
		1113	* overkill. */
		1114	char path[sizeof("/proc/self/fd/") + 64];
		1115	snprintf(path, sizeof("/proc/self/fd/") + 64, "/proc/self/fd/%i", fd);
		1116	return before_syscall(AT_FDCWD, sb_nr, func, path, 0);
		1117	#else
		1118	return true;
		1119	#endif
		1120	}
		1121
1105	bool before_syscall_open_char(int dirfd, int sb_nr, const char func, const char file, const char *mode)	1122	bool before_syscall_open_char(int dirfd, int sb_nr, const char func, const char file, const char *mode)
1106	{	1123	{
1107	if (NULL == mode)	1124	if (NULL == mode)

Lines 455-462 static bool trace_check_syscall(const struct syscall_entry se, void regs) Link Here

(-)a/libsandbox/trace.c (+13 lines)
455	}	455	}
456	__sb_debug("})");	456	__sb_debug("})");
457	return 1;	457	return 1;
		458	} else if (nr == SB_NR_FCHMOD) {
		459	int fd = trace_arg(regs, 1);
		460	mode_t mode = trace_arg(regs, 2);
		461	__sb_debug("(%i, %o)", fd, mode);
		462	return _SB_SAFE_FD(nr, name, fd);
		463
		464	} else if (nr == SB_NR_FCHOWN) {
		465	int fd = trace_arg(regs, 1);
		466	uid_t uid = trace_arg(regs, 2);
		467	gid_t gid = trace_arg(regs, 3);
		468	__sb_debug("(%i, %i, %i)", fd, uid, gid);
		469	return _SB_SAFE_FD(nr, name, fd);
458	}	470	}
459		471
		472
460	done:	473	done:
461	__sb_debug("(...)");	474	__sb_debug("(...)");
462	return ret;	475	return ret;

Line 0 Link Here

(-)a/libsandbox/wrapper-funcs/fchown.c (-2 / +11 lines)
0	-	1	/*
1	--	2	* fchown() wrapper.
		3	*
		4	* Copyright 1999-2018 Gentoo Foundation
		5	* Licensed under the GPL-2
		6	*/
		7
		8	#define WRAPPER_ARGS_PROTO int fd, uid_t owner, gid_t group
		9	#define WRAPPER_ARGS fd, owner, group
		10	#define WRAPPER_SAFE() SB_SAFE_FD(fd)
		11	#include "__wrapper_simple.c"
2	tests/fchmod-0.c \| 35 +++++++++++++++++++++++++++++++++++	12	tests/fchmod-0.c \| 35 +++++++++++++++++++++++++++++++++++
3	tests/fchmod-1.sh \| 14 ++++++++++++++	13	tests/fchmod-1.sh \| 14 ++++++++++++++
4	tests/fchmod.at \| 1 +	14	tests/fchmod.at \| 1 +
5	tests/fchown-0.c \| 34 ++++++++++++++++++++++++++++++++++	15	tests/fchown-0.c \| 34 ++++++++++++++++++++++++++++++++++
6	tests/fchown-1.sh \| 14 ++++++++++++++	16	tests/fchown-1.sh \| 14 ++++++++++++++
7	tests/fchown.at \| 1 +	17	tests/fchown.at \| 1 +
8	tests/local.mk \| 2 ++	18	tests/local.mk \| 2 ++
9	7 files changed, 101 insertions(+)	19	7 files changed, 101 insertions(+)
10	create mode 100644 tests/fchmod-0.c	20	create mode 100644 tests/fchmod-0.c
11	create mode 100755 tests/fchmod-1.sh	21	create mode 100755 tests/fchmod-1.sh
12	create mode 100644 tests/fchmod.at	22	create mode 100644 tests/fchmod.at
13	create mode 100644 tests/fchown-0.c	23	create mode 100644 tests/fchown-0.c
14	create mode 100755 tests/fchown-1.sh	24	create mode 100755 tests/fchown-1.sh
15	create mode 100644 tests/fchown.at	25	create mode 100644 tests/fchown.at

Line 0 Link Here

(-)a/tests/fchmod-0.c (+35 lines)
	1	/*
	2	* https://bugs.gentoo.org/599706
	3	*
	4	*/
	5
	6	#include "headers.h"
	7
	8	int main(int argc, char *argv[])
	9	{
	10	if (argc < 2)
	11	return -2;
	12
	13	int mode = 0;
	14	sscanf(argv[1], "%i", &mode);
	15	/* The sandbox catches this:
	16	*
	17	* int fd = open(argv[2], O_RDWR);
	18	*
	19	* And it /should/ catch this:
	20	*
	21	* int fd = open(argv[2], O_RDONLY);
	22	*
	23	* ...but the latter only works when /proc/self/fd/%i
	24	* is available.
	25	*
	26	*/
	27	#ifdef SANDBOX_PROC_SELF_FD
	28	int fd = open(argv[2], O_RDONLY);
	29	#else
	30	int fd = open(argv[2], O_RDWR);
	31	#endif
	32	int fchmod_result = fchmod(fd, (mode_t)mode);
	33	close(fd);
	34	return fchmod_result;
	35	}

Line 0 Link Here

(-)a/tests/fchmod-1.sh (+14 lines)
	1	#!/bin/sh
	2	#
	3	# https://bugs.gentoo.org/599706
	4	#
	5
	6	addwrite $PWD
	7
	8	# The sandbox doesn't log anything when it returns a junk file
	9	# descriptor? It doesn't look like we can test the contents of
	10	# sandbox.log here... instead, we just have to count on fchmod
	11	# failing, which it does if you use O_RDWR, and it should if you use
	12	# O_RDONLY (because that won't stop the change of permissions).
	13	fchmod-0 $(stat --format='%#04a' ../..) ../.. && exit 1
	14	exit 0

Line 0 Link Here

(-)a/tests/fchown-0.c (+34 lines)
	1	/*
	2	* https://bugs.gentoo.org/599706
	3	*
	4	*/
	5
	6	#include "headers.h"
	7
	8	int main(int argc, char *argv[])
	9	{
	10	if (argc < 3)
	11	return -2;
	12
	13	uid_t uid = atoi(argv[1]);
	14	gid_t gid = atoi(argv[2]);
	15	/* The sandbox catches this:
	16	*
	17	* int fd = open(argv[3], O_RDWR);
	18	*
	19	* And it /should/ catch this:
	20	*
	21	* int fd = open(argv[3], O_RDONLY);
	22	*
	23	* ...but the latter only works when /proc/self/fd/%i
	24	* is available.
	25	*/
	26	#ifdef SANDBOX_PROC_SELF_FD
	27	int fd = open(argv[3], O_RDONLY);
	28	#else
	29	int fd = open(argv[3], O_RDWR);
	30	#endif
	31	int fchown_result = fchown(fd, uid, gid);
	32	close(fd);
	33	return fchown_result;
	34	}

Line 0 Link Here

(-)a/tests/fchown-1.sh (+14 lines)
	1	#!/bin/sh
	2	#
	3	# https://bugs.gentoo.org/599706
	4	#
	5
	6	addwrite $PWD
	7
	8	# The sandbox doesn't log anything when it returns a junk file
	9	# descriptor? It doesn't look like we can test the contents of
	10	# sandbox.log here... instead, we just have to count on fchown
	11	# failing, which it does if you use O_RDWR, and it should if you use
	12	# O_RDONLY (because that won't stop the change of ownership).
	13	fchown-0 ${SB_UID} ${SB_GID} ../.. && exit 1
	14	exit 0

Lines 29-35 check_PROGRAMS += \ Link Here

(-)a/tests/local.mk (-2 / +2 lines)
29	%D%/execv-0 \	29	%D%/execv-0 \
30	%D%/execvp-0 \	30	%D%/execvp-0 \
31	%D%/faccessat-0 \	31	%D%/faccessat-0 \
		32	%D%/fchmod-0 \
32	%D%/fchmodat-0 \	33	%D%/fchmodat-0 \
		34	%D%/fchown-0 \
33	%D%/fchownat-0 \	35	%D%/fchownat-0 \
34	%D%/fopen-0 \	36	%D%/fopen-0 \
35	%D%/fopen64-0 \	37	%D%/fopen64-0 \
36	-
37	handled correctly.	38	handled correctly.
38	--
39	tests/fchmod-2.sh \| 11 +++++++++++	39	tests/fchmod-2.sh \| 11 +++++++++++
40	tests/fchmod.at \| 1 +	40	tests/fchmod.at \| 1 +
41	tests/fchown-2.sh \| 11 +++++++++++	41	tests/fchown-2.sh \| 11 +++++++++++
42	tests/fchown.at \| 1 +	42	tests/fchown.at \| 1 +
43	4 files changed, 24 insertions(+)	43	4 files changed, 24 insertions(+)
44	create mode 100755 tests/fchmod-2.sh	44	create mode 100755 tests/fchmod-2.sh
45	create mode 100755 tests/fchown-2.sh	45	create mode 100755 tests/fchown-2.sh