Gentoo's Bugzilla – Attachment 11872 Details for
Bug 3141
AutoRdependencies in ebuild
[patch]
patch for libsandbox.c to support tracing
libsandbox_trace.patch (text/plain), 7.03 KB, created by
Wout Mertens (RETIRED)
on 2003-05-13 05:58:08 UTC
Description:
patch for libsandbox.c to support tracing
Filename:
MIME Type:
Creator:
Wout Mertens (RETIRED)
Created:
2003-05-13 05:58:08 UTC
Size:
7.03 KB
patch
obsolete
>--- libsandbox.c.orig 2003-05-13 09:01:29.000000000 +0200
>+++ libsandbox.c 2003-05-13 11:34:43.000000000 +0200
>@@ -8,6 +8,40 @@
> *
> * it's very important that the --enable-static-link option is NOT specified
> *
>+ * To use, you need to set environment variables:
>+ * SANDBOX_ON If this is set, it turns on sandboxing
>+ * SANDBOX_LOG The log file used for reporting violations.
>+ * Sandbox writes to stderr if not set.
>+ * SANDBOX_DEBUG Turn on sandbox debugging, so you know what it did
>+ * SANDBOX_DEBUG_LOG Logfile for debugging, stderr if not set
>+ * SANDBOX_TRACE Turn on tracing, listing all interesting files read
>+ * SANDBOX_TRACE_LOG Logfile for the above, needs to be set to work
>+ *
>+ * These take path prefixes separated by ':' :
>+ * SANDBOX_DENY Deny access to the listed prefixes
>+ * SANDBOX_READ Allow reads from these prefixes. Normally set to "/"
>+ * SANDBOX_WRITE Allow write access to these prefixes
>+ * SANDBOX_PREDICT Dunno really. Something with error logging.
>+ *
>+ * Notes:
>+ * - the above just do sandboxing, the regular access permissions still apply.
>+ *
>+ * - sandbox works by messing with libc. If you have applications that call
>+ * the kernel directly (like dietlibc?), it won't work. This means that
>+ * malicious code could still be executed. Which is why the portage user is
>+ * a good idea.
>+ *
>+ * - using sandbox is faster than something based on ptrace(), which would
>+ * not have the above problem. Easily checked by comparing the difference
>+ * between
>+ * # time FEATURES=-sandbox strace -f -e\!all emerge blabla
>+ * and
>+ * # time emerge blabla
>+ *
>+ * - If we want total security, maybe something like the systrace patch
>+ * (http://www.systrace.org) would be better, although that only exists
>+ * for the Linux kernel.
>+ *
> * Copyright (C) 2001 Geert Bevin, Uwyn, http://www.uwyn.com
> * Distributed under the terms of the GNU General Public License, v2 or later
> * Author : Geert Bevin <gbevin@uwyn.com>
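Review bot: The new `SANDBOX_PREDICT` entry reads `Dunno really. Something with error logging.`, which tells the reader of this header nothing about what the variable does. Either describe it from how `predict_prefixes` is consulted in check_syscall (outside this hunk) or write it as `SANDBOX_PREDICT  TODO: document (see predict_prefixes in check_syscall)` so the gap is visible as a gap rather than phrased like a description. The rest of the block agrees with the variables the later hunks read (`SANDBOX_TRACE`, `SANDBOX_TRACE_LOG`), including the note that the trace log path must be set for tracing to do anything.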
>@@ -21,6 +55,15 @@
> *
> * Martin Schlemmer <azarah@gentoo.org> (18 Aug 2002)
> *
>+ * Added logging for opened files in the forbidden zone, thus knowing
>+ * what packages were used, see bug #3141
>+ *
>+ * Removed unused write_denied structures
>+ *
>+ * Added docs for libsandbox
>+ *
>+ * Wout Mertens <wmertens@gentoo.org> (13 May 2003)
>+ *
> * Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
> * as some of the InstallWatch code was used.
> *
>@@ -105,8 +148,6 @@
> int num_write_prefixes;
> char** predict_prefixes;
> int num_predict_prefixes;
>- char** write_denied_prefixes;
>- int num_write_denied_prefixes;
> } sbcontext_t;
>
> /* glibc modified realpath() functions */
>@@ -714,8 +755,6 @@
> context->num_write_prefixes = 0;
> context->predict_prefixes = NULL;
> context->num_predict_prefixes = 0;
>- context->write_denied_prefixes = NULL;
>- context->num_write_denied_prefixes = 0;
> }
>
> static int is_sandbox_pid()
>@@ -932,17 +971,6 @@
> ) {
> struct stat tmp_stat;
>
>- for (i = 0; i < sbcontext->num_write_denied_prefixes; i++) {
>- if (NULL != sbcontext->write_denied_prefixes[i]) {
>- if (0 == strncmp(filtered_path,
>- sbcontext->write_denied_prefixes[i],
>- strlen(sbcontext->write_denied_prefixes[i]))) {
>- result = 0;
>- break;
>- }
>- }
>- }
>-
> if (-1 == result) {
> for (i = 0; i < sbcontext->num_write_prefixes; i++) {
> if (NULL != sbcontext->write_prefixes[i]) {
>@@ -995,6 +1023,64 @@
> return result;
> }
>
>+/* We define as interesting: */
>+/* All files that we don't have write access to and are reading from */
>+static int is_interesting(sbcontext_t* sbcontext, const char* func, const char* path)
>+{
>+ int result = -1;
>+ int i = 0;
>+ char* filtered_path = filter_path(path);
>+
>+ if ('/' != filtered_path[0]) {
>+ return 0;
>+ }
>+
>+ if ((0 == strncmp(filtered_path, "/etc/ld.so.preload", 18)) && (is_sandbox_pid())) {
>+ result = 0;
>+ }
>+
>+ if (-1 == result) {
>+ /* These are the functions we care about */
>+ if ((NULL != sbcontext->write_prefixes) &&
>+ ((0 == strncmp(func, "open_rd", 7)) ||
>+ (0 == strncmp(func, "popen", 5)) ||
>+ (0 == strncmp(func, "system", 6)) ||
>+ (0 == strncmp(func, "execl", 5)) ||
>+ (0 == strncmp(func, "execlp", 6)) ||
>+ (0 == strncmp(func, "execle", 6)) ||
>+ (0 == strncmp(func, "execv", 5)) ||
>+ (0 == strncmp(func, "execvp", 6)) ||
>+ (0 == strncmp(func, "execve", 6))
>+ )
>+ ) {
>+ /* See if we are allowed to write to it */
>+ for (i = 0; i < sbcontext->num_write_prefixes; i++) {
>+ if (NULL != sbcontext->write_prefixes[i]) {
>+ if (0 == strncmp(filtered_path,
>+ sbcontext->write_prefixes[i],
>+ strlen(sbcontext->write_prefixes[i]))) {
>+ result = 0;
>+ break;
>+ }
>+ }
>+ }
>+ /* All the rest is interesting */
>+ if (-1 == result) {
>+ result = 1;
>+ }
>+ }
>+ }
>+
>+ if (-1 == result) {
>+ result = 0;
>+ }
>+
>+ if (filtered_path) free(filtered_path);
>+ filtered_path = NULL;
>+
>+ return result;
>+}
>+
> static int check_syscall(sbcontext_t* sbcontext, const char* func, const char* file)
> {
> int old_errno = errno;
>@@ -1008,6 +1094,10 @@
> char* debug_log_env = NULL;
> char* debug_log_path = NULL;
> int debug_log_file = 0;
>+ struct stat trace_log_stat;
>+ char* trace_log_env = NULL;
>+ char* trace_log_path = NULL;
>+ int trace_log_file = 0;
> char buffer[512];
>
> init_wrappers();
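Review bot: In `is_interesting`, the early `return 0;` after the `'/' != filtered_path[0]` test leaks `filtered_path`, because the only `free(filtered_path)` is at the bottom of the function, and `filtered_path[0]` is read before any NULL check even though the bottom of the function guards `free` with `if (filtered_path)`; if filter_path (outside this hunk) can return NULL, that is a NULL dereference. Fold both into one guard that releases the buffer: `if ((NULL == filtered_path) || ('/' != filtered_path[0])) { free(filtered_path); return 0; }`. As a point of style, the function-name list uses prefix matching, so `strncmp(func, "execl", 5)` already covers `execlp` and `execle` and `"execv"` covers `execvp`/`execve`, making six of the nine alternatives redundant; either drop them or switch to `strcmp` so each name is matched exactly, which would also keep a future `open_rdwr`-style wrapper name from being swept in by `"open_rd"` accidentally.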
>@@ -1027,6 +1117,8 @@
> log_path = getenv("SANDBOX_LOG");
> debug_log_env = getenv("SANDBOX_DEBUG");
> debug_log_path = getenv("SANDBOX_DEBUG_LOG");
>+ trace_log_env = getenv("SANDBOX_TRACE");
>+ trace_log_path = getenv("SANDBOX_TRACE_LOG");
>
> if (((NULL == log_path) ||
> (0 != strncmp(absolute_path, log_path, strlen(log_path)))) &&
>@@ -1089,6 +1181,31 @@
> }
> }
>
>+ /* Save the path if tracing and it's interesting enough */
>+ if ( (NULL != trace_log_env) &&
>+ (NULL != trace_log_path) &&
>+ (0 != strncmp(absolute_path, trace_log_path, strlen(trace_log_path))) &&
>+ is_interesting(sbcontext, func, absolute_path)
>+ ) {
>+ sprintf(buffer, "%s\n", absolute_path);
>+
>+ if ((0 == lstat(trace_log_path, &trace_log_stat)) &&
>+ (0 == S_ISREG(trace_log_stat.st_mode))
>+ ) {
>+ fprintf(stderr,
>+ "\e[31;01mSECURITY BREACH\033[0m %s already exists and is not a regular file.\n",
>+ log_path);
>+ } else {
>+ trace_log_file = true_open(trace_log_path,
>+ O_APPEND | O_WRONLY | O_CREAT,
>+ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
>+ if(trace_log_file >= 0) {
>+ write(trace_log_file, buffer, strlen(buffer));
>+ close(trace_log_file);
>+ }
>+ }
>+ }
>+
> if (absolute_path) free(absolute_path);
> absolute_path = NULL;
>
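Review bot: `sprintf(buffer, "%s\n", absolute_path)` writes into the 512-byte `buffer` declared in an earlier hunk with no bound, so a resolved path of 511 bytes or more overflows a stack buffer in the very code meant to police file access; use `snprintf(buffer, sizeof buffer, "%s\n", absolute_path);` and skip the write when the return value is negative or `>= sizeof buffer`, or write the path and the newline with two `write` calls and no intermediate buffer. The "already exists and is not a regular file" message prints `log_path` where it should print `trace_log_path`, so the warning names the wrong file. The `lstat` test followed by `true_open` is also a check-then-use window on a path taken from the environment; adding `O_NOFOLLOW` to the open flags makes the regular-file check hold at open time, and the `write` return should be checked so a short or failed append is not silently lost. check_syscall's body begins and ends outside this hunk.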