Gentoo's Bugzilla – Attachment 516940 Details for
Bug 599706
sys-apps/sandbox: fchown()/fchmod() can modify fd even when opened O_RDONLY
[patch]
0002-libsandbox-add-awful-hacky-fchown-fchmod-fix-on-linu.patch
0002-libsandbox-add-awful-hacky-fchown-fchmod-fix-on-linu.patch (text/plain), 5.36 KB, created by
Michael Orlitzky
on 2018-01-28 03:44:23 UTC
Description:
0002-libsandbox-add-awful-hacky-fchown-fchmod-fix-on-linu.patch
Filename:
MIME Type:
Creator:
Michael Orlitzky
Created:
2018-01-28 03:44:23 UTC
Size:
5.36 KB
patch
obsolete
>From 2109f1314ce44ae4371be4fc7ed0408d71466f8f Mon Sep 17 00:00:00 2001
>From: Michael Orlitzky <mjo@gentoo.org>
>Date: Sat, 27 Jan 2018 22:16:31 -0500
>Subject: [PATCH 2/3] libsandbox: add awful hacky fchown/fchmod fix on linux
> (Gentoo bug 599706).
>
>The problem with fchown/fchmod is that they use a file descriptor
>obtained from open(), and the sandbox is relying on its open() wrapper
>for safety. But it turns out that fchown/fchmod can operate on a
>descriptor opened O_RDONLY, which the open() wrapper is happy to give
>you. Oops.
>
>There's no obvious way to map the descriptor to a path once you've got
>it, but on linux you can do something ridiculous and use
>"/proc/self/fd/%i" which should be a symlink
>pointing... somewhere. Probably to the path passed to open(). Anyway,
>once we have a path, we can use the existing "is this path safe"
>machinery in the sandbox.
>---
> libsandbox/libsandbox.c | 19 +++++++++++++++++++
> libsandbox/libsandbox.h | 6 ++++++
> libsandbox/symbols.h.in | 2 ++
> libsandbox/trace.c | 13 +++++++++++++
> libsandbox/wrapper-funcs/fchmod.c | 11 +++++++++++
> libsandbox/wrapper-funcs/fchown.c | 11 +++++++++++
> 6 files changed, 62 insertions(+)
> create mode 100644 libsandbox/wrapper-funcs/fchmod.c
> create mode 100644 libsandbox/wrapper-funcs/fchown.c
>
>diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
>index c126aa1..1a4ebb8 100644
>--- a/libsandbox/libsandbox.c
>+++ b/libsandbox/libsandbox.c
>@@ -752,7 +752,9 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
> sb_nr == SB_NR_CHOWN ||
> sb_nr == SB_NR_CREAT ||
> sb_nr == SB_NR_CREAT64 ||
>+ sb_nr == SB_NR_FCHMOD ||
> sb_nr == SB_NR_FCHMODAT ||
>+ sb_nr == SB_NR_FCHOWN ||
> sb_nr == SB_NR_FCHOWNAT ||
> /*sb_nr == SB_NR_FTRUNCATE ||
> sb_nr == SB_NR_FTRUNCATE64 ||*/
>@@ -1094,6 +1096,23 @@ bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char
> return before_syscall(dirfd, sb_nr, ext_func, file, 0);
> }
>
>+bool before_syscall_fd(int sb_nr, const char *func, int fd) {
>+#ifdef __linux__
>+ /* We only know how to handle e.g. fchmod() and fchown() on
>+ * linux, where it's possible to (eventually) get a path out
>+ * of the given file descriptor. The "64" below accounts for
>+ * the length of an integer string, and is probably
>+ * overkill. */
>+ char path[sizeof("/proc/self/fd/") + 64];
>+ snprintf(path, sizeof("/proc/self/fd/") + 64, "/proc/self/fd/%i", fd);
>+ return before_syscall(AT_FDCWD, sb_nr, func, path, 0);
>+#else
>+ return true;
>+#endif
>+}
>+
>+
>+
> typedef struct {
> const char *name;
> size_t len;
>diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h
>index 63882e7..f57fdf0 100644
>--- a/libsandbox/libsandbox.h
>+++ b/libsandbox/libsandbox.h
>@@ -46,11 +46,17 @@
> #define SB_SAFE_OPEN_CHAR(_path, _mode) \
> SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode)
>
>+#define _SB_SAFE_FD(_nr, _name, _fd) \
>+ __SB_SAFE(before_syscall_fd(_nr, _name, fd))
>+#define SB_SAFE_FD(_fd) \
>+ _SB_SAFE_FD(WRAPPER_NR, STRING_NAME, _fd)
>+
> bool is_sandbox_on(void);
> bool before_syscall(int, int, const char *, const char *, int);
> bool before_syscall_access(int, int, const char *, const char *, int);
> bool before_syscall_open_int(int, int, const char *, const char *, int);
> bool before_syscall_open_char(int, int, const char *, const char *, const char *);
>+bool before_syscall_fd(int, const char *, int);
>
> void *get_dlsym(const char *symname, const char *symver);
>
>diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in
>index bdbce08..30fca77 100644
>--- a/libsandbox/symbols.h.in
>+++ b/libsandbox/symbols.h.in
>@@ -7,8 +7,10 @@
> # before 'creat()' as 'creat()' uses 'open()' ...
>
> chmod
>+fchmod
> fchmodat
> chown
>+fchown
> fchownat
> open
> __open_2
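Review bot: before_syscall_fd hands before_syscall the literal string `/proc/self/fd/N`, so whether this closes the O_RDONLY hole depends entirely on before_syscall canonicalizing that magic symlink to the descriptor's real target; if it instead matches the string against the configured paths, every fchmod/fchown would be judged against the /proc tree rather than the file being modified, and nothing in the hunk or the commit message pins down which happens. Descriptors that are not regular files (sockets, pipes, anon inodes) and files unlinked since open() resolve to targets such as `socket:[N]` or `/some/path (deleted)`, which are not filesystem paths, so the result for those cases should be covered by a test to make sure the helper fails closed rather than accidentally allowing the call. `self` also ties the lookup to the process that evaluates the check, which matters where this helper is reached from the ptrace path in trace.c. Minor: `snprintf(path, sizeof path, "/proc/self/fd/%i", fd);` avoids repeating the size expression, and the `#else` branch silently returns true, so a comment such as `/* no fd -> path mapping available here; left unchecked, as before this patch */` would record that the non-Linux path is deliberately fail-open.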
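Review bot: `_SB_SAFE_FD` declares a parameter `_fd` but expands to `before_syscall_fd(_nr, _name, fd)` with the bare name `fd`, so the macro argument is ignored and the expansion only compiles because every caller in this patch (the trace.c hunk and the two wrapper-funcs files) happens to have a local named `fd`. It should read `__SB_SAFE(before_syscall_fd(_nr, _name, _fd))`; as written, a later call such as `_SB_SAFE_FD(nr, name, dirfd)` would either fail to compile or silently check whichever `fd` is in scope instead of the descriptor the caller meant.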
>diff --git a/libsandbox/trace.c b/libsandbox/trace.c
>index fb1fc32..4bd68df 100644
>--- a/libsandbox/trace.c
>+++ b/libsandbox/trace.c
>@@ -421,6 +421,19 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
> ret = 1;
> free(path);
> return ret;
>+
>+ } else if (nr == SB_NR_FCHMOD) {
>+ int fd = trace_arg(regs, 1);
>+ mode_t mode = trace_arg(regs, 2);
>+ __sb_debug("(%i, %o)", fd, mode);
>+ return _SB_SAFE_FD(nr, name, fd);
>+
>+ } else if (nr == SB_NR_FCHOWN) {
>+ int fd = trace_arg(regs, 1);
>+ uid_t uid = trace_arg(regs, 2);
>+ gid_t gid = trace_arg(regs, 3);
>+ __sb_debug("(%i, %i, %i)", fd, uid, gid);
>+ return _SB_SAFE_FD(nr, name, fd);
> }
>
> done:
>diff --git a/libsandbox/wrapper-funcs/fchmod.c b/libsandbox/wrapper-funcs/fchmod.c
>new file mode 100644
>index 0000000..04bfcea
>--- /dev/null
>+++ b/libsandbox/wrapper-funcs/fchmod.c
>@@ -0,0 +1,11 @@
>+/*
>+ * fchmod() wrapper.
>+ *
>+ * Copyright 1999-2018 Gentoo Foundation
>+ * Licensed under the GPL-2
>+ */
>+
>+#define WRAPPER_ARGS_PROTO int fd, mode_t mode
>+#define WRAPPER_ARGS fd, mode
>+#define WRAPPER_SAFE() SB_SAFE_FD(fd)
>+#include "__wrapper_simple.c"
>diff --git a/libsandbox/wrapper-funcs/fchown.c b/libsandbox/wrapper-funcs/fchown.c
>new file mode 100644
>index 0000000..ab79d5c
>--- /dev/null
>+++ b/libsandbox/wrapper-funcs/fchown.c
>@@ -0,0 +1,11 @@
>+/*
>+ * fchown() wrapper.
>+ *
>+ * Copyright 1999-2018 Gentoo Foundation
>+ * Licensed under the GPL-2
>+ */
>+
>+#define WRAPPER_ARGS_PROTO int fd, uid_t owner, gid_t group
>+#define WRAPPER_ARGS fd, owner, group
>+#define WRAPPER_SAFE() SB_SAFE_FD(fd)
>+#include "__wrapper_simple.c"
>--
>2.13.6
>
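Review bot: The descriptor passed to `_SB_SAFE_FD` in both new branches is read out of the tracee's registers (`trace_arg(regs, 1)`), yet before_syscall_fd formats `/proc/self/fd/%i`, and `self` names whichever process evaluates the check, not the process that owns the descriptor. If trace_check_syscall runs in the tracing parent — the `free(path)` on the context line suggests the path argument is copied out of the tracee's memory, so that looks likely — the lookup consults the tracer's own descriptor table, where descriptor N is unrelated to the tracee's, and the check then either fails on a missing entry or approves the syscall based on a different file. The ptrace path needs the traced child's pid in the /proc path, e.g. `/proc/<tracee_pid>/fd/%i` with the pid the trace loop presumably has at hand, which likely means giving before_syscall_fd a pid parameter and having the in-process wrappers pass their own. Separately, `uid_t`/`gid_t` are unsigned on Linux, so `%u` rather than `%i` matches them in the fchown debug line. trace_check_syscall starts before this hunk.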