Attachment #57154 for bug #90343

Line 1 Link Here

(-)sandbox-1.2.1.orig/libctest.c (-1 lines)
1	int main(void) { return 0; }

Lines 81-86 Link Here

(-)sandbox-1.2.1.orig/libsandbox.c (+98 lines)
81		81
82	//#include "localdecls.h"	82	//#include "localdecls.h"
83	#include "sandbox.h"	83	#include "sandbox.h"
		84	#include "sbnotify.h"
84		85
85	/* Macros to check if a function should be executed */	86	/* Macros to check if a function should be executed */
86	#define FUNCTION_SANDBOX_SAFE(func, path) \	87	#define FUNCTION_SANDBOX_SAFE(func, path) \
Lines 158-163 Link Here
158	static char filter_path(const char , int follow_link);	159	static char filter_path(const char , int follow_link);
159	static int is_sandbox_on();	160	static int is_sandbox_on();
160	static int is_sandbox_pid();	161	static int is_sandbox_pid();
		162	static void sbnotify_event(int event_flags, const char * canonical, const char * func_name, int result);
		163	static void sbnotify_log(const char * buffer);
		164	static int get_sbnotify_eventmask();
161		165
162	/* Wrapped functions */	166	/* Wrapped functions */
163		167
Lines 375-380 Link Here
375	result = true_chmod(path, mode);	379	result = true_chmod(path, mode);
376	}	380	}
377		381
		382	sbnotify_event(SBN_MODIFY\|SBN_ATTRIB, canonic, "chmod", result);
		383
378	return result;	384	return result;
379	}	385	}
380		386
Lines 391-396 Link Here
391	result = true_chown(path, owner, group);	397	result = true_chown(path, owner, group);
392	}	398	}
393		399
		400	sbnotify_event(SBN_MODIFY\|SBN_ATTRIB, canonic, "chown", result);
		401
394	return result;	402	return result;
395	}	403	}
396		404
Lines 408-413 Link Here
408	result = true_open(pathname, O_CREAT \| O_WRONLY \| O_TRUNC, mode);	416	result = true_open(pathname, O_CREAT \| O_WRONLY \| O_TRUNC, mode);
409	}	417	}
410		418
		419	sbnotify_event(SBN_MODIFY\|SBN_WRITE, canonic, "create", result);
		420
411	return result;	421	return result;
412	}	422	}
413		423
Lines 424-429 Link Here
424	result = true_fopen(pathname, mode);	434	result = true_fopen(pathname, mode);
425	}	435	}
426		436
		437	if(mode[0]=='w'\|\|mode[0]=='a'\|\|mode[1]=='+')
		438	sbnotify_event(SBN_MODIFY\|SBN_WRITE, canonic, "fopen", (int)result);
		439	else
		440	sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result);
		441
427	return result;	442	return result;
428	}	443	}
429		444
Lines 440-445 Link Here
440	result = true_lchown(path, owner, group);	455	result = true_lchown(path, owner, group);
441	}	456	}
442		457
		458	sbnotify_event(SBN_MODIFY\|SBN_ATTRIB, canonic, "lchown", result);
		459
443	return result;	460	return result;
444	}	461	}
445		462
Lines 457-462 Link Here
457	result = true_link(oldpath, newpath);	474	result = true_link(oldpath, newpath);
458	}	475	}
459		476
		477	sbnotify_event(SBN_LINK_FROM, old_canonic, "link", result );
		478	sbnotify_event(SBN_MODIFY\|SBN_LINK_TO\|SBN_CREATE, new_canonic, "link", result );
		479
460	return result;	480	return result;
461	}	481	}
462		482
Lines 483-488 Link Here
483	result = true_mkdir(pathname, mode);	503	result = true_mkdir(pathname, mode);
484	}	504	}
485		505
		506	sbnotify_event(SBN_MODIFY\|SBN_CREATE, canonic, "mkdir", result );
		507
486	return result;	508	return result;
487	}	509	}
488		510
Lines 499-504 Link Here
499	result = true_opendir(name);	521	result = true_opendir(name);
500	}	522	}
501		523
		524	sbnotify_event(SBN_ACCESS, canonic, "opendir", (int)result );
		525
502	return result;	526	return result;
503	}	527	}
504		528
Lines 544-549 Link Here
544	result = true_open(pathname, flags, mode);	568	result = true_open(pathname, flags, mode);
545	}	569	}
546		570
		571	if(flags & (O_WRONLY \| O_RDWR))
		572	sbnotify_event(SBN_MODIFY\|SBN_WRITE, canonic, "open", result );
		573	else
		574	sbnotify_event(SBN_ACCESS, canonic, "open", result );
		575
547	return result;	576	return result;
548	}	577	}
549		578
Lines 561-566 Link Here
561	result = true_rename(oldpath, newpath);	590	result = true_rename(oldpath, newpath);
562	}	591	}
563		592
		593	sbnotify_event(SBN_MODIFY\|SBN_MOVE_FROM\|SBN_DELETE, old_canonic, "rename", result );
		594	sbnotify_event(SBN_MODIFY\|SBN_MOVE_TO\|SBN_CREATE, new_canonic, "rename", result );
		595
564	return result;	596	return result;
565	}	597	}
566		598
Lines 577-582 Link Here
577	result = true_rmdir(pathname);	609	result = true_rmdir(pathname);
578	}	610	}
579		611
		612	sbnotify_event(SBN_MODIFY\|SBN_DELETE, canonic, "rmdir", result );
		613
580	return result;	614	return result;
581	}	615	}
582		616
Lines 594-599 Link Here
594	result = true_symlink(oldpath, newpath);	628	result = true_symlink(oldpath, newpath);
595	}	629	}
596		630
		631	sbnotify_event(SBN_SYMLINK_FROM, old_canonic, "symlink", result );
		632	sbnotify_event(SBN_MODIFY\|SBN_SYMLINK_TO\|SBN_CREATE, new_canonic, "symlink", result );
		633
597	return result;	634	return result;
598	}	635	}
599		636
Lines 610-615 Link Here
610	result = true_truncate(path, length);	647	result = true_truncate(path, length);
611	}	648	}
612		649
		650	sbnotify_event(SBN_MODIFY\|SBN_WRITE, canonic, "truncate", result );
		651
613	return result;	652	return result;
614	}	653	}
615		654
Lines 624-629 Link Here
624	* a device node, bug #79836. */	663	* a device node, bug #79836. */
625	if (0 == strncmp(canonic, "/dev/", 5)) {	664	if (0 == strncmp(canonic, "/dev/", 5)) {
626	errno = EACCES;	665	errno = EACCES;
		666	sbnotify_event(SBN_MODIFY\|SBN_DELETE, canonic, "unlink", result );
627	return result;	667	return result;
628	}	668	}
629		669
Lines 633-638 Link Here
633	result = true_unlink(pathname);	673	result = true_unlink(pathname);
634	}	674	}
635		675
		676	sbnotify_event(SBN_MODIFY\|SBN_DELETE, canonic, "unlink", result );
		677
636	return result;	678	return result;
637	}	679	}
638		680
Lines 652-657 Link Here
652	result = true_open64(pathname, O_CREAT \| O_WRONLY \| O_TRUNC, mode);	694	result = true_open64(pathname, O_CREAT \| O_WRONLY \| O_TRUNC, mode);
653	}	695	}
654		696
		697	sbnotify_event(SBN_MODIFY\|SBN_WRITE, canonic, "creat64", result);
		698
655	return result;	699	return result;
656	}	700	}
657		701
Lines 668-673 Link Here
668	result = true_fopen64(pathname, mode);	712	result = true_fopen64(pathname, mode);
669	}	713	}
670		714
		715	if(mode[0]=='w'\|\|mode[0]=='a'\|\|mode[1]=='+')
		716	sbnotify_event(SBN_MODIFY\|SBN_WRITE, canonic, "fopen64", (int)result);
		717	else
		718	sbnotify_event(SBN_ACCESS, canonic, "fopen64", (int)result);
		719
671	return result;	720	return result;
672	}	721	}
673		722
Lines 693-698 Link Here
693	result = true_open64(pathname, flags, mode);	742	result = true_open64(pathname, flags, mode);
694	}	743	}
695		744
		745	if(flags & (O_WRONLY \| O_RDWR))
		746	sbnotify_event(SBN_MODIFY\|SBN_WRITE, canonic, "open64", result);
		747	else
		748	sbnotify_event(SBN_ACCESS, canonic, "open64", result);
		749
696	return result;	750	return result;
697	}	751	}
698		752
Lines 709-714 Link Here
709	result = true_truncate64(path, length);	763	result = true_truncate64(path, length);
710	}	764	}
711		765
		766	sbnotify_event(SBN_MODIFY, canonic, "truncate64", result);
		767
712	return result;	768	return result;
713	}	769	}
714		770
Lines 824-829 Link Here
824		880
825	errno = old_errno;	881	errno = old_errno;
826		882
		883	sbnotify_event(SBN_EXECUTE, filename, "execve", result );
		884
827	return result;	885	return result;
828	}	886	}
829		887
Lines 1496-1501 Link Here
1496	}	1554	}
1497	}	1555	}
1498		1556
		1557	static void
		1558	sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result )
		1559	{
		1560	event_flags = event_flags \| SBN_ACCESS;
		1561	if (result<0) event_flags = event_flags \| SBN_ERROR;
		1562	if (event_flags & get_sbnotify_eventmask())
		1563	{
		1564	char buffer[512];
		1565	sprintf(buffer, "%d\t%s\t%s\t%d\n", event_flags, canonical, func_name, result);
		1566	sbnotify_log((const char *)&buffer);
		1567	}
		1568	}
		1569
		1570	static void
		1571	sbnotify_log(const char * buffer)
		1572	{
		1573	char *log_path = getenv("SBNOTIFY_LOG");
		1574	if (log_path == NULL) return;
		1575	int log_file = true_open(log_path,
		1576	O_APPEND \| O_WRONLY
		1577	\| O_CREAT,
		1578	S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
		1579	if (log_file >= 0) {
		1580	write(log_file, buffer, strlen(buffer));
		1581	close(log_file);
		1582	}
		1583	}
		1584
		1585	static int
		1586	get_sbnotify_eventmask()
		1587	{
		1588	const char * env_var = getenv("SBNOTIFY_EVENTMASK");
		1589	if (NULL != env_var) {
		1590	int value;
		1591	if (1==sscanf( env_var, "%i", &value))
		1592	return value;
		1593	}
		1594	return 0;
		1595	}
		1596
1499	#include "getcwd.c"	1597	#include "getcwd.c"
1500	#include "canonicalize.c"	1598	#include "canonicalize.c"
1501	#include "sandbox_futils.c"	1599	#include "sandbox_futils.c"




/*
 * Sandbox file event notification.  Inspired by Inotify.
 *
 * Copyright (C) 2005 Zachary Medico
 */

#ifndef __SBNOTIFY_H__
#define __SBNOTIFY_H__

#include <sys/types.h>

/* An attempt to categorize filesystem calls */
#define SBN_ACCESS			0x00000001	/* File access */
#define SBN_MODIFY			0x00000002	/* File modify (possibly create)*/
#define SBN_ATTRIB			0x00000004	/* File change attributes */
#define SBN_CREATE			0x00000008	/* File create. move, link, or symlink */
#define SBN_DELETE			0x00000010	/* File delete or move */
#define SBN_WRITE			0x00000020	/* File open write */
#define SBN_EXECUTE			0x00000040	/* File execute */
#define SBN_MOVE_FROM		0x00000080	/* File move from X */
#define SBN_MOVE_TO			0x00000100	/* File move to Y */
#define SBN_LINK_FROM		0x00000200	/* Link create from X */
#define SBN_LINK_TO			0x00000400	/* Link create to Y */
#define SBN_SYMLINK_FROM	0x00000800	/* Symlink create from X */
#define SBN_SYMLINK_TO		0x00001000	/* Symlink create to Y */
#define SBN_ERROR			0x00002000	/* Return value is negative */

#endif

Return to bug 90343

Line 0 Link Here

(-)sandbox-1.2.1.orig/sbnotify.h (+28 lines)
	1	/*
	2	* Sandbox file event notification. Inspired by Inotify.
	3	*
	4	* Copyright (C) 2005 Zachary Medico
	5	*/
	6
	7	#ifndef __SBNOTIFY_H__
	8	#define __SBNOTIFY_H__
	9
	10	#include <sys/types.h>
	11
	12	/* An attempt to categorize filesystem calls */
	13	#define SBN_ACCESS 0x00000001 /* File access */
	14	#define SBN_MODIFY 0x00000002 /* File modify (possibly create)*/
	15	#define SBN_ATTRIB 0x00000004 /* File change attributes */
	16	#define SBN_CREATE 0x00000008 /* File create. move, link, or symlink */
	17	#define SBN_DELETE 0x00000010 /* File delete or move */
	18	#define SBN_WRITE 0x00000020 /* File open write */
	19	#define SBN_EXECUTE 0x00000040 /* File execute */
	20	#define SBN_MOVE_FROM 0x00000080 /* File move from X */
	21	#define SBN_MOVE_TO 0x00000100 /* File move to Y */
	22	#define SBN_LINK_FROM 0x00000200 /* Link create from X */
	23	#define SBN_LINK_TO 0x00000400 /* Link create to Y */
	24	#define SBN_SYMLINK_FROM 0x00000800 /* Symlink create from X */
	25	#define SBN_SYMLINK_TO 0x00001000 /* Symlink create to Y */
	26	#define SBN_ERROR 0x00002000 /* Return value is negative */
	27
	28	#endif