Bug 442172

Summary:	sys-apps/sandbox: executing set*id app results in warnings: ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
Product:	Portage Development	Reporter:	Nikoli <nikoli>
Component:	Sandbox	Assignee:	Sandbox Maintainers <sandbox>
Status:	RESOLVED FIXED
Severity:	normal	CC:	netmon, sam
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=537598
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	build.log net-libs:libssh2-1.4.2:20121107-162415.log

Description Nikoli 2012-11-07 10:25:25 UTC

Created attachment 328646 [details]
build.log

ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
/var/tmp/portage/net-libs/libssh2-1.4.2/work/libssh2-1.4.2/tests/../docs/libssh2_userauth_publickey_fromfile_ex.3
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
/var/tmp/portage/net-libs/libssh2-1.4.2/work/libssh2-1.4.2/tests/../docs/libssh2_version.3
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
FAIL: mansyntax.sh
===========================================
1 of 2 tests failed
Please report to libssh2-devel@cool.haxx.se
===========================================
make[2]: *** [check-TESTS] Error 1


Portage 2.1.11.31 (hardened/linux/amd64, gcc-4.5.4, glibc-2.15-r3, 3.5.6-hardened x86_64)
=================================================================
Timestamp of tree: Wed, 07 Nov 2012 08:15:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.3-r2
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo nikoli
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -mavx -maes -mpclmul -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=generic -mavx -maes -mpclmul -O2 -pipe"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict test unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ru en"
MAKEOPTS="-j9"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/var/lib/layman/nikoli"
USE="X a52 aac acl acpi aes-ni akonadi alsa amd64 amr atm audiofile avx bash-completion bzip2 cairo caps cdda cddb cdio cdparanoia cdr celt cli consolekit cracklib crypt css cups cxx dbus djvu dri dts dv dvd dvdr encode exif fat ffmpeg flac fluidsynth fontconfig fortran gd geoip gif gimp gmp gnutls gphoto2 gpm graphviz gsm gstreamer gtk handbook hardened iconv icu id3tag idn ilbc imagemagick imap imlib ios ipod ipv6 jbig jpeg jpeg2k justify kde kipi kontact lame laptop lcms libass libnotify libproxy libsamplerate lm_sensors lzma lzo mac mad matroska mikmod mmx mmxext mng modplug modules mp3 mp4 mpeg mtp mudflap multilib musepack musicbrainz ncurses networkmanager nls nptl nptlonly ntfs ogg openal openexr opengl openmp opus pam pango pax_kernel pcre pdf pg-intdatetime phonon plasma pm-utils png policykit postscript pppd qt3support qt4 quicktime rar raw readline reiserfs replaygain rtmp sasl scanner schroedinger semantic-desktop session sid smp sndfile socks5 speex spell sqlite sse sse2 sse3 sse4_1 ssl ssse3 startup-notification svg symlink sysfs taglib theora threads thumbnail tiff truetype tta udev udisks unicode upnp upower usb v4l v4l2 vaapi vcd vorbis vpx wavpack webkit webp wifi wma wmf wps x264 xattr xcb xcomposite xface xinerama xml xmp xpm xscreensaver xv xvid xz zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="*" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="pdfimport presenter-console presenter-minimizer report-builder nlpsolver" LINGUAS="ru en" NGINX_MODULES_HTTP="access auth_basic autoindex fastcgi gzip rewrite" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel i965 modesetting vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2012-11-07 16:28:48 UTC

Created attachment 328706 [details]
net-libs:libssh2-1.4.2:20121107-162415.log

Confirmed, but mine looks slightly different (maybe because I ran it as normal user?).

Comment 2 SpanKY gentoo-dev

2012-11-23 06:14:00 UTC

this happens when FEATURES=userpriv is enabled and man is set*id

Comment 3 SpanKY gentoo-dev

2012-12-03 18:44:04 UTC

on the upside, i've fixed sandbox so that it'll fall back to ptrace when handling set*id programs.  on the downside, it is not easy to fix this warning.

i cannot just unsetenv(LD_PRELOAD) because the process which is doing the exec might have been created via clone or vfork.  in those situations, the child shares the same memory region as the parent, so modifying the environ in the child will also modify it in the parent.

as an example, last i looked, `make` does exactly this.  it vforks its targets when executing rules.  so if we unsetenv, it'd break by doing:
 - run make as non-root (user)
 - top level make runs (pid=10)
 - make finds two rules to process
 - first rule reads: mount --help
 - make vforks (child pid=11) and tries to run mount
 - libsandbox detects this, sets things up to ptrace, and unsetenv(LD_PRELOAD)
 - mount finishes running w/out warning (since LD_PRELOAD was unset)
 - make moves on to 2nd rule (now with LD_PRELOAD unset in its env)
 - 2nd rule reads: -touch /
 - make vforks (child pid=12) and tries to run touch
 - touch fails since it doesn't have permission, but this error is not caught by sandbox because LD_PRELOAD is no longer set
 - make ignores the error (due to the rule starting with "-")

this is a bit of a contrived case, but we've seen people run set*id programs in makefiles before as well as have errors in install targets which write to the wrong path.

there's no way (that i know of) to detect this at runtime (i.e. how many other processes are sharing memory region XXX with me?), and we can't do a fork() behind the back of a vfork() or clone() because that implies C library overhead that is unsafe (grabbing locks).  we also can't unset the env, do the exec, and then reset the env because this would introduce a race condition if people were using threads + clone/vfork + exec.  it would also be pretty messy to get the synchronization between the child (which does the unset) and the parent (which does the set) done right.

we might be able to finagle a clone(~CLONE_VM) ourselves before doing the exec.  it'll be tricky, but not too hard i don't think.

Comment 4 SpanKY gentoo-dev

2012-12-24 08:03:35 UTC

this doesn't silence the warning, but it does fix the lack of tracing:

http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=26ad6af1a4f246bda3cd7a19a24c1767ec9c835e

Comment 5 Larry the Git Cow gentoo-dev

2021-10-24 01:10:09 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f0d8469ab6f3a4039038bf86cc829e917b596f40

commit f0d8469ab6f3a4039038bf86cc829e917b596f40
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-10-22 00:20:58 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-10-24 00:54:46 +0000

    sandbox: leverage PR_SET_NO_NEW_PRIVS when available
    
    This will lock down the ability to use set*id programs (like sudo),
    and will allow us to utilize seccomp bpf to speed up ptrace.
    
    Closes: https://bugs.gentoo.org/442172
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 configure.ac  |  2 ++
 headers.h     |  3 +++
 src/sandbox.c | 16 ++++++++++++++++
 3 files changed, 21 insertions(+)

Comment 6 Larry the Git Cow gentoo-dev

2021-10-24 01:13:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288877d0e268087dacb4b593202e28f86b6d31d4

commit 288877d0e268087dacb4b593202e28f86b6d31d4
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-10-24 01:12:13 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-10-24 01:13:05 +0000

    sys-apps/sandbox: version bump to 2.27
    
    Add USE=nnp flag to control new NO_NEW_PRIVS behavior.  In case things
    go horribly wrong, can easily flip the flag off to keep from blowing
    everyone up.
    
    Bug: https://bugs.gentoo.org/442172
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 sys-apps/sandbox/Manifest            |  1 +
 sys-apps/sandbox/metadata.xml        |  3 ++
 sys-apps/sandbox/sandbox-2.27.ebuild | 64 ++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)