| Summary: | sandbox needs a complete rewrite. | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Seemant Kulleen (RETIRED) <seemant> |
| Component: | [OLD] Core system | Assignee: | Martin Schlemmer (RETIRED) <azarah> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | critical | CC: | christian.skarby, foser, h3y, jrray, m.debruijne, mholzer |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 2909 | | |
Description
Seemant Kulleen (RETIRED)
I have put together a preliminary proof-of-concept and would like to get some comments. Tarball: http://www.gentoo.org/~jrray/st-sandbox.tbz2

This is basically strace with some extra decoration in the routines that strace uses to print out the args to various syscalls. The files with the relevant changes are file.c, sandbox.h, and sandbox.c. Untar, `./configure && make`, and you'll find an executable named 'sandbox'; this acts just like the strace program, although it ignores command-line args for now. "./sandbox bash" will give you a new shell inside a sandbox:

```
jrray@geep st-sandbox $ ./sandbox bash
jrray@geep st-sandbox $ touch hi
ACCESS VIOLATION open(hi => /home/jrray/src/tmp/st-sandbox/hi)
touch: creating `hi': No such file or directory
jrray@geep st-sandbox $ rm sandbox
ACCESS VIOLATION unlink(sandbox => /home/jrray/src/tmp/st-sandbox/sandbox)
rm: cannot remove `sandbox': No such file or directory
jrray@geep st-sandbox $ mkdir hi
ACCESS VIOLATION mkdir(hi => /home/jrray/src/tmp/st-sandbox/hi)
mkdir: cannot create directory `hi': No such file or directory
jrray@geep st-sandbox $ mv sandbox blah
ACCESS VIOLATION rename(blah => /home/jrray/src/tmp/st-sandbox/blah)
mv: cannot move `sandbox' to `blah': No such file or directory
```

I believe I got all the functions from the old sandbox working, but I have to double-check that.

Something interesting I noticed is that 'man' seems to try to use ptrace. You can't overlap ptraces, so running man fails while in the sandbox. Who knows why it does this, or what other apps we'll run up against.

At this point I'm not using environment variables; instead I keep an array of valid writable directories in memory. I'd appreciate comments on this too.

Any feedback is appreciated! - Robert

I experimented with trying to kill the child process if it accesses an illegal file, but unfortunately the child is able to complete the offending syscall before it terminates. (I stepped through in the debugger to verify this.)

Instead of killing off the child process, I change the filename that the syscall is going to operate on to a NULL string. When the syscall returns, I put the char I changed back. This is the source of the perhaps confusing "No such file or directory" errors. I think this is a good solution because it prevents the illegal access, and the calling process will see the violation as an error condition.

Based on our IRC conversation, you think fixing the sandbox code is easier? It's not horribly important right at the moment, but there have been (slowly!) ongoing plans to port Gentoo to BSD tools. The current sandbox is not portable to BSD because the system calls have either different names or different interfaces. It shouldn't be too hard to port, but while you're working on a new version perhaps you could wrap any non-portable system calls?

A major drawback to using ptrace is that it breaks make's job control and prevents the use of -j2. From 'man ptrace':

> Tracing causes a few subtle differences in the semantics of traced processes. For example, if a process is attached to with PTRACE_ATTACH, its original parent can no longer receive notification via wait when it stops, and there is no way for the new parent to effectively simulate this notification.

Example:

```
jrray@geep st-sandbox $ make -j2
gcc -b i686-pc-linux-gnu -Wall -DHAVE_CONFIG_H -I. -Ilinux/i386 -I./linux/i386 -Ilinux -I./linux -D_GNU_SOURCE -c strace.c
make: *** wait: No child processes.  Stop.
make: *** Waiting for unfinished jobs....
```

Make can no longer call wait on its child subprocesses and freaks out. I'm going to guess that forcing everyone to use make -j1 is not going to go over well.

Reassigning bugs due to lack of time.

Current version in CVS looks fine without problems (after fixing the coreutils thing).

Marking it as works for me, as I have not had any problems since the coreutils thing that is fixed - and coreutils was the first in a long time.
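The allow/deny decision Robert's design relies on (resolve the syscall's path argument against the traced process's cwd, then compare it with an in-memory array of writable directories, as the `ACCESS VIOLATION open(hi => /home/jrray/...)` lines show) as an added example in C; this is not code from the st-sandbox tarball, and the function names and the writable-directory list are my assumptions. It covers only the decision, not the ptrace loop that reads the path out of the child and blanks it.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not code from jrray's st-sandbox tarball: the decision a ptrace
 * sandbox makes about a path argument before blanking it. Names are mine. */
/* Join cwd and path, drop "." and ".." components, emit an absolute path. Symlinks
 * are NOT resolved: a real sandbox must also check the target the kernel will
 * use, or a symlink inside a writable directory can point outside it. */
int sandbox_resolve(const char *cwd, const char *path, char *out, size_t outlen) {
    char tmp[4096];
    size_t olen = 0;
    if (path[0] == '/') snprintf(tmp, sizeof tmp, "%s", path);
    else snprintf(tmp, sizeof tmp, "%s/%s", cwd, path);
    out[0] = '\0';
    for (const char *p = tmp; *p; ) {
        while (*p == '/') p++;                          /* skip empty components */
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) break;
        if (len == 1 && p[0] == '.') { p += len; continue; }
        if (len == 2 && p[0] == '.' && p[1] == '.') {   /* pop the last component */
            char *slash = strrchr(out, '/');
            if (slash) { *slash = '\0'; olen = (size_t)(slash - out); }
            p += len; continue;
        }
        if (olen + len + 2 > outlen) return -1;         /* '/' + component + NUL */
        out[olen++] = '/';
        memcpy(out + olen, p, len);
        olen += len; out[olen] = '\0';
        p += len;
    }
    if (olen == 0) { if (outlen < 2) return -1; strcpy(out, "/"); }
    return 0;
}
/* Is `path` inside directory `dir`? Match only on a component boundary so that
 * "/var/tmp/build" does not also authorise "/var/tmp/build2". */
static int inside(const char *dir, const char *path) {
    size_t n = strlen(dir);
    if (strcmp(dir, "/") == 0) return 1;                /* "/" would allow everything */
    return strncmp(path, dir, n) == 0 && (path[n] == '\0' || path[n] == '/');
}
/* 1 if a write to `path` by a process whose cwd is `cwd` lands inside one of the
 * `n` writable directories, 0 for a violation (logged the way st-sandbox does). */
int sandbox_allowed(const char *cwd, const char *path, const char **writable, size_t n) {
    char resolved[4096];
    if (sandbox_resolve(cwd, path, resolved, sizeof resolved) != 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (inside(writable[i], resolved)) return 1;
    fprintf(stderr, "ACCESS VIOLATION %s => %s\n", path, resolved);
    return 0;
}
```

The `..` handling is what stops a relative path from walking out of a writable directory, and the boundary check in `inside` is what stops a sibling directory that merely shares a prefix from being accepted.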