Bug 794949 - sys-apps/sandbox raises error when reading /var/log/sandbox
Summary: sys-apps/sandbox raises error when reading /var/log/sandbox
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sandbox Maintainers
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks: 794931
Reported: 2021-06-08 15:03 UTC by Mike Gilbert
Modified: 2021-09-07 15:35 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
libsandbox: adjust hard-coded denial for /var/log/sandbox (0001-libsandbox-adjust-hard-coded-denial-for-var-log-sand.patch,2.05 KB, patch)
2021-06-08 15:14 UTC, Mike Gilbert

Description Mike Gilbert gentoo-dev 2021-06-08 15:03:50 UTC
There is some hard-coded logic in libsandbox that causes access failures when a process tries to read /var/log/sandbox.

https://gitweb.gentoo.org/proj/sandbox.git/tree/libsandbox/libsandbox.c?h=v2.24#n717

The associated comment mentions denying writes (not reads), so this read-denial behavior seems like a mistake.
Comment 1 Mike Gilbert gentoo-dev 2021-06-08 15:14:51 UTC
Created attachment 714660
libsandbox: adjust hard-coded denial for /var/log/sandbox

I think this will do the trick.
Comment 2 Larry the Git Cow gentoo-dev 2021-09-07 15:35:19 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=96374d9bff64bcee64340f6572cca9f1cc3f696d

commit 96374d9bff64bcee64340f6572cca9f1cc3f696d
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-06-08 15:08:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-09-07 15:31:07 +0000

    libsandbox: adjust hard-coded denial for /var/log/sandbox
    
    Move this hack after the read checks, but before the write checks. This
    allows processes to read the log directory, but not write to it.
    
    This is helpful in case a process does something like this:
    
      find /var/log -name system.journal
    
    Bug: https://bugs.gentoo.org/794949
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://bugs.gentoo.org/794949
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 libsandbox/libsandbox.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

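A simplified model of the check ordering the commit message describes, added here as an example and not libsandbox's own code: the allowed write prefix, the stand-in read/write checks and the two `check_access_*` functions are constructed for illustration, and only the position of the hard-coded `/var/log/sandbox` rule differs between them.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of an access-check pipeline: a hard-coded rule
 * refuses the sandbox log directory, and where that rule sits relative
 * to the read checks decides whether the directory is still readable. */

#define SANDBOX_LOG_DIR "/var/log/sandbox"

/* Assumed policy for the model: every path is readable, writes are only
 * allowed under one constructed work directory. */
static const char *write_prefix = "/var/tmp/portage/";

static bool is_write(int flags) {
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR || (flags & (O_CREAT | O_TRUNC));
}

static bool log_dir_rule_denies(const char *path) {
    return strncmp(path, SANDBOX_LOG_DIR, strlen(SANDBOX_LOG_DIR)) == 0;
}

static bool read_check(const char *path) { (void)path; return true; }

static bool write_check(const char *path) {
    return strncmp(path, write_prefix, strlen(write_prefix)) == 0;
}

/* Before the fix: the hard-coded rule runs before the read checks, so a
 * plain read of the log directory (e.g. find(1) walking /var/log) fails. */
bool check_access_before(const char *path, int flags) {
    if (log_dir_rule_denies(path)) return false;
    if (!is_write(flags)) return read_check(path);
    return write_check(path);
}

/* After the fix: read checks come first; the rule only gates writes, so
 * the log directory is readable but still cannot be written to. */
bool check_access_after(const char *path, int flags) {
    if (!is_write(flags)) return read_check(path);
    if (log_dir_rule_denies(path)) return false;
    return write_check(path);
}
```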