Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--libsandbox/libsandbox.c17
-rw-r--r--libsandbox/libsandbox.h7
-rw-r--r--libsandbox/symbols.h.in2
-rw-r--r--libsandbox/trace.c13
-rw-r--r--libsandbox/wrapper-funcs/fchmod.c11
-rw-r--r--libsandbox/wrapper-funcs/fchown.c11
6 files changed, 61 insertions, 0 deletions
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index b9ef52e..847b4e2 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -766,7 +766,9 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
sb_nr == SB_NR_CHOWN ||
sb_nr == SB_NR_CREAT ||
sb_nr == SB_NR_CREAT64 ||
+ sb_nr == SB_NR_FCHMOD ||
sb_nr == SB_NR_FCHMODAT ||
+ sb_nr == SB_NR_FCHOWN ||
sb_nr == SB_NR_FCHOWNAT ||
/*sb_nr == SB_NR_FTRUNCATE ||
sb_nr == SB_NR_FTRUNCATE64 ||*/
@@ -1102,6 +1104,21 @@ bool before_syscall_open_int(int dirfd, int sb_nr, const char *func, const char
return before_syscall(dirfd, sb_nr, ext_func, file, flags);
}
+bool before_syscall_fd(int sb_nr, const char *func, int fd) {
+#ifdef SANDBOX_PROC_SELF_FD
+ /* We only know how to handle e.g. fchmod() and fchown() on
+ * linux, where it's possible to (eventually) get a path out
+ * of the given file descriptor. The "64" below accounts for
+ * the length of an integer string, and is probably
+ * overkill. */
+ char path[sizeof("/proc/self/fd/") + 64];
+ snprintf(path, sizeof("/proc/self/fd/") + 64, "/proc/self/fd/%i", fd);
+ return before_syscall(AT_FDCWD, sb_nr, func, path, 0);
+#else
+ return true;
+#endif
+}
+
bool before_syscall_open_char(int dirfd, int sb_nr, const char *func, const char *file, const char *mode)
{
if (NULL == mode)
diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h
index 206c506..01a4c6c 100644
--- a/libsandbox/libsandbox.h
+++ b/libsandbox/libsandbox.h
@@ -46,6 +46,11 @@
#define SB_SAFE_OPEN_CHAR(_path, _mode) \
SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode)
+#define _SB_SAFE_FD(_nr, _name, _fd) \
+ __SB_SAFE(before_syscall_fd(_nr, _name, fd))
+#define SB_SAFE_FD(_fd) \
+ _SB_SAFE_FD(WRAPPER_NR, STRING_NAME, _fd)
+
/* Symbols that don't exist in the C library will be <= this value. */
#define SB_NR_UNDEF -99999
#define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF)
@@ -55,6 +60,8 @@ bool before_syscall(int, int, const char *, const char *, int);
bool before_syscall_access(int, int, const char *, const char *, int);
bool before_syscall_open_int(int, int, const char *, const char *, int);
bool before_syscall_open_char(int, int, const char *, const char *, const char *);
+bool before_syscall_fd(int, const char *, int);
+
enum sandbox_method_t get_sandbox_method(void);
void *get_dlsym(const char *symname, const char *symver);
diff --git a/libsandbox/symbols.h.in b/libsandbox/symbols.h.in
index ecf141c..297c13a 100644
--- a/libsandbox/symbols.h.in
+++ b/libsandbox/symbols.h.in
@@ -7,8 +7,10 @@
# before 'creat()' as 'creat()' uses 'open()' ...
chmod
+fchmod
fchmodat
chown
+fchown
fchownat
open
__open_2
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index d70f3bc..75a749e 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -455,8 +455,21 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
}
__sb_debug("})");
return 1;
+ } else if (nr == SB_NR_FCHMOD) {
+ int fd = trace_arg(regs, 1);
+ mode_t mode = trace_arg(regs, 2);
+ __sb_debug("(%i, %o)", fd, mode);
+ return _SB_SAFE_FD(nr, name, fd);
+
+ } else if (nr == SB_NR_FCHOWN) {
+ int fd = trace_arg(regs, 1);
+ uid_t uid = trace_arg(regs, 2);
+ gid_t gid = trace_arg(regs, 3);
+ __sb_debug("(%i, %i, %i)", fd, uid, gid);
+ return _SB_SAFE_FD(nr, name, fd);
}
+
done:
__sb_debug("(...)");
return ret;
diff --git a/libsandbox/wrapper-funcs/fchmod.c b/libsandbox/wrapper-funcs/fchmod.c
new file mode 100644
index 0000000..04bfcea
--- /dev/null
+++ b/libsandbox/wrapper-funcs/fchmod.c
@@ -0,0 +1,11 @@
+/*
+ * fchmod() wrapper.
+ *
+ * Copyright 1999-2018 Gentoo Foundation
+ * Licensed under the GPL-2
+ */
+
+#define WRAPPER_ARGS_PROTO int fd, mode_t mode
+#define WRAPPER_ARGS fd, mode
+#define WRAPPER_SAFE() SB_SAFE_FD(fd)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/fchown.c b/libsandbox/wrapper-funcs/fchown.c
new file mode 100644
index 0000000..ab79d5c
--- /dev/null
+++ b/libsandbox/wrapper-funcs/fchown.c
@@ -0,0 +1,11 @@
+/*
+ * fchown() wrapper.
+ *
+ * Copyright 1999-2018 Gentoo Foundation
+ * Licensed under the GPL-2
+ */
+
+#define WRAPPER_ARGS_PROTO int fd, uid_t owner, gid_t group
+#define WRAPPER_ARGS fd, owner, group
+#define WRAPPER_SAFE() SB_SAFE_FD(fd)
+#include "__wrapper_simple.c"