diff options
Diffstat (limited to 'src/sandbox-1.1/ChangeLog')
-rw-r--r-- | src/sandbox-1.1/ChangeLog | 265 |
1 files changed, 265 insertions, 0 deletions
diff --git a/src/sandbox-1.1/ChangeLog b/src/sandbox-1.1/ChangeLog new file mode 100644 index 000000000..8da8ec9fc --- /dev/null +++ b/src/sandbox-1.1/ChangeLog @@ -0,0 +1,265 @@ +# ChangeLog for Path Sandbox +# Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-src/portage/src/sandbox-1.1/Attic/ChangeLog,v 1.37.2.3 2004/12/01 22:14:09 carpaski Exp $ + + 01 Dec 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: + Added ferringb's code to handle the sandbox pid overflow problem. + + 07 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c: c99 standard + allowing data and code mixing in code isn't available for gcc 2.95- should fix + bug #70351. + + 03 Nov 2004; Brian Harring <ferringb@gentoo.org> libsandbox.c, sandbox_futils.c: + Fixups, and a hole closed regarding verifying SANDBOX_(|DEBUG_)LOG is sane. + + 02 Aug 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Code from + Seth Robertson that tracked down all adjuct flags for read operations that + do not invoke a write operation. + + 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: + Another fix from jstubbs regarding a free() on a stack variable for the + environment -- tracking now prevents extraneous free()'s segfault. + + 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c, sandbox.c: + J. Stubbs tracked down a new bug where mkdir was failing to the patch on + the lstat in mkdir... it now only returns 0 or -1 as documented for mkdir. + Also remove the errno = ESUCCESS settings as documentation points out that + a library isn't allowed to do that. + + 04 Apr 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: Added a + file_security_check() function to check random potential exploits on files + that sandbox is to load and read -- Normally sandboxpids.tmp. This fixes + the 'system-crippling' exploits (bug 21923) and catches a few other + potential problems. + + 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> Makefile: Updates for + 32/64 bit sandbox. Made CC and LD '?=' values to allow passed in CC to work. + + 20 Mar 2004; Nicholas Jones <carpaski@gentoo.org> libsandbox.c: + bug 42048 -- Fixed the lstat/errno conditions for mkdir <caleb@g.o>. + Added the 64/32 bit sandbox patch for AMD64 bug 32963 <brad/azarah>. + + 29 Feb 2004; Martin Schlemmer <azarah@gentoo.org> sandbox.c, sandbox_futils.c : + Fix permissions and group of pids file and logs. Permissions should be 0664 + and group should be 'portage'. Bug #34260. + + 28 Feb 2004; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Besides a small cleanup, redo how we replace LD_PRELOAD in the environ passed + to the real execve (in our execve wrapper). Seems that on some arches (sparc + among others) do not allow us to tamper with the readonly copy passed to + execve, so pass our own copy of the environment. Bug #42290. + + 11 Jan 2004; Nicholas Jones <carpaski@gentoo.org> create-decls: + Changed tail to head and added a notice about duration of glibc check. + + 21 Dec 2003; Nicholas Jones <carpaski@gentoo.org> create-decls: + Changed the glibc subversion check to use /usr/bin/* instead of /bin/sh + as there isn't a guarentee that it is dynamic. + + 02 Nov 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + If 'file' passed to before_syscall(const char *func, const char *file) is + invalid, we should set errno to ENOENT, and not EINVAL. This should + close bug #32238. + + 14 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix a bug that occurs mainly on 64bit arch, where the file passed to + the functions we wrap, is invalid, and then cause canonicalize to pass + garbage to before_syscall(), thanks to great detective work from + Andrea Luzzardi <al@sig11.org> (bug #29846). + + 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : + Add a uClibc detection patch from Peter S. Mazinger <ps.m@gmx.net>. + + 13 Oct 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix a bug in libsandbox.c 's checking in the rename wrapper - it basically + only checked the destination patch, and not the source, so we could move + a protected file to a unprotected directory, and then delete/modify it. + Thanks to Andrea Luzzardi (scox) <al@sig11.org>, bug #30992, for this fix. + + 12 Oct 2003; Nicholas Jones <carpaski@gentoo.org> sandbox.c : + Added python2.3 to the predict section/variable. + + 28 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, sandbox.c, + sandbox.h, sandbox_futils.c : + Add support to set the pids file via SANDBOX_PIDS_FILE at startup. If + it is not set, it will revert to its old value. + + 27 Sep 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix our mkdir wrapper to check if the dir exist, and return EEXIST if so, + rather than failing with a violation, bug #29748. + + 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + Fix canonicalize() to ignore calls with path = "". + + 27 Jul 2003; Martin Schlemmer <azarah@gentoo.org> getcwd.c, libsandbox.c, + sandbox_futils.c, canonicalize.c : + Once again coreutils fails, as my systems had 2.5 kernel, the getcwd system + call handled strings larger than PATH_MAX (bug #21766). It however does not + work the same on 2.4 kernels. + + To fix, I added the posix implementation of getcwd() (from glibc cvs) that + do not need the system call. We use the default getcwd() function via a + wrapper (egetcwd), and then lstat the returned path. If lstat fails, it + means the current directory was removed, OR that the the system call for + getcwd failed (curious is that it do not fail and return NULL or set + errno, but rather just truncate the retured directory - usually from the + start), and if so, we use the generic getcwd() function (__egetcwd). Note + that we do not use the generic version all the time, as it calls lstat() + a great number of times, and performance degrade much. + + 29 Jun 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls, + libsandbox.c : + Make sure SB_PATH_MAX will not wrap. Fix two possible memory leaks. + + 22 Jun 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c, canonicalize.c + create-localdecls : + When checking path names of files accessed, we need to canonicalize it, else + it may be a symlink in a 'write allowed' directory pointing to a file in a + directory we should not have write access to. + + With something like coreutils-5.0, we have two problems: + 1) One of the tests checks if getcwd() can return a path longer than + PATH_MAX. This test then tries to create a dir which even while + created local (mkdir("conftest2")), it ends up being resolved with + a name that is much larger than PATH_MAX. The problem now is that + canonicalize() have undefined behaviour when the path was too long + (returned wrongly truncated paths, etc), and pass the wrong path to + before_syscall() (causing the bogus sandbox violations). + 2) The ecanonicalize() function we used, along with the canonicalize() + function did not support longer than PATH_MAX. This is partly a + cause for 1), but the error checking (rather lack of it) of calls + to erealpath() in canonicalize() was the prime reason for 1). + + As we do not use this canonicalized name to call the function, we resolve this + by fixing canonicalize() to do better error checking, and ecanonicalize() as + well as all functions in libsandbox.c to use a PATH_MAX of 'PATH_MAX * 2'. + While they will resolve paths properly now, and can check if a write/read is + allowed, the functions called from the sandboxed environment will still work + as expected. + + This should resolve bug #21766. + + 06 Apr 2003; Martin Schlemmer <azarah@gentoo.org> libsandbox.c : + For some reason sandbox fails with a 'open_wr' if you run 'locale -a' under + it (bug #16298). + + Problem is that for some reason locale fopen's locale.alias with mode "rm". + + ------------------------------------------------------- + nosferatu root # grep fopen locale.log + fopen("/usr/share/locale/locale.alias", "rm"ACCESS DENIED open_wr: /usr/share/locale/locale.alias + nosferatu root # + -------------------------------------------------------- + + I checked the source of locale, but it have fopen with mode 'r', so + not sure where the "rm" mode comes from. Anyhow, changed the check in + before_syscall_open_char() to also see mode "rm" as readonly. + + 23 Feb 2003; Martin Schlemmer <azarah@gentoo.org> create-localdecls : + + Add glibc-2.3 support. + + 22 Feb 2003; Martin Schlemmer <azarah@gentoo.org> sandbox.c : + + Some /etc/ld.so.preload fixes. Just changed the #if defines to cover all + operations releated to preload, as well as only try to modify ld.so.preload + if we can. Also modify to write the pid to /tmp/sandboxpids.tmp even when + not using ld.so.preload. Fix to not write this instance of sandbox's pid + to /tmp/sandboxpids.tmp on exit if this is not the last sandbox running. + + 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> Makefile : + + Changed the LD to CC for hppa. + + 22 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : + + Killed the previous changes I made. + + 17 Feb 2003; Nicholas Jones <carpaski@gentoo.org> create-localdecls : + + Added parisc to BROKEN_RTLD_ARCHLIST to see if it we can fix the relocation probs. + + 09 Jan 2003; J Robert Ray <jrray@gentoo.org> sandbox.c : + + Don't segfault if $HOME isn't set, set $HOME to "/" instead. Fixes bug 10868. + + 16 Dec 2002; Martin Schlemmer <azarah@gentoo.org> create-localdecls : + + Fix memory leak for mips, bug #12236. Thanks to Torgeir Hansen <torgeir@trenger.ro> + for this fix. + + 4 Dec 2002; J Robert Ray <jrray@gentoo.org> sandbox.h sandbox_futils.c : + + sandbox_futils defined a dirname() function that was masking the same + function in glibc and was broken (e.g.: SANDBOX_DIR was being set to + '/usr/lib/portage/bi/'). Fixed function to return expected results and + renamed it to sb_dirname() to no longer mask the glibc function. Closes bug + 11231. + + 4 Dec 2002; Martin Schlemmer <azarah@gentoo.org> : + + Fix a segfault in libsandbox.c if canonicalize() was called with + first parameter = NULL. + + 1 Sep 2002; Martin Schlemmer <azarah@gentoo.org> : + + Fix my braindead 'return 1;' in a void function. Updated sandbox.c, + cleanup() for this. + + Change cleanup() in sandbox.c not to exit with fail status if + the pidsfile is missing. We really should still display sandbox + violations if they occured. + + 31 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Update cleanup() in sandbox.c to remove the PIDSFILE if this is + the last sandbox running. + + 25 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Major cleanups to mainly libsandbox.c again. + + 22 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Add copyrights to sandbox.h and sandbox_futils.h. If wrong, the + parties involved should please contact me so that we can fix it. + + Add opendir wrapper to libsandbox.c. + + 21 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Do some more cleanups to ecanonicalize(), as it dropped filenames in + rare cases (after my symlink cleanups), and caused glibc to bork. + These fixes went into canonicalize.c. + + 20 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Fix spawn_shell() and main() in sandbox.c to properly return fail + status. + + 19 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + The new canonicalize() function in libsandbox.c also resolved symlinks, + which caused on cleaning sandbox errors if the symlink pointed to a + file in the live root. Ripped out canonicalize() and realpath() from + glibc; removed the symlink stuff, and changed them to ecanonicalize() + and erealpath(). + + 18 Aug 2002; Martin Schlemmer <azarah@gentoo.org> : + + Ripped out all the wrappers, and implemented those of InstallWatch. + Losts of cleanups and bugfixes. Implement a execve that forces + $LIBSANDBOX in $LD_PRELOAD. We can now thus do away with the feared + /etc/ld.so.preload (*g*) ... Made the needed changes to sandbox.c, + sandbox.h and sandbox_futils.c. Rewrote the Makefile for most + parts; it now have an install target. + + Reformat the whole thing to look somewhat like the reworked sandbox.c + and new sandbox.h and sandbox_futils.c from: + + Brad House <brad@mainstreetsoftworks.com>. + + Additional Copyrights now due to the InstallWatch code: + + Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net> + |