Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Not sure why, but the dumpelf.fuzz fuzzer fails when it's calling
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) at security_init.
So I suggest disabling seccomp for fuzzy testing.
Also, in order to not run indefinitely,
the fuzzer must be executed with some reasonable options.
https://releases.llvm.org/14.0.0/docs/LibFuzzer.html#options
Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com>
Closes: https://github.com/gentoo/pax-utils/pull/13
Signed-off-by: Sam James <sam@gentoo.org>
I wasn't paying enough attention, it's better to just fold the needed
bits into porting.h.
This reverts commit ffedc60fa41d307bda28fd108e6ff1b8da1fc2ee.
This reverts commit f8287200aec0ca33ef07fafcdd5aef0aa6eb1306.
This reverts commit aa907a42d89ddfd5a7e64d8182a1da35277f2f6e.
Bug: https://github.com/gentoo/pax-utils/pull/11#issuecomment-1407566344
Signed-off-by: Sam James <sam@gentoo.org>
Separate from the first commit as this one was done programmatically with
dev-util/include-what-you-use.
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Arsen Arsenović <arsen@aarsen.me>
Signed-off-by: Sam James <sam@gentoo.org>
Since the bpf programs are the same across runs, generate it ahead of
time. This way we don't have to link against libseccomp and run the
library calls at runtime which helps cut out most overhead.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Under glibc-2.33 sandbox uses faccessat2 to stat symlinks.
Unfortunately libseccomp does not yet provide syscall definition
for faccessat2. Define it locally.
Reported-by: Cănărău Constantin
Bug: https://bugs.gentoo.org/768435
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
libseccomp does not yet provide faccessat2. I tested the commit
without seccomp enabled.
This reverts commit e2378b8c6bef5d94805444797e7fe35c07f54783.
Bug: https://bugs.gentoo.org/768435
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Under glibc-2.33 sandbox uses faccessat2 to stat symlinks.
Reported-by: Cănărău Constantin
Bug: https://bugs.gentoo.org/768435
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
musl-1.1.24 starting from dfc81828f7ab41da08f744c
"implement fstatat with SYS_statx, conditional on undersized kstat time"
changed fstatat() to use statx().
This caused scanelf to crash under seccomp sandbox.
The change whitelists 'statx' syscall.
Bug: https://bugs.gentoo.org/717300
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
glibc-2.31 switched semop() libc implementation from semop() to semtimedop()
in https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=765cdd0bffd77960a
("sysvipc: Implement semop based on semtimedop")
This caused pax-utils to fail under fakeroot as:
```
$ fakeroot scanelf -yqRBF '#k%F' -k '.symtab' /bin/bash
.../usr/bin/fakeroot: line 178: 103268 Bad system call ...
Program terminated with signal SIGSYS, Bad system call.
33 ../sysdeps/unix/sysv/linux/semtimedop.c: No such file or directory.
(gdb) bt
(gdb)
```
The change whitelists 'semtimedop' syscall.
Reported-by: Patrick McLean
Bug: https://bugs.gentoo.org/709794
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
On amd64 and friends msgget() and similar syscalls are standalone syscalls.
On i386 and friends msgget() is a subcall of ipc() syscall.
This makes fakechroot break 'scanelf' as:
```
$ LANG=C fakeroot scanelf -t /bin/bash
/usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped)
```
The change whitelists ipc() call which allows all sysv syscalls, namely:
- semop, semget, semctl, semtimedop
- msgsnd, msgrcv, msgget, msgctl
- shmat, shmdt, shmget, shmctl
Reported-and-fixed-by: Samuel Holland
Bug: https://bugs.gentoo.org/675378
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Basically wrap all defines in ifdefs or add fallback stubs.
URL: https://bugs.gentoo.org/606184
Newer arches omit readlink entirely (like aarch64).
Reported-by: Steev Klimaszewski <steev@gentoo.org>
Some C libraries might use these functions in different ways. Since they
are fairly harmless to use, just whitelist all the read/write variants.
URL: https://bugs.gentoo.org/571128
Reported-by: Vladimir Lushnikov <vladimir@vladimir.lu>
Reported-by: Mias van Klei <miasvanklei@gmail.com>
This might be run by the sandbox.
Reported-by: Markus Oehme <oehme.markus@gmx.de>
URL: https://bugs.gentoo.org/562206
Make sure we do not try to use si_syscall when it isn't available.
URL: https://bugs.gentoo.org/560098
When building with openmp, often libpthread is linked in and code
automatically generated using it. That means lower mutexes end up
calling the futex syscall. This isn't just when pax-utils is built
with openmp, but it also applies when libraries it links with are
built with openmp.
Reported-by: florianmey@gmx.de
URL: https://bugs.gentoo.org/559814
These are used by freopen internally, so whitelist them all.
They're pretty benign at any rate.
If the seccomp feature is disabled in the kernel, we'll get back
EINVAL from the prctl call. There's no simple way to differentiate
between a real EINVAL (bad filter args), so we'll just assume that
libseccomp knows what it is doing.
Reported-by: Piotr Karbowski <piotr.karbowski@gmail.com>
URL: https://bugs.gentoo.org/558414
Until we get a bit more dynamic here, whitelist the IPC syscalls that
fakeroot uses since it is available via portage FEATURES.
URL: https://bugs.gentoo.org/558482
If a bad syscall is hit, it can be hard to track down. Add a debug mode
that people can enable to get useful error messages showing the failure.
URL: https://bugs.gentoo.org/558482
We don't need to check for ifdefs on syscalls as libseccomp handles stubs
for us. They make sure the SCMP_SYS macros are a superset across all of
the supported architectures.
This has a minor speed hit (a few milliseconds), but otherwise provides
a decent balance.
Should make accidentally running set*id programs less of a problem.
In practice this isn't terribly useful as people aren't attacking these
tools, but might as well be paranoid.
It'd be nice to use mount & net namespaces too, but they're way too slow.
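The seccomp pieces these commits describe (a BPF allow-list generated ahead of time, #ifdef-guarded syscall numbers, SECCOMP_RET_TRAP so a SIGSYS handler can report the offending call, no_new_privs against set*id helpers, and EINVAL from prctl() when the kernel cannot do seccomp), as an added example written for this page, not pax-utils' own code. It assumes Linux on x86_64 or aarch64; NATIVE_ARCH, allow_list (a constructed subset of the syscalls named in the log), build_filter and install_filter are this example's own names.

```c
/* Added example (not pax-utils code): a pre-generated classic-BPF seccomp
 * allow-list in the spirit of the commits above.  Linux x86_64/aarch64 only. */
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define STMT(c, k) ((struct sock_filter)BPF_STMT(c, k))
#define JEQ(k, jt) ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, 0))
/* Constructed subset of the syscalls the log whitelists. */
static const long allow_list[] = { __NR_read, __NR_write, __NR_futex,
	__NR_statx, __NR_semtimedop, __NR_exit_group,
#ifdef __NR_ipc  /* i386 multiplexes sysv IPC through ipc(); absent elsewhere */
	__NR_ipc,
#endif
};
#define NALLOW (sizeof(allow_list) / sizeof(allow_list[0]))
#define FILTER_LEN (NALLOW + 6)
/* ld arch; jeq native; ret KILL; ld nr; jeq each allowed -> ALLOW; ret TRAP (so a SIGSYS handler can report si_syscall); ret ALLOW */
static void build_filter(struct sock_filter *p)
{
	size_t n = 0;
	p[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
	p[n++] = JEQ(NATIVE_ARCH, 1);  /* foreign ABI (e.g. i386 numbers on amd64): kill */
	p[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
	p[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
	for (size_t i = 0; i < NALLOW; i++)  /* jt lands on the final ret ALLOW */
		p[n++] = JEQ((__u32)allow_list[i], (__u8)(NALLOW - i));
	p[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
	p[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
}
/* 0 = installed, 1 = kernel cannot do seccomp filters (prctl gives EINVAL), -1 = other. */
static int install_filter(void)
{
	struct sock_filter p[FILTER_LEN];
	struct sock_fprog prog = { .len = FILTER_LEN, .filter = p };
	build_filter(p);
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||  /* needed unprivileged; also defangs set*id */
	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
		return errno == EINVAL ? 1 : -1;
	return 0;
}
```

Anything outside allow_list raises SIGSYS once install_filter() succeeds, so a real list has to cover every call libc makes on the program's behalf, which is exactly what the futex, read/write-variant and statx additions above were chasing.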