commit: eec2258014b6b01c450915171bacbefe29549a5e Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Sun Dec 22 18:57:00 2024 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Sun Dec 22 19:12:55 2024 +0000 URL: https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=eec22580
Fix AT_EMPTY_PATH check The flags argument has different meanings depending on the syscall. Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> (cherry picked from commit 18e5b33ea8237e725741fc4c67eb9d7b09e2f759) libsandbox/libsandbox.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c index 2843536..ee0a07c 100644 --- a/libsandbox/libsandbox.c +++ b/libsandbox/libsandbox.c @@ -700,7 +700,11 @@ static bool symlink_func(int sb_nr, int flags) return true; /* These funcs sometimes operate on symlinks */ - if ((sb_nr == SB_NR_FCHOWNAT || + if ((sb_nr == SB_NR_ACCESS_RD || + sb_nr == SB_NR_ACCESS_WR || + sb_nr == SB_NR_FACCESSAT || + sb_nr == SB_NR_FACCESSAT2 || + sb_nr == SB_NR_FCHOWNAT || sb_nr == SB_NR_FCHMODAT || sb_nr == SB_NR_UTIMENSAT) && (flags & AT_SYMLINK_NOFOLLOW)) @@ -709,6 +713,19 @@ static bool symlink_func(int sb_nr, int flags) return false; } +static bool check_at_empty_path(int sb_nr, int flags) +{ + if (sb_nr == SB_NR_ACCESS_RD || + sb_nr == SB_NR_ACCESS_WR || + sb_nr == SB_NR_FACCESSAT || + sb_nr == SB_NR_FACCESSAT2 || + sb_nr == SB_NR_FCHOWNAT || + sb_nr == SB_NR_FCHMODAT || + sb_nr == SB_NR_UTIMENSAT) + return (flags & AT_EMPTY_PATH) ? true : false; + return false; +} + static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func, int flags, const char *abs_path, const char *resolv_path) { @@ -1067,7 +1084,7 @@ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, in return true; /* let the kernel reject this */ } else if (file[0] == '\0') { - if (!(flags & AT_EMPTY_PATH)) + if (!check_at_empty_path(sb_nr, flags)) return true; /* let the kernel reject this */ }
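Review bot: The seven-entry sb_nr list in symlink_func()'s condition (first hunk) is repeated verbatim in check_at_empty_path() (second hunk), so the two copies can drift apart when another *at wrapper is added. Both tests ask the same question, namely whether this call's flags argument carries AT_* bits, so a single predicate would keep them in step. The four access-family entries added here also change AT_SYMLINK_NOFOLLOW handling, which the description ("Fix AT_EMPTY_PATH check") does not mention and which deserves a line there. symlink_func() begins above the hunk, so the sketch below shows only the condition and the new helper.

```c
/* True for the calls whose flags argument carries AT_* bits. */
static bool sb_nr_has_at_flags(int sb_nr)
{
	return sb_nr == SB_NR_ACCESS_RD ||
	       sb_nr == SB_NR_ACCESS_WR ||
	       sb_nr == SB_NR_FACCESSAT ||
	       sb_nr == SB_NR_FACCESSAT2 ||
	       sb_nr == SB_NR_FCHOWNAT ||
	       sb_nr == SB_NR_FCHMODAT ||
	       sb_nr == SB_NR_UTIMENSAT;
}

/* ... unchanged: start of symlink_func() ... */
	/* These funcs sometimes operate on symlinks */
	if (sb_nr_has_at_flags(sb_nr) && (flags & AT_SYMLINK_NOFOLLOW))
/* ... unchanged: rest of symlink_func() ... */

static bool check_at_empty_path(int sb_nr, int flags)
{
	return sb_nr_has_at_flags(sb_nr) && (flags & AT_EMPTY_PATH) != 0;
}
```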
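Review bot: check_at_empty_path() (second hunk) fails open for every sb_nr it does not list: it returns false, and the caller in the last hunk then returns true from before_syscall() on an empty path, which by its own comment hands the call to the kernel without a sandbox path check. That is the right outcome for calls whose flags are not AT_* bits, but a wrapped call that does honour AT_EMPTY_PATH and is missing from the list would act on dirfd unchecked, so the list has to stay complete. Whether any such wrapper exists cannot be told from this page, so the invariant should be written down above the function, e.g. `/* Only these calls pass AT_* flags. Anything not listed is let through on an empty path, so every wrapper that honours AT_EMPTY_PATH must be listed here. */`. The "let the kernel reject this" comment in the last hunk relies on the same assumption.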