summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/common/sandbox.c89
1 files changed, 59 insertions, 30 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 49c057c2aa..4fd95f06d0 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -678,36 +678,65 @@ sandbox_intern_string(const char *param)
return param;
}
-static char*
-prot_strdup(char* str)
-{
- int param_size = 0;
- char *res = NULL;
+static int
+prot_strings(sandbox_cfg_t* cfg) {
+ int ret = 0;
+ int pr_mem_size = 0, pr_mem_left = 0;
+ char *pr_mem_next = NULL, *pr_mem_base;
+ sandbox_cfg_t *el = NULL;
+
+ // get total number of bytes required to mmap
+ for(el = cfg; el != NULL; el = el->next) {
+ pr_mem_size += strlen((char*) el->param) + 1;
+ }
- if (str == NULL)
- goto out;
-
- // allocating protected memory region for parameter
- param_size = 1 + strlen(str);
-
- res = (char*) mmap(NULL, param_size, PROT_READ | PROT_WRITE, MAP_PRIVATE |
- MAP_ANON, -1, 0);
- if (!res) {
- log_err(LD_BUG,"(Sandbox) failed allocate protected memory!");
+ // allocate protected memory
+ pr_mem_base = (char*) mmap(NULL, pr_mem_size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON, -1, 0);
+ if (pr_mem_base == MAP_FAILED) {
+ log_err(LD_BUG,"(Sandbox) failed allocate protected memory! mmap: %s",
+ strerror(errno));
+ ret = -1;
goto out;
}
- // copying from non protected to protected + pointer reassign
- memcpy(res, str, param_size);
+ pr_mem_next = pr_mem_base;
+ pr_mem_left = pr_mem_size;
+
+ // change el value pointer to protected
+ for (el = cfg; el != NULL; el = el->next) {
+ char *param_val = (char*) el->param;
+ int param_size = strlen(param_val) + 1;
+
+ if (pr_mem_left - param_size >= 0) {
+ // copy to protected
+ memcpy(pr_mem_next, param_val, param_size);
+
+ // re-point el parameter to protected
+ free((char*) el->param);
+ el->param = (intptr_t) pr_mem_next;
+ el->prot = 1;
+
+ // move next available protected memory
+ pr_mem_next += param_size;
+ pr_mem_left -= param_size;
+ } else {
+ log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
+ ret = -2;
+ goto out;
+ }
+ }
// protecting from writes
- if (mprotect(res, param_size, PROT_READ)) {
- log_err(LD_BUG,"(Sandbox) failed to protect memory!");
- return NULL;
+ if (mprotect(pr_mem_base, pr_mem_size, PROT_READ)) {
+ log_err(LD_BUG,"(Sandbox) failed to protect memory! mprotect: %s",
+ strerror(errno));
+ ret = -3;
+ goto out;
}
out:
- return res;
+ return ret;
}
#ifdef __NR_stat64
@@ -719,8 +748,8 @@ sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, int fr)
elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
elem->syscall = SCMP_SYS(stat64);
elem->pindex = 0;
- elem->param = (intptr_t) prot_strdup((char*) file);
- elem->prot = 1;
+ elem->param = (intptr_t) strdup(file);
+ elem->prot = 0;
elem->next = *cfg;
*cfg = elem;
@@ -763,8 +792,8 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr)
elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
elem->syscall = SCMP_SYS(open);
elem->pindex = 0;
- elem->param = (intptr_t) prot_strdup((char*) file);
- elem->prot = 1;
+ elem->param = (intptr_t) strdup(file);
+ elem->prot = 0;
elem->next = *cfg;
*cfg = elem;
@@ -806,8 +835,8 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, int fr)
elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
elem->syscall = SCMP_SYS(openat);
elem->pindex = 1;
- elem->param = (intptr_t) prot_strdup((char*) file);;
- elem->prot = 1;
+ elem->param = (intptr_t) strdup(file);
+ elem->prot = 0;
elem->next = *cfg;
*cfg = elem;
@@ -849,8 +878,8 @@ sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com)
elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
elem->syscall = SCMP_SYS(openat);
elem->pindex = 1;
- elem->param = (intptr_t) prot_strdup((char*) com);;
- elem->prot = 1;
+ elem->param = (intptr_t) strdup(com);
+ elem->prot = 0;
elem->next = *cfg;
*cfg = elem;
@@ -1121,7 +1150,7 @@ initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
if (install_sigsys_debugging())
return -1;
- if (init_addrinfo()) {
+ if (init_addrinfo() || prot_strings(cfg)) {
return -4;
}