aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2021-10-23 06:17:38 -0400
committerMike Frysinger <vapier@gentoo.org>2021-10-23 18:18:03 -0400
commit1db325a29ffd8f764b9142fdf41b9933de547658 (patch)
tree07473b76781b437ff0fcfdf00248a5d0407e7df5 /libsandbox
parentlibsandbox: move symbols.h.in parsing to scripts (diff)
downloadsandbox-1db325a29ffd8f764b9142fdf41b9933de547658.tar.gz
sandbox-1db325a29ffd8f764b9142fdf41b9933de547658.tar.bz2
sandbox-1db325a29ffd8f764b9142fdf41b9933de547658.zip
libsandbox: tweak how undefined symbols are declared
Rather than always set undefined symbols to the same constant, expand it to a range of constants, and give every symbol a unique value. For dynamic symbol processing, this isn't a big deal as such symbols will never show up, but when handling syscalls that don't have a matching C library symbol, we need to make sure that we have unique entries. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'libsandbox')
-rw-r--r--libsandbox/libsandbox.h4
-rw-r--r--libsandbox/trace.c4
-rw-r--r--libsandbox/wrapper-funcs/__pre_check.c8
3 files changed, 10 insertions, 6 deletions
diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h
index 96bb7c1..fbea6ba 100644
--- a/libsandbox/libsandbox.h
+++ b/libsandbox/libsandbox.h
@@ -46,6 +46,10 @@
#define SB_SAFE_OPEN_CHAR(_path, _mode) \
SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode)
+/* Symbols that don't exist in the C library will be <= this value. */
+#define SB_NR_UNDEF -99999
+#define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF)
+
bool is_sandbox_on(void);
bool before_syscall(int, int, const char *, const char *, int);
bool before_syscall_access(int, int, const char *, const char *, int);
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index 7660d47..ae5f935 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -305,7 +305,7 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
state.regs = regs;
state.nr = nr = se->sys;
state.func = name = se->name;
- if (nr == SB_NR_UNDEF) goto done;
+ if (!SB_NR_IS_DEFINED(nr)) goto done;
else if (nr == SB_NR_MKDIR) state.pre_check = sb_mkdirat_pre_check;
else if (nr == SB_NR_MKDIRAT) state.pre_check = sb_mkdirat_pre_check;
else if (nr == SB_NR_UNLINK) state.pre_check = sb_unlinkat_pre_check;
@@ -313,7 +313,7 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs)
else state.pre_check = NULL;
/* Hmm, add these functions to the syscall table and avoid this if() ? */
- if (nr == SB_NR_UNDEF) goto done;
+ if (!SB_NR_IS_DEFINED(nr)) goto done;
else if (nr == SB_NR_CHMOD) return trace_check_syscall_C (&state);
else if (nr == SB_NR_CHOWN) return trace_check_syscall_C (&state);
else if (nr == SB_NR_CREAT) return trace_check_syscall_C (&state);
diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
index 28ad91f..e7db0a2 100644
--- a/libsandbox/wrapper-funcs/__pre_check.c
+++ b/libsandbox/wrapper-funcs/__pre_check.c
@@ -5,19 +5,19 @@
* Licensed under the GPL-2
*/
-#if SB_NR_MKDIR != SB_NR_UNDEF && SB_NR_MKDIRAT == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_MKDIR) && !SB_NR_IS_DEFINED(SB_NR_MKDIRAT)
# include "mkdirat_pre_check.c"
#endif
-#if SB_NR_OPEN != SB_NR_UNDEF && SB_NR_OPENAT == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_OPEN) && !SB_NR_IS_DEFINED(SB_NR_OPENAT)
# include "openat_pre_check.c"
#endif
-#if SB_NR_OPEN64 != SB_NR_UNDEF && SB_NR_OPENAT64 == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_OPEN64) && !SB_NR_IS_DEFINED(SB_NR_OPENAT64)
# include "openat64_pre_check.c"
#endif
-#if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
+#if SB_NR_IS_DEFINED(SB_NR_UNLINK) && !SB_NR_IS_DEFINED(SB_NR_UNLINKAT)
# include "unlinkat_pre_check.c"
#endif