diff options
author | Mike Frysinger <vapier@gentoo.org> | 2021-10-23 06:17:38 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2021-10-23 18:18:03 -0400 |
commit | 1db325a29ffd8f764b9142fdf41b9933de547658 (patch) | |
tree | 07473b76781b437ff0fcfdf00248a5d0407e7df5 /libsandbox | |
parent | libsandbox: move symbols.h.in parsing to scripts (diff) | |
download | sandbox-1db325a29ffd8f764b9142fdf41b9933de547658.tar.gz sandbox-1db325a29ffd8f764b9142fdf41b9933de547658.tar.bz2 sandbox-1db325a29ffd8f764b9142fdf41b9933de547658.zip |
libsandbox: tweak how undefined symbols are declared
Rather than always set undefined symbols to the same constant, expand
it to a range of constants, and give every symbol a unique value. For
dynamic symbol processing, this isn't a big deal as such symbols will
never show up, but when handling syscalls that don't have a matching C
library symbol, we need to make sure that we have unique entries.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'libsandbox')
-rw-r--r-- | libsandbox/libsandbox.h | 4 | ||||
-rw-r--r-- | libsandbox/trace.c | 4 | ||||
-rw-r--r-- | libsandbox/wrapper-funcs/__pre_check.c | 8 |
3 files changed, 10 insertions, 6 deletions
diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h index 96bb7c1..fbea6ba 100644 --- a/libsandbox/libsandbox.h +++ b/libsandbox/libsandbox.h @@ -46,6 +46,10 @@ #define SB_SAFE_OPEN_CHAR(_path, _mode) \ SB_SAFE_OPEN_CHAR_AT(AT_FDCWD, _path, _mode) +/* Symbols that don't exist in the C library will be <= this value. */ +#define SB_NR_UNDEF -99999 +#define SB_NR_IS_DEFINED(nr) (nr > SB_NR_UNDEF) + bool is_sandbox_on(void); bool before_syscall(int, int, const char *, const char *, int); bool before_syscall_access(int, int, const char *, const char *, int); diff --git a/libsandbox/trace.c b/libsandbox/trace.c index 7660d47..ae5f935 100644 --- a/libsandbox/trace.c +++ b/libsandbox/trace.c @@ -305,7 +305,7 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs) state.regs = regs; state.nr = nr = se->sys; state.func = name = se->name; - if (nr == SB_NR_UNDEF) goto done; + if (!SB_NR_IS_DEFINED(nr)) goto done; else if (nr == SB_NR_MKDIR) state.pre_check = sb_mkdirat_pre_check; else if (nr == SB_NR_MKDIRAT) state.pre_check = sb_mkdirat_pre_check; else if (nr == SB_NR_UNLINK) state.pre_check = sb_unlinkat_pre_check; @@ -313,7 +313,7 @@ static bool trace_check_syscall(const struct syscall_entry *se, void *regs) else state.pre_check = NULL; /* Hmm, add these functions to the syscall table and avoid this if() ? */ - if (nr == SB_NR_UNDEF) goto done; + if (!SB_NR_IS_DEFINED(nr)) goto done; else if (nr == SB_NR_CHMOD) return trace_check_syscall_C (&state); else if (nr == SB_NR_CHOWN) return trace_check_syscall_C (&state); else if (nr == SB_NR_CREAT) return trace_check_syscall_C (&state); diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c index 28ad91f..e7db0a2 100644 --- a/libsandbox/wrapper-funcs/__pre_check.c +++ b/libsandbox/wrapper-funcs/__pre_check.c @@ -5,19 +5,19 @@ * Licensed under the GPL-2 */ -#if SB_NR_MKDIR != SB_NR_UNDEF && SB_NR_MKDIRAT == SB_NR_UNDEF +#if SB_NR_IS_DEFINED(SB_NR_MKDIR) && !SB_NR_IS_DEFINED(SB_NR_MKDIRAT) # include "mkdirat_pre_check.c" #endif -#if SB_NR_OPEN != SB_NR_UNDEF && SB_NR_OPENAT == SB_NR_UNDEF +#if SB_NR_IS_DEFINED(SB_NR_OPEN) && !SB_NR_IS_DEFINED(SB_NR_OPENAT) # include "openat_pre_check.c" #endif -#if SB_NR_OPEN64 != SB_NR_UNDEF && SB_NR_OPENAT64 == SB_NR_UNDEF +#if SB_NR_IS_DEFINED(SB_NR_OPEN64) && !SB_NR_IS_DEFINED(SB_NR_OPENAT64) # include "openat64_pre_check.c" #endif -#if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF +#if SB_NR_IS_DEFINED(SB_NR_UNLINK) && !SB_NR_IS_DEFINED(SB_NR_UNLINKAT) # include "unlinkat_pre_check.c" #endif |