-rw-r--r--lua_scripts/mapping.lua7
-rw-r--r--lua_scripts/pathmaps/devel/00_default.lua8
-rw-r--r--luaif/luaif.c53
-rwxr-xr-xwrappers/dpkg-checkbuilddeps2
4 files changed, 68 insertions, 2 deletions
diff --git a/lua_scripts/mapping.lua b/lua_scripts/mapping.lua
index b70c632..629bbaf 100644
--- a/lua_scripts/mapping.lua
+++ b/lua_scripts/mapping.lua
@@ -339,6 +339,13 @@ function sbox_execute_conditional_actions(binary_name,
return sbox_execute_rule(binary_name,
func_name, rp, path, rule_cand)
end
+ elseif (rule_cand.if_redirect_ignore_is_active) then
+ if (sb.test_redirect_ignore(
+ rule_cand.if_redirect_ignore_is_active)) then
+
+ return sbox_execute_rule(binary_name,
+ func_name, rp, path, rule_cand)
+ end
else
-- there MUST BE unconditional actions:
if (rule_cand.use_orig_path
diff --git a/lua_scripts/pathmaps/devel/00_default.lua b/lua_scripts/pathmaps/devel/00_default.lua
index 09daadf..ceb7b2a 100644
--- a/lua_scripts/pathmaps/devel/00_default.lua
+++ b/lua_scripts/pathmaps/devel/00_default.lua
@@ -123,12 +123,16 @@ perl_lib_test = {
}
perl_bin_test = {
+ { if_redirect_ignore_is_active = "/usr/bin/perl",
+ map_to = target_root, readonly = true },
{ if_active_exec_policy_is = "Rootstrap",
map_to = target_root, readonly = true },
{ map_to = tools, readonly = true }
}
python_bin_test = {
+ { if_redirect_ignore_is_active = "/usr/bin/python",
+ map_to = target_root, readonly = true },
{ if_active_exec_policy_is = "Rootstrap",
map_to = target_root, readonly = true },
{ map_to = tools, readonly = true }
@@ -327,8 +331,8 @@ devel_mode_rules_usr_bin = {
readonly = true},
-- 19. perl & python:
- -- processing depends on the
- -- name of the current mapping mode.
+ -- processing depends on SBOX_REDIRECT_IGNORE and
+ -- name of the current mapping mode.
-- (these are real prefixes, version number may
-- be included in the name (/usr/bin/python2.5 etc))
{prefix = "/usr/bin/perl", actions = perl_bin_test},
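Review bot: The updated comment says processing depends on SBOX_REDIRECT_IGNORE, but read together with the lines that follow ("version number may be included in the name") it suggests that listing `/usr/bin/python2.5` in the variable would trigger the new rule. From the mapping.lua change, what is looked up is the rule's own literal (`rule_cand.if_redirect_ignore_is_active`, i.e. "/usr/bin/python"), and the C side compares tokens with strcmp, so only the exact unversioned string in SBOX_REDIRECT_IGNORE has any effect. A clarifying line would avoid misconfiguration: `-- (SBOX_REDIRECT_IGNORE must list the exact prefix, e.g. "/usr/bin/python", not a versioned name)`.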
diff --git a/luaif/luaif.c b/luaif/luaif.c
index e6f8b25..2801bdd 100644
--- a/luaif/luaif.c
+++ b/luaif/luaif.c
@@ -764,6 +764,58 @@ static int lua_sb_procfs_mapping_request(lua_State *l)
return 1;
}
+/* "sb.test_redirect_ignore", to be called from lua code
+ * Parameters (in stack):
+ * 1. string: unmapped path
+ * Returns (in stack):
+ * 1. flag (boolean): true if the path is listed in environment
+ * variable "SBOX_REDIRECT_IGNORE", false otherwise
+ *
+ * Note: It would be nice if the value of SBOX_REDIRECT_IGNORE could be
+ * cached, but it can't; it can be changed by the current process.
+*/
+static int lua_sb_test_redirect_ignore(lua_State *l)
+{
+ char *env_sbox_redirect_ignore = NULL;
+ int result = 0; /* boolean; default result is "false" */
+ int n;
+ const char *path = NULL;
+ char *tok = NULL;
+ char *tok_state = NULL;
+
+ n = lua_gettop(l);
+ if (n != 1) {
+ SB_LOG(SB_LOGLEVEL_DEBUG, "lua_sb_test_redirect_ignore FAILS: lua_gettop = %d", n);
+ goto out;
+ }
+
+ env_sbox_redirect_ignore = getenv("SBOX_REDIRECT_IGNORE");
+ if (!env_sbox_redirect_ignore) {
+ SB_LOG(SB_LOGLEVEL_DEBUG, "no SBOX_REDIRECT_IGNORE");
+ goto out;
+ }
+ env_sbox_redirect_ignore = strdup(env_sbox_redirect_ignore);
+ SB_LOG(SB_LOGLEVEL_DEBUG, "SBOX_REDIRECT_IGNORE is '%s'",
+ env_sbox_redirect_ignore);
+
+ path = lua_tostring(l, 1);
+ if (!path) goto out;
+
+ tok = strtok_r(env_sbox_redirect_ignore, ":", &tok_state);
+ while (tok) {
+ result = !strcmp(path, tok);
+ if (result) goto out; /* return if matched */
+ tok = strtok_r(NULL, ":", &tok_state);
+ }
+
+ out:
+ if (env_sbox_redirect_ignore) free(env_sbox_redirect_ignore);
+ lua_pushboolean(l, result);
+ SB_LOG(SB_LOGLEVEL_DEBUG, "lua_sb_test_redirect_ignore(%s) => %d",
+ path, result);
+ return 1;
+}
+
/* mappings from c to lua */
static const luaL_reg reg[] =
{
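Review bot: The strdup() result at the `env_sbox_redirect_ignore = strdup(...)` line is never checked, so on allocation failure the NULL is first printed with %s and then passed to strtok_r(), which dereferences it; add `if (!env_sbox_redirect_ignore) goto out;` right after the strdup so the function falls back to its default "false" result. The closing SB_LOG likewise prints `path` with %s although `path` is still NULL on the `n != 1` early exit, which is undefined behaviour outside glibc; `path ? path : "(null)"` keeps the log safe. The `if (env_sbox_redirect_ignore) free(...)` guard is redundant since free(NULL) is a no-op. Finally, the header comment describes parameter 1 as the "unmapped path", while the caller in mapping.lua passes the rule's `if_redirect_ignore_is_active` string; "string: name to look up in SBOX_REDIRECT_IGNORE (compared exactly against each colon-separated entry)" would match how it is actually used.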
@@ -786,6 +838,7 @@ static const luaL_reg reg[] =
{"isprefix", lua_sb_isprefix},
{"test_path_match", lua_sb_test_path_match},
{"procfs_mapping_request", lua_sb_procfs_mapping_request},
+ {"test_redirect_ignore", lua_sb_test_redirect_ignore},
{NULL, NULL}
};
diff --git a/wrappers/dpkg-checkbuilddeps b/wrappers/dpkg-checkbuilddeps
index b2dbd5c..fb78725 100755
--- a/wrappers/dpkg-checkbuilddeps
+++ b/wrappers/dpkg-checkbuilddeps
@@ -31,6 +31,8 @@ args="$*"
prog="$0"
progbase=`basename $0`
+SBOX_REDIRECT_IGNORE=""
+
function error_not_inside_sb2()
{
echo "SB2: $progbase: This wrapper can only be used from inside"