-rw-r--r-- | include/sb2.h | 19 | ||||
-rw-r--r-- | lua_scripts/create_reverse_rules.lua | 26 | ||||
-rw-r--r-- | lua_scripts/main.lua | 2 | ||||
-rw-r--r-- | lua_scripts/mapping.lua | 37 | ||||
-rw-r--r-- | lua_scripts/pathmaps/devel/00_default.lua | 6 | ||||
-rw-r--r-- | lua_scripts/pathmaps/emulate/00_default.lua | 4 | ||||
-rw-r--r-- | lua_scripts/pathmaps/install/00_default.lua | 4 | ||||
-rw-r--r-- | lua_scripts/pathmaps/simple/00_default.lua | 6 | ||||
-rw-r--r-- | lua_scripts/pathmaps/tools/00_default.lua | 4 | ||||
-rw-r--r-- | luaif/luaif.c | 29 | ||||
-rw-r--r-- | luaif/paths.c | 79 | ||||
-rw-r--r-- | preload/Makefile | 3 | ||||
-rw-r--r-- | preload/interface.master | 7 | ||||
-rw-r--r-- | preload/libsb2.c | 5 | ||||
-rw-r--r-- | preload/sb_exec.c | 32 | ||||
-rwxr-xr-x | utils/sb2 | 1 |
16 files changed, 192 insertions, 72 deletions
diff --git a/include/sb2.h b/include/sb2.h index 32ad22f..955d624 100644 --- a/include/sb2.h +++ b/include/sb2.h @@ -39,24 +39,30 @@ struct lua_instance { * - added new functions sb.get_forced_mapmode() and sb.get_session_perm() * * Differences between "59,lta-2008-12-04" and "53,lta-2008-11-10" * - part of rule selection logic is now implemented in C. + * * Differences between "60,2008-12-07" and "59,lta-2008-12-04" + * - Added special handler for /proc => sb.procfs_mapping_request() was + * added to luaif.c (and mapping.lua needs it) + * - sbox_get_mapping_requirements() now returns four values * * NOTE: the corresponding identifier for Lua is in lua_scripts/main.lua */ -#define SB2_LUA_C_INTERFACE_VERSION "59,lta-2008-12-04" +#define SB2_LUA_C_INTERFACE_VERSION "60,2008-12-07" -struct lua_instance *get_lua(void); +extern struct lua_instance *get_lua(void); #if 0 -char *sb_decolonize_path(const char *path); +extern char *sb_decolonize_path(const char *path); #endif -int sb_next_execve(const char *filename, char *const argv [], +extern int sb_next_execve(const char *filename, char *const argv [], char *const envp[]); -int do_exec(const char *exec_fn_name, const char *file, +extern int do_exec(const char *exec_fn_name, const char *file, char *const *argv, char *const *envp); -time_t get_sb2_timestamp(void); +extern time_t get_sb2_timestamp(void); + +extern char *procfs_mapping_request(char *path); /* ------ debug/trace logging system for sb2: */ #define SB_LOGLEVEL_uninitialized (-1) @@ -100,6 +106,7 @@ extern char *sbox_orig_ld_preload; extern char *sbox_orig_ld_library_path; extern char *sbox_binary_name; extern char *sbox_real_binary_name; +extern char *sbox_orig_binary_name; extern int pthread_library_is_available; /* flag */ extern pthread_t (*pthread_self_fnptr)(void); diff --git a/lua_scripts/create_reverse_rules.lua b/lua_scripts/create_reverse_rules.lua index fc712dc..abd4421 100644 --- a/lua_scripts/create_reverse_rules.lua 
+++ b/lua_scripts/create_reverse_rules.lua @@ -71,7 +71,7 @@ function reverse_one_rule(output_rules, rule, n) allow_reversing = false end - local d_path + local d_path = nil if (rule.use_orig_path) then new_rule.use_orig_path = true d_path = forward_path @@ -85,21 +85,27 @@ function reverse_one_rule(output_rules, rule, n) elseif (rule.replace_by) then d_path = rule.replace_by new_rule.replace_by = forward_path + elseif (rule.custom_map_funct) then + new_rule.error = string.format( + "--Notice: custom_map_funct rules can't be reversed, please mark it 'virtual'", + new_rule.name) else new_rule.error = string.format( "--ERROR: Rule '%s' does not contain any actions", new_rule.name) end - local idx - if (rule.prefix) then - new_rule.prefix = d_path - new_rule.orig_prefix = rule.prefix - idx = test_rev_rule_position(output_rules, d_path..":") - elseif (rule.path) then - new_rule.path = d_path - new_rule.orig_path = rule.path - idx = test_rev_rule_position(output_rules, d_path) + local idx = nil + if (d_path ~= nil) then + if (rule.prefix) then + new_rule.prefix = d_path + new_rule.orig_prefix = rule.prefix + idx = test_rev_rule_position(output_rules, d_path..":") + elseif (rule.path) then + new_rule.path = d_path + new_rule.orig_path = rule.path + idx = test_rev_rule_position(output_rules, d_path) + end end if (idx ~= nil) then diff --git a/lua_scripts/main.lua b/lua_scripts/main.lua index 4915486..ef0b8a7 100644 --- a/lua_scripts/main.lua +++ b/lua_scripts/main.lua @@ -15,7 +15,7 @@ debug_messages_enabled = sb.debug_messages_enabled() -- -- NOTE: the corresponding identifier for C is in include/sb2.h, -- see that file for description about differences -sb2_lua_c_interface_version = "59,lta-2008-12-04" +sb2_lua_c_interface_version = "60,2008-12-07" function do_file(filename) if (debug_messages_enabled) then diff --git a/lua_scripts/mapping.lua b/lua_scripts/mapping.lua index 6771339..22a48be 100644 --- a/lua_scripts/mapping.lua +++ b/lua_scripts/mapping.lua 
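Review bot: The new `custom_map_funct` branch in reverse_one_rule passes `new_rule.name` to `string.format`, but the format string has no `%s`, so the rule name is silently dropped from the notice. Whoever reads the generated reverse-rule output cannot tell which rule needs the 'virtual' marking. Use `"--Notice: custom_map_funct rule '%s' can't be reversed, please mark it 'virtual'"`, which also matches the `--ERROR: Rule '%s' ...` message in the branch below it. reverse_one_rule starts and ends outside these hunks.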
@@ -50,6 +50,22 @@ end -- end isprefix = sb.isprefix +function sb2_procfs_mapper(binary_name, func_name, rp, path, rule) + local ret_path = path; + + if (debug_messages_enabled) then + sb.log("debug", "sb2_procfs_mapper "..path.." : "..rp) + end + + local mapped = sb.procfs_mapping_request(path) + + -- Returns exec_policy, path, readonly_flag + if (mapped) then + ret_path = mapped + end + return nil, ret_path, false +end + -- Load mode-specific rules. -- A mode file must define three variables: -- 1. rule_file_interface_version (string) is checked and must match, @@ -71,6 +87,8 @@ function load_and_check_rules() export_chains = {} exec_policy_chains = {} + -- Differences between version 17 and 18: + -- - added sb2_procfs_mapper() -- Differences between version 16 and 17: -- - Added support for hierarcic rules (i.e. rule -- trees. 16 supports only linear rule lists) @@ -82,7 +100,7 @@ function load_and_check_rules() -- (previously only one was expected) -- - variables "esc_tools_root" and "esc_target_root" -- were removed - local current_rule_interface_version = "17" + local current_rule_interface_version = "18" do_file(rule_file_path) @@ -400,7 +418,7 @@ function sbox_translate_path(rule, binary_name, func_name, path) if (rule.custom_map_funct ~= nil) then exec_policy, ret, readonly_flag = rule.custom_map_funct( - binary_name, func_name, rp, path, rules[n]) + binary_name, func_name, rp, path, rule) if (rule.readonly ~= nil) then readonly_flag = rule.readonly end 
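Review bot: sb2_procfs_mapper has no header comment, and the one line that describes its contract (`-- Returns exec_policy, path, readonly_flag`) sits in the middle of the body, between the call and the `if (mapped)` test. Since every mode file now routes /proc through this function, I would put the contract above the `function` line, for example `-- custom_map_funct for /proc: returns nil (no exec_policy), the path given by sb.procfs_mapping_request() or the unmodified path when that returns nil, and readonly_flag = false`. It is also worth stating there that the `rule` argument is unused.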
@@ -428,7 +446,9 @@ end -- path resolution takes place. The primary purpose of this is to -- determine where to start resolving symbolic links; shorter paths than -- "min_path_len" should not be given to sbox_translate_path() --- returns "rule", "rule_found", "min_path_len" +-- returns "rule", "rule_found", "min_path_len", "call_translate_for_all" +-- ("call_translate_for_all" is a flag which controls optimizations in +-- the path resolution code) function sbox_get_mapping_requirements(binary_name, func_name, full_path) -- loop through the chains, first match is used local min_path_len = 0 @@ -440,17 +460,22 @@ function sbox_get_mapping_requirements(binary_name, func_name, full_path) sb.log("error", string.format("Unable to find chain for: %s(%s)", func_name, full_path)) - return nil, false, 0 + return nil, false, 0, false end rule, min_path_len = find_rule(chain, func_name, full_path) if (not rule) then -- error, not even a default rule found sb.log("error", string.format("Unable to find rule for: %s(%s)", func_name, full_path)) - return nil, false, 0 + return nil, false, 0, false + end + + local call_translate_for_all = false + if (rule.custom_map_funct) then + call_translate_for_all = true end - return rule, true, min_path_len + return rule, true, min_path_len, call_translate_for_all end -- diff --git a/lua_scripts/pathmaps/devel/00_default.lua b/lua_scripts/pathmaps/devel/00_default.lua index 938b708..8c9e53a 100644 --- a/lua_scripts/pathmaps/devel/00_default.lua +++ b/lua_scripts/pathmaps/devel/00_default.lua @@ -8,7 +8,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- tools = tools_root 
@@ -461,7 +461,7 @@ simple_chain = { -- ----------------------------------------------- -- 90. Top-level directories that must not be mapped: {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true, readonly = true}, @@ -514,7 +514,7 @@ qemu_chain = { {prefix = "/tmp", map_to = session_dir}, {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = "/etc/resolv.conf", diff --git a/lua_scripts/pathmaps/emulate/00_default.lua b/lua_scripts/pathmaps/emulate/00_default.lua index 052222e..368816d 100644 --- a/lua_scripts/pathmaps/emulate/00_default.lua +++ b/lua_scripts/pathmaps/emulate/00_default.lua @@ -3,7 +3,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- sb1_compat_dir = sbox_target_root .. "/scratchbox1-compat" @@ -84,7 +84,7 @@ mapall_chain = { -- {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = sbox_dir .. "/share/scratchbox2", diff --git a/lua_scripts/pathmaps/install/00_default.lua b/lua_scripts/pathmaps/install/00_default.lua index 9721d5b..bb8a28f 100644 --- a/lua_scripts/pathmaps/install/00_default.lua +++ b/lua_scripts/pathmaps/install/00_default.lua @@ -4,7 +4,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- if (tools_root and tools_root ~= "/") then 
@@ -31,7 +31,7 @@ default_chain = { { prefix = "/usr/local/bin", func_name = ".*exec.*", map_to = tools_target }, { prefix = "/dev", func_name = "open.*", use_orig_path = true }, - { prefix = "/proc", use_orig_path = true }, + { dir = "/proc", custom_map_funct = sb2_procfs_mapper}, { prefix = "/sys", use_orig_path = true }, { prefix = session_dir, use_orig_path = true }, diff --git a/lua_scripts/pathmaps/simple/00_default.lua b/lua_scripts/pathmaps/simple/00_default.lua index 617cf27..b8e3434 100644 --- a/lua_scripts/pathmaps/simple/00_default.lua +++ b/lua_scripts/pathmaps/simple/00_default.lua @@ -7,7 +7,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- tools = tools_root @@ -61,7 +61,7 @@ simple_chain = { {prefix = "/tmp", map_to = session_dir}, {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {prefix = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = "/etc/resolv.conf", use_orig_path = true}, {prefix = "/etc/apt", map_to = target_root}, @@ -83,7 +83,7 @@ qemu_chain = { {prefix = "/tmp", map_to = session_dir}, {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = "/etc/resolv.conf", use_orig_path = true}, {prefix = tools, use_orig_path = true}, diff --git a/lua_scripts/pathmaps/tools/00_default.lua b/lua_scripts/pathmaps/tools/00_default.lua index 9320d58..76ecf18 100644 --- a/lua_scripts/pathmaps/tools/00_default.lua +++ b/lua_scripts/pathmaps/tools/00_default.lua @@ -6,7 +6,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- -- If the permission token exists and contains "root", tools_root directories 
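Review bot: In lua_scripts/pathmaps/simple/00_default.lua the simple_chain entry keeps `prefix = "/proc"`, while qemu_chain in the same file and every other mode file in this commit switch to `dir = "/proc"`. The difference between `prefix` and `dir` matching is not visible in this diff, so this may be intentional. If it is not, the line should read `{dir = "/proc", custom_map_funct = sb2_procfs_mapper},` so that the same set of paths reaches the /proc handler in every chain. If the difference is deliberate, a one-line comment saying why would prevent it from being "fixed" later.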
@@ -54,7 +54,7 @@ mapall_chain = { -- {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = sbox_user_home_dir .. "/.scratchbox2", diff --git a/luaif/luaif.c b/luaif/luaif.c index 1f7ab38..ba07663 100644 --- a/luaif/luaif.c +++ b/luaif/luaif.c @@ -690,6 +690,34 @@ static int lua_sb_test_path_match(lua_State *l) return 1; } +/* "sb.procfs_mapping_request", to be called from lua code */ +static int lua_sb_procfs_mapping_request(lua_State *l) +{ + int n; + char *path; + char *resolved_path; + + n = lua_gettop(l); + if (n != 1) { + lua_pushstring(l, NULL); + return 1; + } + + path = strdup(lua_tostring(l, 1)); + + resolved_path = procfs_mapping_request(path); + + if (resolved_path) { + /* mapped to somewhere else */ + lua_pushstring(l, resolved_path); + free(resolved_path); + } else { + /* no need to map this path */ + lua_pushnil(l); + } + free(path); + return 1; +} /* mappings from c to lua */ static const luaL_reg reg[] = @@ -711,6 +739,7 @@ static const luaL_reg reg[] = {"get_session_perm", lua_sb_get_session_perm}, {"isprefix", lua_sb_isprefix}, {"test_path_match", lua_sb_test_path_match}, + {"procfs_mapping_request", lua_sb_procfs_mapping_request}, {NULL, NULL} }; diff --git a/luaif/paths.c b/luaif/paths.c index 5e36632..3fd069d 100644 --- a/luaif/paths.c +++ b/luaif/paths.c @@ -497,10 +497,12 @@ static int call_lua_function_sbox_get_mapping_requirements( const char *binary_name, const char *func_name, const char *full_path_for_rule_selection, - int *min_path_lenp) + int *min_path_lenp, + int *call_translate_for_all_p) { int rule_found; int min_path_len; + int call_translate_for_all; SB_LOG(SB_LOGLEVEL_NOISE, "calling sbox_get_mapping_requirements for %s(%s)", 
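Review bot: In lua_sb_procfs_mapping_request, `strdup(lua_tostring(l, 1))` is called without checking either result. lua_tostring returns NULL when the argument is neither a string nor a number, which makes the strdup call undefined, and a failed strdup hands NULL to procfs_mapping_request. I would fetch the argument first, `const char *arg = lua_tostring(l, 1); if (!arg) { lua_pushnil(l); return 1; }`, and treat a NULL copy the same way. The `n != 1` branch should use `lua_pushnil(l)` rather than `lua_pushstring(l, NULL)`, to match the no-mapping branch further down. The declaration added to include/sb2.h would also benefit from a comment saying that the caller frees the returned string, as this function does.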
@@ -514,21 +516,26 @@ static int call_lua_function_sbox_get_mapping_requirements( lua_pushstring(luaif->lua, binary_name); lua_pushstring(luaif->lua, func_name); lua_pushstring(luaif->lua, full_path_for_rule_selection); - /* 3 arguments, returns (rule, rule_found_flag, min_path_len) */ - lua_call(luaif->lua, 3, 3); + /* 3 arguments, returns 4: (rule, rule_found_flag, + * min_path_len, call_translate_for_all) */ + lua_call(luaif->lua, 3, 4); - rule_found = lua_toboolean(luaif->lua, -2); - min_path_len = lua_tointeger(luaif->lua, -1); + rule_found = lua_toboolean(luaif->lua, -3); + min_path_len = lua_tointeger(luaif->lua, -2); + call_translate_for_all = lua_toboolean(luaif->lua, -1); if (min_path_lenp) *min_path_lenp = min_path_len; + if (call_translate_for_all_p) + *call_translate_for_all_p = call_translate_for_all; - /* remove "flag" and "min_path_len"; leave "rule" to the stack */ - lua_pop(luaif->lua, 2); + /* remove last 3 values; leave "rule" to the stack */ + lua_pop(luaif->lua, 3); - SB_LOG(SB_LOGLEVEL_DEBUG, "sbox_get_mapping_requirements -> %d,%d", - rule_found, min_path_len); + SB_LOG(SB_LOGLEVEL_DEBUG, "sbox_get_mapping_requirements -> %d,%d,%d", + rule_found, min_path_len, call_translate_for_all); SB_LOG(SB_LOGLEVEL_NOISE, - "call_lua_function_sbox_get_mapping_requirements: at exit, gettop=%d", + "call_lua_function_sbox_get_mapping_requirements:" + " at exit, gettop=%d", lua_gettop(luaif->lua)); return(rule_found); } @@ -609,6 +616,7 @@ static char *sb_path_resolution( struct path_entry_list prefix_path_list; int ro_tmp; char *path_copy; + int call_translate_for_all = 0; if (nest_count > 16) { SB_LOG(SB_LOGLEVEL_ERROR, 
@@ -646,7 +654,7 @@ static char *sb_path_resolution( if (call_lua_function_sbox_get_mapping_requirements( luaif, binary_name, func_name, abs_path, - &min_path_len_to_check)) { + &min_path_len_to_check, &call_translate_for_all)) { /* has requirements: * skip over path components that we are not supposed to check, * because otherwise rule recognition & execution could fail. @@ -839,18 +847,47 @@ static char *sb_path_resolution( } work = work->pe_next; if (work) { - char *next_dir = NULL; + if (call_translate_for_all) { + /* call_translate_for_all is set when + * path resolution must call + * sbox_translate_path() for each component; + * this happens when a "custom_map_funct" has + * been set. "custom_map_funct" may use any + * kind of strategy to decide when mapping + * needs to be done, for example, the /proc + * mapping function looks at the suffix, and + * not at the prefix... + */ + if (prefix_mapping_result) { + free(prefix_mapping_result); + } + prefix_mapping_result = + call_lua_function_sbox_translate_path( + SB_LOGLEVEL_NOISE, + luaif, binary_name, + "PATH_RESOLUTION/2", + work->pe_full_path, &ro_tmp); + drop_policy_from_lua_stack(luaif); + } else { + /* "standard mapping", based on prefix or + * exact match. Ok to skip sbox_translate_path() + * because here it would just add the component + * to end of the path; instead we'll do that + * here. This is a performance optimization. + */ + char *next_dir = NULL; - if (asprintf(&next_dir, "%s/%s", - prefix_mapping_result, - work->pe_last_component_name) < 0) { - SB_LOG(SB_LOGLEVEL_ERROR, - "asprintf failed"); - } - if (prefix_mapping_result) { - free(prefix_mapping_result); + if (asprintf(&next_dir, "%s/%s", + prefix_mapping_result, + work->pe_last_component_name) < 0) { + SB_LOG(SB_LOGLEVEL_ERROR, + "asprintf failed"); + } + if (prefix_mapping_result) { + free(prefix_mapping_result); + } + prefix_mapping_result = next_dir; } - prefix_mapping_result = next_dir; } else { free(prefix_mapping_result); } 
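Review bot: In the `@@ -839,18 +847,47 @@` hunk, both branches can leave `prefix_mapping_result` unusable for the next path component. The new `call_translate_for_all` branch stores the return value of call_lua_function_sbox_translate_path() without a NULL check. The re-indented `else` branch logs "asprintf failed" and then still assigns `next_dir`, whose contents are not defined after a failed asprintf. It also passes `prefix_mapping_result` to `%s` before the `if (prefix_mapping_result)` test that implies it may be NULL. Because this loop decides which real path a sandboxed call ends up touching, I would make both failures explicit: add `next_dir = NULL;` inside the asprintf error block, and handle a NULL translate result before continuing. The loop and the rest of sb_path_resolution are outside the hunk, so how a NULL is treated later cannot be confirmed from here.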
diff --git a/preload/Makefile b/preload/Makefile index ab8a4b7..6127b39 100644 --- a/preload/Makefile +++ b/preload/Makefile @@ -1,4 +1,5 @@ -objs := wrappers.o libsb2.o sb_exec.o sb_l10n.o glob.o glob64.o fdpathdb.o +objs := wrappers.o libsb2.o sb_exec.o sb_l10n.o glob.o glob64.o \ + fdpathdb.o procfs.o ifeq ($(shell uname -s),Linux) LIBSB2_LDFLAGS = -Wl,-soname=$(LIBSB2_SONAME) \ diff --git a/preload/interface.master b/preload/interface.master index 49ae917..11bd29c 100644 --- a/preload/interface.master +++ b/preload/interface.master @@ -305,7 +305,8 @@ WRAP: int lutimes(const char *filename, const struct timeval tv[2]) : \ fail_if_readonly(filename,-1,EROFS) WRAP: int mkdir(const char *pathname, mode_t mode) : \ - map(pathname) fail_if_readonly(pathname,-1,EROFS) + map(pathname) fail_if_readonly(pathname,-1,EROFS) \ + create_nomap_nolog_version WRAP: int mkdirat(int dirfd, const char *pathname, mode_t mode) : \ map_at(dirfd,pathname) fail_if_readonly(pathname,-1,EROFS) WRAP: int mkfifo(const char *pathname, mode_t mode) : \ @@ -400,7 +401,9 @@ WRAP: int stat64(const char *file_name, struct stat64 *buf) : map(file_name) -- * "newpath" is location where the symlink will be created. WRAP: int symlink(const char *oldpath, const char *newpath) : \ dont_resolve_final_symlink map(newpath) \ - fail_if_readonly(newpath,-1,EROFS) + fail_if_readonly(newpath,-1,EROFS) \ + create_nomap_nolog_version + WRAP: int symlinkat(const char *oldpath, int newdirfd, const char *newpath) : \ dont_resolve_final_symlink map_at(newdirfd,newpath) \ fail_if_readonly(newpath,-1,EROFS) diff --git a/preload/libsb2.c b/preload/libsb2.c index 1c4a065..3bd71f5 100644 --- a/preload/libsb2.c +++ b/preload/libsb2.c @@ -1159,6 +1159,7 @@ char *sbox_orig_ld_preload = NULL; char *sbox_orig_ld_library_path = NULL; char *sbox_binary_name = NULL; char *sbox_real_binary_name = NULL; +char *sbox_orig_binary_name = NULL; int sb2_global_vars_initialized__ = 0; 
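Review bot: `procfs.o` is added to `objs` in preload/Makefile, but no preload/procfs.c appears among the 16 files in this commit's diffstat. `procfs_mapping_request()` is only declared in include/sb2.h and called from luaif/luaif.c. Unless that source file was committed separately, the build will fail on the missing object. Either way, the code that decides which /proc paths are redirected into `$SBOX_SESSION_DIR/proc` is not part of what can be reviewed here. Please include it in this change or reference the commit that adds it.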
@@ -1210,6 +1211,10 @@ void sb2_initialize_global_variables(void) cp = getenv("__SB2_REAL_BINARYNAME"); if (cp) sbox_real_binary_name = strdup(cp); } + if (!sbox_orig_binary_name) { + cp = getenv("__SB2_ORIG_BINARYNAME"); + if (cp) sbox_orig_binary_name = strdup(cp); + } if (sbox_session_dir) { /* seems that we got it.. */ diff --git a/preload/sb_exec.c b/preload/sb_exec.c index 216fb74..daf0270 100644 --- a/preload/sb_exec.c +++ b/preload/sb_exec.c @@ -567,7 +567,8 @@ static char **duplicate_argv(char *const *argv) return(my_argv); } -static char **prepare_envp_for_do_exec(char *binaryname, char *const *envp) +static char **prepare_envp_for_do_exec(const char *orig_file, + const char *binaryname, char *const *envp) { char **p; int envc = 0; @@ -576,6 +577,7 @@ static char **prepare_envp_for_do_exec(char *binaryname, char *const *envp) int has_ld_library_path = 0; int i; char *new_binaryname_var; + char *new_orig_file_var; int has_sbox_session_dir = 0; int has_sbox_session_mode = 0; const int sbox_session_dir_varname_len = strlen("SBOX_SESSION_DIR"); 
@@ -627,19 +629,17 @@ static char **prepare_envp_for_do_exec(char *binaryname, char *const *envp) "restored to %s", sbox_session_dir); } - /* allocate new environment. Add 7 extra elements (all may not be + /* allocate new environment. Add 8 extra elements (all may not be * needed always) */ - my_envp = (char **)calloc(envc + 7, sizeof(char *)); + my_envp = (char **)calloc(envc + 8, sizeof(char *)); for (i = 0, p=(char **)envp; *p; p++) { - if (strncmp(*p, "__SB2_BINARYNAME=", - strlen("__SB2_BINARYNAME=")) == 0) { - /* this is current process' name, skip it */ - continue; - } - if (strncmp(*p, "__SB2_REAL_BINARYNAME=", - strlen("__SB2_REAL_BINARYNAME=")) == 0) { - /* skip current process' real binary name */ + if (strncmp(*p, "__SB2_", strlen("__SB2_")) == 0) { + /* __SB2_* are temporary variables that must not + * be relayed to the next executable => skip it. + * Such variables include: __SB2_BINARYNAME, + * __SB2_REAL_BINARYNAME, __SB2_ORIG_BINARYNAME + */ continue; } if (strncmp(*p, "SBOX_SESSION_MODE=", @@ -718,6 +718,11 @@ static char **prepare_envp_for_do_exec(char *binaryname, char *const *envp) "asprintf failed to create __SB2_BINARYNAME"); } my_envp[i++] = new_binaryname_var; /* add the new process' name */ + if (asprintf(&new_orig_file_var, "__SB2_ORIG_BINARYNAME=%s", orig_file) < 0) { + SB_LOG(SB_LOGLEVEL_ERROR, + "asprintf failed to create __SB2_ORIG_BINARYNAME"); + } + my_envp[i++] = new_orig_file_var; /* add the new process' name */ /* allocate slot for __SB2_REAL_BINARYNAME that is filled later on */ my_envp[i++] = strdup("__SB2_REAL_BINARYNAME="); 
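Review bot: In the `@@ -718,6 +718,11 @@` hunk, `new_orig_file_var` is stored into `my_envp` even when asprintf fails. It is declared without an initializer in the earlier hunk, so the environment passed to the next exec can then contain an indeterminate pointer. Initialize it (`char *new_orig_file_var = NULL;`) and append only on success, i.e. put `my_envp[i++] = new_orig_file_var;` in an `else` after the error log. The `__SB2_BINARYNAME` code just above follows the same pattern, and the `calloc(envc + 8, ...)` result is used without a NULL check. The trailing comment on the new line was copied from the previous one and should say that this is the original, unmapped file name. prepare_envp_for_do_exec continues outside these hunks.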
@@ -855,11 +860,12 @@ static int prepare_exec(const char *exec_fn_name, my_file = strdup(orig_file); - my_envp = prepare_envp_for_do_exec(binaryname, orig_envp); + my_envp = prepare_envp_for_do_exec(orig_file, binaryname, orig_envp); if (SB_LOG_IS_ACTIVE(SB_LOGLEVEL_DEBUG)) { /* create a copy of intended environment for logging, * before sb_execve_preprocess() gets control */ - my_envp_copy = prepare_envp_for_do_exec(binaryname, orig_envp); + my_envp_copy = prepare_envp_for_do_exec(orig_file, + binaryname, orig_envp); } my_argv = duplicate_argv(orig_argv); @@ -721,6 +721,7 @@ function initialize_new_sb2_session() mkdir -p $SBOX_SESSION_DIR mkdir $SBOX_SESSION_DIR/tmp + mkdir $SBOX_SESSION_DIR/proc mkdir $SBOX_SESSION_DIR/rules mkdir $SBOX_SESSION_DIR/rev_rules |