From 576ed39bde4ec3034e22aa08b61e7084a87553a5 Mon Sep 17 00:00:00 2001 From: Lauri Aarnio Date: Mon, 8 Dec 2008 16:58:31 +0200 Subject: Fixed /proc/self/exe (and /proc//exe) - Implemented a special mapping function for /proc, to be able to map the symlink at /proc/self/exe. - This can be described as a countermeasure to side-effects of mapping exec parameters: /proc/self/exe (as well as /proc//exe, which is the same thing) need special care if the binary was started by anything else than direct exec. Examples: a) if CPU transparency is used, the real /proc/self/exe points to e.g. Qemu. Now SB2 can make it look like the link points to the binary which is running under qemu. b) if "ld.so-start" was used, the real /proc/self/exe points to ld.so and not to the binary itself. Again, SB2 maps that to a symlink which points to the correct binary. Other related things: - all mapping modes use this feature now - Lua <=> C interface version had to be incremented - Lua mapping code <=> mapping rules version had to be incremented --- lua_scripts/create_reverse_rules.lua | 26 ++++++++++++-------- lua_scripts/main.lua | 2 +- lua_scripts/mapping.lua | 37 ++++++++++++++++++++++++----- lua_scripts/pathmaps/devel/00_default.lua | 6 ++--- lua_scripts/pathmaps/emulate/00_default.lua | 4 ++-- lua_scripts/pathmaps/install/00_default.lua | 4 ++-- lua_scripts/pathmaps/simple/00_default.lua | 6 ++--- lua_scripts/pathmaps/tools/00_default.lua | 4 ++-- 8 files changed, 60 insertions(+), 29 deletions(-) (limited to 'lua_scripts') diff --git a/lua_scripts/create_reverse_rules.lua b/lua_scripts/create_reverse_rules.lua index fc712dc..abd4421 100644 --- a/lua_scripts/create_reverse_rules.lua +++ b/lua_scripts/create_reverse_rules.lua @@ -71,7 +71,7 @@ function reverse_one_rule(output_rules, rule, n) allow_reversing = false end - local d_path + local d_path = nil if (rule.use_orig_path) then new_rule.use_orig_path = true d_path = forward_path @@ -85,21 +85,27 @@ function reverse_one_rule(output_rules, rule, n) elseif (rule.replace_by) then d_path = rule.replace_by new_rule.replace_by = forward_path + elseif (rule.custom_map_funct) then + new_rule.error = string.format( + "--Notice: custom_map_funct rules can't be reversed, please mark it 'virtual'", + new_rule.name) else new_rule.error = string.format( "--ERROR: Rule '%s' does not contain any actions", new_rule.name) end - local idx - if (rule.prefix) then - new_rule.prefix = d_path - new_rule.orig_prefix = rule.prefix - idx = test_rev_rule_position(output_rules, d_path..":") - elseif (rule.path) then - new_rule.path = d_path - new_rule.orig_path = rule.path - idx = test_rev_rule_position(output_rules, d_path) + local idx = nil + if (d_path ~= nil) then + if (rule.prefix) then + new_rule.prefix = d_path + new_rule.orig_prefix = rule.prefix + idx = test_rev_rule_position(output_rules, d_path..":") + elseif (rule.path) then + new_rule.path = d_path + new_rule.orig_path = rule.path + idx = test_rev_rule_position(output_rules, d_path) + end end if (idx ~= nil) then diff --git a/lua_scripts/main.lua b/lua_scripts/main.lua index 4915486..ef0b8a7 100644 --- a/lua_scripts/main.lua +++ b/lua_scripts/main.lua @@ -15,7 +15,7 @@ debug_messages_enabled = sb.debug_messages_enabled() -- -- NOTE: the corresponding identifier for C is in include/sb2.h, -- see that file for description about differences -sb2_lua_c_interface_version = "59,lta-2008-12-04" +sb2_lua_c_interface_version = "60,2008-12-07" function do_file(filename) if (debug_messages_enabled) then diff --git a/lua_scripts/mapping.lua b/lua_scripts/mapping.lua index 6771339..22a48be 100644 --- a/lua_scripts/mapping.lua +++ b/lua_scripts/mapping.lua @@ -50,6 +50,22 @@ end -- end isprefix = sb.isprefix +function sb2_procfs_mapper(binary_name, func_name, rp, path, rule) + local ret_path = path; + + if (debug_messages_enabled) then + sb.log("debug", "sb2_procfs_mapper "..path.." : "..rp) + end + + local mapped = sb.procfs_mapping_request(path) + + -- Returns exec_policy, path, readonly_flag + if (mapped) then + ret_path = mapped + end + return nil, ret_path, false +end + -- Load mode-specific rules. -- A mode file must define three variables: -- 1. rule_file_interface_version (string) is checked and must match, @@ -71,6 +87,8 @@ function load_and_check_rules() export_chains = {} exec_policy_chains = {} + -- Differences between version 17 and 18: + -- - added sb2_procfs_mapper() -- Differences between version 16 and 17: -- - Added support for hierarcic rules (i.e. rule -- trees. 16 supports only linear rule lists) @@ -82,7 +100,7 @@ function load_and_check_rules() -- (previously only one was expected) -- - variables "esc_tools_root" and "esc_target_root" -- were removed - local current_rule_interface_version = "17" + local current_rule_interface_version = "18" do_file(rule_file_path) @@ -400,7 +418,7 @@ function sbox_translate_path(rule, binary_name, func_name, path) if (rule.custom_map_funct ~= nil) then exec_policy, ret, readonly_flag = rule.custom_map_funct( - binary_name, func_name, rp, path, rules[n]) + binary_name, func_name, rp, path, rule) if (rule.readonly ~= nil) then readonly_flag = rule.readonly end @@ -428,7 +446,9 @@ end -- path resolution takes place. The primary purpose of this is to -- determine where to start resolving symbolic links; shorter paths than -- "min_path_len" should not be given to sbox_translate_path() --- returns "rule", "rule_found", "min_path_len" +-- returns "rule", "rule_found", "min_path_len", "call_translate_for_all" +-- ("call_translate_for_all" is a flag which controls optimizations in +-- the path resolution code) function sbox_get_mapping_requirements(binary_name, func_name, full_path) -- loop through the chains, first match is used local min_path_len = 0 @@ -440,17 +460,22 @@ function sbox_get_mapping_requirements(binary_name, func_name, full_path) sb.log("error", string.format("Unable to find chain for: %s(%s)", func_name, full_path)) - return nil, false, 0 + return nil, false, 0, false end rule, min_path_len = find_rule(chain, func_name, full_path) if (not rule) then -- error, not even a default rule found sb.log("error", string.format("Unable to find rule for: %s(%s)", func_name, full_path)) - return nil, false, 0 + return nil, false, 0, false + end + + local call_translate_for_all = false + if (rule.custom_map_funct) then + call_translate_for_all = true end - return rule, true, min_path_len + return rule, true, min_path_len, call_translate_for_all end -- diff --git a/lua_scripts/pathmaps/devel/00_default.lua b/lua_scripts/pathmaps/devel/00_default.lua index 938b708..8c9e53a 100644 --- a/lua_scripts/pathmaps/devel/00_default.lua +++ b/lua_scripts/pathmaps/devel/00_default.lua @@ -8,7 +8,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- tools = tools_root @@ -461,7 +461,7 @@ simple_chain = { -- ----------------------------------------------- -- 90. Top-level directories that must not be mapped: {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true, readonly = true}, @@ -514,7 +514,7 @@ qemu_chain = { {prefix = "/tmp", map_to = session_dir}, {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = "/etc/resolv.conf", diff --git a/lua_scripts/pathmaps/emulate/00_default.lua b/lua_scripts/pathmaps/emulate/00_default.lua index 052222e..368816d 100644 --- a/lua_scripts/pathmaps/emulate/00_default.lua +++ b/lua_scripts/pathmaps/emulate/00_default.lua @@ -3,7 +3,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- sb1_compat_dir = sbox_target_root .. "/scratchbox1-compat" @@ -84,7 +84,7 @@ mapall_chain = { -- {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = sbox_dir .. "/share/scratchbox2", diff --git a/lua_scripts/pathmaps/install/00_default.lua b/lua_scripts/pathmaps/install/00_default.lua index 9721d5b..bb8a28f 100644 --- a/lua_scripts/pathmaps/install/00_default.lua +++ b/lua_scripts/pathmaps/install/00_default.lua @@ -4,7 +4,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- if (tools_root and tools_root ~= "/") then @@ -31,7 +31,7 @@ default_chain = { { prefix = "/usr/local/bin", func_name = ".*exec.*", map_to = tools_target }, { prefix = "/dev", func_name = "open.*", use_orig_path = true }, - { prefix = "/proc", use_orig_path = true }, + { dir = "/proc", custom_map_funct = sb2_procfs_mapper}, { prefix = "/sys", use_orig_path = true }, { prefix = session_dir, use_orig_path = true }, diff --git a/lua_scripts/pathmaps/simple/00_default.lua b/lua_scripts/pathmaps/simple/00_default.lua index 617cf27..b8e3434 100644 --- a/lua_scripts/pathmaps/simple/00_default.lua +++ b/lua_scripts/pathmaps/simple/00_default.lua @@ -7,7 +7,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- tools = tools_root @@ -61,7 +61,7 @@ simple_chain = { {prefix = "/tmp", map_to = session_dir}, {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {prefix = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = "/etc/resolv.conf", use_orig_path = true}, {prefix = "/etc/apt", map_to = target_root}, @@ -83,7 +83,7 @@ qemu_chain = { {prefix = "/tmp", map_to = session_dir}, {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = "/etc/resolv.conf", use_orig_path = true}, {prefix = tools, use_orig_path = true}, diff --git a/lua_scripts/pathmaps/tools/00_default.lua b/lua_scripts/pathmaps/tools/00_default.lua index 9320d58..76ecf18 100644 --- a/lua_scripts/pathmaps/tools/00_default.lua +++ b/lua_scripts/pathmaps/tools/00_default.lua @@ -6,7 +6,7 @@ -- Rule file interface version, mandatory. -- -rule_file_interface_version = "17" +rule_file_interface_version = "18" ---------------------------------- -- If the permission token exists and contains "root", tools_root directories @@ -54,7 +54,7 @@ mapall_chain = { -- {prefix = "/dev", use_orig_path = true}, - {prefix = "/proc", use_orig_path = true}, + {dir = "/proc", custom_map_funct = sb2_procfs_mapper}, {prefix = "/sys", use_orig_path = true}, {prefix = sbox_user_home_dir .. "/.scratchbox2", -- cgit v1.2.3