
Building sys-apps/sandbox with -flto disables sandbox functionality #347

Open
Peter-Levine opened this issue Jun 8, 2019 · 8 comments


@Peter-Levine

I came across this while trying to figure out why a testcase that was supposed to fail due to a problem with sandbox was succeeding. sys-apps/sandbox will build with -flto without issue. But it will not adequately function to prevent sandbox access violations or report them. This can be tested by starting a sandbox shell and trying to create a file outside of it, e.g.:

cd /usr/local
sandbox
touch ~/testfile

When built without -flto flags, you get Permission denied. But if built with -flto, the command succeeds without error.

@jiblime
Contributor

jiblime commented Jun 8, 2019

Are you sure you are running the commands correctly?
touch ~/testfile will create a testfile within your current user's home directory, which you (in a regular scenario) have rw access.

$ cd /usr/local
$ sandbox
$ touch testfile
touch: cannot touch 'testfile': Permission denied
$ touch ~/testfile
$ ls $_
/home/non-root-user/testfile

@javashin

javashin commented Jun 8, 2019

This seems to happen to me too:

sudo su
igloo-l440 /home/javashin/Desktop # cd /usr/local
igloo-l440 /usr/local # sandbox
============================= Gentoo path sandbox ==============================
Detection of the support files.
Verification of the required files.
Setting up the required environment variables.
The protected environment has been started.

Process being started in forked instance.
igloo-l440 /usr/local # touch ~/testfile
igloo-l440 /usr/local # touch testfile
igloo-l440 /usr/local #

I see no Permission denied anywhere.

@javashin

javashin commented Jun 8, 2019

With no LTO:

cd /usr/local/
igloo-l440 /usr/local # sandbox
============================= Gentoo path sandbox ==============================
Detection of the support files.
Verification of the required files.
Setting up the required environment variables.
The protected environment has been started.

Process being started in forked instance.
igloo-l440 /usr/local # touch testfile ---- > creates fine testfile in /usr/local
igloo-l440 /usr/local # touch ~/.testfile
touch: cannot touch '/root/.testfile': Permission denied

@Peter-Levine
Author

Are you sure you are running the commands correctly?
touch ~/testfile will create a testfile within your current user's home directory, which you (in a regular scenario) have rw access.

Yes. sandbox should prevent that action regardless of permission. The example I gave was to demonstrate the issue for any user. But even as root, something trivial like this should suffice:

cd /usr/local
sandbox
touch /testfile

With a functioning sandbox, you get:

 * ACCESS DENIED:  open_wr:      /testfile
 * ACCESS DENIED:  utimensat:    /testfile
touch: cannot touch '/testfile': Permission denied

But when sandbox is built with LTO, the command succeeds and the file is created.
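The manual check above, scripted as an added example that is not part of the thread or of the sandbox project: it runs the write probe under the sandbox command and distinguishes the three outcomes the thread shows (write went through, write denied and reported, write denied with no report). It assumes `sandbox` accepts a command to run (as in `sandbox touch /testfile`) and that the probe path is one the caller could otherwise write to, i.e. root and /testfile as in the thread.

```shell
#!/bin/sh
# Regression check for Gentoo path-sandbox enforcement. Added example, not code
# from the sandbox project or the issue thread. It scripts the thread's manual
# test: a write outside the sandbox must fail AND be reported as a violation.
#
#   check_sandbox_enforces [sandbox-command] [probe-path]
#
# sandbox-command defaults to "sandbox" (assumed to accept a command to run,
# as in `sandbox touch /testfile`); probe-path defaults to /testfile as in the
# thread, so run it as root or pick a path you could otherwise write to.
# Exit status: 0 = write denied and "ACCESS DENIED" reported (sandbox works)
#              1 = probe file was created (enforcement is off, the -flto symptom)
#              2 = denied but no violation report (ordinary EACCES, inconclusive)
#              3 = could not run the check
check_sandbox_enforces() {
    sb=${1:-sandbox}
    probe=${2:-/testfile}
    # A pre-existing probe would make the "file exists" verdict meaningless.
    if [ -e "$probe" ]; then
        return 3
    fi
    log=$(mktemp) || return 3
    # The sandbox reports violations on stderr, so capture both streams.
    "$sb" touch "$probe" >"$log" 2>&1 || :
    if [ -e "$probe" ]; then
        # The write went through: the sandbox did not intercept it.
        rm -f "$probe" "$log"
        return 1
    fi
    if grep -q 'ACCESS DENIED' "$log"; then
        rm -f "$log"
        return 0
    fi
    # Denied, but not by the sandbox (e.g. plain filesystem permissions).
    rm -f "$log"
    return 2
}
```

Run it after each rebuild of sys-apps/sandbox; a status of 1 is the symptom this issue describes.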

@ionenwks

ionenwks commented Jun 8, 2019

Tried as well (tried both built with gcc 8.3 and gcc 9.1 on a system where nothing else is built with LTO), I get the same results. I'm amazed this issue exists, to be honest; it's a pretty bad deal.

@jelinekto
Contributor

jelinekto commented Jun 10, 2019

I can reproduce with every version of sandbox currently available in the Portage tree.

@InBetweenNames
Owner

Confirmed!

@InBetweenNames
Owner

Wow, that's a pretty serious one.
