Changeset 18988


Timestamp:
Aug 2, 2006, 12:48:29 AM (14 years ago)
Author:
pguyot (Paul Guyot)
Message:

-t now forbids renaming files/dirs and deleting directories outside the sandbox.

Location:
trunk/base
Files:
4 edited

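--- a/trunk/base/src/darwintracelib1.0/darwintrace.c
+++ b/trunk/base/src/darwintracelib1.0/darwintrace.c
@@ -4,5 +4,5 @@
  * All rights reserved.
  *
- * $Id: darwintrace.c,v 1.19 2006/07/28 10:11:09 pguyot Exp $
+ * $Id: darwintrace.c,v 1.20 2006/08/02 00:48:28 pguyot Exp $
  *
  * @APPLE_BSD_LICENSE_HEADER_START@
@@ -632,2 +632,65 @@
 }
 #endif
+
+#if DARWINTRACE_SANDBOX
+/* Trap attempts to remove directories outside the sandbox.
+ */
+int rmdir(const char* path) {
+#define __rmdir(x) syscall(SYS_rmdir, (x))
+        int result = 0;
+        int isInSandbox = __darwintrace_is_in_sandbox(path);
+        if (isInSandbox == 1) {
+                dprintf("darwintrace: rmdir was allowed at %s\n", path);
+        } else if (isInSandbox == 0) {
+                /* outside sandbox, but sandbox is defined: forbid */
+                dprintf("darwintrace: removing directory %s was forbidden\n", path);
+                __darwintrace_log_op("sandbox_violation", NULL, path, 0);
+                errno = EACCES;
+                result = -1;
+        }
+       
+        if (result == 0) {
+                result = __rmdir(path);
+        }
+       
+        return result;
+}
+#endif
+
+#if DARWINTRACE_SANDBOX
+/* Trap attempts to rename files/directories outside the sandbox.
+ */
+int rename(const char* from, const char* to) {
+#define __rename(x,y) syscall(SYS_rename, (x), (y))
+        int result = 0;
+        int isInSandbox = __darwintrace_is_in_sandbox(from);
+        if (isInSandbox == 1) {
+                dprintf("darwintrace: rename was allowed at %s\n", from);
+        } else if (isInSandbox == 0) {
+                /* outside sandbox, but sandbox is defined: forbid */
+                dprintf("darwintrace: renaming from %s was forbidden\n", from);
+                __darwintrace_log_op("sandbox_violation", NULL, from, 0);
+                errno = EACCES;
+                result = -1;
+        }
+
+        if (result == 0) {
+                isInSandbox = __darwintrace_is_in_sandbox(to);
+                if (isInSandbox == 1) {
+                        dprintf("darwintrace: rename was allowed at %s\n", to);
+                } else if (isInSandbox == 0) {
+                        /* outside sandbox, but sandbox is defined: forbid */
+                        dprintf("darwintrace: renaming to %s was forbidden\n", to);
+                        __darwintrace_log_op("sandbox_violation", NULL, to, 0);
+                        errno = EACCES;
+                        result = -1;
+                }
+        }
+       
+        if (result == 0) {
+                result = __rename(from, to);
+        }
+       
+        return result;
+}
+#endif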
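Review bot: Both wrappers decide on the caller's path string and then pass that same string to the raw syscall, so the check in `rmdir()` and the two checks in `rename()` are only as strong as `__darwintrace_is_in_sandbox`, whose body is not visible here. If that helper compares the text of the path without resolving symlinks or `..` components, a `to` that looks like it is inside the sandbox may still resolve outside it, and the filesystem can change between the check and `syscall(SYS_rename, ...)`. A comment above each wrapper would make the contract explicit, e.g. `/* Check is made on the path as given and is advisory; it does not cover code that does not go through this wrapper or a path that changes after the check. */`, together with a line saying that any helper result other than 0 or 1 deliberately falls through to the real call. As a style point, `__rmdir` and `__rename` are macros with reserved `__` names defined inside the function bodies and never `#undef`ed; file-scope `static` helpers would be cleaner.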
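--- a/trunk/base/tests/trace/Makefile
+++ b/trunk/base/tests/trace/Makefile
@@ -10,4 +10,6 @@
         @PORTSRC=$(PORTSRC) $(bindir)/port clean > /dev/null
         @touch delete-trace
+        @touch rename-trace
+        @mkdir rmdir-trace
         @rm -f create-trace
         @rm -rf mkdir-trace
@@ -15,6 +17,9 @@
         @PORTSRC=$(PORTSRC) $(bindir)/port -t test > output 2>&1 || (cat output; exit 1)
         @rm -f delete-trace
+        @rm -f rename-trace
+        @rm -f rename-new-trace
         @rm -f create-trace
         @rm -rf mkdir-trace
+        @rm -rf rmdir-trace
         @rm -f /tmp/hello-trace
         @sed -e "s|${PWD}|PWD|g" < output > output.sed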
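Review bot: `@mkdir rmdir-trace` on new line 13 will fail with "File exists" if an earlier run stopped at the `|| (cat output; exit 1)` branch, because the cleanup on new line 23 is only reached after a successful `port -t test`; the leftover directory then hides the real failure on the next run. `@mkdir -p rmdir-trace` keeps the setup idempotent, in line with the `rm -f` / `rm -rf` steps around it. The rule's earlier lines are outside the visible hunk, so a cleanup there may already cover this.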
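--- a/trunk/base/tests/trace/Portfile
+++ b/trunk/base/tests/trace/Portfile
@@ -1,3 +1,3 @@
-# $Id: Portfile,v 1.5 2006/07/28 10:11:10 pguyot Exp $
+# $Id: Portfile,v 1.6 2006/08/02 00:48:29 pguyot Exp $
 
 PortSystem 1.0
@@ -25,4 +25,6 @@
         system "rm /tmp/hello-trace"
         catch {system "mkdir mkdir-trace"}
+        catch {system "rmdir rmdir-trace"}
+        catch {system "mv rename-trace rename-new-trace"}
         system "mkdir -p /usr/bin"
 }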
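Review bot: The new `mv rename-trace rename-new-trace` case only exercises the `from` check, because `rename()` in darwintrace.c stops as soon as the source is outside the sandbox; the branch that rejects a destination outside the sandbox has no test, and master has no expected line for it. A second case whose source is inside the sandbox would cover it, for example `catch {system "touch ${workpath}/rename-in-trace && mv ${workpath}/rename-in-trace rename-out-trace"}` (assuming `${workpath}` is inside the sandbox), with the matching `Warning:` line added to master and `@rm -f rename-out-trace` added to the Makefile cleanup. The enclosing test block begins above the hunk.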
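--- a/trunk/base/tests/trace/master
+++ b/trunk/base/tests/trace/master
@@ -8,2 +8,4 @@
 Warning: A creation/deletion/modification was attempted outside sandbox: PWD/delete-trace
 Warning: A creation/deletion/modification was attempted outside sandbox: PWD/mkdir-trace
+Warning: A creation/deletion/modification was attempted outside sandbox: PWD/rename-trace
+Warning: A creation/deletion/modification was attempted outside sandbox: PWD/rmdir-trace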