| 1 |
On Tuesday 31 March 2009 07:52:24 Mike Frysinger wrote: |
| 2 |
> partly because the QA notices about untraceable static binaries that |
| 3 |
> sandbox-1.6 emits, but mostly because i wanted to bust solar's balls, i did |
| 4 |
> a mini hack fest the other nite and added ptrace() support into sandbox for |
| 5 |
> static binaries. seems to work for me, but if someone notices something |
| 6 |
> new and freaky, you've been warned! |
| 7 |
|
| 8 |
some notes from the wild: |
| 9 |
- some packages might fail now that didnt before due to /etc/ld.so.* |
| 10 |
violations. no, this isnt a bug in sandbox. it was a bug that older |
| 11 |
sandboxes didnt catch it. every case ive seen so far means the package is |
| 12 |
wrongly running `ldconfig` on the entire tree during src_install(). this is a |
| 13 |
pointless waste of cpu time, i/o time, hawaii time, and other crap. disable |
| 14 |
it in your package. |
| 15 |
- tracing of multilib is supported (so 32bit x86 on 64bit x86_64 host) |
| 16 |
- parisc and blackfin are now supported |
| 17 |
- static binaries that violate sandbox are killed immediately. this is |
| 18 |
different from normal sandbox where the application is returned an error and |
| 19 |
it keeps on running. this is due to ptrace limitations where there is no way |
| 20 |
for the parent doing the tracing to tell the traced child to skip execution of |
| 21 |
the next syscall. our choices as the tracer are (1) let it happen and modify |
| 22 |
the syscall return or (2) kill it immediately. since (1) allows the syscall |
| 23 |
to occur (say something like unlink(/foo/bar), that clearly isnt acceptable. |
| 24 |
unless i missed something in ptrace in which case people should point it out |
| 25 |
to me. |
| 26 |
|
| 27 |
> side note, i think sandbox-1.6-r1 should be good for stable. only one |
| 28 |
> minor compliant about 1.6, and that's fixed in 1.6-r1. |
| 29 |
|
| 30 |
and this is in the process so if people found something wrong, please post it: |
| 31 |
https://bugs.gentoo.org/265376 |
| 32 |
-mike |
Archives