X-Git-Url: http://mj.ucw.cz/gitweb/?a=blobdiff_plain;f=box%2Fbox.c;h=71ec68c75cd9767d690c429de13379e1a1b8f360;hb=838fb3edf9936878e0e052942a15c2eb605a6916;hp=d834ffdaaa9b7dbf0b5930569618b6cb9a6a5af8;hpb=cfcf95ad52c253fbd104419ae202a2fc85eb32e2;p=eval.git diff --git a/box/box.c b/box/box.c index d834ffd..71ec68c 100644 --- a/box/box.c +++ b/box/box.c @@ -7,6 +7,8 @@ #define _LARGEFILE64_SOURCE #define _GNU_SOURCE +#include "autoconf.h" + #include #include #include @@ -24,6 +26,7 @@ #include #include #include +#include #include #if defined(CONFIG_BOX_KERNEL_AMD64) && !defined(CONFIG_BOX_USER_AMD64) @@ -289,7 +292,9 @@ static unsigned char syscall_action[NUM_ACTIONS] = { S(get_thread_area) = A_YES, S(set_tid_address) = A_YES, S(exit_group) = A_YES | A_SAMPLE_MEM, -#ifndef CONFIG_BOX_USER_AMD64 +#ifdef CONFIG_BOX_USER_AMD64 + S(arch_prctl) = A_YES, +#else S(oldfstat) = A_YES, S(ftruncate64) = A_YES, S(_llseek) = A_YES, @@ -420,6 +425,7 @@ static struct path_rule default_path_rules[] = { { "/proc/meminfo", A_YES }, { "/proc/self/stat", A_YES }, { "/proc/self/exe", A_YES }, // Needed by FPC 2.0.x runtime + { "/proc/self/maps", A_YES }, // Needed by glibc when it reports arena corruption }; static struct path_rule *user_path_rules; @@ -718,6 +724,11 @@ set_syscall_nr(struct syscall_args *a, arg_t sys) die("ptrace(PTRACE_SETREGS): %m"); } +static void +sanity_check(void) +{ +} + #else static void @@ -741,6 +752,19 @@ set_syscall_nr(struct syscall_args *a, arg_t sys) die("ptrace(PTRACE_SETREGS): %m"); } +static void +sanity_check(void) +{ +#if !defined(CONFIG_BOX_ALLOW_INSECURE) + struct utsname uts; + if (uname(&uts) < 0) + die("uname() failed: %m"); + + if (!strcmp(uts.machine, "x86_64")) + die("Running 32-bit sandbox on 64-bit kernels is inherently unsafe. Please get a 64-bit version."); +#endif +} + #endif /*** Syscall checks ***/ @@ -1316,6 +1340,7 @@ main(int argc, char **argv) if (optind >= argc) usage(); + sanity_check(); uid = geteuid(); if (setreuid(uid, uid) < 0) die("setreuid: %m");