From: Martin Mares
Date: Mon, 5 Jul 2010 15:11:34 +0000 (+0200)
Subject: Box: Let the 32-bit version refuse to run on 64-bit kernels
X-Git-Url: http://mj.ucw.cz/gitweb/?a=commitdiff_plain;h=bf755d50d117057d2be1197341e1d91bc5f1a808;p=eval.git
Box: Let the 32-bit version refuse to run on 64-bit kernels
---
diff --git a/box/box.c b/box/box.c
index d834ffd..fb62376 100644
--- a/box/box.c
+++ b/box/box.c
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 #include
 #if defined(CONFIG_BOX_KERNEL_AMD64) && !defined(CONFIG_BOX_USER_AMD64)
@@ -718,6 +719,11 @@ set_syscall_nr(struct syscall_args *a, arg_t sys)
 die("ptrace(PTRACE_SETREGS): %m");
 }
+static void
+sanity_check(void)
+{
+}
+
 #else
 static void
@@ -741,6 +747,19 @@ set_syscall_nr(struct syscall_args *a, arg_t sys)
 die("ptrace(PTRACE_SETREGS): %m");
 }
+static void
+sanity_check(void)
+{
+#if !defined(CONFIG_BOX_ALLOW_INSECURE)
+ struct utsname uts;
+ if (uname(&uts) < 0)
+ die("uname() failed: %m");
+
+ if (!strcmp(uts.machine, "x86_64"))
+ die("Running 32-bit sandbox on 64-bit kernels is inherently unsafe. Please get a 64-bit version.");
+#endif
+}
+
 #endif
 /*** Syscall checks ***/
@@ -1316,6 +1335,7 @@ main(int argc, char **argv)
 if (optind >= argc)
 usage();
+ sanity_check();
 uid = geteuid();
 if (setreuid(uid, uid) < 0)
 die("setreuid: %m");
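Review bot: The `strcmp(uts.machine, "x86_64")` test in the 32-bit `sanity_check()` (third hunk) relies on a value that follows the process personality. When the box is started in a `linux32`/`setarch i686` environment (PER_LINUX32), `uname()` on a 64-bit kernel reports a 32-bit machine string, so the `die()` is never reached. If the check is meant to be more than a reminder, consider also refusing that personality, e.g. `if ((personality(0xffffffff) & PER_MASK) == PER_LINUX32) die("Refusing to run under a 32-bit personality");` with `<sys/personality.h>`. Otherwise state the limit in a comment such as `/* Best effort: uname() follows the personality, so a linux32 environment hides a 64-bit kernel. */`. The message says "inherently unsafe" without giving the reason, and `CONFIG_BOX_ALLOW_INSECURE` compiles the check out silently; a short comment on each, and on the empty 64-bit stub in the second hunk, would help the next person who builds this.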