diff options
author | Mike Frysinger <vapier@gentoo.org> | 2009-03-08 07:14:17 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2009-03-08 08:47:05 -0400 |
commit | 7b0b914b4ea0e594867bad91fe1aaffa0c21d87b (patch) | |
tree | a0cbb36e49c17f91017c75c1c9b2e0cc80a1f53e /libsandbox/libsandbox.h | |
parent | libsandbox: push errno save/restore down in openat() (diff) | |
download | sandbox-7b0b914b4ea0e594867bad91fe1aaffa0c21d87b.tar.gz sandbox-7b0b914b4ea0e594867bad91fe1aaffa0c21d87b.tar.bz2 sandbox-7b0b914b4ea0e594867bad91fe1aaffa0c21d87b.zip |
libsandbox: handle symlinks properly
Make sure we handle edge cases that involve symlinks and functions that
operate on symlinks. This includes newer style *at functions that can go
between operating on symlinks and operating on the linked files, and on
symlinks to files that live in explicitly denied paths.
URL: http://bugs.gentoo.org/254914
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Mike Auty <ikelos@gentoo.org>
Diffstat (limited to 'libsandbox/libsandbox.h')
-rw-r--r-- | libsandbox/libsandbox.h | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libsandbox/libsandbox.h b/libsandbox/libsandbox.h index 8ed6d70..5e45b23 100644 --- a/libsandbox/libsandbox.h +++ b/libsandbox/libsandbox.h @@ -17,10 +17,10 @@ #define _FUNCTION_SANDBOX_SAFE(test) \ (!is_sandbox_on() || (test)) -#define FUNCTION_SANDBOX_SAFE_AT(_dirfd, _path) \ - _FUNCTION_SANDBOX_SAFE(before_syscall(_dirfd, WRAPPER_NR, STRING_NAME, _path)) +#define FUNCTION_SANDBOX_SAFE_AT(_dirfd, _path, _flags) \ + _FUNCTION_SANDBOX_SAFE(before_syscall(_dirfd, WRAPPER_NR, STRING_NAME, _path, _flags)) #define FUNCTION_SANDBOX_SAFE(_path) \ - FUNCTION_SANDBOX_SAFE_AT(AT_FDCWD, _path) + FUNCTION_SANDBOX_SAFE_AT(AT_FDCWD, _path, 0) #define FUNCTION_SANDBOX_SAFE_ACCESS_AT(_dirfd, _path, _flags) \ _FUNCTION_SANDBOX_SAFE(before_syscall_access(_dirfd, WRAPPER_NR, STRING_NAME, _path, _flags)) @@ -40,7 +40,7 @@ int canonicalize(const char *, char *); bool is_sandbox_on(void); -bool before_syscall(int, int, const char *, const char *); +bool before_syscall(int, int, const char *, const char *, int); bool before_syscall_access(int, int, const char *, const char *, int); bool before_syscall_open_int(int, int, const char *, const char *, int); bool before_syscall_open_char(int, int, const char *, const char *, const char *); |