Todd C. Miller
339746730c
ptrace_intercept_execve: plug memory leak of get_execve_info() buffer
2022-05-05 19:06:19 -06:00
Todd C. Miller
35ea534b3e
Move register definitions to exec_ptrace.h
2022-05-05 13:37:26 -06:00
Todd C. Miller
d3a1bf4216
Add support for intercepting 32-bit binaries on 64-bit systems.
...
We need to define the ptrace register struct ourselves for the
32-bit system since there is no good way to get it from the system
headers. Currently only implemented for x86_64 and aarch64.
2022-05-05 09:29:05 -06:00
Todd C. Miller
de678ba775
Add setters and getters for ptrace(2) register access.
...
This will be used when running 32-bit binaries from a 64-bit sudo.
2022-05-05 09:17:58 -06:00
Todd C. Miller
f53053a66f
exec_ptrace_handled: don't return early if ptrace_intercept_execve() fails.
...
We need to continue the traced process even if there is a fatal
error. Otherwise, sudo will appear to hang as the running process
is left in PTRACE_EVENT stop.
2022-05-05 09:15:50 -06:00
Todd C. Miller
bbbb6e2ace
Don't use PTRACE_GETREGS, it is too complicated when running compat binaries.
...
Unlike PTRACE_GETREGSET, PTRACE_GETREGS requires that we manually
map registers from 64-bit to 32-bit layouts when running, e.g. a
32-bit binary from a 64-bit sudo process.
2022-05-05 08:53:51 -06:00
Todd C. Miller
4ab6a87b96
Initialize intercept_allow_setid to true if we use ptrace(2) and seccomp(2).
2022-05-04 13:32:28 -06:00
Todd C. Miller
e84fdd99fd
If the process is already being traced, just resume it and clear flags.
...
This makes it possible to run sudo in ptrace intercept mode from within
a shell (or other process) that is already being traced by sudo.
2022-05-03 13:34:40 -06:00
Todd C. Miller
cc52ab770c
exec_ptrace_handled: fix delivery of non-stop signals.
...
We need to deliver signals to the tracee as long as it is not
a group stop. Fixes a hang while tracing another sudo process.
2022-05-03 12:54:10 -06:00
Todd C. Miller
4cac34b86d
Make SIGCHLD handler more consistent with the pty version.
...
No real change other than a few debug statements.
2022-05-03 09:38:28 -06:00
Todd C. Miller
3ee8bcefb0
Kill the command if intercept_setup() or ptrace_seize() fail.
2022-05-03 09:25:58 -06:00
Todd C. Miller
1d17415b69
Add support for intercepting x32 binaries on Linux x86_64.
2022-05-02 14:36:34 -06:00
Todd C. Miller
307b4f69b8
Fix typos
2022-04-29 19:03:20 -06:00
Todd C. Miller
cdc35afff3
Short-circuit the policy check if the command doesn't exist.
...
Otherwise, both sudo and the shell will report the error.
2022-04-29 13:22:51 -06:00
Todd C. Miller
b75a8be34d
Use PTRACE_GETREGS/PTRACE_SETREGS on platforms that support it.
...
This has a better chance of working on things like user-mode Linux.
2022-04-29 13:09:03 -06:00
Todd C. Miller
4010d06ed0
In ptrace(2) intercept mode, add execveat to the seccomp(2) filter.
...
This allows us to avoid logging the initial command twice regardless
of whether the kernel supports execveat(2) or not.
2022-04-29 13:09:03 -06:00
Todd C. Miller
52cacfc302
For ptrace intercept mode, do not do a policy check for the initial command.
...
We can skip the policy check for the execve(2) of the initial command
since it has already been checked. Otherwise, we would log the command
twice. When using fexecve(2) due to a digest check, there should
be no need to skip the initial command since it will be executed
via execveat(2) not execve(2). However, on older kernels without
execveat(2), glibc will emulate fexecve(2) using /proc which will
result in the extra log entry.
2022-04-29 13:09:03 -06:00
Todd C. Miller
5d385b3c58
Enable intercept and log_subcmds for SELinux using ptrace and seccomp.
2022-04-29 13:09:03 -06:00
Todd C. Miller
423fbedb65
Suspend the child process and wait for SIGUSR when using ptrace.
...
This fixes a race condition in ptrace-based intercept mode when
running the command in a pty. It was possible for the monitor to
receive SIGCHLD when the command sent itself SIGSTOP before the
main sudo process did.
2022-04-29 13:09:03 -06:00
Todd C. Miller
fe80dc0bc2
Check architecture in the seccomp filter.
...
Currently only supports the native architecture.
2022-04-29 13:09:03 -06:00
Todd C. Miller
8e7ead57f6
Add support for replacing argv in ptrace intercept mode.
...
The new argv is written below the tracee's stack and the system
call argument is replaced with the new argv address.
2022-04-29 13:09:03 -06:00
Todd C. Miller
8e375445fb
Check the policy for ptrace-based intercept mode.
2022-04-29 13:08:59 -06:00
Todd C. Miller
3e73644cde
Add support for getting the execve(2) arguments via ptrace(2).
...
This will be used to perform a policy check in intercept mode.
2022-04-29 12:35:34 -06:00
Todd C. Miller
01733a5214
Add scaffolding for ptrace-based intercept mode.
2022-04-29 12:35:31 -06:00
Todd C. Miller
22866f2423
Handle multiple child processes in the SIGCHLD handler.
...
This is required by the upcoming ptrace intercept code.
2022-04-29 08:02:57 -06:00
Todd C. Miller
46edc4e198
Stop using the WCONTINUED flag with waitpid(2).
...
We don't use it for anything other than a debug message and it will
cause problems when intercept mode starts using ptrace(2).
2022-04-29 08:02:57 -06:00
Todd C. Miller
d2da56dacc
Add struct command details * to struct monitor_closure.
...
This will be used in the future by the ptrace intercept code.
2022-04-20 13:58:22 -06:00
Todd C. Miller
841375783a
Don't require a pty for intercept or log_subcmds.
...
The code to take back control of the tty before a policy check
doesn't appear to be needed. If the command is run in its own pty,
sudo has control over the user's tty. If the command is run in
the user's tty, sudo should be in the foreground process group.
2022-04-20 11:56:26 -06:00
Todd C. Miller
839c189373
Translate "unable to set limit privileges" strings.
2022-04-20 13:55:51 -06:00
Todd C. Miller
dcb2fb26a5
Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS
2022-04-01 11:14:59 -06:00
Todd C. Miller
e2692f1095
Write the \r\n pair to ttyfp if possible, falling back on fp.
...
This is consistent with the vfprintf() call and fixes a problem
introduced by the last commit where the newline could be written
before the message instead of after.
2022-03-15 17:33:58 -06:00
Todd C. Miller
210875796d
sudo_conversation_printf: convert trailing nl to cr + nl combo.
...
This fixes output when the terminal is in raw mode and is consistent
with how sudo_conversation() behaves.
2022-03-14 20:11:38 -06:00
Todd C. Miller
de47380350
Block SIGCHLD when forking the mailer.
...
Otherwise, it may be picked up by the signal handler instead of our
waitpid(2) call.
Don't warn if waitpid() returns 0 in a SIGCHLD handler.
2022-03-14 13:54:12 -06:00
Todd C. Miller
1f64aca229
Unset LANGUAGE when running tests, otherwise it may override LC_ALL.
...
Bug #1025.
2022-03-14 13:51:03 -06:00
Todd C. Miller
c131b27474
For 'make check-verbose' run fuzzers with -verbose=1
...
This is the default for libFuzzer but not for the stub fuzzer lib.
2022-03-03 10:45:56 -07:00
Todd C. Miller
cdee5d48da
Add check-verbose Makefile target that runs tests in verbose mode.
2022-03-02 13:32:08 -07:00
Todd C. Miller
2c329dbe42
verbose flag is boolean, not int
2022-03-01 15:47:47 -07:00
Todd C. Miller
e9155a067c
Regenerate dependencies.
2022-03-01 11:32:23 -07:00
Todd C. Miller
a199abe0e5
Only display test totals unless run in verbose mode.
2022-02-28 20:18:54 -07:00
Todd C. Miller
f793042bec
command_allowed: plug memory leak on strdup() failure.
...
Coverity CID 249972
2022-02-24 07:49:30 -07:00
Todd C. Miller
a299406291
Add fallback if /proc/self/stat or /proc/pid/psinfo is missing or invalid.
...
If the /proc file indicates no terminal is present there is no fallback.
Bug #1020
2022-02-02 08:32:44 -07:00
Todd C. Miller
5e30d01205
Quiet a PVS-Studio format string warning.
2022-01-19 09:20:42 -07:00
Todd C. Miller
757c3a1d37
When applying fallback limits, make sure we don't reduce rlim_max.
...
Fixes a problem where sudo could reduce the max stack size on some
systems if the original limit was higher than the fallback limit,
but not unlimited/infinity.
2022-01-11 13:30:20 -07:00
Todd C. Miller
1c95ab8852
Don't modify the stack limit if it is >= SUDO_STACK_MIN.
2022-01-11 13:21:32 -07:00
Todd C. Miller
2e08db3695
If sudo is not set-user-ID root, check for the no_new_privs flag on Linux.
...
This flag disables set-user-ID at execve(2) time and may be set by
default for some containers. GitHub issue #129.
2022-01-09 17:31:06 -07:00
Todd C. Miller
48bc498a6f
Add pam_askpass_service sudoers setting for "sudo -A".
...
This makes it possible to use a different PAM configuration for
when "sudo -A" is used. The main use case is to only use PAM modules
that can interact with the askpass program. GitHub issue #112.
2022-01-08 11:35:03 -07:00
Todd C. Miller
e22cc72530
Back out changes to enable SELinux by default.
...
This may return in a future release in a different form.
2021-12-22 11:13:22 -07:00
Todd C. Miller
f9f39cde20
dir_is_writable: don't treat EPERM from faccessat() as a fatal error.
...
We can get EPERM on Linux with SELinux. GitHub issue #122.
2021-11-27 12:34:16 -07:00
Todd C. Miller
7085a64475
Avoid symbol name clash with is_writable() function variable.
...
Rename "is_writable" variable to "writable".
2021-11-09 13:39:30 -07:00
Todd C. Miller
7c8746bc70
Document resource limit support in command_info[] and bump plugin API minor.
...
This is supported beginning with sudo 1.9.9 and plugin API 1.17.
2021-11-09 12:57:25 -07:00