mawk: add a --sandbox option
Issue description

gawk provides a --sandbox flag to harden usage at runtime:

    -S
    --sandbox
        Runs gawk in sandbox mode, disabling the system() function, input redirection with getline, output redirection with print and printf, and loading dynamic extensions. Command execution (through pipelines) is also disabled. This effectively blocks a script from accessing local resources (except for the files specified on the command line).

it'd be nice if mawk had similar functionality.
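
The gawk behaviour quoted in the issue description, as an added example that is not part of the original report or of the mawk patches: each constructed one-line program is run with and without `--sandbox`, and the script reports which ones the sandbox refuses. It assumes gawk 4.0 or later is on PATH; `AWK_BIN` and `sandbox_verdict` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: compare plain gawk with gawk --sandbox on constructed programs.
AWK_BIN="${AWK_BIN:-gawk}"   # assumption: a gawk binary that supports --sandbox

# Print "blocked" if the program runs normally but fails under --sandbox,
# "allowed" if it succeeds in both modes, "error" for anything else.
sandbox_verdict() {
    prog=$1
    work=$(mktemp -d) || return 1
    printf 'constructed input line\n' > "$work/in.txt"   # constructed sample input
    plain=0; boxed=0
    (cd "$work" && "$AWK_BIN" "$prog" in.txt) >/dev/null 2>&1 || plain=$?
    (cd "$work" && "$AWK_BIN" --sandbox "$prog" in.txt) >/dev/null 2>&1 || boxed=$?
    rm -rf "$work"
    if [ "$plain" -eq 0 ] && [ "$boxed" -ne 0 ]; then
        echo blocked
    elif [ "$plain" -eq 0 ] && [ "$boxed" -eq 0 ]; then
        echo allowed
    else
        echo error
    fi
}

if command -v "$AWK_BIN" >/dev/null 2>&1; then
    # One program per feature named in the man page text, plus a control
    # that only reads the file given on the command line.
    for prog in \
        'BEGIN { system("true") }' \
        'BEGIN { print "x" > "out.txt" }' \
        'BEGIN { print "x" | "cat" }' \
        'BEGIN { "echo hi" | getline v }' \
        'BEGIN { getline v < "in.txt" }' \
        '{ print $1 }'
    do
        printf '%-8s %s\n' "$(sandbox_verdict "$prog")" "$prog"
    done
else
    echo "$AWK_BIN not found; nothing to check"
fi
```

Running the same loop over the awk one-liners a script base already uses shows which callers would break before a sandboxed awk becomes the default.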

Nov 7 2017

Nov 7 2017
implemented: https://chromium-review.googlesource.com/756575
let's see what the test systems think

Nov 8 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/31693df8f2418127b3b9a35d445082ad681629ab

commit 31693df8f2418127b3b9a35d445082ad681629ab
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Nov 08 23:10:25 2017

    mawk: add sandbox support

    The first patch adds -W sandbox support to mawk like exists in gawk: the system() function, file redirects, and pipelines are disabled. The second patch adds a configure flag to turn on the sandbox all the time, and then we opt into that.

    BUG= chromium:767182
    TEST=precq passes

    Change-Id: I976e929ef02e623ec8a733d28141f1076e45a0c5
    Reviewed-on: https://chromium-review.googlesource.com/756575
    Commit-Ready: Mike Frysinger <vapier@chromium.org>
    Tested-by: Mike Frysinger <vapier@chromium.org>
    Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[add] https://crrev.com/31693df8f2418127b3b9a35d445082ad681629ab/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch
[add] https://crrev.com/31693df8f2418127b3b9a35d445082ad681629ab/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch
[add] https://crrev.com/31693df8f2418127b3b9a35d445082ad681629ab/sys-apps/mawk/mawk.bashrc

Nov 14 2017

Nov 14 2017
Note that this causes issues with Crouton: https://github.com/dnschneid/crouton/issues/3506

Nov 14 2017
on the upside, it means the patch is WAI ;) i didn't send out a PSA for these mawk changes, but i think dnschneid@ had at least a few days notice per other conversations ;) maybe we should add gawk to the dev image so it'll at least be available in /usr/local. i don't plan on messing with the sandbox there since it isn't the one shipped in the verified rootfs.

Nov 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/00d6d29a7cd623bc785ba2eca9676c7947fa3a35

commit 00d6d29a7cd623bc785ba2eca9676c7947fa3a35
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Nov 16 04:21:08 2017

    target-chromium-os-dev: make gawk available in dev images

    This lets people use a more featureful awk when using a dev image (and one w/out sandbox restrictions like we have in mawk now). This shouldn't have a negative impact on testing as `awk` will still point to `mawk`.

    BUG= chromium:767182
    TEST=precq passes

    Change-Id: Ied09f1d3456ba090c30a069579d80294987290c9
    Reviewed-on: https://chromium-review.googlesource.com/769358
    Commit-Ready: Mike Frysinger <vapier@chromium.org>
    Tested-by: Mike Frysinger <vapier@chromium.org>
    Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>

[rename] https://crrev.com/00d6d29a7cd623bc785ba2eca9676c7947fa3a35/virtual/target-chromium-os-dev/target-chromium-os-dev-1-r26.ebuild
[modify] https://crrev.com/00d6d29a7cd623bc785ba2eca9676c7947fa3a35/virtual/target-chromium-os-dev/target-chromium-os-dev-1.ebuild

Nov 16 2017
i'll leave this open until i get a chance to send it upstream

Nov 21 2017
Just to circle back, crouton is now happy with the sandboxing: https://github.com/dnschneid/crouton/pull/3514

I somehow stumbled upon the change ahead of time, but if you know or suspect an upcoming change will break crouton, firing off a quick bug on the crouton tracker would be much appreciated.

Dec 15 2017
looks like he has a github page for submitting reports: https://github.com/ThomasDickey/original-mawk/issues/49

Jul 30

Aug 2