Yes. I think it's what Coverity did, and this may cause many false positives.<br><br>I got an example like this:<br><br><span style="color: rgb(255, 0, 0);">Event chroot_call: Called chroot: "chroot(&"/home/polo/chroot/")"
</span><br><span style="color: rgb(51, 204, 0);">At conditional (1): "chroot(&"/home/polo/chroot/") != 0" taking false path
</span><br>7 if (chroot("/home/polo/chroot/") != 0) {
<br>8 perror("chroot");
<br>9 return 0;
<br>10 }
<br><span style="color: rgb(51, 204, 0);">At conditional (2): "chdir(&"../../") != 0" taking true path
</span><br>11 if (chdir("../../") != 0) {
<br><span style="color: rgb(255, 0, 0);">Event chroot: Called function "perror" after chroot() but before calling chdir("/")
</span><br>12 perror("chdir");
<br>13 return 0;
<br>14 }
<br>15 if (chdir("/") != 0) {
<br>16 perror("chdir");
<br>17 return 0;
<br>18 }
<br>19 <br>20 char *arrays[]={"bash", NULL};
<br>21 execvp("bash", arrays);<br><br><div class="gmail_quote">2010/9/19 Zhongxing Xu <span dir="ltr"><<a href="mailto:xuzhongxing@gmail.com">xuzhongxing@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><br><div class="gmail_quote">2010/9/19 Lei Zhang <span dir="ltr"><<a href="mailto:ioripolo@gmail.com" target="_blank">ioripolo@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Zhongxing,<br><br><div class="im">Here are several simple examples (assume all functions can successfully execute):<br><ul><li>working directory: /home/polo/test/chr</li></ul><div style="margin-left: 40px;">chroot("/var/local/ftp"); // root changed.<br>
chdir("../../"); // working directory changed to "/home/polo/", it's out of the jail.<br>chdir("/"); // enter the jail. working directory changed to "/var/local/ftp".<br>
foo(); // call any other function, ok<br></div><ul><li>working directory: /home/polo/test/chr</li></ul><div style="margin-left: 40px;">chroot("/var/local/ftp"); // root changed.<br>
chdir("/"); // enter the jail. working directory changed to "/var/local/ftp".<br>chdir("../../"); // working directory is still "/var/local/ftp", can't escape from the jail.<br>
foo(); // call any other function, ok<br></div><ul><li>working directory: /home/polo/test/chr</li></ul><div style="margin-left: 40px;">chroot("/var/local/ftp"); // root changed.<br>
chdir("../../"); // working directory changed to "/home/polo/", it's out of the jail.<br>
foo(); // call any other function, may access files outside of the jail.<br><br></div>Above is my understanding of chroot and chdir. So IMO the full state transition is something like:<div>
<br><br>
NO_CHROOT ---chroot(foo)--> ROOT_CHANGED ---------------chdir(/) --> JAIL_ENTERED<br></div><div> | |<br>
--chdir('..') --> ROOT_CHANGED --chdir('..')-->JAIL_ENTERED<br>
| |<br> --foo() -->JAIL_BROKEN or bug --foo()-->JAIL_ENTERED<br>
</div><br><div style="margin-left: 40px;"><br></div></div></blockquote><div><br><br>This FSM looks consistent with your examples. So when we have a call with the state being ROOT_CHANGED then should we emit a warning, isn't it?<br>
</div><div><div></div><div class="h5"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div style="margin-left: 40px;"></div><div class="gmail_quote">
2010/9/18 Zhongxing Xu <span dir="ltr"><<a href="mailto:xuzhongxing@gmail.com" target="_blank">xuzhongxing@gmail.com</a>></span><div>
<div></div><div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><br><div class="gmail_quote">2010/9/17 Lei Zhang <span dir="ltr"><<a href="mailto:ioripolo@gmail.com" target="_blank">ioripolo@gmail.com</a>></span><div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Zhongxing,<br><br>I think "use enums to represent the type state" is OK for now, but I am not sure it meets the needs in the future if we need more precise analysis.<br><br>More comments inline below.<br><br>
<div class="gmail_quote">2010/9/16 Zhongxing Xu <span dir="ltr"><<a href="mailto:xuzhongxing@gmail.com" target="_blank">xuzhongxing@gmail.com</a>></span><div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Lei,<br><br>Instead of introducing new symbols, how about using enums to represent the type state?<br><br>For example, we could use the following states:<br><br>NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED, JAIL_BROKEN<br><br>
NO_CHROOT ---chroot(foo)--> ROOT_CHANGED ---chdir(/)--> JAIL_ENTERED<br>
|<br> ------chdir('..')--> JAIL_BROKEN <br></blockquote></div><div><br>IMO, it's something like this:<div>
<br>
<br>NO_CHROOT ---chroot(foo)--> ROOT_CHANGED ---chdir(/) --> JAIL_ENTERED
</div><div> |<br> ------chdir('..') --> ROOT_CHANGED<br>
|<br> ------foo() -->JAIL_BROKEN<br><br>What do you think?<br></div></div></div></blockquote>
</div><div><br>Sorry, I'm not sure about this. Do you have any references that explain what you are checking for?<br> </div><div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="gmail_quote"><div><div><br></div></div><div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>These states are stored directly in the GDM and operated by the ChrootChecker. Is this sufficient for checking this?<br></blockquote></div><div><br>OK, I'll do this later.<br> </div><div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><div class="gmail_quote"><div><div></div><div>On Tue, Sep 14, 2010 at 4:09 PM, Lei Zhang <span dir="ltr"><<a href="mailto:ioripolo@gmail.com" target="_blank">ioripolo@gmail.com</a>></span> wrote:<br></div></div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div>
Hi, clang<br><div style="margin-left: 40px;"><br>This patch tries to check improper use of chroot.<br><br>In order to implement this checker, I add a subclass (SymbolEnv) of SymbolData to represent some environment variables. Now it contains only one kind of environment variable (JailKind). Then it adds several states to the Jail Symbol.<br>
<br>This is an experimental checker, and I don't know if it is the right way to do this stuff.<br><br>I'll appreciate it if there is any advice about this patch.</div><br><font color="#888888"><br clear="all"><br>-- <br>
Best regards!<br>
<br>Lei Zhang<br>
</font><br></div></div><div>_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a><br>
<a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a><br>
<br></div></blockquote></div><br>
</blockquote></div></div><font color="#888888"><br><br clear="all"><br>-- <br>Best regards!<br><br>Lei Zhang<br>
</font></blockquote></div></div><br>
</blockquote></div></div></div><font color="#888888"><br><br clear="all"><br>-- <br>Best regards!<br><br>Lei Zhang<br>
</font></blockquote></div></div></div><br>
</blockquote></div><br><br clear="all"><br>-- <br>Best regards!<br><br>Lei Zhang<br>
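
The typestate machine discussed in this thread, as an added example that is not part of the original messages or of the ChrootChecker patch: it replays call traces through the four enum states and reports the first call made while the state is still ROOT_CHANGED. The `Call` record, the names `step` and `firstViolation`, and the rule that a repeated `chroot()` resets the state are assumptions; return values are not modelled, so the error-path `perror` from the Coverity report is flagged as well.

```cpp
// Added example: the chroot typestate FSM from the thread, run over call traces.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

enum class JailState { NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED, JAIL_BROKEN };

struct Call { std::string fn, arg; };  // hypothetical trace record

// One FSM transition. Assumption: a repeated chroot() resets to ROOT_CHANGED.
JailState step(JailState s, const Call &c) {
  if (c.fn == "chroot") return JailState::ROOT_CHANGED;
  if (s != JailState::ROOT_CHANGED) return s;  // the other states are stable
  if (c.fn == "chdir")  // only chdir("/") puts the cwd inside the new root
    return c.arg == "/" ? JailState::JAIL_ENTERED : JailState::ROOT_CHANGED;
  return JailState::JAIL_BROKEN;  // any other call before chdir("/")
}

// Index of the first call a checker would warn on, or -1 if the trace is clean.
int firstViolation(const std::vector<Call> &trace) {
  JailState s = JailState::NO_CHROOT;
  for (std::size_t i = 0; i < trace.size(); ++i) {
    s = step(s, trace[i]);
    if (s == JailState::JAIL_BROKEN) return static_cast<int>(i);
  }
  return -1;
}

// Traces transcribed from the thread's three examples and the Coverity report.
const std::vector<Call> kEx1 = {
    {"chroot", "/var/local/ftp"}, {"chdir", "../../"}, {"chdir", "/"}, {"foo", ""}};
const std::vector<Call> kEx2 = {
    {"chroot", "/var/local/ftp"}, {"chdir", "/"}, {"chdir", "../../"}, {"foo", ""}};
const std::vector<Call> kEx3 = {
    {"chroot", "/var/local/ftp"}, {"chdir", "../../"}, {"foo", ""}};
const std::vector<Call> kCoverity = {
    {"chroot", "/home/polo/chroot/"}, {"chdir", "../../"}, {"perror", "chdir"}};

int main() {
  const std::vector<Call> *all[] = {&kEx1, &kEx2, &kEx3, &kCoverity};
  for (const auto *t : all) {
    int i = firstViolation(*t);
    if (i < 0) std::cout << "clean\n";
    else std::cout << "warn at call " << i << ": " << (*t)[i].fn << "\n";
  }
  return 0;
}
```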