2022-12-13 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* LibSecRm version 3.2
Significant portability updates. LibSecRm now compiles on FreeBSD
and macOS. Allow setting the number of iterations using an
environment variable. Improvements in banning. Improvements in the
build system. Improvements in code quality. Significant improvements
in the documentation. New unit tests.
* configure.ac: Updated using Autoconf 2.71. Added enabling all
Automake warnings. Added calling AM_PROG_AR as recommended by
Automake warnings. More portable checking for brk() and sbrk(). Use
dedicated macros to check for the 'long long int', mode_t, pid_t and
ssize_t types. Changed the program's configured name, add URL in
AC_INIT(). Added checking for the "-fanalyzer" and "-fstack-check"
compiler options. Added checking for the pvalloc(), realpath(),
canonicalize_file_name() and strtoul() functions. Added checking for
limits.h.
* src/{lsr_banning.c, lsr_memory.c, lsr_public.c.in, lsr_truncate.c,
lsr_unlink.c, lsr_wiping.c}: Moved the compatibility flags to
lsr_cfg.h.in.
* src/lsr_cfg.h.in: Added compatibility flags to allow compiling on
FreeBSD and macOS. Added constants for the pvalloc(), realpath(),
canonicalize_file_name() and strtoul() functions. Updated the
package names.
* src/lsr_banning.c, src/lsr_cfg.h.in, src/lsr_priv.h.in,
src/lsr_wiping.c: Use the new constant HAVE_LONG_LONG_INT. Define
__lsr_fcntl_signal_received() only when needed.
* src/lsr_public.c.in, src/libsecrm.h.in: Added the missing rmdir()
function, as reported by cppcheck.
* src/lsr_banning.c (__lsr_check_forbidden_file_name): A new function
for checking of banning a canonical name.
* src/lsr_banning.c (__lsr_is_forbidden_file): Use realpath() or
canonicalize_file_name() if available. Moved the common code to
__lsr_check_forbidden_file_name(). Port fixes from LibHideIP: free
memory when needed, avoid infinite loops. Keep the buffer length
without malloc() and fix zeroing it.
* src/lsr_wiping.c (__lsr_set_npasses): Allow setting the number of
wiping iterations/passes.
* src/lsr_priv.h.in: Stopped redefining mode_t and ssize_t - the new,
dedicated macros do it for us. Added declaration of the new
__lsr_set_npasses() function. Define off64_t only when not detected
and not already defined.
* src/libsecrm.c (__lsr_main): Set the number of wiping iterations
from an environment variable.
* src/libsecrm.h.in: Define the environment variable for the number
of wiping iterations/passes. Define off64_t only when not detected
and not already defined.
* src/lsr_wiping.c (__lsr_fd_truncate): Declare res_sig when needed.
* src/lsr_truncate.c (generic_truncate): Delete unused values.
* src/lsr_unlink.c (unlinkat): Initialize the return value in case
when some code is skipped (found by Codacy).
* src/lsr_memory.c (brk): Fixed casts without const.
* src/lsr_public.c.in: Added declarations missing on some systems.
* src/lsr_opens.c (fopen64, freopen64, open64): Define only when found
on the system.
* src/lsr_truncate.c (truncate64, ftruncate64): Define only when found
on the system.
* src/lsr_creat.c (creat64): Define only when found on the system.
* src/lsr_memory.c (pvalloc, aligned_alloc): Define only when found on
the system.
* src/lsr_banning.c, src/lsr_memory.c: Declare some functions manually
when their declarations cannot be enabled on the system.
* src/lsr_banning.c, src/libsecrm.c: Changed #if to #ifdef for the
sys/time.h include.
* src/*.{c,h,in}, test/*.{c,h}, */Makefile.am, doc/libsecrm.texi.in:
Updated license blocks.
* Makefile.am: Renamed 'pack' to 'x-pack'. Replaced ac_prototype.m4
with ax_prototype.m4.
* src/Makefile.am: Renamed 'randomnames' to 'x-randomnames' and made
it PHONY.
* src/randomize_names_*.sh: Apply fixes recommended by Codacy.
* test/lsrtest_unlink.c (unlink_and_verify): Initialize the return
value in case when some code is skipped (found by Codacy).
* test/lsrtest_other.c (test_symb_var): Added checking if private
variables cannot be found either, not just functions.
* test/lsrtest_other.c (test_iter_env): Added checking if the number
of wiping iterations is properly set from an environment variable.
* test/lsrtest_opens.c: Added tests for symlinks.
* test/lsrtest_fopens.c: Many more tests of the "w+" mode. Added
tests for symlinks.
* test/lsrtest_common.c (teardown_test): Added deleting the link file.
* test/Makefile.am: Moved common elements to variables. Renamed
'zcompile' to 'x-compile'. Added a flag to use config.h.
* m4/ax_gcc_warn_unused_result.m4: Updated for Autoconf 2.71.
* m4/ax_prototype.m4: Replaced ac_prototype.m4 and updated for
Autoconf 2.71.
* README, INSTALL: Moved building RPMs the new way above the old way.
Other small updates.
* doc/libsecrm.texi.in: Many improvements in the documentation: made
URLs into proper links, use the TeXinfo @file, @samp, @command,
@code and @verbatim properly, added a link to the home page on the
"What is LibSecRm" page, added "Reporting issues". Described the new
environment variable for the number of wiping iterations/passes.
Other small changes.
* doc/Makefile.am: Added flags for generating the HTML documentation.
* doc/sf_bogdro.css: Added a CSS file for the HTML documentation.
* libsecrm.spec.in: Fixed config file attributes.
2021-01-09 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* LibSecRm version 2.9
Added intercepting posix_fallocate64(). Portability improvements.
LibSecRm should work better with some filesystems which have i-node
numbers greater than 2^32-1 and compile under non-ANSI-C. Checked
running LibSecRm under GCC address & undefined behaviour sanitizers.
Added more unit tests.
* configure.ac: added checking for the stat64(), lstat64() and
fstatat64() functions. Updated the test for the ptrdiff_t type by
adding stddef.h (and a check for it). Added creating doc/libsecrm.3.
Checking for the mkfifo() function for future unit tests. Checking
for the posix_fallocate64() function. Changed the 'intercept-malloc'
option to be '--enable-', not '--with-'. Added checking for the
-Wstringop-truncation and -Wduplicated-branches compiler options.
* m4: removed unused files
* src/lsr_cfg.h.in: added new constants
* src/*.c*: added a preprocessor block that marks ANSI C as disabled,
for internal testing compiler compatibility.
* src/lsr_unlink.c (__lsr_rename): choose a new character to wipe the
filename if the chosen one is the same as the original (at least the
first one).
* src/lsr_unlink.c (rmdir): prefer lstat64() if available. Check also
for lstat() and skip if not available.
* src/lsr_unlink.c (unlinkat): open the file in exclusive mode, just
like in the other functions
* src/lsr_banning.c (check_dir, __lsr_is_forbidden_fs,
__lsr_can_wipe_filename): prefer stat64() if available. Check
also for stat() and skip if not available.
* src/lsr_banning.c (__lsr_can_wipe_dirname, __lsr_is_forbidden_file):
prefer lstat64() if available. Check also for lstat() and skip if
not available.
* src/lsr_banning.c (__lsr_can_wipe_filename_atdir): prefer fstatat64()
if available. Check also for fstatat() and skip if not available.
* src/lsr_banning.c (__lsr_can_wipe_filedesc): prefer fstat64()
if available. Check also for fstat() and skip if not available.
* src/lsr_banning.c (__lsr_is_forbidden_fd): fix a potential overflow
* src/lsr_banning.c (__lsr_is_forbidden_file): replace rindex() with
the more portable strrchr().
* src/lsr_wiping.c (__lsr_fd_truncate): prefer fstat64() if available.
Check also for fstat() and skip if not available.
* src/lsr_truncate.c (posix_fallocate64): a new intercepted function
* src/lsr_truncate.c (generic_posix_fallocate): a new generic function
to support both posix_fallocate() and posix_fallocate64().
* src/lsr_truncate.c (fallocate, generic_posix_fallocate): Check also
for fstat() and skip if both fstat64() and fstat() are not available.
* src/lsr_opens.c (generic_fopen, generic_freopen, generic_open,
generic_openat): code simplification and size reduce
* src/lsr_public.c.in (lsr_posix_fallocate, lsr_fallocate): fixed
compiling without ANSI C
* src/lsr_priv.h.in: corrected some declarations to avoid warnings
* src/banning_generic.c (__banning_is_banned): fixed using the user
banning filename instead of the global one
* Makefile.am: stop using 'tar --delete', for systems where GNU tar is
not installed or is not the default. Marked the 'pack' target PHONY
* test/*.c, test/lsrtest_common.h: added a prolog macro with logging
common for all tests
* test/lsrtest_banning.c, test/lsrtest_unlink.c: moved common code to
separate functions.
* test/*.c: Fixed some compiler warnings.
* test/lsrtest_unlink.c: free()ing pointers in tests when GNU libc is
detected (it's allowed in this case and removes sanitizer errors).
Moved test_unlink_banned() out of the unlinkat() test block. Added
tests for unlinkat() and remove() with symbolic links.
* test/lsrtest_fopens.c: added tests for a device file and for an
object in the /proc filesystem. Added tests for the "w+" open mode.
* test/lsrtest_other.c: a new test for finding a private symbol in
the library and for the function filling the wiping buffer.
* test/lsrtest_truncate.c: added a test for posix_fallocate64()
* test/Makefile.am: added the new lsrtest_other test, added a target
to just compile the tests
* doc/libsecrm.3.in: created from doc/libsecrm.3 to allow ./configure
substitutions later.
* doc/Makefile.am: added distributing libsecrm.3.in
* doc/libsecrm.texi.in, doc/libsecrm.3.in: updated the addresses
* doc/libsecrm.texi.in: more blocks in @command{}. Added the new
public function - lsr_posix_fallocate64(). Substituting the return
and argument types for lsr_brk() and lsr_sbrk()
* libsecrm.spec.in: removed obsolete commented-out commands, updated
the URL, added BugURL. Using macros for common elements.
2019-02-08 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* LibSecRm version 2.8
Added intercepting new functions. Fixed initialization code - fixed
lookup for fopen() and made intercepting malloc() disabled by
default, because it causes the library to crash. Many improvements
in checking if an object is banned from being wiped. Improvements
in code portability and compatibility. Better code maintainability,
updated copyright and documentation. Improvements in unit tests and
new tests added.
* configure.ac: moved AC_LANG(C) before AC_PROG_LIBTOOL for improved
compatibility. Checking for sys/sysmacros.h for compatibility with
future glibc versions, which define makedev() there. Added checking
for the -Wno-nonnull-compare compiler flag to avoid warnings about
defensive programming code. Added checking for the stat() function.
Added checking for the -Wchkp, -Wformat-overflow=2, -Wrestrict
-Wduplicated-cond, and -Woverlength-strings compiler warning options
* missing: script updated from new autoconf
* src/libsecrm.c (__lsr_copy_string): put variables before code
* src/libsecrm.c (__lsr_main): better casting of time() result to
avoid warnings. Set the internal flag when initializing. When the
fopen() functions can't be found by versioned lookup, try normal
lookup. This should fix compatibility with newer systems and make
banning work there.
* src/*.c: define LSR_VOID to be 'void' in ANSI C and use that in
function definitions for better readability
* src/libsecrm.h.in, src/lsr_memory.c, src/lsr_public.c.in,
src/lsr_banning.c: added defining the constants (_DEFAULT_SOURCE,
_ISOC11_SOURCE, _POSIX_C_SOURCE) for better compatibility with new
C libraries
* src/lsr_unlink.c (__lsr_rename), src/lsr_banning.c
(__lsr_is_forbidden_file), src/lsr_memory.c (sbrk): fixed variable
types to avoid warnings
* src/lsr_cfg.h.in: added missing constants
* src/lsr_banning.c (__lsr_can_wipe_dirname): added a new function for
checking if directories apply for wiping. This allowed to make
__lsr_check_file_ban() and __lsr_check_file_ban_proc() static
* src/lsr_banning.c: re-wrote some of the functions to use device-IDs
and i-node numbers, to be independent of the current directory and
to improve banning checks
* src/lsr_banning.c (__lsr_can_wipe_filedesc): check if the i-node
does not match a banned file
* src/lsr_banning.c (check_dir, __lsr_check_file_ban_proc): improved
checking directory entries
* src/lsr_banning.c (__lsr_is_forbidden_file): check if the filename
does not start with a banned filesystem's name. Check the final
found object's type. Add support for symlink targets with paths not
absolute, but relative to the symlink. Check the file's base name
against the list of forbidden files, not the whole path.
* src/lsr_banning.c (__lsr_is_forbidden_fs): added a new function for
checking if the object's filesystem's device ID is one of the
forbidden filesystems
* src/lsr_banning.c (__lsr_can_wipe_filedesc, __lsr_can_wipe_dirname,
__lsr_can_wipe_filename_atdir, __lsr_can_wipe_filename): added code
to check if the object is not on one of the forbidden filesystems
* src/lsr_banning.c (__lsr_can_wipe_filename,
__lsr_can_wipe_filename_atdir): added a flag to allow either to
check the given object or the target object (if the given name turns
out to be a link)
* src/lsr_banning.c (__lsr_is_forbidden_fd): read the name of the file
connected to the open file descriptor and check if it is one of the
forbidden files.
* src/lsr_memory.c, src/lsr_priv.h.in, src/libsecrm.c,
src/lsr_public.c.in: intercepting the aligned_alloc() function
* src/lsr_creat.c, src/lsr_opens.c, src/truncate.c: created generic
32-/64-bit functions with common code to be called from the
intercepted functions
* src/lsr_public.c.in, src/lsr_truncate.c: simplified the missing
functions' declarations
* src/lsr_public.c.in (lsr_open, lsr_openat64, lsr_openat): fixed
invalid variable names to remove potential compile-time errors in
code based on old-style varargs
* src/lsr_opens.c (open, open64, openat, openat64): move the logger
after parameter initialization to display it properly in code based
on old-style varargs
* src/lsr_public.c.in: fixed the declaration of __lsr_fill_buffer
* README, INSTALL, doc/libsecrm.texi.in: added the new configure
option: --enable-intercept-malloc
* libsecrm.spec.in: made the spec file more portable (assuming that
the required macros are properly defined on the target systems) and
removed some rpmlint warnings and errors
* doc/libsecrm.texi.in, doc/libsecrm.3: added new URLs, updated the
description
* test/*.c, test/Makefile.am: split the unit tests into separate
files, one for each functionality/compilation unit with intercepted
functions
* test/lsrtest_banning.c (test_banned_in_userfile_prog,
test_banned_in_userfile_file): if the "HOME" environment variable is
not set, leave. Banning will not crash because of this, so no need
to test
2017-04-25 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* LibSecRm version 2.5
Many code improvements and simplifications in readability and
maintenance. Improvements to code related with banning the library
from interfering with fragile files and programs. Fixed wiping in
freopen* functions and memory. Improvements to performance. New
unit tests.
* src/libsecrm-priv.h.in: rename to lsr_priv.h.in, for consistency
with the other libraries. Move extern "C" before the first extern.
Added LSR_SET_ERRNO and LSR_GET_ERRNO macros to simplify code in many
places. Added LSR_MEMCOPY, LSR_MEMSET and the respective replacement
functions' declarations. Added __lsr_copy_string declaration. Added
LSR_MAKE_ERRNO_VAR for declaring and initializing a variable that
holds the temporary errno value. Remove #defines for 64-bit versions
of functions that LibSecRm defines unconditionally anyway. Added a
warning when glibc 2.11 is used.
* test/lsrtest.c: added a test for wiping open files. Added tests
related to banning. Deleting also the banned file after its tests.
* src/lsr_banning.c (check_map): correct the expected sscanf() result
* README, INSTALL, doc/libsecrm.texi.in: added a note that compiling
with a C++ compiler won't work right now due to some variable
casting constructs that are forbidden in C++. Added a note saying
that glibc 2.11 (and potentially other versions) has a bug which may
cause LibSecRm to hang during initialization in dl(v)sym.
* src/*.c: simplified errno usage - not setting where not checked
after or when not in a user-called function. Use macros to set and
get errno where required. Simplify memcpy/strncpy/memset usage to
macros and conditionally-defined functions. All public functions
should now either preserve errno or keep the value set by the
original functions. Moved calling __lsr_set_signal_lock and
__lsr_unset_signal_unlock to __lsr_fd_truncate. This removes
duplicated code and variables and improves code maintenance.
* src/libsecrm.c: added __lsr_copy_string and replacements for the
memcpy and memset functions.
* src/libsecrm.c (__lsr_set_signal_lock): fixed undeclared variable
in case memset is not available.
* src/lsr_wiping.c (__lsr_fd_truncate): synchronise the file when an
additional pass of wiping with zeros is defined. Use separate
variables for the size to pass to write(), for easy comparison with
write_res, the writing result. Use a variable for the loop limit
statement - diff/buffer_size - which can be calculated just once.
* src/banning-generic.c: a generic file with functions related to
banning programs and files from being interfered with by the library.
Improved code deduplication and maintenance. The file will be used
in LibSecRm, LibHideIP and LibNetBlock.
* src/lsr_banning.c: include and use banning-generic.c.
* src/lsr_opens.c (freopen, freopen64): wipe the file being opened,
not the file being closed. Allow the standard streams to be wiped.
* src/truncate.c (posix_fallocate, fallocate): fall back to the
original function if stat.h is not available.
* src/lsr_opens.c (fopen64, fopen, freopen64, freopen, open64, open,
openat64, openat): check if truncating before checking for banning.
Saves much time when working.
* src/truncate.c, src/lsr_opens.c, src/lsr_unlink.c, src/lsr_creat.c:
checking object type before wiping.
* src/lsr_unlink.c (unlinkat): checking for real openat() existence
before using it and now not leaving without renaming if openat() is
unavailable.
* src/lsr_banning.c (check_dir): fix logger
* configure.ac, src/lsr_truncate, src/lsr_cfg.h.in: check for fstat64
and make stat64 struct variable definitions depend on existence of
fstat64, not just stat.h. If fstat64() is not available, use regular
fstat().
* src/lsr_wiping.c (__lsr_fill_buffer): not overflowing the buffer in
case of wiping size < 3. Fixed special cases in buffer length.
* src/lsr_memory.c (pvalloc): fixed the wiping length in case it was
originally a multiple of the page size.
* src/libsecrm.c (__lsr_main): correctly intercepting pvalloc()
* src/lsr_creat.c, src/lsr_memory.c, src/lsr_opens.c,
src/lsr_public.c.in, lsr_truncate.c: surrounded external definitions
with >extern "C"<.
2015-09-04 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* LibSecRm version 2.0
Library marked as not requiring executable stack (security reasons).
Fixed fallocate(), posix_fallocate() and brk() (in case of systems
without sbrk()). Fixed unlink()&friends with file renaming. Fixed
errno setting. Fixed banning functions. Added unit tests. Minor
code cleanup.
* configure.ac: checking for the -Wl,-z -Wl,noexecstack compiler
option and -z noexecstack linker option. Rearranging the check for
libdl to enable the default behaviour (adding it to the LIBS) - this
allows using tests and removes the need to preload libdl along with
libsecrm. Checking for the "check" library for unit tests. Checking
for the symlink() and mkdir() functions for tests. Checking for the
fstatat() function for use in unlinkat.
* test: added unit tests for LibSecRm
* src/lsr_truncate.c (posix_fallocate, fallocate): fixed wiping size
* libsecrm.spec.in: changed the LibSecRm URL address to SourceForge
and updated filename for the new version
* src/lsr_banning.c: created new constants for common #defines
* src/lsr_memory.c (brk): leaving with ENOSYS only if original brk()
is not available. When sbrk() is unavailable (which we need), just
call original brk().
* src/libsecrm-priv.h.in: added SET_ERRNO_MISSING to set the errno
when the original function is missing on the system. Fixed the value
* src/randomize_names_perl.sh: optimized the name matching
* README, INSTALL, doc/libsecrm.texi.in: described in detail how to
hide LibSecRm by randomizing internal names
* src/Makefile.am: added the "randomnames" target for easy internal
name randomization (hiding LibSecRm from simple symbol listing)
* src/lsr_unlink.c (__lsr_rename): if renaming failed, use the
previous name for the next renaming iteration. Otherwise, if a file
couldn't have been renamed, it wouldn't be deleted by unlink() etc.
* src/lsr_banning.c (__lsr_is_forbidden_file): a new function that
checks for known files that shouldn't be overwritten by LibSecRm
* src/lsr_unlink.c (unlink, unlinkat, remove, rmdir): using the
new function, __lsr_is_forbidden_file, to check if a filename is
known and banned.
* src/lsr_unlink.c (unlinkat): using fstatat() to check the object type
* src/lsr_truncate.c: wiping regular files only
2013-06-02 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* LibSecRm version 1.9
Allow working without dynamic memory allocation. Portability
improvements (fixes for compilation without some header
files or functions). Other small fixes and updates.
* src/lsr_banning.c: fixes for compilation without some header
files or functions. Added including the missing malloc.h file.
* configure.ac: checking for the -O3 compiler option. No longer
requiring malloc(). Checking for the basename() function.
* README, INSTALL, doc/libsecrm.texi.in: changed "rpm" to "RPM",
commands in separate paragraphs
* src/Makefile.am: made libsecrm.h not distributed
* src/lsr_truncate.c: removed including the unnecessary malloc.h file
* src/lsr_unlink.c: more checks for NULL
* src/lsr_wiping.c (__lsr_fd_truncate): fixed freeing an
unallocated buffer. Using a static buffer if malloc() unavailable.
Initializing the list of selected patterns.
* doc/libsecrm.texi.in: added a note about renaming deleted objects
* src/lsr_memory.c: initializing the list of selected patterns
* src/lsr_unlink.c (__lsr_rename): checking for basename().
* src/lsr_banning.c, src/libsecrm.c, src/lsr_unlink.c: corrected
the location of GCC attributes in function parameter lists
2012-10-11 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* LibSecRm version 1.8
Portability improvements. Banning mechanism fixed and updated
with new possibilities.
* src/lsr_wiping.c: portability improvements in declarations.
* README, INSTALL, doc/libsecrm.texi.in, ChangeLog, doc/libsecrm.3:
documentation updates and corrections.
* src/lsr_truncate.c (fallocate, posix_fallocate): fixed compiling
for non-ANSI-C compilers.
* configure.ac: added a summary of enabled options. Added two new
command-line banning-related options: --enable-environment
(enables additional banning files pointed to by environment
variables) and --enable-user-files (enables additional banning
files in users' home directories). Using AS_HELP_STRING to format
help for options. Added the --with-passes option to allow specifying
the number of passes at configure time, not only at compile time.
Added the --with-buffer-size option to allow specifying the buffer
size at configure time, not only at compile time.
* src/libsecrm-priv.h.in.h: added missing LSR_ prefixes
* src/lsr_banning.c: support for banning files pointed to by
environment variables and additional banning files in users' home
directories. Fixed checking if a file or program is banned.
* src/libsecrm.h.in: added constants for the names of the
environment variable pointing to an additional banning file location
and additional banning files in users' home directories.
* src/Makefile.am: made libsecrm.h not only in PUBLIC_INTERFACE,
since now it is used in lsr_banning.c.
* src/lsr_public.c.in: added additional declaration of fallocate() in
case the function is missing on the target system.
2012-02-26 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.7
Made the header file SWIG-enabled, updated copyright, code cleanup,
documentation update. New wiping methods: Schneier and DoD.
* src/lsr_banning.c (__lsr_check_prog_ban, __lsr_check_file_ban):
stopping the checking as soon as a match is found. Preserving errno.
* src/lsr_banning.c (__lsr_check_file_ban, check_map): checking if
fopen() is available before using it.
* src/lsr_banning.c: more debug messages
* src/lsr_banning.c (__lsr_check_file_ban_proc): the process which is
manipulating the file can have it open.
* src/{libsecrm.h.in,lsr_public.c.in}: changed the prefix from "lsr"
to "libsecrm" on internal libsecrm functions (leaving "lsr" on the
replaced functions)
* src/libsecrm.h.in: SWIG compatibility.
* README, INSTALL: added information about SWIG and new wiping methods
* doc/libsecrm.texi.in: a new chapter about the development library
and using libsecrm with SWIG. Added the new wiping methods.
* src/lsr_truncate.c: moved the wiping code to a separate file
* src/lsr_wiping.c: a new file with wiping code (from lsr_truncate.c),
containing the wiping methods: Gutmann, random, Schneier (new) and
DoD (new)
* configure.ac: added the "--enable-schneier-method" and
"--enable-dod-method" options to enable the new Schneier's and DoD
wiping methods
* src/lsr_unlink.c (unlinkat): checking if banned before opening files
* src/lsr_unlink.c: allowing wiping descriptors of value zero
2011-10-08 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.6
* doc/libsecrm.texi.in: fixed wrong filename in one place.
* configure.ac: added new C compiler flags to check for:
-Wwrite-strings and -Waggregate-return. Added generating a file
for pkg-config.
* libsecrm.pc.in: a data file for pkg-config.
* libsecrm.spec.in: added the pkg-config file to the -devel package
* Makefile.am: added the file for pkg-config. Made the documentation
newer than its source files in the distribution (so it won't be
recompiled unless required).
* INSTALL: added the --enable-public-interface configure option.
* doc/libsecrm.texi.in: add more description to the
--enable-public-interface configure option.
* README, INSTALL, doc/libsecrm.texi.in: changed "program" to
"library" when talking about libsecrm.
* src/lsr_public.c.in: added version information to the library's
public interface.
* src/libsecrm.h.in: added version information to the library's
public interface, removed dependency on unistd.h, added stdint.h
instead (should be more common).
2011-03-17 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.5
Run flawfinder, rats and cppcheck on the code and fixed a few
performance and syntax problems.
* README: added the glibc license block. Updated RPM creating.
Described configure option --enable-public-interface.
* doc/libsecrm.texi.in: updated RPM creating.
* configure.ac: fixed double CFLAGS on compile, better checking
for the intptr_t data type. Checking for fallocate(),
posix_fallocate() and linux/falloc.h.
* libsecrm.spec.in: added README, COPYING, AUTHORS and ChangeLog
to the RPM package.
* src/libsecrm-priv.h.in: fixed declarations for C++.
* src/lsr_public.c.in, src/libsecrm.h.in: added a buffer wiping
function to the public interface, lsr_fill_buffer(), and a helper
function that returns the number of compiled passes -
lsr_get_number_of_passes(). Added lsr_fallocate() and
lsr_posix_fallocate().
* src/lsr_truncate.c: added fallocate() and posix_fallocate().
2010-05-22 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.4
Upgrade to newer autotools, gcc and libtool. Added some copyright
notices when using code from the GNU C library. Run flawfinder on
the code and changed some parts according to the result. Fixed
compiling on non-ANSI-C compilers.
* doc/libsecrm.texi.in: Update. Added one more limitation of LibSecRm.
* configure.ac: added AC_CONFIG_MACRO_DIR, recommended by libtoolize.
* libsecrm.spec.in: corrected warnings displayed by rpmlint
* configure, configure.ac: new command line option
--enable-public-interface to enable/disable the public interface
of the library, to hide LibSecRm better.
* libsecrm-priv.h.in: added LSR_ANSIC (for function prototypes) here.
* src/lsr_memory.c: added pvalloc().
* src/lsr_public.c.in, src/libsecrm.h.in: added lsr_pvalloc().
* src/randomize_names*: updated name randomization scripts.
2009-05-08 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.3
New compile-time options: defining LAST_PASS_ZERO causes an additional
wiping with zeros to be performed, defining ALL_PASSES_ZERO causes
all passes to use zeros for wiping. Added simple scripts that
randomize the library's public function names so it is harder to
detect.
* lsr_memory.c: brk() and sbrk() now wipe also the memory being freed.
* README, INSTALL, info, manpage, libsecrm.spec.in: update
* libsecrm.h.in, lsr_memory.c: defining _BSD_SOURCE for better
compatibility with OpenBSD, just in case.
* src/Makefile.am: fixed still one file too many distributed
* configure.ac: fixed command-line parameters, added
"--enable-last-zero" and "--enable-all-zeros".
2009-02-20 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.2
Displaying error messages about stat macros (during compiling) only
if sys/stat.h is present. No more public variables and non-namespaced
function names.
* libsecrm-priv.h.in: fixed PATH_STYLE vs. PATH_SEP typo. Defining
GCC_WARN_UNUSED_RESULT to an empty string if not supported by the
compiler.
* lsr_banning.c: fixed checking for unistd.h. Changed MAXPATHLEN to
LSR_MAXPATHLEN.
* lsr_banning.c (__lsr_check_prog_ban): checking if fopen() is present
* configure.ac: added a check for -O2 compiler flag. Searching for
varargs.h if stdarg.h not available.
* libsecrm.spec.in: added CFLAGS='-march=i386' to configure stage.
* doc/libsecrm.texi.in: removed "indicateurl", since OpenBSD's
makeinfo doesn't like it. Added a note on how to hide Libsecrm.
* lsr_public.c.in, lsr_opens.c: better checking for stdarg.h/varargs.h.
* lsr_memory.c: wiping with randomly-selected pattern.
* lsr_unlink.c: added the rmdir() function. Renaming the object back
to its original name if unlinking failed.
* src/Makefile.am: fixed too many files distributed
2008-11-30 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.1
Added some memory management functions. Changed "! STDC_HEADERS" to
"!defined STDC_HEADERS". Verified compiling on OpenBSD. Defining
_ATFILE_SOURCE for *at() functions' declarations.
* docs: added the libsecrm website addresses on SourceForge. Added
info about wiping memory. Added one more "thanks" to the manpage.
* lsr_cfg.h: moved GCC_WARN_UNUSED_RESULT to libsecrm-priv.h
* libsecrm-priv.h: made some function declarations more portable.
* lsr_public.c: made some external function declarations more
portable. Calling the original functions no matter whether
they've been found on the system. Libsecrm's replacements will be
called anyway.
* configure: automatically generating version numbers in
libsecrm.spec, src/lsr_cfg.h and doc/libsecrm.texi. Automatically
generating src/libsecrm.h, src/lsr_public.c and src/libsecrm-priv.h,
for portability. Checking for 64-bit functions and defining their
prototypes by hand if necessary. Checking for dlvsym() in libdl.
Changed the docs' path in the configure warning.
* lsr_truncate.c: fill_buffer now public as __lsr_fill_buffer. It also
checks for NULL in "selected".
* libsecrm.c: better checking for dlvsym().
* libsecrm.spec: changed the URLs. Updated description.
2008-07-13 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 1.0
Removed the "errno" bug, discovered while working on wipefreespace,
thanks to Patrick 'marlowe' McDonald. Using Gutmann method by
default. It can be switched off with
./configure --enable-random-method
* configure.ac: Added new compiler options to check for: -O1
-Wuninitialized, -Winit-self, -Wlogical-op, -fstack-protector-all,
-Wno-long-long. A new option to select the shred-like wiping method.
No more using autoconf variables - total independence.
* THANKS: a new file with the list of people I'd like to thank.
* lsr_truncate.c, libsecrm-priv.h: implemented the full Gutmann
method.
* lsr_banning.c (check_map): better typecasting with the tmp_inode.
* libsecrm.c: much better signal return type handling.
2008-05-02 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 0.9
The Konqueror bug turned out to be really in Konqueror, not
libsecrm. This release brings only portability corrections - both
in 'configure' and source files.
* configure.ac: Better portability. Less relying on autoconf
variables.
* libsecrm.c: Better checking for libdl/dlsym.
2007-11-28 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 0.8
Defining _GNU_SOURCE only if not already defined. Setting negative
errno codes, like it's usually done. Best (probably) checks if a
file is used. Some banning checks moved after object checks to
improve performance.
* lsr_public.c: now pre-ANSI-compatible (I hope). Better openat()
and openat64() declarations. Checking if openat() and unlinkat()
available and returning -ENOSYS if not instead of calling
nonexistent functions.
* libsecrm-priv.h: added openat(), openat64() and unlinkat()
declarations, if these functions are not available.
* configure.ac: check for openat() and unlinkat(), added checks
for 2 more compiler options, double quoting all of them. Better
checking for format warnings. Corrections in m4/ax_gcc_option.m4.
Checking for RTLD_NEXT in fcntl.h. Defining _GNU_SOURCE only if not
already defined.
* lsr_opens.c, lsr_creat.c: printing flags/mode in octal.
* lsr_opens.c (open64, open): banning a file pattern for
'rpm --addsign' to work.
* lsr_banning.c: new file with functions checking if a file or program
is not to be tampered with (moved from libsecrm.c). Added checking
if a file is already opened, using /proc filesystem (probably the
best way to do it, taken from 'fuser' source). Slow, but effective.
2007-11-11 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 0.7
Using old wipe-anything technique if new signal+fcntl is not
available. Signal & fcntl stuff now only in one function (called
for every wiping). Renaming libsecrm.h to libsecrm-priv.h.
Libsecrm is now a library for developers, too. It has a header file
- ${prefix}/include/libsecrm.h and a "import library" libsecrm.a.
Big portability corrections, some to non-ANSI compilers. Libsecrm
now compiles on OpenBSD. Checking compiler options instead of
assuming them.
* libsecrm-priv.h: internal header file renamed from libsecrm.h.
Defining ftruncate/64, if needed. Defining path separator (needed
for opening the banning files).
* lsr_unlink.c (__lsr_rename): fixed bugs with strncpy(). Now
returning NULL in case of error instead of the old name. Syncing
only if necessary (number of passes > 1).
* docs: more requirements for compiling. Adding info saying
that write permissions to the file being wiped are required. Minor
corrections. Added info about not supporting the syscall()
functions. Added info on using libsecrm as a development library.
* libsecrm.c: some cleanup. Fixed not closing ban files before return.
Fixed stack error. Fixed banning - empty lines always matched.
* lsr_opens.c (open, open64): removed useless doubled checking.
* lsr_creat.c: supporting the creat() and creat64() functions.
* configure.ac: Checking for renameat() existence. Checking for
F_SETLEASE, F_GETSIG and F_SETSIG and printing a warning if not
available. Better portability.
* libsecrm.h: public interface header file. Old contents renamed to
libsecrm-priv.h
* lsr_public.c: public interface source file.
* lsr_truncate.c (__lsr_fd_truncate): fsync()ing only if number
of passes > 1. Memory leak fixed.
2007-09-16 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 0.6.
Better signal handling (needed because of the Xpdf/libfreetype
issue). Adding support for banning programs and files from
messing with them, via config files in ${prefix}/etc. More
info in the docs. 64-bit functions now active.
* configure.ac: Better portability.
2007-09-08 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 0.5
* better portability (checking for the 'long long' type). Xpdf issue
fixed, but only on systems with GNU/Linux kernel >= 2.4 (using
fcntl() to check if a file is already open). Better error handling.
* lsr_opens.c: non-serious bugs fixed.
2007-08-06 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 0.4 (0.3 lived less than half a day on the net)
* Switched to GPLv3. New compile macro 'BUF_SIZE' in CFLAGS available.
Using #pragmas for better compile-time error checking.
* lsr_truncate.c: Checking if file is regular or a link instead
of checking simply for non-directories. Memory leaks fixed.
One function for all actions. Making 'buf' and 'selected' local
helps process/thread-safety. No action is taken if stat() is not
available, stat() returns error or file is not a regular file/link.
Portability corrections. More error checking. Opening files in
exclusive mode.
* lsr_unlink.c: Portability corrections. Using stat64/lstat64/fstat64,
if the system uses it. Single function for renaming files. Renaming
done only if action will be taken, not unconditionally. Sync after
each rename. No action is taken if lstat()/fstat() is not available,
it returns an error or the object is not a regular file.
Workaround an issue with Kate/DCOP: if file name matches
".ICEauthority", the file is NOT wiped and NOT truncated.
Workaround an issue with BASH and here-documents: if file name
matches "sh-thd-", the file is NOT wiped and NOT truncated. BASH
unlinks the file before reading from it.
* libsecrm.h: Better compile-time macro 'PASSES' handling. Separating
64 bit and non-64 bit versions. More 'const'. Conditionally declare
renameat().
* lsr_opens.c (freopen, freopen64): Using ftruncate/64 instead of
truncate/64, because the file may have been opened in some kind
of exclusive mode and normal truncate would fail as it would need
to open the file once more. This also doesn't increase the number
of file handles associated with the same file. If getting the file
descriptor fails, truncate/64 is used.
* lsr_opens.c (fdopen): removed, because the original function never
wipes any data (man fdopen).
* doc update with full texts of licences.
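The 0.4 notes above for lsr_truncate.c and lsr_opens.c describe acting only on regular files and shrinking through the already-open descriptor with ftruncate(); the 0.7 notes add that syncing matters only with more than one pass. The C example below is added here to illustrate that sequence and is not LibSecRm's source: the names demo_overwrite and demo_wipe_ftruncate, the pass patterns and the scratch path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L  /* pwrite(), fsync(), ftruncate(), mkstemp() */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed pass patterns (an assumption, not LibSecRm's own); zeros last. */
static const unsigned char demo_patterns[] = { 0xFF, 0xAA, 0x00 };
#define DEMO_PASSES ((int)sizeof(demo_patterns))

/* Overwrite bytes [from, to) of fd with one value; 0 on success, -1 on error. */
int demo_overwrite(int fd, off_t from, off_t to, unsigned char value)
{
    unsigned char buf[4096];
    memset(buf, value, sizeof(buf));
    while (from < to) {
        size_t want = (to - from) < (off_t)sizeof(buf) ? (size_t)(to - from) : sizeof(buf);
        ssize_t done = pwrite(fd, buf, want, from);  /* file offset stays put */
        if (done < 0 && errno == EINTR) continue;
        if (done <= 0) return -1;
        from += done;
    }
    return 0;
}

/* Wipe what a shrink of a regular file would release, then ftruncate() via the same fd. */
int demo_wipe_ftruncate(int fd, off_t new_len)
{
    struct stat st;
    if (new_len >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && new_len < st.st_size) {
        for (int pass = 0; pass < DEMO_PASSES; pass++) {
            if (demo_overwrite(fd, new_len, st.st_size, demo_patterns[pass]) != 0)
                return -1;
            if (DEMO_PASSES > 1 && fsync(fd) != 0)  /* flush between passes */
                return -1;
        }
    }
    return ftruncate(fd, new_len);
}

int main(void)
{
    char path[] = "/tmp/lsr_demo_XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "secret-tail", 11) != 11) return 1;
    int rc = demo_wipe_ftruncate(fd, 6);    /* keeps "secret", wipes "-tail" */
    close(fd); unlink(path);
    return rc == 0 ? 0 : 1;
}
```

Because the overwrite goes through the caller's own descriptor, no second open() is needed and the caller's file position is left where it was.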
2007-07-14 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* libsecrm version 0.2.
* lsr_unlink.c (unlink, unlinkat): Bugs fixed.
* lsr_unlink.c: Better error handling. Memory checks.
* lsr_opens.c: Better error handling.
2007-07-08 Bogdan Drozdowski <bogdro /at\ users . sourceforge . net>
* First release of libsecrm, version 0.1.
Replaces the following functions: fopen, freopen, fdopen, open,
openat, unlink, unlinkat, truncate, ftruncate (or the 64-bit
versions of these, if needed).