2021-06-14  Alï Polatel  <alip@exherbo.org>

	pandora: preparation for v0.5.1.

	README: update for syd-2.

	firefox: bump profile to API version 2.

	sydbox: fix spacing in about.

	pandora: depend on/use SydBox-2.

	man: update sydbox.exherbo.org.

	man: update, mention differences on bpf and notify.

	sydbox: Preparation for v2.0.1.

2021-06-13  Alï Polatel  <alip@exherbo.org>

	bench: add benchmark comparing ptrace vs. seccomp-user-notify.

	sydbox: avoid filtering stat calls if magic lock is set in core config.

	sydbox: do not warn about invalid key for magic.

	sydbox: comment out debug print.

	paludis: add API version 2 profile.

	sydbox: init raise_fail and safe on startup.

	Preparation for v2.0.0.

	sydbox: improve the exec start (take 2)

	sydbox: improve the exec start.

	sydbox: fix exit code handling for some cases.

	autotools: include sys/syscall in pidfd_open check.

	rename acl lists: s/white|black/allow|deny/list.

	sydbox: pinktrace is no longer a dependency.

	sydbox: fix valgrind errors or suppress.

	tests: improve valgrind.

	update test-lib.sh from latest git.git, small fixes.

	sydbox: avoid freeing memory in signal handler.

	sydbox: free killed processes on exit.

	sydbox: free seccomp notification request and response on exit.

	sydbox: update valgrind suppressions (take 5)

	sydbox: update valgrind suppressions (take 4)

	sydbox: update valgrind suppressions (take 3)

	sydbox: update valgrind suppressions (take 2)

	sydbox: update valgrind suppressions.

	sydbox: add valgrind suppressions file.

	sydbox: enable proc_stat in process is alive check.

	sydbox: fix invalid read.

	sydbox: implement dump chdir.

	sydbox: fix valgrind invalid read/write.

	update cwd after multithreaded exec switch.

	sydbox: skip dead processes for proc_has_task.

	fix sigchld, no proc_stat on process alive, sandbox {send,recv}msg & getsockname

	sydbox: comment out debug prints.

	tests: split core-basic into more units.

	implement multithreaded execve leader switch w/o ptrace.

2021-06-12  Alï Polatel  <alip@exherbo.org>

	more debug prints, some to be reverted.

	say about multithreaded execve on raise safe.

	sydbox: dump chdirs and on raise safe say.

	paludis: core/restrict/file_control option is gone.

	README: bye bye ptrace, hello seccomp user notify.

	sydbox: fix dump multithreaded execve.

	sydbox: drop restrict file control tests.
	The option config/restrict/file_control was removed.

	tests: add test program for multithreaded execve.

	sydbox: replace pink_name_errno with errno2name.

	sydbox: avoid alive check for killed processes.

	sydbox: try to avoid EMFILE by closing pidfd on clone/execve waits.

	sydbox: try to avoid EMFILE by opening memfd on each read/write.

	sydbox: auto-bind whitelist during listen() rather than bind()
	This prevents a security issue where an attacker can get a permit
	to connect to an otherwise unpermitted address by trying unsuccessfully
	to bind to the address. This commit prevents this by waiting for the
	listen() system call to permit the bind() address for connect().

2021-06-11  Alï Polatel  <alip@exherbo.org>

	sydbox: fix bind auto-whitelisting for UNIX sockets.

2021-06-11  Ali Polatel  <alip@exherbo.org>

	paludis: allow getaddrinfo() w/ AI_ADDRCONFIG on musl.
	musl makes two connect() calls if getaddrinfo() is called with
	AI_ADDRCONFIG in flags arguments. This can be verified with the
	following command:

	> strace -e trace=network \
	>    python -c "import socket; socket.getaddrinfo('127.0.0.1', 80, 0, 0, 0, socket.AI_ADDRCONFIG)"

	On a musl system we see two connect() system calls:

	> connect(3, {sa_family=AF_INET, sin_port=htons(65535), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
	> connect(3, {sa_family=AF_INET6, sin6_port=htons(65535), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0

	This change whitelists 127.0.0.1:65535 and ::1:65535 in the paludis
	profile.

	Reference: https://git.musl-libc.org/cgit/musl/tree/src/network/getaddrinfo.c?id=ad795d56ba3fb9d69f524ee676e3b1e2355cceb7#n68

2021-06-11  Alï Polatel  <alip@exherbo.org>

	parent_process: revert IN_CLONE and proc logic.

	filter mode argument of f?access* system calls.

	more detailed violations for raise_fail.

	fix open flag logic.

	warn when no command is given.

	tweak filter_ioctl.

	tweak general restrict levels.

	refuse to run when no sandboxing or restrict is defined.

	fix general level defs.

	improve open flag filtering.

	improve use_notify.

	add export option to export seccomp filters on startup.

	sync filter_openat with filter_open.

	more dump improvements.

	dump: don't close-exec std{in,out,err}

	more dump improvements.

	improve open readonly flags.

	dump: more improvements and fixes.

	dump: make output more compact.

	sydbox: improve process cleanup.

	call notify_id_valid once.

	tests: start testing bind and connect (take 2)

	sydbox: clean up stale processes during --test.

	test: tweak CFLAGS for static test binaries.

	sydbox: fix core/restrict option parsing.

	sydbox: stop wrapping pinktrace functions in dump.

	autotools: fix warning about canonical target, update pthreads warning.

	sydbox: do not link against pthreads.

	autotools: require Linux-5.6 or newer, update README.

	remove unused code.

	sys_accept: improve comments.

	tests: start testing bind and connect.

	update man page and sydbox --help output.

	be a bit more verbose for --test.

	README: update for recent changes.

	man: update for new restrict option names.

	consolidate restrict option names.

	implement auto whitelist bind for seccomp user notify.

	reap zombies on new process creation.

	reap zombies more often.

	improve write stat.

	fix compiler warning.

	update man page, fix compiler warnings.

	many improvements, sandbox faccessat2.

	more tweaks for seccomp filters.

	implement general permitted system calls.

	link the build statically by default.

	pandora: enable restrict.mmap by default.

	new option config/restrict/mmap.

	update manual page for recent options and security.

	improved defaults for sandboxing.

	Revert "Partially Revert "allow allow and deny modes to be used in bpf-only mode""
	This reverts commit d621f5d9d14ea709f274e6a1d401c0f51dc4cd68.

2021-06-11  Alï Polatel  <alip@exherbo.org>

	Partially Revert "allow allow and deny modes to be used in bpf-only mode"
	If --bpf is specified, all sandbox modes default to deny.

	This reverts commit 6ac7941617f1bbd4700cef55cbd9e59eab07e154.

2021-06-11  Alï Polatel  <alip@exherbo.org>

	add --bpf argument to run in bpf only mode.

	allow allow and deny modes to be used in bpf-only mode.

	deny notify system calls if running in bpf only mode.

	add sydbox -t, don't require config cross memory attach, use /proc/pid/mem

	libsyd: add /proc/$pid/mem interface.

	test cross memory attach function, wip.

	fix a test, add a todo item about improving it.

	autotools: simplify pthread cflags/libs handling.

	add aux files for pthread.

	fix the main loop, run wait in a thread.

	fix the exit jump at exit.

	setup alarms for notify_seccomp_{receive,respond}

	avoid timeouts in poll, various improvements.

	pandora: drop follow_fork.

	improve exit tracking a bit.

	smarter and simpler exit notification.

	update manual page, ptrace is history.

	handle multithreaded execve.

	handle ENOENT from seccomp_notify_receive.

	handle ENOENT from seccomp_notify_respond.

	avoid alarm usage.

	fix exit filter.

	further tweak alarm setup.

	increase timeouts.

	increase timeouts.

	fix chdir tests, remove foreach option test.

	tweak zombie reaping, interrupts, timeouts.

2021-06-11  Alï Polatel  <alip@exherbo.org>

	remove unused, obsolete options.
	core/trace/use_ptrace
	core/trace/use_seize
	core/trace/use_seccomp
	core/trace/follow_fork
	core/trace/exit_kill

	All ptrace() leftovers or now hard-enabled like use seccomp.

2021-06-11  Alï Polatel  <alip@exherbo.org>

	tweak timers, fix tests, all tests pass now.

	improvements to path lookup.

	fix access violation exit return value.

	fix auxiliary system call hooks.

	fix the magic stat.

	fix file and network sandboxing.

	fix read sandboxing, fix process data share.

	autotools and test fixes.

	more improvements for open.

	enable syscall hook, tweak chdir.

	clone, exec hooks are working, syscall is to do.

	enable exec, clone and syscall events.

	fix process is alive check in reap zombies.

	reap zombies and exit properly.

	fix abnormal exit code reporting.

	return 128 on abnormal exit under seccomp user notify.
	There's no easy way to extract more information about the signal easily.

	fix the main seccomp loop for zombie processes.

	fix child_is_alive issue, 1000 ms for polling.

	seccomp user notify, more work, first core tests pass.

	autotools: warn about pidfd_{open,getfd,send_signal} presence.

	fix seccomp user notify loop.

	fix include path.

	parser profile-2 beginning.

	start working on new rules.

	more work on seccomp user notify.

	fcntl: fix remaining, comment out broken seccomp filters.

	add say_errno.

	fix parent_{read,write}_int in main loop.

	sydbox: fix mmap and filter seccomp filters.

	sydbox: fix the -a/--arch option.

	update TODO.

	autotools: check/set pidfd_open, pidfd_getfd numbers.

	misc: update prep-env for clang-{10.0->11}

	seccomp: improve --arch argument.

	man: document -d command line parameter.

	replace ptrace with seccomp user notify.
	This is an attempt to replace ptrace with seccomp user notify.
	The main loop is done. The double fork to transfer notify fd and exit
	code is done.
	The system call filters for all read, write, exec and network sandboxing
	are done.
	The connection to dereferencing the system call pointer arguments is
	missing.

2021-06-11  Ali Polatel  <alip@exherbo.org>

	fix and improve benchmark script.

2021-06-05  Alï Polatel  <alip@exherbo.org>

	dump: fix malformed json in startup event, avoid trailing newline.

	follow fork can not be disabled when seccomp is enabled.

	Implement support for the Arm & AArch64 architectures.

	autotools: enable seccomp by default.

	add initial SourceHut build manifests.

	syd: use File::Path::rmtree, enlarge fail message buffer.

	sydbox: document -d option in help output.

	autotools: rename --without-dry-run to --disable-dump.

	dump: strip useless information out of startup event.

	avoid leaking dump fd to traced child.

	pandora: move out built_info, remove lib.rs.

	maintainer: generate CREDITS from git history.

2021-06-04  Alï Polatel  <alip@exherbo.org>

	pandora: preparation for 0.4.8.

	README: add new www links.

	Preparation for v1.2.1.

	autotools: seccomp is on by default, use --disable-seccomp.

	fix SYDBOX_HAVE_SECCOMP endif scope to fix compile bug.

2021-05-31  Alï Polatel  <alip@exherbo.org>

	fix struct sysinfo name clash.
	Rename struct sysinfo to syscall_info to prevent name clash with struct
	sysinfo in <linux/sysinfo.h>.

2021-05-31  Alï Polatel  <alip@exherbo.org>

	support using seccomp-bpf filters without ptrace.
	New magic option: core/trace/use_ptrace
	Default: true

	This provides a way to use sydbox as a seccomp-bpf only sandbox.

2021-05-31  Alï Polatel  <alip@exherbo.org>

	maintainer: add gitlog-to-changelog to generate ChangeLog from git history

	pandora: initial benchmark script.

	pandora: install hyperfine as dev dependency.

	pandora: preparation for 0.4.7.

	README: add sydbox160 logo image.

	pandora: preparation for 0.4.6.

	update TODO.

	pandora: preparation for 0.4.5.

	update README about git mirror & fix sydfmt man page link.

	pandora: preparation for 0.4.4.

	autotools: fix dist data for license files.

	more copyright header foo.

	add copyright header to paludis profile.

	pandora: preparation for 0.4.3.

	update README to include a BUGS section.

	drop unused COPYRIGHT.

	autotools: add pandora sources to EXTRA_DIST.

	add LICENSE, COPYING to extra dist.

	sydbox: preparation for v1.2.0.
	Major Changes:
	- seccomp filters out !(O_WRONLY|O_RDWR|O_CREAT) for open{,at}
	- default sandbox mode changed to deny for all except read sandboxing.
	- default core/trace/use_seccomp changed to true.
	- default core/trace/use_seize changed to true.
	- default core/restrict/shared_memory_writable changed to true.

	pandora: preparation for 0.4.2.

2021-05-31  Ali Polatel  <alip@exherbo.org>

	fix read sandboxing and restrict file control tests.

2021-05-31  Alï Polatel  <alip@exherbo.org>

	fix open O_DIRECT seccomp read sandboxing test on musl.

2021-05-31  Ali Polatel  <alip@exherbo.org>

	core/restrict/*: deny with EPERM rather than EINVAL.

2021-05-31  Alï Polatel  <alip@exherbo.org>

	update README.

	pandora: add GPL-3 to LICENSE.

	sydbox: add GPL-2 to COPYING.

	pandora: rustfmt.

	start using SPDX-License-Identifier.
	91 GPL-2.0-only
	 4 GPL-3.0-or-later
	 4 BSD-3-Clause
	 3 LGPL-2.1-or-later
	 1 ZSH

	pandora: clippy.

	pandora: write whitelist home dir in login shell mode.

	preparation for 0.0.9.

	README: update links, add exlib, exheres links of pinktrace, sydbox.

	preparation for 0.0.8.

	pandora: clippy.

	pandora: rustfmt.

	pandora: execute pandora --help if sydbox not in PATH.

	pandora: use paludis profile in login shell mode.

	pandora: execute login shell under sydbox when no subcommands given.

	pandora: preparation for 0.0.7.

	update README with specific links to the manual page.

	pandora: preparation for 0.0.6.

	pandora: include sample profiles into the crate.

	README: add firefox profile link.

	add sydbox profile for firefox.

	empty spaces.

	pandora: preparation for 0.0.5.

	pandora: default to literal on core/match/no_wildcard.

	pandora: preparation for 0.0.4.

	update README.

	pandora: provide defaults for system paths in profile.

	further update README.

	pandora: give directions on profile output on exit.

	pandora: preparation for 0.0.3.

	pandora: update README about sydbox inspect branch.

	pandora: update crate name.

	update README, add header to main pandora file.

	add Pandora section to README.
	Welcome to the machine, Pandora.
	May you stay forever young.

	pandora: clippy.

	pandora: rustfmt.

	pandora: add core/restrict options into profile.

	pandora: pass sandbox options to sydbox for profile subcommand.

	keep quiet in permissive mode about violations.

	dump: more tweaks on sysent dumps.

	list all subcommands in error message.

	fix dump_fd if !SYDBOX_HAVE_DUMP_BUILTIN.

	fix test build.

	sydbox: consolidate dry-run and dump options.

	fix undocumented -d option without arguments case.

	pandora: learn profile command to run programs under permissive inspection

	pandora: more metadata.

	pandora: specify include in Cargo.toml.

	pandora: tweak cargo settings.

	pandora: define built_info module.

	pandora: prepare to publish.

	pandora: fix bind, support sendto.

	pandora: implement path limit for inspect, filter out proc pid.

	pandora: improve sandbox mode sort.

	pandora: fix clippy warnings.

	teach pandora how to execute sydbox.

	pandora: move parse_json_line out to a function.

	pandora: rustfmt.

	dump: strip unused members, improve size use.

	pandora: teach output option to inspect.

	pandora: tweak commented out read entries a bit.

	pandora: rustformat.

	pandora: enable exec sandboxing in inspect generated profiles.

	teach pandora inspect to parse sydbox core files (take 4)

	teach pandora inspect to parse sydbox core files (take 3)

	Revert "re{arrange,pack} syd_process_t to close 2 bytes hole"
	This reverts commit 943898e348ea747b3c349c6c6539b1b5a7d5b1ea.

	teach pandora inspect to parse sydbox core files (take 2)

	teach pandora inspect to parse sydbox core files.

	cargo: add release profile options.

	dump: make syd's cwd key optional.

	pandora: initial replacement for shoebox in rust.

	sockmatchtest: fix build with xfunc optional dump.

	shoebox: improve magic rule writer.

	shoebox: cwd handling to generate improved rules.

	shoebox: ignore unsupported addresses.

	shoebox: ignore netlink sockets in connect.

	shoebox: stricter execve name match.

	shoebox: fix magic event generator.

	shoebox: support whitelisting bind requests.

	shoebox: fix whitelist/write logic in whitelist_open.

	do_stat: update fake ctime.

	sort by importance in shoebox magic rules.

	default to exec and read off in shoebox magic.

	honour sandbox_dry_network.

	dump: fix port prefix in socket addresses.

	dump: prefer PINK_HAVE_IPV6 over the deprecated SYDBOX_HAVE_IPV6.

	shoebox: write debug magic info to stderr.

	dump: report path on init for dry run.

	do_execve: support sandbox dump mode.

2021-05-31  Ali Polatel  <alip@exherbo.org>

	test: basic support to inject --dry-run.

	violation: honour VIOLATION_NOOP.

	magic_query_sandbox: honour SANDBOX_DUMP.
	SANDBOX_OFF == SANDBOX_DUMP in this context.

	further tweak shoebox for magic.

2021-05-31  Ali Polatel  <alip@exherbo.org>

	dump meets sydbox --dry-run (WIP)
	* new configure flag --without-dry-run
	* new command line switch -d, --dry-run
	* shoebox learned "magic" subcommand to output sandboxing profile (WIP)

	Previously sydbox used to ship a debug version with pinktrace functions
	wrapped for primitive inspection of processes whereby sydbox-dump
	produced a log of the traced processes. This changeset exposes the same
	interface via --dry-run with small differences explained below.

	Using --dry-run as opposed to sydbox-dump omits lower level ptrace()
	details and focuses on inspection of the process rather than both the
	process and the internal flow of sydbox.

	"shoebox magic" may be used with the dump file to produce a sydbox
	configuration profile which will run the inspected process under sydbox
	whereby only the actions during the inspection run will be permitted.

2021-05-31  Alï Polatel  <alip@exherbo.org>

	re{arrange,pack} syd_process_t to close 2 bytes hole.
	> Before:
	struct syd_process {
		pid_t                      pid;                  /*     0     4 */
		pid_t                      ppid;                 /*     4     4 */
		pid_t                      tgid;                 /*     8     4 */
		short int                  abi;                  /*    12     2 */

		/* XXX 2 bytes hole, try to pack */

		int                        flags;                /*    16     4 */
		enum syd_step      trace_step;                   /*    20     4 */
		long unsigned int          sysnum;               /*    24     8 */
		long int                   subcall;              /*    32     8 */
		long int                   retval;               /*    40     8 */
		long unsigned int          clone_flags;          /*    48     8 */
		long unsigned int          new_clone_flags;      /*    56     8 */
		/* --- cacheline 1 boundary (64 bytes) --- */
		const char  *              sysname;              /*    64     8 */
		char *                     abspath;              /*    72     8 */
		struct pink_regset *       regset;               /*    80     8 */
		long int                   args[6];              /*    88    48 */
		/* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */
		struct syd_process_shared shm;                   /*   136    24 */
		UT_hash_handle             hh;                   /*   160    56 */

		/* size: 216, cachelines: 4, members: 17 */
		/* sum members: 214, holes: 1, sum holes: 2 */
		/* last cacheline: 24 bytes */
	};

	> After:
	struct syd_process {
		short int                  abi:2;                /*     0: 0  2 */
		enum syd_step      trace_step:2;                 /*     0: 2  4 */
		unsigned int               flags:8;              /*     0: 4  4 */

		/* XXX 20 bits hole, try to pack */

		pid_t                      pid;                  /*     4     4 */
		pid_t                      ppid;                 /*     8     4 */
		pid_t                      tgid;                 /*    12     4 */
		long unsigned int          sysnum;               /*    16     8 */
		long int                   subcall;              /*    24     8 */
		long int                   retval;               /*    32     8 */
		long unsigned int          clone_flags;          /*    40     8 */
		long unsigned int          new_clone_flags;      /*    48     8 */
		const char  *              sysname;              /*    56     8 */
		/* --- cacheline 1 boundary (64 bytes) --- */
		char *                     abspath;              /*    64     8 */
		struct pink_regset *       regset;               /*    72     8 */
		long int                   args[6];              /*    80    48 */
		/* --- cacheline 2 boundary (128 bytes) --- */
		struct syd_process_shared shm;                   /*   128    24 */
		UT_hash_handle             hh;                   /*   152    56 */

		/* size: 208, cachelines: 4, members: 17 */
		/* sum members: 204 */
		/* sum bitfield members: 12 bits, bit holes: 1, sum bit holes: 20 bits */
		/* last cacheline: 16 bytes */
	};

2021-05-30  Alï Polatel  <alip@exherbo.org>

	Revert "enable core/restrict/file_control by default"
	This partially reverts commit c9ae49875ad433c59a919eb1719a11ecc338055f.
	shared_memory_writable is still enabled by default.

	seccomp_apply: avoid shadowing the outer loop variable (take 2)

	seccomp_apply: avoid shadowing the outer loop variable.

2021-05-30  Ali Polatel  <alip@exherbo.org>

	fix negation logic in open, filter and mmap seccomp filters.

2021-05-30  Alï Polatel  <alip@exherbo.org>

	start testing restrict file control.

	enable core/restrict/{file_control,shared_memory_writable} by default.

	start testing read sandboxing and seccomp.

	fix tests broken by core/sandbox/write default change.

	change default sandbox mode to deny for all except read.

	enable core/trace/use_seccomp by default if --enable-seccomp.

	enable core/trace/use_seize by default.

	add benchmark for seccomp open readonly filter.

	add BSD Packet Filter Extensions manual page.

2021-05-30  Alï Polatel  <alip@exherbo.org>

	improve seccomp for read only open calls.
	Do not trace-stop the process on read only open calls
	if read sandboxing is not enabled on sydbox invocation
	by either the `-m core/sandbox/read:deny' or this magic
	command specified via -c <config-file>.

	Supported modes of action:
	1. -m core/trace/use_seccomp:1 -m core/sandbox/read:off
	2. -m core/trace/use_seccomp:1 -m core/sandbox/read:deny

	We vastly reduce the number of trace stops for case 1 which is the
	default mode of action for package builds on Exherbo unless seccomp
	support is missing either via kernel or sydbox[seccomp] option.

	For a simple make clean in sydbox-1.git master repository the total
	reduction of open calls is 658/902 ie, 27.05%.

	For a paludis-3.0.0 build the number of open trace stops before was:
	Compile paludis: 604931
	Install paludis: 1781
	whereas by filtering out calls which do not include at least one of
	O_WRONLY, O_RDWR or O_CREAT in open() and openat() calls after this
	commit we get:
	Compile paludis: 17061
	Install paludis: 1147

	Here we observe 1147/1781 ie, a 35% reduction of open trace stops in the
	install phase and a vast 17061/604931, ie 97.17% reduction in the compile
	phase.

	In an intermediary test we tried not trace stopping open() and openat()
	calls which only included the O_RDONLY flag and there was a similar
	reduction with the number 19389 in the compile phase, albeit a slightly
	smaller one compared to the final approach where we reduce a further
	~2300 calls.

	Detailed test outputs are given below with strace count of open and openat
	calls to compare with sydbox open trace stop counts. Test 1 will match the
	total output with strace whereas test 2 won't since it's paludis which invokes
	sydbox, ie. the tracer and tracee are flipped.

	Note, the openat2() system call does not have a flags argument and hence
	can not be improved using this approach. In the first test the
	strace-5.5 was used which did not have support for the openat2() system
	call. For the first tree we used strace-5.11 which had support for the
	openat2() system call. The first test was run on a host with kernel
	Linux 5.4 whereas the second build test was run on a host with Linux
	kernel 5.11

	TEST 1: SIMPLE MAKE CLEAN
	make is run on sydbox-1.git master directory.

	> 0:
	$ strace -f -e open,openat -c make clean
	% time     seconds  usecs/call     calls    errors syscall
	------ ----------- ----------- --------- --------- ----------------
	100,00    0,004513           5       902         8 openat
	------ ----------- ----------- --------- --------- ----------------
	100.00    0,004513                   902         8 total

	> Before
	$ time ./sydbox make clean
	sydbox: open stop count: 902

	> After
	$ time ./sydbox make clean
	sydbox: open stop count: 658

	TEST 2: PALUDIS BUILD
	Compile paludis-3.0.0 with the build options given below.
	tahta is the name of a simple binary repository to build pbins.

	Phase 1: r   sys-apps/paludis:0::arbor scm to ::tahta-bin replacing scm
	Phase 2: r   sys-apps/paludis:0::arbor scm to ::installed via binary created in tahta-bin replacing scm
	"Paludis, the one true package mangler"
	bash-completion -doc -gemcutter pbin pink -python ruby search-index vim-syntax -xml zsh-completion
	PROVIDERS: elfutils
	PYTHON_ABIS: -2.7 3.6 3.7 3.8 -3.9
	RUBY_ABIS: -2.5 -2.6 2.7 -3.0
	build_options: symbols=split jobs=12 dwarf_compress -recommended_tests -trace work=tidyup
	Reasons: target (to be like sys-apps/paludis:0::(install_to_slash))

	> 0:
	> strace -f -e open,openat,openat2 -c cave resolve paludis -zx1
	% time     seconds  usecs/call     calls    errors syscall
	------ ----------- ----------- --------- --------- ----------------
	 91.91    4.959775           6    736426    317153 open
	  8.09    0.436676           7     61155        90 openat
	------ ----------- ----------- --------- --------- ----------------
	100.00    5.396451           6    797581    317243 total

	> Before:

	>> Phase 1:
	=== Starting builtin_init
	=== Done builtin_init
	sydbox: open stop count: 967
	=== Running ebuild phases loadenv setup saveenv as root:root...
	=== Starting pkg_setup
	=== Done pkg_setup
	sydbox: open stop count: 125
	=== Running ebuild phases loadenv unpack saveenv as paludisbuild:paludisbuild...
	=== Starting src_unpack
	=== Done src_unpack
	sydbox: open stop count: 2877
	=== Running ebuild phases loadenv prepare saveenv as paludisbuild:paludisbuild...
	=== Starting src_prepare
	=== Done src_prepare
	sydbox: open stop count: 122
	=== Running ebuild phases loadenv configure saveenv as paludisbuild:paludisbuild...
	=== Starting src_configure
	=== Done src_configure
	sydbox: open stop count: 15298
	=== Running ebuild phases loadenv compile saveenv as paludisbuild:paludisbuild...
	=== Starting src_compile
	=== Done src_compile
	=== Starting builtin_saveenv
	=== Done builtin_saveenv
	=== Completed ebuild phases loadenv compile saveenv
	sydbox: open stop count: 551899
	=== Running ebuild phases loadenv test_expensive saveenv as paludisbuild:paludisbuild...
	=== Starting src_test_expensive
	=== Done src_test_expensive
	sydbox: open stop count: 120
	=== Starting src_install
	=== Done src_install
	sydbox: open stop count: 33523

	>> Phase 2:
	=== Starting builtin_init
	=== Done builtin_init
	sydbox: open stop count: 648
	=== Running ebuild phases loadenv pivotbin setup saveenv as root:root...
	=== Starting builtin_pivotbin
	=== Extracting package environment
	=== Switching to package environment
	=== Continuing using package environment
	=== Done builtin_pivotbin
	=== Starting pkg_setup
	=== Done pkg_setup
	=== Running ebuild phases loadenv installbin saveenv as root:root...
	=== Starting builtin_installbin
	=== Done builtin_installbin
	sydbox: open stop count: 1133
	=== Running ebuild phases loadenv preinst saveenv as root:root...
	=== Starting pkg_preinst
	=== Done pkg_preinst
	=== Writing VDB entry to '/var/db/paludis/repositories/installed/data/sys-apps---paludis/scm:0:C.833299.1622370377.607535.C'...
	=== Writing VDB entry keys ...
	=== Generating saved ebuild and environment...
	=== Finished writing VDB entry

	> After:

	>> Phase 1:
	=== Starting builtin_init
	=== Done builtin_init
	sydbox: open stop count: 383
	=== Running ebuild phases loadenv setup saveenv as root:root...
	=== Starting pkg_setup
	=== Done pkg_setup
	sydbox: open stop count: 53
	=== Running ebuild phases loadenv unpack saveenv as paludisbuild:paludisbuild...
	=== Starting src_unpack
	=== Done src_unpack
	sydbox: open stop count: 2264
	=== Running ebuild phases loadenv prepare saveenv as paludisbuild:paludisbuild...
	=== Starting src_prepare
	=== Done src_prepare
	sydbox: open stop count: 52
	=== Running ebuild phases loadenv configure saveenv as paludisbuild:paludisbuild...
	=== Starting src_configure
	=== Done src_configure
	sydbox: open stop count: 3304
	=== Running ebuild phases loadenv compile saveenv as paludisbuild:paludisbuild...
	=== Starting src_compile
	=== Done src_compile
	sydbox: open stop count: 8188
	=== Running ebuild phases loadenv test_expensive saveenv as paludisbuild:paludisbuild...
	=== Starting src_test_expensive
	=== Done src_test_expensive
	sydbox: open stop count: 50
	=== Running ebuild phases loadenv install saveenv as root:root...
	=== Starting src_install
	=== Done src_install
	sydbox: open stop count: 2767

	>> Phase 2:
	=== Starting builtin_init
	=== Done builtin_init
	sydbox: open stop count: 88
	=== Running ebuild phases loadenv pivotbin setup saveenv as root:root...
	=== Starting builtin_pivotbin
	=== Extracting package environment
	=== Switching to package environment
	=== Continuing using package environment
	=== Done builtin_pivotbin
	=== Starting pkg_setup
	=== Done pkg_setup
	=== Completed ebuild phases loadenv pivotbin setup saveenv
	=== Running ebuild phases loadenv installbin saveenv as root:root...
	=== Starting builtin_installbin
	=== Done builtin_installbin
	sydbox: open stop count: 1059
	=== Running ebuild phases loadenv preinst saveenv as root:root...
	=== Starting pkg_preinst
	=== Done pkg_preinst
	=== Completed ebuild phases loadenv preinst saveenv
	=== Writing VDB entry to '/var/db/paludis/repositories/installed/data/sys-apps---paludis/scm:0:C.2253.1622373735.768427.C'...
	=== Writing VDB entry keys ...
	=== Generating saved ebuild and environment...
	=== Finished writing VDB entry

2021-05-30  Alï Polatel  <alip@exherbo.org>

	seccomp: refactor seccomp rule application.
	No functionality changes.

2021-05-28  Alï Polatel  <alip@exherbo.org>

	re{arrange,pack} sydbox_t to close 6 bytes hole.
	> Before:
	struct sydbox {
		syd_process_t *            proctab;              /*     0     8 */
		int                        trace_options;        /*     8     4 */
		enum syd_step      trace_step;                   /*    12     4 */
		_Bool                      execve_wait;          /*    16     1 */

		/* XXX 3 bytes hole, try to pack */

		pid_t                      execve_pid;           /*    20     4 */
		int                        exit_code;            /*    24     4 */
		_Bool                      violation;            /*    28     1 */

		/* XXX 3 bytes hole, try to pack */

		char *                     program_invocation_name; /*    32     8 */
		config_t                   config;               /*    40   232 */

		/* size: 272, cachelines: 5, members: 9 */
		/* sum members: 266, holes: 2, sum holes: 6 */
		/* last cacheline: 16 bytes */
	};

	> After:
	struct sydbox {
		_Bool                      violation;            /*     0     1 */
		_Bool                      execve_wait;          /*     1     1 */

		/* Bitfield combined with previous fields */

		enum syd_step      trace_step:2;                 /*     0:16  4 */

		/* XXX 14 bits hole, try to pack */

		int                        trace_options;        /*     4     4 */
		int                        exit_code;            /*     8     4 */
		pid_t                      execve_pid;           /*    12     4 */
		char *                     program_invocation_name; /*    16     8 */
		syd_process_t *            proctab;              /*    24     8 */
		config_t                   config;               /*    32   232 */

		/* size: 264, cachelines: 5, members: 9 */
		/* sum members: 262 */
		/* sum bitfield members: 2 bits, bit holes: 1, sum bit holes: 14 bits */
		/* last cacheline: 8 bytes */
	};

2021-05-27  Alï Polatel  <alip@exherbo.org>

	more bitpacking for sandbox_t.
	> Before:
	struct sandbox {
		enum lock_state    magic_lock;                   /*     0     4 */
		struct sandbox_mode_struct mode;                 /*     4    16 */

		/* XXX 4 bytes hole, try to pack */

		aclq_t                     acl_exec;             /*    24    16 */
		aclq_t                     acl_read;             /*    40    16 */
		aclq_t                     acl_write;            /*    56    16 */
		/* --- cacheline 1 boundary (64 bytes) was 8 bytes ago --- */
		aclq_t                     acl_network_bind;     /*    72    16 */
		aclq_t                     acl_network_connect;  /*    88    16 */

		/* size: 104, cachelines: 2, members: 7 */
		/* sum members: 100, holes: 1, sum holes: 4 */
		/* last cacheline: 40 bytes */
	};

	> After:
	struct sandbox {
		struct sandbox_mode_struct mode;                 /*     0     4 */
		enum lock_state    magic_lock:2;                 /*     4: 0  4 */

		/* XXX 30 bits hole, try to pack */

		aclq_t                     acl_exec;             /*     8    16 */
		aclq_t                     acl_read;             /*    24    16 */
		aclq_t                     acl_write;            /*    40    16 */
		aclq_t                     acl_network_bind;     /*    56    16 */
		/* --- cacheline 1 boundary (64 bytes) was 8 bytes ago --- */
		aclq_t                     acl_network_connect;  /*    72    16 */

		/* size: 88, cachelines: 2, members: 7 */
		/* sum members: 84 */
		/* sum bitfield members: 2 bits, bit holes: 1, sum bit holes: 30 bits */
		/* last cacheline: 24 bytes */
	};

2021-05-27  Alï Polatel  <alip@exherbo.org>

	shrink proc_pid_t path buffer to close 3 bytes hole.
	> Before:
	struct proc_pid {
		pid_t                      pid;                  /*     0     4 */
		char                       path[41];             /*     4    41 */

		/* XXX 3 bytes hole, try to pack */

		UT_hash_handle             hh;                   /*    48    56 */

		/* size: 104, cachelines: 2, members: 3 */
		/* sum members: 101, holes: 1, sum holes: 3 */
		/* last cacheline: 40 bytes */
	};

	> After:
	struct proc_pid {
		pid_t                      pid;                  /*     0     4 */
		char                       path[36];             /*     4    36 */
		UT_hash_handle             hh;                   /*    40    56 */

		/* size: 96, cachelines: 2, members: 3 */
		/* last cacheline: 32 bytes */
	};

2021-05-27  Alï Polatel  <alip@exherbo.org>

	rearrange sysinfo_t to close 8 bytes hole.
	> Before:
	struct sysinfo {
		unsigned int               arg_index;            /*     0     4 */
		_Bool                      at_func;              /*     4     1 */
		_Bool                      null_ok;              /*     5     1 */

		/* XXX 2 bytes hole, try to pack */

		unsigned int               rmode;                /*     8     4 */
		enum syd_stat      syd_mode;                     /*    12     4 */
		_Bool                      decode_socketcall;    /*    16     1 */
		_Bool                      safe;                 /*    17     1 */

		/* XXX 2 bytes hole, try to pack */

		int                        deny_errno;           /*    20     4 */
		enum sys_access_mode access_mode;                /*    24     4 */

		/* XXX 4 bytes hole, try to pack */

		aclq_t *                   access_list;          /*    32     8 */
		aclq_t *                   access_list_global;   /*    40     8 */
		aclq_t *                   access_filter;        /*    48     8 */
		int *                      ret_fd;               /*    56     8 */
		/* --- cacheline 1 boundary (64 bytes) --- */
		char * *                   ret_abspath;          /*    64     8 */
		struct stat *              ret_statbuf;          /*    72     8 */
		struct pink_sockaddr * *   ret_addr;             /*    80     8 */
		const char  *              cache_abspath;        /*    88     8 */
		const struct stat  *       cache_statbuf;        /*    96     8 */

		/* size: 104, cachelines: 2, members: 18 */
		/* sum members: 96, holes: 3, sum holes: 8 */
		/* last cacheline: 40 bytes */
	};

	> After:
	/* Final reorganized struct: */
	struct sysinfo {
		unsigned int               arg_index;            /*     0     4 */
		_Bool                      at_func;              /*     4     1 */
		_Bool                      null_ok;              /*     5     1 */
		_Bool                      safe;                 /*     6     1 */
		_Bool                      decode_socketcall;    /*     7     1 */
		unsigned int               rmode;                /*     8     4 */
		enum syd_stat      syd_mode;                     /*    12     4 */
		enum sys_access_mode access_mode;                /*    16     4 */
		int                        deny_errno;           /*    20     4 */
		aclq_t *                   access_list;          /*    24     8 */
		aclq_t *                   access_list_global;   /*    32     8 */
		aclq_t *                   access_filter;        /*    40     8 */
		int *                      ret_fd;               /*    48     8 */
		char * *                   ret_abspath;          /*    56     8 */
		/* --- cacheline 1 boundary (64 bytes) --- */
		struct stat *              ret_statbuf;          /*    64     8 */
		struct pink_sockaddr * *   ret_addr;             /*    72     8 */
		const char  *              cache_abspath;        /*    80     8 */
		const struct stat  *       cache_statbuf;        /*    88     8 */

		/* size: 96, cachelines: 2, members: 18 */
		/* last cacheline: 32 bytes */
	};   /* saved 8 bytes! */

2021-05-27  Alï Polatel  <alip@exherbo.org>

	sysentry: define struct along with typedef.

2021-05-27  Alï Polatel  <alip@exherbo.org>

	rearrange config_t to close 8 bytes hole.
	> Before:
	struct config {
		_Bool                      magic_core_allow;     /*     0     1 */

		/* XXX 7 bytes hole, try to pack */

		sandbox_t                  box_static;           /*     8   104 */
		/* --- cacheline 1 boundary (64 bytes) was 48 bytes ago --- */
		_Bool                      restrict_file_control; /*   112     1 */
		_Bool                      restrict_shared_memory_writable; /*   113     1 */
		_Bool                      whitelist_per_process_directories; /*   114     1 */
		_Bool                      whitelist_successful_bind; /*   115     1 */
		_Bool                      whitelist_unsupported_socket_families; /*   116     1 */

		/* XXX 3 bytes hole, try to pack */

		enum violation_decision violation_decision;      /*   120     4 */
		int                        violation_exit_code;  /*   124     4 */
		/* --- cacheline 2 boundary (128 bytes) --- */
		_Bool                      violation_raise_fail; /*   128     1 */
		_Bool                      violation_raise_safe; /*   129     1 */
		_Bool                      follow_fork;          /*   130     1 */
		_Bool                      exit_kill;            /*   131     1 */
		_Bool                      use_seccomp;          /*   132     1 */
		_Bool                      use_seize;            /*   133     1 */
		_Bool                      use_toolong_hack;     /*   134     1 */

		/* XXX 1 byte hole, try to pack */

		aclq_t                     exec_kill_if_match;   /*   136    16 */
		aclq_t                     exec_resume_if_match; /*   152    16 */
		aclq_t                     filter_exec;          /*   168    16 */
		aclq_t                     filter_read;          /*   184    16 */
		/* --- cacheline 3 boundary (192 bytes) was 8 bytes ago --- */
		aclq_t                     filter_write;         /*   200    16 */
		aclq_t                     filter_network;       /*   216    16 */
		proc_pid_t *               hh_proc_pid_auto;     /*   232     8 */
		aclq_t                     acl_network_connect_auto; /*   240    16 */

		/* size: 256, cachelines: 4, members: 24 */
		/* sum members: 245, holes: 3, sum holes: 11 */
	};

	> After:
	struct config {
		_Bool                      magic_core_allow;     /*     0     1 */
		_Bool                      whitelist_unsupported_socket_families; /*     1     1 */
		_Bool                      whitelist_successful_bind; /*     2     1 */
		_Bool                      whitelist_per_process_directories; /*     3     1 */
		_Bool                      restrict_shared_memory_writable; /*     4     1 */
		_Bool                      restrict_file_control; /*     5     1 */
		_Bool                      use_toolong_hack;     /*     6     1 */
		_Bool                      use_seize;            /*     7     1 */
		sandbox_t                  box_static;           /*     8   104 */
		/* --- cacheline 1 boundary (64 bytes) was 48 bytes ago --- */
		enum violation_decision violation_decision;      /*   112     4 */
		int                        violation_exit_code;  /*   116     4 */
		_Bool                      violation_raise_fail; /*   120     1 */
		_Bool                      violation_raise_safe; /*   121     1 */
		_Bool                      follow_fork;          /*   122     1 */
		_Bool                      exit_kill;            /*   123     1 */
		_Bool                      use_seccomp;          /*   124     1 */

		/* XXX 3 bytes hole, try to pack */

		/* --- cacheline 2 boundary (128 bytes) --- */
		aclq_t                     exec_kill_if_match;   /*   128    16 */
		aclq_t                     exec_resume_if_match; /*   144    16 */
		aclq_t                     filter_exec;          /*   160    16 */
		aclq_t                     filter_read;          /*   176    16 */
		/* --- cacheline 3 boundary (192 bytes) --- */
		aclq_t                     filter_write;         /*   192    16 */
		aclq_t                     filter_network;       /*   208    16 */
		proc_pid_t *               hh_proc_pid_auto;     /*   224     8 */
		aclq_t                     acl_network_connect_auto; /*   232    16 */

		/* size: 248, cachelines: 4, members: 24 */
		/* sum members: 245, holes: 1, sum holes: 3 */
		/* last cacheline: 56 bytes */
	};   /* saved 8 bytes! */

2021-05-27  Alï Polatel  <alip@exherbo.org>

	remove old/unused process and sandbox typedefs.

	syd_process: move macros away from struct defs.
	No functionality changes.

2021-05-27  Alï Polatel  <alip@exherbo.org>

	syd_process: pack hole to save 8 bytes.
	> Before:
	struct syd_process {
	        pid_t                      pid;                  /*     0     4 */
	        pid_t                      ppid;                 /*     4     4 */
	        pid_t                      tgid;                 /*     8     4 */
	        short int                  abi;                  /*    12     2 */

	        /* XXX 2 bytes hole, try to pack */

	        int                        flags;                /*    16     4 */

	        /* XXX 4 bytes hole, try to pack */

	        long unsigned int          sysnum;               /*    24     8 */
	        long int                   subcall;              /*    32     8 */
	        long int                   retval;               /*    40     8 */
	        long unsigned int          clone_flags;          /*    48     8 */
	        long unsigned int          new_clone_flags;      /*    56     8 */
	        /* --- cacheline 1 boundary (64 bytes) --- */
	        const char  *              sysname;              /*    64     8 */
	        char *                     abspath;              /*    72     8 */
	        struct pink_regset *       regset;               /*    80     8 */
	        long int                   args[6];              /*    88    48 */
	        /* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */
	        struct syd_process_shared shm;                   /*   136    24 */
	        UT_hash_handle             hh;                   /*   160    56 */
	        /* --- cacheline 3 boundary (192 bytes) was 24 bytes ago --- */
	        enum syd_step      trace_step;                   /*   216     4 */

	        /* size: 224, cachelines: 4, members: 17 */
	        /* sum members: 214, holes: 2, sum holes: 6 */
	        /* padding: 4 */
	        /* last cacheline: 32 bytes */
	};

	> After:
	struct syd_process {
	        pid_t                      pid;                  /*     0     4 */
	        pid_t                      ppid;                 /*     4     4 */
	        pid_t                      tgid;                 /*     8     4 */
	        short int                  abi;                  /*    12     2 */

	        /* XXX 2 bytes hole, try to pack */

	        int                        flags;                /*    16     4 */
	        enum syd_step      trace_step;                   /*    20     4 */
	        long unsigned int          sysnum;               /*    24     8 */
	        long int                   subcall;              /*    32     8 */
	        long int                   retval;               /*    40     8 */
	        long unsigned int          clone_flags;          /*    48     8 */
	        long unsigned int          new_clone_flags;      /*    56     8 */
	        /* --- cacheline 1 boundary (64 bytes) --- */
	        const char  *              sysname;              /*    64     8 */
	        char *                     abspath;              /*    72     8 */
	        struct pink_regset *       regset;               /*    80     8 */
	        long int                   args[6];              /*    88    48 */
	        /* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */
	        struct syd_process_shared shm;                   /*   136    24 */
	        UT_hash_handle             hh;                   /*   160    56 */

	        /* size: 216, cachelines: 4, members: 17 */
	        /* sum members: 214, holes: 1, sum holes: 2 */
	        /* last cacheline: 24 bytes */
	};   /* saved 8 bytes! */

2021-05-27  Alï Polatel  <alip@exherbo.org>

	syd_process: promote flags to int from short.

	syd_process: qualify struct definitions.
	No functionality changes.

	startup_child: prepend error messages with package name for clarity.

	startup_child: report self-stop kill failure.

	splint: allow boolops.

	startup_child: fix assignment of boolean to int.
	pink_trace_me() returns negated errno.

	stat_mode: cast unused result to void.

	finish add splint target to main makefile.

	path_kill_slashes: less int-to-char conversion.

	path_make_absolute: initialize return value.

	read_one_line_file: cast unused results to void.

2021-05-26  Alï Polatel  <alip@exherbo.org>

	Revert "readlink_{alloc,copy}: fix int/ssize_t confusion in error"
	This reverts commit 5fc9b4d57fa2a2aae8c38d0f04fffcf3f9ea954c.

	readlink_{alloc,copy}: fix int/ssize_t confusion in error.

2021-05-25  Alï Polatel  <alip@exherbo.org>

	drop unused function basename_copy.

2021-05-24  Alï Polatel  <alip@exherbo.org>

	path_is_absolute: return bool rather than int.

	truncate_nl: avoid assignment of int to char.

	{beaut,simpl}ify assert.

2021-05-21  Alï Polatel  <alip@exherbo.org>

	wip: add splint target to main makefile.

	{beaut,simpl}ify the asserts.

2021-05-03  Ali Polatel  <alip@exherbo.org>

	rearrange sandbox_t to close 4 bytes hole.
	> Before:
	typedef struct {
	        enum sandbox_mode  sandbox_exec;                 /*     0     4 */
	        enum sandbox_mode  sandbox_read;                 /*     4     4 */
	        enum sandbox_mode  sandbox_write;                /*     8     4 */
	        enum sandbox_mode  sandbox_network;              /*    12     4 */
	        enum lock_state    magic_lock;                   /*    16     4 */

	        /* XXX 4 bytes hole, try to pack */

	        aclq_t                     acl_exec;             /*    24    16 */
	        aclq_t                     acl_read;             /*    40    16 */
	        aclq_t                     acl_write;            /*    56    16 */
	        /* --- cacheline 1 boundary (64 bytes) was 8 bytes ago --- */
	        aclq_t                     acl_network_bind;     /*    72    16 */
	        aclq_t                     acl_network_connect;  /*    88    16 */

	        /* size: 104, cachelines: 2, members: 10 */
	        /* sum members: 100, holes: 1, sum holes: 4 */
	        /* last cacheline: 40 bytes */
	} sandbox_t;

	> After:
	typedef struct {
	        aclq_t                     acl_exec;             /*     0    16 */
	        aclq_t                     acl_read;             /*    16    16 */
	        aclq_t                     acl_write;            /*    32    16 */
	        enum sandbox_mode  sandbox_exec;                 /*    48     4 */
	        enum sandbox_mode  sandbox_read;                 /*    52     4 */
	        enum sandbox_mode  sandbox_write;                /*    56     4 */
	        enum sandbox_mode  sandbox_network;              /*    60     4 */
	        /* --- cacheline 1 boundary (64 bytes) --- */
	        aclq_t                     acl_network_bind;     /*    64    16 */
	        aclq_t                     acl_network_connect;  /*    80    16 */
	        enum lock_state    magic_lock;                   /*    96     4 */

	        /* size: 104, cachelines: 2, members: 10 */
	        /* padding: 4 */
	        /* last cacheline: 40 bytes */
	} sandbox_t;

2021-03-14  Ali Polatel  <alip@exherbo.org>

	Preparation for v1.1.0.

2021-03-13  Ali Polatel  <alip@exherbo.org>

	acl: rearrange acl_node to close 4 bytes hole.

	sockmap: rearrange sockmap to close 4 bytes hole.

	sydbox: rearrange syd_process to close 4 bytes hole.
	No functionality changes.

	proc: rearrange proc_statinfo to close 7 bytes hole.
	No functionality changes.

	sockmatch: rearrange struct sockmatch to close 4 bytes hole.
	No functionality changes.

	sockmatch: rearrange struct sa_un to close 7 bytes hole.
	No functionality changes.

	man: update manual page for new system calls.

2021-03-12  Ali Polatel  <alip@exherbo.org>

	tests: handle missing newfstatat gracefully.

2021-03-08  Ali Polatel  <alip@exherbo.org>

	Preparation for 1.0.9.

	tests: skip unix socket matching tests for now.

	tests: set prerequisite for root user and skip tests as necessary.

	autotools: add sock-match.sh to TESTS.

	sockmatch: improve netmask handling & test.
	Gets rid of the left shift of negative value.

	use PINK_HAVE_IPV6 rather than SYDBOX_HAVE_IPV6.
	There's no autoconf check for the latter define which resulted in IPv6
	network sandboxing to be left out unconditionally.

2021-02-27  Ali Polatel  <alip@exherbo.org>

	clone_process: plug memory leak.

	add TODO for clone3.

	improve SIGCHLD handling.

	parent_process: prefer thread group id over parent pid.

	gracefully handle empty string in at functions.

	path_prefix: avoid readlink warning for std{in,out,err}

	syd_proc_fd_path: return negated errno when readlinkat fails.

	realpath_mode: workaround EACCES/ENOENT for directories in pathname.

	sys_renameat: fix conditional jump depends on uninitialized value.

	initial support for execveat.

	support execve#64 on x32.

	initial support for openat2.

	initial support for faccessat2, fix faccessat.

	initial support for renameat2.

	getcwd_long: fix TOCTOU for opendir.

	getcwd_long: fix resource leak.

	getcwd_long: check return value of lstat.

	box_check_path: fix process dead during path decode branching.

	sockmatch_parse_ip: remove logically dead branch.

	dump_one_process: remove logically dead branch.

	syd-true-fork: check bounds of argument.

	syd-true-pthread: check bounds of argument.

	syd-abort-fork: check bounds of argument.

	syd-abort-pthread: check bounds of argument.

	syd-false-pthread: check bounds of argument.

	syd-false-fork: check bounds of argument.

	syd-mkdir-p: cast unchecked return values to void.

	syd_proc_environ: fix use of untrusted string value.

	sys_stat_common: remove logically dead branch.

	syd_prepath_at: drop unused function.

	syd_path_stat: drop unused function.

	path_lookup: more hardening.

	test-skel-1/_get_flags: plug memory leak.

	test-skel-1/at_get_fd: plug memory leak.

	path_lookup: fix uninitialized scalar variable.

	path_lookup: fix strcpy call in debugging exec path.

	syd_prepath_at: fix missing return.

	realpath_mode: fix several buffer overflows.
	Imported from freebsd.git:a7a1762082e0

	realpath_mode: fix uninitialized scalar variable.

2021-02-25  Ali Polatel  <alip@exherbo.org>

	update uthash to 2.3.0.

	trace: fix use of uninitialized value.

	realpath_mode: fix result of operation garbage or undefined.

	sys_bind: fix undefined pointer dereference.

	sockmap_remove: fix null pointer dereference.

	trace: fix value set but never read.

	dump_one_process: fix value set but never read.

	sysx_chdir: fix value set but never read.

	config_parse_file: fix value set but never read.

	startup_child: fix value set but never read.

	dump_one_process: fix value set but never read.

	sys_bind: fix branch condition evaluates to a garbage value.

	basic support for newfstatat to enter magic commands.

2021-02-15  Ali Polatel  <alip@exherbo.org>

	Handle missing syscall-enter event before clone.
	This was not reproducible with kernels 5.0.21.
	This is known to happen with kernels 5.10 or newer.

	Attached below how the incident is reflected in a dump file.
	Given PIDs:
	0: sydbox
	1: eldest child of sydbox
	2: newest child, cloned by 1

	Here, sydbox receives a ptrace clone event from pid 1, however this is
	not preceded by a syscall-enter event as usually expected. So sydbox
	does not mark pid 1 with in-clone flag which in turn results in sydbox
	being unable to determine the parent pid of pid 2 upon receiving the
	initial ptrace trap.

	We fix this by not assuming syscall-enter before a clone event. The
	downside of this way of notification is we never know whether the thread
	was spawned with CLONE_FS or CLONE_FILES which results in less memory
	sharing between process data structures.

	```
	{
	    "event": 6,
	    "event_name": "pink",
	    "id": 1,
	    "pid": 1,
	    "pink": {
	        "errno": 0,
	        "name": "trace_seize",
	        "options": {
	            "CLONE": true,
	            "EXEC": true,
	            "EXIT": false,
	            "EXITKILL": false,
	            "FORK": true,
	            "SECCOMP": true,
	            "SYSGOOD": true,
	            "VFORK": true,
	            "VFORK_DONE": false
	        },
	        "pid": 1,
	        "return": 0
	    },
	    "time": 1613410290
	}
	...
	{
	    "event": 5,
	    "event_name": "wait",
	    "id": 1149,
	    "pid": 1,
	    "process": {
	        "pid": 1,
	        "stat": {
	            "comm": "(tests-f58175dea)",
	            "nice": 0,
	            "num_threads": 7,
	            "pgrp": 0,
	            "pid": 1,
	            "ppid": 0,
	            "state": "t",
	            "tpgid": 0,
	        },
	        "syd": {
	            "clone_flags": {
	                "CLONE_CHILD_CLEARTID": false,
	                "CLONE_CHILD_SETTID": false,
	                "CLONE_DETACHED": false,
	                "CLONE_FILES": false,
	                "CLONE_FS": false,
	                "CLONE_IO": false,
	                "CLONE_NEWIPC": false,
	                "CLONE_NEWNET": false,
	                "CLONE_NEWNS": false,
	                "CLONE_NEWPID": false,
	                "CLONE_NEWUSER": false,
	                "CLONE_NEWUTS": false,
	                "CLONE_PARENT": false,
	                "CLONE_PARENT_SETTID": false,
	                "CLONE_PTRACE": false,
	                "CLONE_SETTLS": false,
	                "CLONE_SIGHAND": false,
	                "CLONE_SYSVSEM": false,
	                "CLONE_THREAD": false,
	                "CLONE_UNTRACED": false,
	                "CLONE_VFORK": false,
	                "CLONE_VM": false
	            },
	            "cwd": "/home/alip",
	            "flag_IGNORE_ONE_SIGSTOP": false,
	            "flag_IN_CLONE": false,
	            "flag_IN_EXECVE": false,
	            "flag_IN_SYSCALL": false,
	            "flag_KILLED": false,
	            "flag_STARTUP": false,
	            "flag_STOP_AT_SYSEXIT": false,
	            "new_clone_flags": {
	                "CLONE_CHILD_CLEARTID": false,
	                "CLONE_CHILD_SETTID": false,
	                "CLONE_DETACHED": false,
	                "CLONE_FILES": false,
	                "CLONE_FS": false,
	                "CLONE_IO": false,
	                "CLONE_NEWIPC": false,
	                "CLONE_NEWNET": false,
	                "CLONE_NEWNS": false,
	                "CLONE_NEWPID": false,
	                "CLONE_NEWUSER": false,
	                "CLONE_NEWUTS": false,
	                "CLONE_PARENT": false,
	                "CLONE_PARENT_SETTID": false,
	                "CLONE_PTRACE": false,
	                "CLONE_SETTLS": false,
	                "CLONE_SIGHAND": false,
	                "CLONE_SYSVSEM": false,
	                "CLONE_THREAD": false,
	                "CLONE_UNTRACED": false,
	                "CLONE_VFORK": false,
	                "CLONE_VM": false
	            },
	            "ppid": 0,
	            "ref_CLONE_FILES": 7,
	            "ref_CLONE_FS": 7,
	            "ref_CLONE_THREAD": 7,
	            "sandbox": null,
	            "syscall_abi": 0,
	            "syscall_name": "clone",
	            "syscall_no": 56,
	            "tgid": 1
	        }
	    },
	    "process_count": 7,
	    "ptrace": {
	        "name": "CLONE",
	        "value": 3
	    },
	    "status": {
	        "WCOREDUMP": false,
	        "WEXITSTATUS": 0,
	        "WIFCONTINUED": false,
	        "WIFEXITED": false,
	        "WIFSIGNALED": false,
	        "WIFSTOPPED": true,
	        "WSTOPSIG": 5,
	        "WSTOPSIG_name": "SIGTRAP",
	        "WTERMSIG": 0,
	        "WTERMSIG_name": null,
	        "value": 198015
	    },
	    "time": 1613410290
	}
	{
	    "event": 6,
	    "event_name": "pink",
	    "id": 1150,
	    "pid": 1,
	    "pink": {
	        "errno": 0,
	        "name": "trace_resume",
	        "pid": 1,
	        "return": 0,
	        "signal": {
	            "name": "SIG_0",
	            "num": 0
	        }
	    },
	    "time": 1613410290
	}
	{
	    "event": 5,
	    "event_name": "wait",
	    "id": 1151,
	    "pid": 2,
	    "process": {
	        "pid": 2,
	        "stat": {
	            "comm": "(tests-f58175dea)",
	            "nice": 0,
	            "num_threads": 7,
	            "pgrp": 0,
	            "pid": 2,
	            "ppid": 0,
	            "state": "t",
	            "tpgid": 0,
	        },
	        "syd": null
	    },
	    "process_count": 7,
	    "ptrace": {
	        "name": "STOP",
	        "value": 128
	    },
	    "status": {
	        "WCOREDUMP": false,
	        "WEXITSTATUS": 0,
	        "WIFCONTINUED": false,
	        "WIFEXITED": false,
	        "WIFSIGNALED": false,
	        "WIFSTOPPED": true,
	        "WSTOPSIG": 5,
	        "WSTOPSIG_name": "SIGTRAP",
	        "WTERMSIG": 0,
	        "WTERMSIG_name": null,
	        "value": 8390015
	    },
	    "time": 1613410290
	}
	```
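
The event ordering described in the entry above, replayed through a small model as an added example (not sydbox source code). The event kinds, struct names, the sibling pid 3 and both event streams are constructed for illustration; only the pid 1 / pid 2 roles and the CLONE_FS / CLONE_FILES trade-off come from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a tracer's bookkeeping; not sydbox source code. */
#define SIM_CLONE_FS    0x00000200UL
#define SIM_CLONE_FILES 0x00000400UL

enum ev_kind { EV_SYSCALL_ENTER_CLONE, EV_PTRACE_CLONE, EV_CHILD_FIRST_STOP };

struct event { enum ev_kind kind; int pid; unsigned long flags; };

struct proc { int pid; bool in_clone; bool flags_known; unsigned long clone_flags; };

struct outcome { int child_ppid; bool shares_fs; bool shares_files; };

/* Constructed streams: the first has the syscall-enter stop, the second lacks it. */
const struct event with_enter[] = {
	{ EV_SYSCALL_ENTER_CLONE, 1, SIM_CLONE_FS | SIM_CLONE_FILES },
	{ EV_PTRACE_CLONE,        1, 0 },
	{ EV_CHILD_FIRST_STOP,    2, 0 },
};
const struct event without_enter[] = {
	{ EV_PTRACE_CLONE,     1, 0 },
	{ EV_CHILD_FIRST_STOP, 2, 0 },
};

static struct proc *by_pid(struct proc *tab, size_t n, int pid)
{
	for (size_t i = 0; i < n; i++)
		if (tab[i].pid == pid)
			return &tab[i];
	return NULL;
}

/* Replay a stream. With assume_enter set, only a syscall-enter stop marks a
 * tracee as "in clone"; otherwise the clone event itself marks it as well. */
struct outcome replay(const struct event *ev, size_t n, bool assume_enter)
{
	struct proc tab[] = { { .pid = 1 }, { .pid = 3 } }; /* known tracees */
	const size_t ntab = sizeof(tab) / sizeof(tab[0]);
	struct outcome out = { .child_ppid = -1 };

	for (size_t i = 0; i < n; i++) {
		struct proc *p = by_pid(tab, ntab, ev[i].pid);

		switch (ev[i].kind) {
		case EV_SYSCALL_ENTER_CLONE:
			if (p) {
				p->in_clone = true;
				p->flags_known = true; /* flags read from syscall args */
				p->clone_flags = ev[i].flags;
			}
			break;
		case EV_PTRACE_CLONE:
			if (p && !p->in_clone && !assume_enter) {
				p->in_clone = true;     /* parent is still identifiable */
				p->flags_known = false; /* but the clone flags were never seen */
			}
			break;
		case EV_CHILD_FIRST_STOP:
			/* Unknown pid: its parent is the tracee marked in-clone. */
			for (size_t j = 0; j < ntab; j++) {
				if (!tab[j].in_clone)
					continue;
				out.child_ppid = tab[j].pid;
				out.shares_fs = tab[j].flags_known &&
					(tab[j].clone_flags & SIM_CLONE_FS);
				out.shares_files = tab[j].flags_known &&
					(tab[j].clone_flags & SIM_CLONE_FILES);
				tab[j].in_clone = false;
				break;
			}
			break;
		}
	}
	return out;
}

int main(void)
{
	struct outcome strict = replay(without_enter, 2, true);
	struct outcome relaxed = replay(without_enter, 2, false);

	printf("strict:  ppid=%d\n", strict.child_ppid);
	printf("relaxed: ppid=%d shares_fs=%d shares_files=%d\n",
	       relaxed.child_ppid, relaxed.shares_fs, relaxed.shares_files);
	return 0;
}
```

In the relaxed mode the parent of pid 2 is found, but both sharing flags stay false because the clone flags were never observed, which is the reduced memory sharing the entry mentions.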

2020-06-19  Timo Gurr  <tgurr@exherbo.org>

	whitelist System Security Services Daemon (SSSD) nss socket.
	When using System Security Services Daemon (SSSD) this change prevents
	paludis/cave from spitting out errors when enumerating users/groups during
	the execution of pretend actions. Example:

	Executing pretend actions: 1 of 1
	apache-2.4.34> sydbox: 8< -- Access Violation! --
	apache-2.4.34> sydbox: connect(-1, unix:/var/lib/sss/pipes/nss)
	apache-2.4.34> sydbox: proc: id[13350] (parent:13215)
	apache-2.4.34> sydbox: cwd: `/var/tmp/paludis/build'
	apache-2.4.34> sydbox: cmdline: `id -un '
	apache-2.4.34> sydbox: >8 --

2020-06-14  Ali Polatel  <alip@exherbo.org>

	Preparation for 1.0.8.

2020-06-14  Azamat H. Hackimov  <azamat.hackimov@gmail.com>

	Fix compilation tests with GCC10.
	Fix compilation with enabled -fno-common option (GCC 10 enables it by
	default, see https://bugs.gentoo.org/708530).

2020-06-14  Ali Polatel  <alip@exherbo.org>

	Mark expected fall-through with compiler attribute.

	Sync help text with the manual page.

	Update manual page to reflect current status.

	Update machine name in upload tasks.

2020-02-07  Ali Polatel  <alip@exherbo.org>

	update README.

2016-12-18  Benedikt Morbach  <benedikt.morbach@googlemail.com>

	Preparation for v1.0.7.
	Change-Id: I8b80c6b9ff5aac88729dd44453206f85da27f711

	add tgid to process dump.
	Change-Id: I2a26e06e866dcc61158ae5beb1add1e1a5a0a710

2016-12-18  Benedikt Morbach  <benedikt.morbach@googlemail.com>

	fix hang by keeping track of TGIDs.
	event_exec would get rid of too many processes because they share
	shm.clone_thread while not actually being part of the same thread group.
	(really old bug, see fcd04af8dde3c21346a3e67e466e239e89727380)

	example:

	         "parent with magic lock"
	                     |
	        --------------------------
	        |                        |
	    ----------               ----------
	    |        |               |        |
	  pid 10   pid 11          pid 20   pid 21
	 |<-- tgid 10 -->|        |<-- tgid 20 -->|

	  - pid 10 calls execve
	  - event_exec removes everything with pid != 10 and the same
	    shm.clone_thread as pid 10, which includes pid 20 and pid 21

	(where pid is what the kernel calls tid (thread id), which may or may not
	make a lot more sense)

	Change-Id: I54f325b0deb19bd686a6c61473282bb99e2ce1dd
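
The pid 10 / pid 20 scenario from the entry above, as an added example (not sydbox source code): the same process table cleaned up after an exec once by shared-structure identity and once by thread group id. The struct layout and function names are hypothetical; only the pids, tgids and the `clone_thread` field name follow the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model; stands in for the structure behind shm.clone_thread. */
struct shared { int refcnt; };

struct proc {
	int pid;                      /* what the kernel calls tid */
	int tgid;                     /* thread group id */
	struct shared *clone_thread;  /* shared by every entry in this scenario */
	bool alive;
};

/* Build the table from the diagram: two thread groups, one shared pointer. */
void make_table(struct proc tab[4], struct shared *shm)
{
	const int pids[4]  = { 10, 11, 20, 21 };
	const int tgids[4] = { 10, 10, 20, 20 };

	for (size_t i = 0; i < 4; i++)
		tab[i] = (struct proc){ pids[i], tgids[i], shm, true };
	shm->refcnt = 4;
}

static struct proc *lookup(struct proc *tab, size_t n, int pid)
{
	for (size_t i = 0; i < n; i++)
		if (tab[i].pid == pid)
			return &tab[i];
	return NULL;
}

bool is_alive(struct proc *tab, size_t n, int pid)
{
	struct proc *p = lookup(tab, n, pid);
	return p && p->alive;
}

static size_t drop(struct proc *p)
{
	p->alive = false;
	p->clone_thread->refcnt--;
	return 1;
}

/* Rule described as buggy: remove every other entry that shares clone_thread. */
size_t exec_cleanup_by_shm(struct proc *tab, size_t n, int exec_pid)
{
	struct proc *self = lookup(tab, n, exec_pid);
	size_t removed = 0;

	if (!self)
		return 0;
	for (size_t i = 0; i < n; i++) {
		struct proc *p = &tab[i];
		if (p->alive && p->pid != exec_pid &&
		    p->clone_thread == self->clone_thread)
			removed += drop(p);
	}
	return removed;
}

/* Rule after tracking TGIDs: remove only the other threads of the same group. */
size_t exec_cleanup_by_tgid(struct proc *tab, size_t n, int exec_pid)
{
	struct proc *self = lookup(tab, n, exec_pid);
	size_t removed = 0;

	if (!self)
		return 0;
	for (size_t i = 0; i < n; i++) {
		struct proc *p = &tab[i];
		if (p->alive && p->pid != exec_pid && p->tgid == self->tgid)
			removed += drop(p);
	}
	return removed;
}

int main(void)
{
	struct shared shm;
	struct proc tab[4];

	make_table(tab, &shm);
	printf("by shm:  removed %zu, pid 20 alive: %d\n",
	       exec_cleanup_by_shm(tab, 4, 10), is_alive(tab, 4, 20));

	make_table(tab, &shm);
	printf("by tgid: removed %zu, pid 20 alive: %d\n",
	       exec_cleanup_by_tgid(tab, 4, 10), is_alive(tab, 4, 20));
	return 0;
}
```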

2016-10-25  Ali Polatel  <alip@exherbo.org>

	parent search: remove the in clone check from step 2.

	add recent flags to dump.

	add comment for future self.

	fix uninitialised value by valgrind.
	==22548== Conditional jump or move depends on uninitialised value(s)
	==22548==    at 0x4E36E72: syd_proc_ppid (proc.c:136)
	==22548==    by 0x4187FF: parent_process (sydbox.c:504)
	==22548==    by 0x41A8AC: trace (sydbox.c:1256)
	==22548==    by 0x41B781: main (sydbox.c:1636)

	fix clone/execve parent search (again)
	This time both +seccomp & -seccomp seem to work fine.

	bug_on: close dump before pause.

2016-10-24  Ali Polatel  <alip@exherbo.org>

	fix up clone/execve regression, plug a few leaks.
	Note: non-seccomp is yet to be fixed.

	libsyd: new function syd_proc_task_next.

	libsyd: new function syd_proc_task_open.

	libsyd: return negated errno in syd_proc_task_find upon failure.

	libsyd: add function syd_proc_state.

2016-10-14  Marc-Antoine Perennou  <Marc-Antoine@Perennou.com>

	avoid double free.

2016-10-10  Ali Polatel  <alip@exherbo.org>

	honour new clone flags on process cleanup after exec.
	Not tested, could leak memory.

2016-10-07  Ali Polatel  <alip@exherbo.org>

	Preparation for v1.0.6.

	fix chdir syscall hook regression for <linux-4.8.0.

	update uthash.

	ignore .gch, whatever that is.

	comment out useless initialisation.

	syd_readlink_alloc: if0 out broken test.
	This function is not yet used so comment it out till we do.

	syd_readlink_alloc: small tweak.

	new wrapper: syd_fstatat.

	fix chdir syscall hook.

	simplify system call deny.

	fix clone pid oddities.
	Tests pass now, however more testing could be useful before a release.

	fix linux-4.8 & seccomp.

	poems: fix indentation.

2016-10-06  Ali Polatel  <alip@exherbo.org>

	fix invalid free, warming up.

2016-02-09  Wouter van Kesteren  <woutershep@gmail.com>

	Merge tag 'v1.0.5'
	Preparation for v1.0.5

	Preparation for v1.0.5.
	Change-Id: Ic2f317c22743e2b2a0f32e681f7ec98e3b201a55

2016-02-09  Wouter van Kesteren  <woutershep@gmail.com>

	really fix tests.
	We forgot sydtest :(

	Change-Id: Ic5f40c7dd6266ab5a9e26f589851ae7e87f73185

2016-02-09  Wouter van Kesteren  <woutershep@gmail.com>

	Merge tag 'v1.0.4'

	Preparation for v1.0.4.
	Change-Id: Ifd19e4298e02391a5ede83c49b9434504dc7993b

2016-02-09  Wouter van Kesteren  <woutershep@gmail.com>

	fix tests.
	Don't ship test-lib.sh
	Give @LIBEXECDIR@ its proper value.
	Actually point to sydbox-dump.

	Change-Id: I56deac09ea09abe8f1d8f2d850a527e4a174fba0

2015-12-20  Ali Polatel  <alip@exherbo.org>

	fixes a couple of critical cves.

2015-12-12  Ali Polatel  <alip@exherbo.org>

	kingbee: fix strace handling.

2015-11-26  Ali Polatel  <alip@exherbo.org>

	add poem for the late bug fix.

2015-11-24  Ali Polatel  <alip@exherbo.org>

	libsyd: relicense to GPL-3+ and readlink voodoo (not done)

	let the bee buzz all night long.

2015-11-24  Ali Polatel  <polatel@zebramo.com>

	update gitignore.

	Revert "Revert "optimize data sharing among processes""
	This reverts commit fd6e78c60d0a00aef3ef4e7f4f51f2ac48dc2c1b.
	The assertion when seccomp enabled is also fixed amended in this commit.

2015-11-22  Ali Polatel  <alip@exherbo.org>

	assert rework to make coverity scan happy.
	Compiles, tests pass but not tested w/ paludis.

	update kingbee.py which can now reproduce the assertion bug.

2015-09-23  Heiko Becker  <heirecka@exherbo.org>

	Preparation for v1.0.3.

2015-07-04  Benedikt Morbach  <benedikt.morbach@googlemail.com>

	Revert "optimize data sharing among processes"
	This reverts commit d399033dbb6f37cba95d39b50f7351f2e7052101.

	Consistently causes an assertion failure for some packages, e.g. for net-libs/serf:

	    sydbox: Assertion 'current' failed at sydbox.c:1134, function trace()
	    sydbox: SIGTERM -> 10464 <python2.7> X = terminated
	    sydbox: SIGTERM -> 10503 <cc1> X = terminated
	    sydbox: SIGTERM -> 10504 <x86_64-pc-linux> X = terminated

	Right now I can't figure out why it happens, hence revert.

	Change-Id: I86a1ef2ade6a10d0f7b1749d434b8837e9764992
	Reviewed-on: https://galileo.mailstation.de/gerrit/2749
	Reviewed-by: Jenkins <philantrop@gmail.com>
	Reviewed-by: Benedikt Morbach <moben@exherbo.org>
	Reviewed-by: Ali Polatel <polatel@gmail.com>
	Reviewed-by: Wouter van Kesteren <woutershep@gmail.com>

2015-07-03  Benedikt Morbach  <benedikt.morbach@googlemail.com>

	add .gitreview.
	for easier usage with gerrit

	Change-Id: I7542941d28751b78fede3992de44a6902751e2b2
	Reviewed-on: https://galileo.mailstation.de/gerrit/2747
	Reviewed-by: Jenkins <philantrop@gmail.com>
	Reviewed-by: Kylie McClain <somasis@exherbo.org>

2015-06-21  Ali Polatel  <alip@exherbo.org>

	fix severe bug with turkish locale.
	No functionality changes.

2015-06-06  Ali Polatel  <alip@exherbo.org>

	preliminary poem for the bugfix;
	which needs a recheck in the morning.

2015-06-02  Ali Polatel  <alip@exherbo.org>

	fix syd_readlink_alloc.

	syd_realpath_at: fix strlcpy invocation.

2015-06-01  Ali Polatel  <alip@exherbo.org>

	write tests for syd_readlink_alloc.

	add file suite to tests.

	syd_readlink_alloc: return number of bytes.

	tweak seatest.h.

	add file-TEST.c to Makefile.am.

2015-05-31  Ali Polatel  <alip@exherbo.org>

	libsyd: more work on syd_realpath_at.

	syd_readlink_alloc: validate arguments.

	syd_readlink_alloc: start writing tests.

	syd_open_path: always use O_NOATIME.

	libsyd: new function syd_readlink_alloc.

2015-05-30  Ali Polatel  <alip@exherbo.org>

	libsyd: add file.c to Makefile.am.

2015-05-29  Ali Polatel  <alip@exherbo.org>

	libsyd: add tests for file functions.

	libsyd: unfinished work on syd_realpath_at.

2015-05-21  Ali Polatel  <alip@exherbo.org>

	libsyd: new function syd_fstat.

	libsyd: new function syd_fchdir.

	libsyd: new function syd_open_dir.

	sockmatch_parse: fix CID:84603 (logically dead code)

	dump_one_process: fix CID:84606 (logically dead code)

2015-05-20  Ali Polatel  <alip@exherbo.org>

	realpath: fix CID:84610 (useless check array -> NULL)

	dump_string: fix CID:84613 (missing break in case)

	syd_time_prof: fix CID:84640 (missing va_end for varargs)

	syd_proc_fd_path: fix CID:84619 (fd leak in error path)

	magic_cmd_exec: fix CID:84627 (possibly resource leak)

	syd_proc_environ: fix CID:84615 and other issues.

	magic_cmd_exec: fix argv allocation.

2015-05-19  Ali Polatel  <alip@exherbo.org>

	magic_cmd: fix CID:84599 (invalid sizeof)

	syd_read_string: fix CID:84639 (use after free in sys_stat)

	event_startup: fix coverity CID:84641 (use after free)

2015-05-17  Wouter van Kesteren  <woutershep@gmail.com>

	fix non-essential warnings.
	dump.c: In function 'dump_pink':
	dump.c:553:23: warning: unused variable 'regset' [-Wunused-variable]
	   struct pink_regset *regset = va_arg(ap, struct pink_regset *);
	                       ^

	wildtest.c: In function 'run_test':
	wildtest.c:88:39: warning: parameter 'same_as_fnmatch' set but not used [-Wunused-but-set-parameter
	 run_test(int line, bool matches, bool same_as_fnmatch,
	                                       ^

	seatest.c: In function 'seatest_run_test':
	seatest.c:245:29: warning: unused parameter 'fixture' [-Wunused-parameter]
	 void seatest_run_test(char* fixture, char* test)
	                             ^
	seatest.c:245:44: warning: unused parameter 'test' [-Wunused-parameter]
	 void seatest_run_test(char* fixture, char* test)
	                                            ^

	and a lot of warn_unused_result in proc-TEST.c

	Change-Id: I7e529a2c18c544acdeb39687fd608526b7553283

2015-05-17  Wouter van Kesteren  <woutershep@gmail.com>

	fix uninitialized use.
	proc.c: In function 'syd_proc_environ':
	proc.c:408:9: warning: 'r' may be used uninitialized in this function [-Wmaybe-uninitialized]
	  return r;
	         ^

	Change-Id: I1d182ae7cfce65e355148bd2963f4bc280f88e92

2015-05-17  Wouter van Kesteren  <woutershep@gmail.com>

	fix potential buffer overflow.
	In function 'snprintf',
	    inlined from 'test_proc_ppid' at proc-TEST.c:31:3:
	/usr/x86_64-pc-linux-gnu/include/bits/stdio2.h:64:10: warning: call to __builtin___snprintf_chk will always overflow destination buffer
	   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
	          ^

	Change-Id: I500d27364b5ed01253299484d07f852df1705352

2015-05-17  Ali Polatel  <alip@exherbo.org>

	update TODO.

	optimize data sharing among processes.

	fix memory leak in acl_remove_pathmatch.

2015-05-17  Ali Polatel  <alip@exherbo.org>

	small optimization for sys_execve.
	Building tdb-1.3.4 under sydbox with five jobs shows a noticeable change:

	BEFORE:

	==17540== HEAP SUMMARY:
	==17540==     in use at exit: 0 bytes in 0 blocks
	==17540==   total heap usage: 42,168 allocs, 42,168 frees, 6,570,200 bytes allocated

	AFTER:

	==6781== HEAP SUMMARY:
	==6781==     in use at exit: 0 bytes in 0 blocks
	==6781==   total heap usage: 40,875 allocs, 40,875 frees, 4,775,932 bytes allocated

	This is still too much and I am sure there are many more places where
	unnecessary memory allocations can be avoided.

2015-05-17  Ali Polatel  <alip@exherbo.org>

	fix execve thread <-> leader switch & parenting (aka: bad interpreter bug)

	add a license note to poems.txt.

	libsyd: new function syd_proc_parents.

	libsyd: new function syd_proc_task_find.

2015-05-17  Ali Polatel  <alip@exherbo.org>

	libsyd: fix the Good Morning bug in syd_proc_ppid.
	One of perl-5.10.2's tests, namely t/op/magic.t creates a process with a
	space in its name which caused syd_proc_ppid's fscanf invocation to
	fail.

	This change avoids using fscanf() and uses a simplified way.

	Remove poems.txt which could have involved poems with copyright issues. (Thanks Philantrop)
	Add a self-written poem released under WTFPL to thank woutershep for the bug report.
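
An added example, not libsyd's code: one robust way to read the PPID from a /proc/<pid>/stat line whose comm field contains spaces or parentheses, next to an assumed scanf-style parse that fails on it. The function names and the sample lines are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample lines (leading fields of /proc/<pid>/stat). */
static const char SAMPLE_PLAIN[] = "4321 (bash) S 4000 4321 4321 0 -1";
static const char SAMPLE_SPACE[] = "4322 (Good Morning) S 4321 4322 4321 0 -1";
static const char SAMPLE_PAREN[] = "4323 (a) b (c) R 4321 4323 4321 0 -1";

/*
 * scanf-style parse (an assumed stand-in for the old call): %s stops at the
 * first blank, so a comm such as "Good Morning" derails every later field.
 */
int naive_stat_ppid(const char *line, pid_t *ppid)
{
	int pid, parent;
	char comm[64], state;

	if (sscanf(line, "%d %63s %c %d", &pid, comm, &state, &parent) != 4)
		return -EINVAL;
	*ppid = (pid_t)parent;
	return 0;
}

/*
 * comm is wrapped in parentheses and may itself contain blanks and ')',
 * so the fixed fields are located from the LAST ')' on the line.
 * Returns 0 and stores the PPID, or a negated errno on malformed input.
 */
int stat_ppid(const char *line, pid_t *ppid)
{
	const char *p;
	char *end;
	long val;

	if (!line || !ppid)
		return -EINVAL;
	p = strrchr(line, ')');
	if (!p)
		return -EINVAL;
	/* After ')' the layout is fixed: ' ' state ' ' ppid ' ' ... */
	if (p[1] != ' ' || p[2] == '\0' || p[2] == ' ' || p[3] != ' ')
		return -EINVAL;
	p += 4;
	if (*p < '0' || *p > '9')
		return -EINVAL;
	errno = 0;
	val = strtol(p, &end, 10);
	if (errno || (*end != ' ' && *end != '\0' && *end != '\n'))
		return -EINVAL;
	*ppid = (pid_t)val;
	return 0;
}

int main(void)
{
	const char *lines[] = { SAMPLE_PLAIN, SAMPLE_SPACE, SAMPLE_PAREN };
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		pid_t a = -1, b = -1;
		int ra = naive_stat_ppid(lines[i], &a);
		int rb = stat_ppid(lines[i], &b);

		printf("%-45s naive=%d/%ld robust=%d/%ld\n", lines[i],
		       ra, (long)a, rb, (long)b);
	}
	return EXIT_SUCCESS;
}
```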

2015-05-17  Ali Polatel  <alip@exherbo.org>

	libsyd: open /proc/ with O_CLOEXEC.

	autotools: use -f with LN_S to fix subsequent invocations of install.

2015-05-16  Wouter van Kesteren  <woutershep@gmail.com>

	Restore ECHILD back to a noop.
	The patch to remove logging resulted in:

	--
	/var/log/paludis/1430818729-install-dev-lang_perl-5.20.2-r2:5.20::arbor.out-=== Done src_compile
	/var/log/paludis/1430818729-install-dev-lang_perl-5.20.2-r2:5.20::arbor.out-=== Starting builtin_saveenv
	/var/log/paludis/1430818729-install-dev-lang_perl-5.20.2-r2:5.20::arbor.out-=== Done builtin_saveenv
	/var/log/paludis/1430818729-install-dev-lang_perl-5.20.2-r2:5.20::arbor.out-=== Completed ebuild phases loadenv compile saveenv
	/var/log/paludis/1430818729-install-dev-lang_perl-5.20.2-r2:5.20::arbor.out:sydbox: wait failed (errno:10|ECHILD| No child processes)
	--
	/var/log/paludis/1430844436-install-dev-libs_apr-1.5.2:1::arbor.out-=== Done src_compile
	/var/log/paludis/1430844436-install-dev-libs_apr-1.5.2:1::arbor.out-=== Starting builtin_saveenv
	/var/log/paludis/1430844436-install-dev-libs_apr-1.5.2:1::arbor.out-=== Done builtin_saveenv
	/var/log/paludis/1430844436-install-dev-libs_apr-1.5.2:1::arbor.out-=== Completed ebuild phases loadenv compile saveenv
	/var/log/paludis/1430844436-install-dev-libs_apr-1.5.2:1::arbor.out:sydbox: wait failed (errno:10|ECHILD| No child processes)
	--
	/var/log/paludis/1430861711-install-media-libs_gegl-0.2.0-r8:0::media.out-=== Done src_compile
	/var/log/paludis/1430861711-install-media-libs_gegl-0.2.0-r8:0::media.out-=== Starting builtin_saveenv
	/var/log/paludis/1430861711-install-media-libs_gegl-0.2.0-r8:0::media.out-=== Done builtin_saveenv
	/var/log/paludis/1430861711-install-media-libs_gegl-0.2.0-r8:0::media.out-=== Completed ebuild phases loadenv compile saveenv
	/var/log/paludis/1430861711-install-media-libs_gegl-0.2.0-r8:0::media.out:sydbox: wait failed (errno:10|ECHILD| No child processes)
	--

	http://git.exherbo.org/sydbox-1.git/commit/?id=693cc12ba0f1f91fabad1beb23c1107b7800f1b1 had

	 			default:
	-				err_fatal(wait_errno, "wait failed");
	+				errno = wait_errno;
	+				die_errno("wait failed");
	 				goto cleanup;
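
Review bot: in the `default:` arm, `die_errno("wait failed");` now sits in front of `goto cleanup;`, and because the `err_fatal` it replaces was defined to nothing, this turns the quiet ECHILD-to-cleanup path into a fatal exit and leaves the `goto` unreachable if `die_errno` does not return. Give ECHILD its own case that only jumps to cleanup, and keep `die_errno` for wait errors that are genuinely unexpected.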

	where err_fatal was: -#define err_fatal(e,...)	/* nothing: log_msg_errno(LOG_LEVEL_FATAL, (e), __VA_ARGS__) */

	This patch restores the goto cleanup behavior instead of a fatal die.

	Change-Id: I90d6409ffae5f3e9c2a545bf0252654e09215563

2015-05-10  Wouter van Kesteren  <woutershep@gmail.com>

	use save_errno everywhere in die_errno.
	Change-Id: I74a0a90bf072c5748fea92d7078a836eb7a06943

2015-05-10  Wouter van Kesteren  <woutershep@gmail.com>

	pkg-config → ${PKG_CONFIG}
	Caused false negative on ptrace seize test

	Change-Id: I2df928e1b0ab6d16b1cfce2f54d0c79918abd118

2015-05-07  Ali Polatel  <alip@exherbo.org>

	tweak shoebox, change shebang.

	dump pink_write_syscall.

2015-05-05  Ali Polatel  <polatel@gmail.com>

	fix value stored is never read.

	fix memcpy during statbuf caching.

	tweak prep-env.sh.

	fix use after free in sockmap_destroy.

	plug memory leak in acl_sockmatch_expand.

	libsyd: fix errno restore in syd_proc_environ.

	save errno early in die_errno.

	remove logging entirely.

2015-03-23  Wouter van Kesteren  <woutershep@gmail.com>

	blacklist kernels instead of whitelist.
	Change-Id: I1249f3de77b79e8a1696cf844bb4a4f164691e8b

2015-01-17  Ali Polatel  <alip@exherbo.org>

	more fixes for jenkins script.

	Merge branch 'jenkins'
	Conflicts:
		Makefile.am
		misc/jenkins-build.sh

	tweak jenkins-build.sh for jenkins.

	autotools: add BUGS to distribution documentation.

2015-01-13  Ali Polatel  <alip@exherbo.org>

	Preparation for v1.0.2.

	autotools: add missing files to EXTRA_DIST.

2015-01-12  Ali Polatel  <alip@exherbo.org>

	Preparation for sydbox v1.0.1.

	fix typo in makefile.

	Preparation for sydbox v1.0.0.

	libsyd: fix tests.

2015-01-10  Ali Polatel  <alip@exherbo.org>

	thousand years before the release.

	use libsyd.

	libsyd: use pid as argument (this breaks tests)

2015-01-09  Ali Polatel  <alip@exherbo.org>

	libsyd: add proc_ppid.

	shoebox: fix tree.

	bury me deep into processes.

	fix dump.

2015-01-06  Ali Polatel  <alip@exherbo.org>

	shoebox fixes.

2015-01-02  Ali Polatel  <alip@exherbo.org>

	update TODO.

	document creating a sydbox dump under cave.

	reformat access violations.

	remove remaining logging calls from report()

	replace remaining log_magic invocations with say.

	dump: more dumb fixes.

	dump: actually create the directory under /tmp.

	dump: fix dumb error on startup.

	document recent changes about dump path in BUGS.

	pythons invaded my brain.

	fix clang warning.

	create temporary directory for dump.

	disable logging, to be killed soon.

	more shoes for everyone.

	mark pthread exit check tests with FIXME.
	exit report under ptrace is never reliable, sigh...

	tweak DUMP_WAIT and DUMP_EXIT outputs.

	add --dump support to tests.

2014-12-28  Ali Polatel  <alip@exherbo.org>

	add prep-env scripts for clang and musl.

2014-10-11  Ali Polatel  <alip@exherbo.org>

	dump: append to sydcore instead of bailing out.

	add BUGS.

2014-10-10  Ali Polatel  <alip@exherbo.org>

	doc: rename README.mkd to README.

	dump: bail if shoebox file exists, give information about cwd.

	give a clue about the death message.

	move assertions and die() out of log to xfunc.

	shoebox: typo.

	remove non-interesting warning about unsupported options.

	fix syntax error in test script.

	create convenience symlink for sydbox-dump.

	update TODO.

2014-06-07  Ali Polatel  <alip@exherbo.org>

	libsyd: syd_proc_fd_{open,path}

2014-06-03  Ali Polatel  <alip@exherbo.org>

	hey libsyd.

2014-05-26  Ali Polatel  <alip@exherbo.org>

	don't share process name, read from /proc as needed.

	remove much of the logging.

	tweaks and fixes here and there.

2014-05-25  Ali Polatel  <alip@exherbo.org>

	tweak dump.

	enable more core tests.

	KISS, no need for exit ptrace-stop which offers no more guarantees than WIFEXITED anyhow

	more work on core tests.

	more work on tests, adapt realpath test for test-skel-1.c.

2014-05-23  Ali Polatel  <alip@exherbo.org>

	decrease the number of threads in pthread tests.

	move tests around, re-enable wildmatch test.

	sydtest: shut make up.

	improve sydtest, pass options to test scripts rather than make.

	update t/README.

	make sure that the temp directory is for the current user only.

	remove message from makefile, this does not belong here.

	more fixes for Makefile.test.

	Add convenience script sydtest to run installed tests.

	Add missing aggregate-results.sh from git.git.

	update test-lib.sh.in and basic tests.
	git.git, ID: 4a28f169ad29ba452e0e7bea2583914c10c58322

	add MALLOC_{CHECK,PERTURB}_ to misc/prep-env.sh.

	fix test output directory handling, add missing files.

	correct environment variable specifying tests are installed.

	create valgrind symlinks in the right place.

	Set --no-print-directory in AM_MAKEFLAGS.

	Add a note about how to run installed tests.

	install tests by default.

	start rewriting the test-suite in t/
	Old tests are still in tests/

2014-05-22  Ali Polatel  <alip@exherbo.org>

	match and store /proc/$pid whitelists more efficiently.
	Because in a multi-threaded process these whitelists (used to) become huge.

	Drop core/{abort,panic}/{decision,exit_code} options.
	These are useless options which were added to aid debugging.
	core/trace/exit_kill is the new recommended way.

	Drop core/trace/exit_wait_all option.
	Only makes sense when it defaults to true.
	exit_wait_all:false does not work at all with seccomp.

	plug memory leaks in shared thread memory.

	work on dump, main loop and shoebox.

2014-05-21  Ali Polatel  <alip@exherbo.org>

	tweak shoebox.py, don't block signals during wait()

	interrupt handling fixes, remove core/trace/interrupt option.

	make sure not to free() parents whose information is required for children

	--enable-debug to print backtraces using libunwind upon SIGUSR1.

	ignore core files.

2014-05-19  Ali Polatel  <alip@exherbo.org>

	build dump enabled sydbox-dump binary unconditionally.

2014-02-16  Ali Polatel  <alip@exherbo.org>

	shoe fixes.

	add time information to dumps.

	fix remaining thread issues, IN YOUR FACE SBCL!

2014-02-15  Ali Polatel  <alip@exherbo.org>

	more dump + clone work.

	dumpity dump.

2014-02-14  Ali Polatel  <alip@exherbo.org>

	add todo for regset dump.

2014-02-12  Ali Polatel  <alip@exherbo.org>

	shoebox: gdb & strace.

	DUMP_THREAD_NEW.

	refactor the main trace loop for the 31415926th time.

	dump PTRACE_EVENT_EXECVE.

	moar work on the dumper.

	shoebox: fix DUMP_PTRACE_EXECVE.

2014-02-11  Ali Polatel  <alip@exherbo.org>

	shoebox: shoe me.

	shoebox: SIGCHLD fix.

	more work on the dumper.

2014-02-10  Ali Polatel  <alip@exherbo.org>

	DUMP_PTRACE_EXECVE.

2014-02-09  Ali Polatel  <alip@exherbo.org>

	start working on the dumper.
	Logging was obviously a bad idea which is often not really useful when
	debugging tracing issues which are hard to tackle. (Reading files of
	+500M has never been fun :)

	This commit is the start of the JSON event dumper which will be enabled
	upon a configure switch (--enable-debug) and writes events of various
	types in JSON format to a named pipe specified by the SHOEBOX variable.

	A proof-of-concept script (shoebox.py) is written in Python which reads
	from the named pipe and outputs the information to a file using bzip2
	compression. It has primitive abilities to query the compressed json
	file afterwards which are yet to be improved.

	What's left to be done:
	0. Go out to meet your girlfriend.
	1. Write dump handlers for more events.
	2. When (1) is done ditch logging entirely.
	3. Report access violations only.
	4. Improve shoebox.py query capabilities.
	5. Use the dumper to understand and fix the sbcl hang.
	6. Tell pipping he owes alip a poem when {1..5} is done.
	7. Use shoebox.py to test sydbox internals more thoroughly.

	Note, this commit also involves my initial attempts to figure out the
	sbcl bug which drove me to write this dumper in the first place. I will
	split these changes from this commit eventually.

2014-02-08  Ali Polatel  <alip@exherbo.org>

	add a build script and make target for jenkins.
	Conflicts:
		Makefile.am

	add a build script and make target for jenkins.

2014-01-20  Ali Polatel  <alip@exherbo.org>

	Merge branch 'next'

	valgrind: fix invalid write.

	fix threaded process handling.

2014-01-14  Ali Polatel  <alip@exherbo.org>

	autotools: add man/Makefile to AC_OUTPUT.

2014-01-09  Ali Polatel  <alip@exherbo.org>

	adapt misc/prep-env.sh for exherbo.

	autotools: add man/Makefile to AC_OUTPUT.

2014-01-08  Ali Polatel  <alip@exherbo.org>

	tests: pink has gone for a walk.

	fix prep-env.sh.

2014-01-08  Ali Polatel  <alip@exherbo.org>

	rework process tracking + shared memory for threads.
	Since day 1 of sydbox, process tracking has been problematic.
	Over the years many bugs and many seemingly unrelated issues
	were caused by process tracking not working correctly.

	Due to the involvement of many ptrace(2) quirks and oddities (and the
	confusion they have caused for the author) fixing process tracking
	issues properly had to wait until now. Note, this is not a claim but
	after this commit tests show a notable difference.

	Sydbox has to keep track of much information about a process (thread
	actually, every thread acts like a process on Linux) in order to sandbox
	correctly. The main problematic ones are listed below.

	| Requirement | Definition                      | Reason                                 |
	|-------------|:--------------------------------|:---------------------------------------|
	| PPID        | Caller of clone(2) system call  | Sandbox Inheritance                    |
	| CWD         | Current working directory       | Current working directory              |
	| BIND_ZERO   | bind(2) syscall with port == 0  | Automatic Network Address Whitelisting |

	* Sandbox inheritance is related to Sydbox' per-thread sandboxing.
	* Current working directory is required to resolve paths.
	* Automatic network address whitelisting is allowing successful bind(2)
	  call addresses to subsequent connect(2) and sendto(2) calls.

	-- PPID

	Using ptrace(2) inventory, tracking the caller of clone(2) system call
	can be implemented using PTRACE_O_TRACECLONE and related tracing
	options. However, when waiting for all processes with waitpid(-1,
	status, __WALL) there is no guarantee that PTRACE_EVENT_CLONE will
	arrive before the newly spawned child's initial SIGSTOP.
	{Consult ptrace(2) manual page if these make no sense.}

	This is why sydbox-1 implements the following hack:
	(Many issues fixed with this commit)

	1. Hook at clone(2) system call entry
	2. Save the process ID (and clone flags, see below)
	3. wait() for the saved process ID (if any, fallback to -1)

	Now if the initial SIGSTOP of the cloned child arrives before
	PTRACE_EVENT_EXEC sydbox knows the parent to inherit the sandbox is the
	saved process ID.

	-- CWD

	Current working directory of a thread is shared with other threads in
	case they are created with the CLONE_FS flag. This means a thread
	calling chdir(2) will change the current working directory of other
	threads. This means saving directory information per-thread is
	problematic.

	This is why sydbox-1 uses a reference counted shared pointer to save the
	current working directory of traced threads. When the number of threads
	drops to zero, the pointer is free()d.
	(Implemented with this commit)

	-- BIND_ZERO

	When bind(2) is called with 'port == 0' Sydbox keeps track of the
	bind(2) socket descriptor to figure out the actual bind(2) port after
	the subsequent getsockname(2) system call. (Calling getsockname(2) after
	bind(2) is surely not mandatory but it is generally required for any
	useful functionality.)

	As a socket descriptor is essentially a file descriptor on Linux (or
	generally anywhere UNIX) there are two issues with this tracking:

	1. dup() family system calls and fcntl system call with F_DUPFD argument
	   which can duplicate and thereby access it with a different integer.
	2. The file descriptor table is shared between threads when the thread
	   is spawned with the CLONE_FILES clone flag.

	(1) was already addressed by Sydbox. This commit addresses (2) by using a
	reference counted shared counter to save the socket descriptor list
	of duplicated file descriptors.

	In addition this commit helps vastly with sydbox memory usage when the
	traced process is multithreaded. Given the following program to spawn
	new threads compiled including <pthread.h> and <stdlib.h> files with gcc $file -pthread
	and running under sydbox using malloc-stats.c from:
	 http://cgit.freedesktop.org/cairo/plain/util/malloc-stats.c

	(Modified version of what woutershep stole from boehm-gc tests whilst
	trying to isolate the sydbox-1 problem. THANKS!)

	---8<---
	#include <pthread.h>
	#include <stdlib.h>

	pthread_key_t key;

	pthread_once_t key_once = PTHREAD_ONCE_INIT;

	/* Thread body: store a non-NULL value so the key destructor runs on exit. */
	void * entry (void *arg)
	{
	  pthread_setspecific(key, (void *)0xbad);
	  return arg;
	}

	/* Key destructor: every exiting thread spawns one more thread. */
	void on_thread_exit (void *v)
	{
	  pthread_t t;
	  (void) v;
	  pthread_create (&t, NULL, entry, NULL);
	}

	void make_key (void)
	{
	  pthread_key_create (&key, on_thread_exit);
	}

	#ifndef LIMIT
	# define LIMIT 30
	#endif

	int main (int argc, char *argv[])
	{
	  int i;
	  int l;

	  /* Number of threads to create and join; defaults to LIMIT. */
	  if (argc > 1)
	    l = atoi(argv[1]);
	  else
	    l = LIMIT;

	  pthread_once (&key_once, make_key);
	  for (i = 0; i < l; i++) {
	    pthread_t t;
	    void *res;
	    pthread_create (&t, NULL, entry, NULL);
	    pthread_join (t, &res);
	  }
	  return 0;
	}
	--->8---

	                               TOTAL                        MALLOC
	    THREADS         num         size            num           size
	Before:
	          1         314       30.993            310         26.817 (total)
	         10        7346      235.675           7342        231.499 (total)
	        100    16676108  386.665.775       16676104    386.661.599 (total)
	After:
	          1         314       31.057            310         26.881 (total)
	         10        6190      204.261           6186        200.085 (total)
	        100    11650248  269.239.351       11650244    269.235.175 (total)

	massif also shows the improvement.
	(Having plugged a couple of important memory leaks, it's actually
	possible now to run sydbox-1 under massif without eating all your RAMs)
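
An added sketch of the reference-counted shared current working directory described in the CWD section of the commit message above; it is not sydbox's code, and every struct and function name in it is hypothetical. A child cloned with CLONE_FS shares the parent's record, any other child gets a private copy, and the record is freed when its last user exits.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#ifndef CLONE_FS
#define CLONE_FS 0x00000200	/* value from the Linux uapi headers */
#endif

/* One record per group of tasks that share filesystem state. */
struct shared_cwd {
	char *path;
	unsigned refcnt;
};

struct tracee {
	pid_t tid;
	struct shared_cwd *cwd;
};

static struct shared_cwd *cwd_new(const char *path)
{
	struct shared_cwd *c = malloc(sizeof(*c));

	if (!c)
		return NULL;
	c->path = strdup(path);
	if (!c->path) {
		free(c);
		return NULL;
	}
	c->refcnt = 1;
	return c;
}

int tracee_init(struct tracee *t, pid_t tid, const char *path)
{
	t->tid = tid;
	t->cwd = cwd_new(path);
	return t->cwd ? 0 : -1;
}

/* Called when the tracer learns about a new child and its clone flags. */
int tracee_clone(const struct tracee *parent, struct tracee *child,
		 pid_t tid, unsigned long flags)
{
	child->tid = tid;
	if (flags & CLONE_FS) {
		/* Same fs state: a chdir(2) by either task affects both. */
		child->cwd = parent->cwd;
		child->cwd->refcnt++;
	} else {
		/* fork-like child: starts in the same place, then diverges. */
		child->cwd = cwd_new(parent->cwd->path);
	}
	return child->cwd ? 0 : -1;
}

/* Record a successful chdir(2); every sharer sees the new path. */
int tracee_chdir(struct tracee *t, const char *path)
{
	char *copy = strdup(path);

	if (!copy)
		return -1;
	free(t->cwd->path);
	t->cwd->path = copy;
	return 0;
}

/* Drop this task's reference; returns how many sharers remain. */
unsigned tracee_exit(struct tracee *t)
{
	unsigned left = --t->cwd->refcnt;

	if (left == 0) {
		free(t->cwd->path);
		free(t->cwd);
	}
	t->cwd = NULL;
	return left;
}
```

The same pattern fits the CLONE_FILES case in the BIND_ZERO section, with the socket descriptor list in place of the path.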

2014-01-08  Ali Polatel  <alip@exherbo.org>

	aclq: plug memory leak.

	add utility scripts.

	tests: fix test core/violation/raise_fail:1.

	Include malloc-stats.c.

	move pinktrace-1 out.

2013-10-21  Ali Polatel  <alip@exherbo.org>

	check for F_SETLK64 and F_SETLKW64.

	check for <linux/audit.h> existence.

	don't include <linux/ptrace.h> if not available.

	rework stat32 hack on x86_64.

	autotools: disable pinktrace ia64 support.
	I do not have access to an IA64 anymore.

	emily: workaround fcntl.h bug on arm.

	pinktrace: use included seatest.[ch] instead of libcheck.

2013-10-05  Michael Forney  <mforney@mforney.org>

	Use strcpy instead of strcat for building profile name.
	strcat expects that the first string is null-terminated, which may not
	be the case after a malloc.

2013-10-04  Ali Polatel  <alip@exherbo.org>

	reset the child env and call execvp() instead of execvpe()

	pinktrace: use SYS_{t,tg}kill instead of __NR_{t,tg}kill.

	do not use <linux/binfmts.h>

	autotools: fix header check for limits.h.

2013-10-02  Ali Polatel  <alip@exherbo.org>

	remove <sys/queue.h> leftovers.

2013-10-01  Marc-Antoine Perennou  <Marc-Antoine@Perennou.com>

	fix previous commit.

2013-09-29  Ali Polatel  <alip@exherbo.org>

	optimise empty_dir heavily using getdents64()
	With this very important optimisation, sydbox uses getdents64() system
	call directly on Linux to read only 2 entries instead of a lot more
	(800+ on the test machine). 2 entries are enough (think "." and "..") to
	determine whether a directory is empty.

	This is a huge leap forward making sydbox faster than sound.

	Below is a very detailed statistical observation of the results of this
	change.

	Before:
	% c99 -DSYDBOX_NO_GETDENTS empty.c
	% strace -T -e getdents64,getdents ./a.out kingbee.d
	getdents(3, /* 820 entries */, 32768)   = 32768 <0.000865>
	+++ exited with 217 +++

	After:
	% c99 empty.c
	% strace -T -e getdents64,getdents ./a.out kingbee.d
	getdents64(3, /* 2 entries */, 64)      = 48 <0.000098>
	+++ exited with 217 +++

	This is the first of a series of optimisations aiming to eventually make
	sydbox-1 speed catch the speed of light. (Next step is to make sydbox
	faster for infinite loops.)
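
An added example of the technique in the commit message above, not sydbox's empty_dir: an emptiness check that calls getdents64() with a 64-byte buffer, enough for the "." and ".." records. The function name, return convention and record struct name are assumptions; the example also handles entries arriving in any order and names too long for the buffer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Same layout as the kernel's struct linux_dirent64. */
struct dirent64_rec {
	uint64_t d_ino;
	int64_t d_off;
	unsigned short d_reclen;
	unsigned char d_type;
	char d_name[];
};

/* Returns 1 if the directory is empty, 0 if not, negated errno on error. */
int dir_is_empty(const char *path)
{
	/* Room for two minimal records, i.e. "." and "..". */
	char buf[64] __attribute__((aligned(8)));
	int fd, r = 1;
	long n, off;

	fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	if (fd < 0)
		return -errno;

	for (;;) {
		n = syscall(SYS_getdents64, fd, buf, sizeof(buf));
		if (n == 0)
			break;	/* end of directory: only "." and ".." seen */
		if (n < 0) {
			/*
			 * EINVAL means the next record does not fit in buf,
			 * so its name is longer than "." or "..": not empty.
			 */
			r = (errno == EINVAL) ? 0 : -errno;
			break;
		}
		for (off = 0; off < n; ) {
			struct dirent64_rec *d = (struct dirent64_rec *)(buf + off);

			/* Order is not guaranteed, so check every name. */
			if (strcmp(d->d_name, ".") && strcmp(d->d_name, "..")) {
				r = 0;
				goto out;
			}
			off += d->d_reclen;
		}
	}
out:
	close(fd);
	return r;
}

int main(int argc, char *argv[])
{
	int r = dir_is_empty(argc > 1 ? argv[1] : ".");

	if (r < 0) {
		fprintf(stderr, "error: %s\n", strerror(-r));
		return EXIT_FAILURE;
	}
	puts(r ? "empty" : "not empty");
	return EXIT_SUCCESS;
}
```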

2013-09-21  Ali Polatel  <alip@exherbo.org>

	New magic command core/trace/exit_kill.
	This magic command allows the underlying ptrace() architecture to kill
	tracees when Sydbox exits. (Supported on Linux-3.8 or newer)

	pinktrace: new option PINK_TRACE_OPTION_EXITKILL.
	This option is supported on Linux-3.8 or newer and is used to send a
	SIGKILL to all tracees when the tracer exits.

2013-09-13  Marc-Antoine Perennou  <Marc-Antoine@Perennou.com>

	remove duplicate #endif.

2013-09-13  Ali Polatel  <alip@exherbo.org>

	make sure the define hack in e1aa031 doesn't have side effects.

2013-09-12  Marc-Antoine Perennou  <Marc-Antoine@Perennou.com>

	Revert "aclq: skip ACL_ACTION_NONE"
	This reverts commit 0c29d7d45915d22b1b5a0c3361d8e0a80a81e4b9.

	pushed by accident

2013-09-12  Marc-Antoine Perennou  <Marc-Antoine@Perennou.com>

	fix build with recent glibc/linux-headers.
	Since glibc 2.18 (http://www.sourceware.org/git/?p=glibc.git;a=commit;h=521c6785e1fc94d1f501743e9a40af9e02797df3)
	<sys/ptrace.h> defines ptrace_peeksiginfo_args which collides with
	<linux/ptrace.h>

	aclq: skip ACL_ACTION_NONE.

2013-08-08  Ali Polatel  <alip@exherbo.org>

	proc: plug resource leak on error path for proc_environ()

	style: reduce scope of some variables.
	No code changes.

	autotools: add cppcheck target.

2013-08-04  Ali Polatel  <alip@exherbo.org>

	util: Remove close_nointr() function.
	Linux closes the descriptor unconditionally even if the close() call is
	interrupted.

	Links for reference:
	- http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html
	- http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR
	- https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain
	- http://ewontfix.com/4/
	- http://austingroupbugs.net/view.php?id=529

	close_nointr: Drop unused function

2013-07-31  Ali Polatel  <alip@exherbo.org>

	aclq: last matching pattern decides.
	Previously the first matching pattern decided the outcome. This is not
	flexible when multiple sources of patterns are checked. With the new
	matching functions the last matching pattern decides the outcome so e.g.
	further customization of a profile (think -c @paludis) is possible.

	acl_patchmatch: The last matching pattern decides.
	acl_sockmatch: Likewise.
	acl_sockmatch_saun: Likewise.
	sydbox.xml: Document match decision change.
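
An added example contrasting the two evaluation orders on one rule list; it is not sydbox's aclq code. The enum reuses the action names that appear in this ChangeLog, while the struct, the functions, the use of fnmatch(3) as the matcher, the use of ACL_ACTION_NONE for "no rule matched" and the rules themselves are assumptions made for illustration.

```c
#include <fnmatch.h>
#include <stddef.h>

enum acl_action {
	ACL_ACTION_NONE,	/* used here to mean "no rule matched" */
	ACL_ACTION_WHITELIST,
	ACL_ACTION_BLACKLIST
};

struct acl_rule {
	enum acl_action action;
	const char *pattern;
};

/*
 * Constructed rule list: two rules as a profile might ship them, then one
 * rule a user appends afterwards to customise the profile.
 */
static const struct acl_rule SAMPLE_RULES[] = {
	{ ACL_ACTION_WHITELIST, "/var/tmp/build/*" },
	{ ACL_ACTION_BLACKLIST, "/var/tmp/build/cache/*" },
	{ ACL_ACTION_WHITELIST, "/var/tmp/build/cache/ccache/*" },
};
#define SAMPLE_COUNT (sizeof(SAMPLE_RULES) / sizeof(SAMPLE_RULES[0]))

/* Old behaviour: the first rule that matches decides. */
enum acl_action acl_first_match(const struct acl_rule *rules, size_t n,
				const char *path)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (fnmatch(rules[i].pattern, path, 0) == 0)
			return rules[i].action;
	return ACL_ACTION_NONE;
}

/*
 * New behaviour: the last rule that matches decides. Walking from the tail
 * lets the search stop at the first hit.
 */
enum acl_action acl_last_match(const struct acl_rule *rules, size_t n,
			       const char *path)
{
	size_t i;

	for (i = n; i-- > 0; )
		if (fnmatch(rules[i].pattern, path, 0) == 0)
			return rules[i].action;
	return ACL_ACTION_NONE;
}
```

With first-match order the broad whitelist at the head shadows the narrower blacklist behind it, so rule order in a profile is security-relevant under either scheme.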

2013-07-31  Ali Polatel  <alip@exherbo.org>

	seccomp: disable when Linux version is older than 3.5.
	SECCOMP_MODE_FILTER is new in Linux version 3.5 and when a seccomp
	enabled build of sydbox is invoked on a system with an older kernel
	version.

	main: use os_release global variable to check for seccomp support and
	      disable as necessary and issue a warning.

2013-07-29  Ali Polatel  <alip@exherbo.org>

	kingbee: fix VALGRIND_OPTS.

2013-07-27  Ali Polatel  <alip@exherbo.org>

	box: fill action value for auto whitelisted addresses.
	All members of acl queues must have action defined for them. For
	whitelist/blacklist queues this action must be one of
	ACL_ACTION_WHITELIST or ACL_ACTION_BLACKLIST. For filter queues the
	value of action _must_ be ACL_ACTION_NONE.

	Functions sysx_bind and sysx_getsockname add a new rule to the auto
	whitelisted connect acl queue yet didn't set the rule's action value
	which resulted in:

	sydbox@1374931190: ... sys:42|connect| Code must not be reached at sandbox.c:227, function box_check_access()

	Because box_check_access doesn't know how to act when this rule matches.

	sysx_bind: set whitelisted node's action to ACL_ACTION_WHITELIST
	sysx_getsockname: set whitelisted node's action to ACL_ACTION_WHITELIST

2013-07-26  Ali Polatel  <alip@exherbo.org>

	aclq: correct EAFNOSUPPORT logic in acl_append_sockmatch.
	sockmatch_parse returns 0 and sets errno to EAFNOSUPPORT when sydbox
	does not have IPv6 support and a IPv6 address is specified as argument.

	acl_append_sockmatch incorrectly returned error in this case. Make
	acl_append_sockmatch return 0 and set errno to EAFNOSUPPORT in case of
	failure.

	magic_errno function is renamed to magic_check_call which now checks
	whether errno is set to EAFNOSUPPORT and returns MAGIC_RET_NOT_SUPPORTED
	in this case. To return error is up to the caller.

2013-07-26  Ali Polatel  <alip@exherbo.org>

	autotools: add sys-queue.h to noinst_HEADERS.

	man: add ptrace-ntpl.txt.

	acl-queue: fix abstract check in acl_sockmatch_saun()

2013-07-25  Ali Polatel  <alip@exherbo.org>

	box: ACL queue based on TAILQ from <sys/queue.h>
	Replace singly linked lists with tail queues so that we can implement
	"first match wins" priority for whitelists and blacklists.

	- add "sys-queue.h" which is OpenBSD's version of <sys/queue.h>
	- acl-queue.c: new file to wrap TAILQ with pathmatch & sockmatch
	- magic-acl.c: new file to replace old slist based append/remove
	- magic-strlist.c, magic-socklist.c, magic-if_match.c: remove old
	- slist.h: remove unused file
	- box: make box_check_access() use ACLQ
	- box: remove unused box_match_*() functions
	- test: add t2002-aclq-path.sh which simply tests ACLQ
	- man: document that the first matching pattern wins

2013-07-25  Ali Polatel  <alip@exherbo.org>

	trace: use OPTION_EXIT for non-waitable zombies.
	Quoting from ptrace-nptl.txt:
	"If a threaded program's main thread exits with pthread_exit, then it
	enters a non-waitable zombie state. It will still produce an immediate
	PTRACE_O_TRACEEXIT event, but the WIFEXITED event will be delayed
	until the entire process exits. This state exists so that shells
	don't think the process is done until all of the threads have exited."

	Thus, using PTRACE_O_TRACEEXIT is a more reliable way for tracking child
	exits than using WIFEXITED/WIFSIGNALED.

	Modify event_exit for PTRACE_EVENT_EXIT, do _not_ remove process at this stage.
	On WIFEXITED/WIFSIGNALED call remove_proc() to remove the process.

2013-07-16  Ali Polatel  <alip@exherbo.org>

	autotools: add release rules.

	autotools: add missing files to EXTRA_DIST.

2013-07-15  Ali Polatel  <alip@exherbo.org>

	remove cruft.

	autotools: --enable-installed-tests to install tests.

	pinktrace: fix doxygen warnings.

2013-07-14  Ali Polatel  <alip@exherbo.org>

	Exit trace loop if got ECHILD, not if process count == 0.
	Comment gives a testcase which wasn't handled correctly by the old code.

	powerpc: enhance 32/64bit detection.

2013-07-05  Ali Polatel  <alip@exherbo.org>

	autotools: use `subdir-objects'

2013-07-05  Ali Polatel  <alip@exherbo.org>

	config: simple configuration file naming scheme.
	The filename extension of a configuration file *must* start with ".syd-"
	followed by the magic command API version. For sydbox-1 the magic
	command API version starts from number 1 (which is the loneliest number
	that you'll ever know). The current magic command API version is 1.

	For profiles both -c @profile and -c @profile.syd-1 are supported. The
	former defaults to the current profile.

2013-06-27  Ali Polatel  <alip@exherbo.org>

	add sample profile for Skype4.

	sys_execve: plug yet another memory leak.

	sys_rename: fix invalid read.

	sys_bind: plug memory leak.

	waitpid: fix for ignored processes.
	When a process is ignored we still need to set sydbox->pidwait in case
	it calls fork() family system calls so that we won't hit the well-known
	race condition between PTRACE_EVENT_FORK and child stop.

	sock: update sysname for decoded socket subcalls.

	waitpid: assume __WALL is always available.

2013-06-26  Marc-Antoine Perennou  <Marc-Antoine@Perennou.com>

	realpath-test: also test realpath_mode when testing realpath.

	realpath: silence gcc warning.

	pinktrace: silence gcc warning.

	util: silence gcc warnings.

2013-06-26  Ali Polatel  <alip@exherbo.org>

	box: treat special /proc files specially.
	Some symbolic links under /proc are special and unless treated correctly
	will cause errors with realpath_mode() due to the fact that the process
	IDs of the tracer (sydbox) and tracee are different.

	/proc/mounts	-> /proc/self/mounts	=> /proc/$pid/mounts
	/proc/net	-> /proc/self/net	=> /proc/$pid/net
	/proc/self	-> (special directory)	=> /proc/$pid
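
The mapping in this entry written out as a path rewrite, as an added example that is not sydbox's implementation. It assumes the path is absolute and already lexically normalized; proc_rewrite() and rewrites_to() are hypothetical names.

```c
/* Added example, not sydbox code. proc_rewrite() and rewrites_to() are
 * hypothetical names. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Rewrite the special /proc entries so that they refer to the tracee `pid`
 * and not to the tracer that resolves the path.
 * Assumption: `path` is absolute and free of "//", "/./" and "/../".
 * Returns 0 on success, -1 if `out` is too small.
 */
static int proc_rewrite(const char *path, pid_t pid, char *out, size_t outlen)
{
	static const struct {
		const char *name;
		int keep_name;	/* 1: name stays below /proc/$pid, 0: name is replaced */
	} special[] = {
		{ "self",   0 },	/* /proc/self[/x] => /proc/$pid[/x]     */
		{ "mounts", 1 },	/* /proc/mounts   => /proc/$pid/mounts  */
		{ "net",    1 },	/* /proc/net[/x]  => /proc/$pid/net[/x] */
	};
	int n;

	if (strncmp(path, "/proc/", 6) == 0) {
		const char *rest = path + 6;

		for (size_t i = 0; i < sizeof(special) / sizeof(special[0]); i++) {
			size_t len = strlen(special[i].name);

			if (strncmp(rest, special[i].name, len) != 0)
				continue;
			/* Match whole components only: /proc/selfish is not /proc/self. */
			if (rest[len] != '\0' && rest[len] != '/')
				continue;
			if (special[i].keep_name)
				n = snprintf(out, outlen, "/proc/%u/%s",
					     (unsigned)pid, rest);
			else
				n = snprintf(out, outlen, "/proc/%u%s",
					     (unsigned)pid, rest + len);
			return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
		}
	}
	/* Everything else is passed through unchanged. */
	n = snprintf(out, outlen, "%s", path);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Helper for checks: does `in` rewrite to exactly `expect`? */
static int rewrites_to(const char *in, pid_t pid, const char *expect)
{
	char buf[128];

	return proc_rewrite(in, pid, buf, sizeof(buf)) == 0 &&
	       strcmp(buf, expect) == 0;
}

int main(void)
{
	/* Constructed sample paths; 1234 is a made-up tracee pid. */
	static const char *samples[] = {
		"/proc/self/fd/3", "/proc/mounts", "/proc/net/tcp",
		"/proc/self", "/proc/selfish", "/etc/passwd",
	};
	char buf[128];

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (proc_rewrite(samples[i], 1234, buf, sizeof(buf)) == 0)
			printf("%-16s => %s\n", samples[i], buf);
	}
	return 0;
}
```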

2013-06-26  Ali Polatel  <alip@exherbo.org>

	sock: fix sockmap, add a bee into the hive for bind(port=0)

	uthash: update to version v1.9.8.p3.

	sandbox: tweak sys_access, sys_open read/write check stack.

	realpath: plug memory leak.

	sysfilter: include <sys/mman.h> unconditionally.
	Otherwise compilation fails in sys_fallback_mmap.

2013-06-24  Ali Polatel  <alip@exherbo.org>

	box: don't use execve(2) sandboxing for sys_access.
	sys_access checks execve(2) {black,white}lists for X_OK flag which is wrong.
	Use read sandboxing for (F_OK|R_OK|X_OK)

2013-06-24  Quentin Glidic  <sardemff7+git@sardemff7.net>

	autotools: Use AC_DEFINE_UNQUOTED.

2013-06-24  Ali Polatel  <alip@exherbo.org>

	new functionality core/restrict/file_control.
	This feature makes it possible to restrict potentially dangerous open(2)
	flags and fcntl(2) commands.

2013-06-24  Ali Polatel  <alip@exherbo.org>

	new functionality core/restrict/shared_memory_writable.
	This functionality presents a restriction against TOCTOU attacks by
	forbidding mmap2() system calls with prot|flags combination
	PROT_WRITE|MAP_SHARED.

	magic: new category MAGIC_KEY_CORE_RESTRICT
	magic: new setting MAGIC_KEY_CORE_RESTRICT_SHARED_MEMORY_WRITABLE
	magic: new functions magic_{set,query}_restrict_shm_wr
	magic-restrict.c: new file
	sydbox_t: new member restrict_shared_memory_writable
	systable: new simple seccomp based "filter" member for sysentry_t
	systable: new member "ptrace_fallback" for sysentry_t (are ".enter", ".exit" fallbacks?)
	syscall-filter.c: new file
	filter: new function filter_mmap (seccomp based simple filter)
	filter: new function sys_fallback_mmap (ptrace() fallback of the seccomp filter)
	syscall: new function apply_simple_filter() to apply seccomp rules in .filter member functions
	syscall: call apply_simple_filter in sysinit_seccomp()
	syscall: do not add sysentry_t's with filter non-NULL to systable with systable_add()
	man: document core/restrict/shared_memory_writable (default: false)

2013-06-24  Ali Polatel  <alip@exherbo.org>

	pink: new function syd_read_argument_int.
	pink.c: new function syd_read_argument_int (casts long to int)
	path_prefix: use syd_read_argument_int

	autotools: fix --enable-seccomp.

	pathmatch: match functions return "bool"

2013-06-23  Ali Polatel  <alip@exherbo.org>

	sockmatch: fix port parsing for sockmatch_parse_ip.
	sockmatch_parse_ip abort()s when given a valid IP address but an invalid
	port (or port range)

	sockmatch_parse_ip: check for strrchr NULL return

2013-06-23  Ali Polatel  <alip@exherbo.org>

	pathmatch: optimise patchmatch_expand.
	patchmatch_expand: use !strpbrk(s, "*?") to determine literal string

	box: allow sendto() to connected sockets (where sockaddr==NULL)
	sydbox does not sandbox connected sockets.

2013-06-23  Ali Polatel  <alip@exherbo.org>

	box: fix sandbox stack, add caching for reused data.
	System calls like access(), open() are checked for multiple sandboxing
	types like read, write, exec. Reusing data between these types and
	keeping constant data unmodified between checks is required. This commit
	addresses both of these problems.

	init_sysinfo_read: do *not* memset sysinfo_t to zero (which means reset all)
	sysinfo_t: remove "ret_mode" member, add "ret_statbuf" (all stat data is needed)
	sysinfo_t: add members "cache_abspath", "cache_statbuf" (to reuse data)
	init_sysinfo_read: rename to sysinfo_read_access() (more appropriate now)
	sysinfo_exec_access: new function (like read but for exec)
	sysinfo_read_access: add inline function attribute
	sysinfo_exec_access: add inline function attribute
	check_access, check_open: keep constant data, cache statbuf and abspath
	box_check_path, box_check_ftype: use cached data if available
	sys_rename, sys_renameat: use "ret_statbuf" instead of "ret_mode"

2013-06-19  Ali Polatel  <alip@exherbo.org>

	tests: skip tests using missing features.
	Add a prereq for features like seccomp, seize so that tests which make
	use of them do not fail.

	configure.ac: New define PTRACE_SUPPORTS_SEIZE
	configure.ac: Replace WANT_SECCOMP with SYDBOX_HAVE_SECCOMP (1 or 0, never empty)
	src/*.[ch]: s/def WANT_SECCOMP/ SYDBOX_HAVE_SECCOMP/
	tests/test-lib.sh.in: Set prereqs PTRACE_SEIZE and PTRACE_SECCOMP
	tests/test-lib-sydbox.sh: Update test_expect_success_foreach_option()

2013-06-17  Ali Polatel  <alip@exherbo.org>

	man: document default values.

2013-06-17  Ali Polatel  <alip@exherbo.org>

	syscalls: (read) sandbox listxattr(2) and llistxattr(2)
	Sandbox system calls listxattr(2) and llistxattr(2); deny these system
	calls with -ENOTSUP when read sandboxing is on.

	- refactor syscall-file.c
	- add sys_listxattr() and sys_llistxattr()
	- update manual page

2013-06-13  William Orr  <will@worrbase.com>

	Fixed bug where chdir'ing to dirs whose absolute path was longer than PATH_MAX would panic
	In cases where a call to chdir() when passed a relative dir would be
	successful, sydbox could panic as the call to readlink() in proc_cwd() would
	fail with ENAMETOOLONG. This fixes that bug by using a modified getcwd() and
	chdir() to properly update current->cwd

	Modified by alip:
	- Move chdir_long() and getcwd_long() to toolong.[ch]
	- Note in Makefile that these two functions are imported from zsh
	- New configuration variable core/trace/use_toolong_hack which
	  determines whether sydbox should use this too long path hack to
	  determine current working directory of a traced process.

2013-06-10  William Orr  <will@worrbase.com>

	Fixed logging magic paths in manpage.

2013-06-06  Ali Polatel  <alip@exherbo.org>

	realpath: fix RPATH_NOFOLLOW & symlinks.

	realpath: refactor.
	Add function stat_mode() to move stat() logic out of realpath_mode()

2013-06-05  Ali Polatel  <alip@exherbo.org>

	realpath: plug memory leak during symlink resolve.
	* Add functions basename_copy() and readlink_copy() which copy
	  basename and resolved link information into previously allocated
	  buffers.
	* Use basename_copy() and readlink_copy() instead of the respective
	  _alloc() alternatives in realpath_moded()

	autotools: add -Wshadow to WANTED_CFLAGS.

2013-06-05  Ali Polatel  <alip@exherbo.org>

	pink.c: NUL terminate partial reads correctly.
	There are two methods of memory reading:
	1. Via ptrace() (one sizeof(long) at a time)
	2. Via process_vm_readv() (requires CROSS_MEMORY_ATTACH=y kernel option)

	In both cases we have to terminate the partial read string properly with
	a NUL-byte. Prior to this commit the first method would read one byte
	less due to incorrect string termination.
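
The word-at-a-time read with correct termination of a partial read, as an added example that is not pinktrace code. peek_word() is a hypothetical stand-in for ptrace(PTRACE_PEEKDATA) over a constructed buffer, and read_cstring() is likewise a hypothetical name.

```c
/* Added example, not pinktrace code. fake_mem, peek_word() and read_cstring()
 * are hypothetical; peek_word() stands in for ptrace(PTRACE_PEEKDATA, ...). */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct fake_mem {		/* constructed "tracee memory" */
	unsigned long base;	/* tracee address of bytes[0] */
	const char *bytes;
	size_t size;		/* a multiple of sizeof(long) */
};

static int peek_word(const struct fake_mem *m, unsigned long addr, long *word)
{
	if (addr < m->base || addr - m->base + sizeof(long) > m->size)
		return -EFAULT;
	memcpy(word, m->bytes + (addr - m->base), sizeof(long));
	return 0;
}

/*
 * Copy a NUL-terminated string of at most len - 1 bytes into dest, one
 * sizeof(long) at a time. dest is always NUL-terminated. *complete is set
 * to 1 only when the string's own NUL was seen; 0 means a partial read.
 * Returns the number of bytes stored before the NUL, or a negated errno
 * when nothing could be read.
 */
static long read_cstring(const struct fake_mem *m, unsigned long addr,
			 char *dest, size_t len, int *complete)
{
	size_t done = 0;

	*complete = 0;
	if (len == 0)
		return -EINVAL;
	while (done < len - 1) {
		long word;
		size_t want = len - 1 - done;
		const char *p = (const char *)&word;
		int r = peek_word(m, addr + done, &word);

		if (r < 0) {
			dest[done] = '\0';
			return done ? (long)done : r;
		}
		if (want > sizeof(long))
			want = sizeof(long);
		for (size_t i = 0; i < want; i++) {
			if (p[i] == '\0') {
				dest[done] = '\0';
				*complete = 1;
				return (long)done;
			}
			dest[done++] = p[i];
		}
	}
	dest[done] = '\0';	/* partial read: terminate after the last byte kept */
	return (long)done;
}

/* Constructed sample: a path argument at tracee address 0x1000. */
static const char SAMPLE[32] = "/tmp/sandbox/target.txt";
static char last[64];		/* result of the most recent sample_read() */

/* Read SAMPLE into a buffer of `len` bytes; returns the `complete` flag. */
static int sample_read(size_t len)
{
	struct fake_mem m = { 0x1000, SAMPLE, sizeof(SAMPLE) };
	int complete;

	if (len > sizeof(last))
		len = sizeof(last);
	read_cstring(&m, 0x1000, last, len, &complete);
	return complete;
}

int main(void)
{
	printf("full   : complete=%d \"%s\"\n", sample_read(sizeof(last)), last);
	printf("partial: complete=%d \"%s\"\n", sample_read(sizeof(long) + 1), last);
	return 0;
}
```

A caller that sees a partial read should not run the access check on the shortened string, since the kernel will act on the full pathname.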

2013-06-05  Ali Polatel  <alip@exherbo.org>

	pinktrace: add test for subsequent reads.
	Add read testcase 'TEST_read_vm_data_nul_long' which tests whether
	reading tracee's address space works for subsequent reads. First fork a
	new child, call syscall(PINK_SYSCALL_INVALID, ...) with a string longer
	than sizeof(long) then check whether it's read correctly.

	sydbox.1: correct typo.

	fix test_path_has_mtime() broken by 4a2a173.
	s/statmtime/stat_mtime/

	proc: fix readlink_alloc() return value check.
	proc_cwd() and proc_fd() haven't been updated after the changes
	introduced by 8bb25c3 for readlink_alloc() which now returns number of
	bytes placed in the buffer on successful return.

2013-06-04  Ali Polatel  <alip@exherbo.org>

	tests: rename helper functions.
	statmtime -> stat_mtime
	statinode -> stat_inode (moved to test-lib-sydbox.sh)

2013-06-04  Ali Polatel  <alip@exherbo.org>

	simplify, liberate pathname canonicalization.
	We used to import canonicalize_filename_mode() from gnulib which is
	GPL-3 now (which is not compatible with BSD-3). In addition, this
	function covers use cases which aren't of any importance to sydbox
	thereby adding useless effort to maintenance.

	- Import strlcat() and strlcpy() implementations from FreeBSD
	  (unmodified)
	- Import realpath() from FreeBSD;
	  Change the function name to realpath_mode() to handle different use
	  cases like "last file may be missing" or "do not resolve symbolic
	  links".
	- Update tests

2013-05-26  Ali Polatel  <alip@exherbo.org>

	Add tests for sys_utimensat()
	Among other tests this includes a test for the recent fix in
	12965d574111f6c2350192ff6e8dcdc1d24f98d0

	fix path_prefix() to correctly read $fd.
	cast the ptrace()-read file descriptor to int (from long) in
	path_prefix() so that `AT_FDCWD' and other negative integer constants
	are read correctly.

2013-05-26  Ali Polatel  <alip@exherbo.org>

	fix box_check_path() for bad file descriptors.
	box_check_path() may get both a bad file descriptor and NULL as path
	argument. A simple way to trigger this comes from one of coreutils'
	obscure tests:

	% strace -f -q -e utimensat -- sh -c 'touch -c - >&- 2> /dev/null'
	[pid 22003] utimensat(1, NULL, NULL, 0) = -1 EBADF (Bad file descriptor)
	[pid 22003] +++ exited with 0 +++
	--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22003,
	si_status=0, si_utime=0, si_stime=0} ---
	+++ exited with 0 +++

	Here utimensat() both gets a bad file descriptor (1, hence the EBADF
	errno) and NULL as path argument. Correctly deny such requests with
	EBADF.

2013-05-26  Ali Polatel  <alip@exherbo.org>

	t3004-fs-fchownat.sh: add TODO for AT_SYMLINK_NOFOLLOW.

	t3001-fs-fchmodat: typo.

2013-04-02  Ali Polatel  <alip@exherbo.org>

	sys_{connect,sendto}: avoid code duplication.

2013-03-30  Ali Polatel  <alip@exherbo.org>

	pinktrace: fix retval of read_socket_argument.

2013-03-12  Ali Polatel  <alip@exherbo.org>

	proc: use %u for process IDs.

	proc: optimize proc_cwd() slightly.

2013-03-11  Ali Polatel  <alip@exherbo.org>

	set $SYDBOX_ACTIVE environment variable.

	use a hashtable rather than a slist for process lookup.

	support magic stat on x86_64 for i386 ABI.

	pinktrace: fix multiple ABIs on x86_64.

	pinktrace: ditch useless pink_process abstraction.

	non-imported files are under the terms of BSD-3.

	use BSD licensed uthash as hashtable implementation.
	from: git://github.com/troydhanson/uthash.git
	commit: c76077031ae5f99878c85b7b5e1c264235b9d2b7

	log: add missing include.

	style.

2013-03-11  Ali Polatel  <alip@exherbo.org>

	fix race conditions during parent<->child association.
	We need parent<->child association to inherit sandboxing data and establishing
	this association is complicated in that there is no guarantee whether we will
	receive PTRACE_EVENT_{FORK,VFORK,CLONE} - after which we can figure out the
	child process ID using trace_geteventmsg() - or SIGSTOP of the new-born child
	first.  Suspending the child until we receive one of the aforementioned ptrace
	events is racy because the parent may be killed with SIGKILL beforehand,
	leaving us with a child which is suspended forever...

	Not suspending the child and waiting for the ptrace event gets problematic
	because when we resume the new-born child in question, the ptrace event may
	come too late (the child may have already entered a system call by then and we
	need the sandboxing data to check for access).

	These problems are caused due to the way sydbox wait()'s for events from
	all processes simultaneously. To prevent races, add a `pidwait' variable
	to sydbox_t and change this to the forking process ID on the entry of
	fork(), vfork() and clone() system calls. This ensures we are going to
	receive the aforementioned ptrace events before child creation.

	However, there is a certain chance that the tracee in question may be
	killed by SIGKILL before she returns from fork() but after the child is
	created. In this rare case inheritance is not possible so use
	the global (unmodified) sandboxing data.

2013-03-11  Ali Polatel  <alip@exherbo.org>

	pinktrace: new function pink_read_vm_data_full()

2013-03-11  Ali Polatel  <alip@exherbo.org>

	pinktrace: Merge all nsyscalls* enums into single enum.
	Likewise merge nerrnos*, nsignals*, and nioctlents* into single enums.

	See strace commit e6f55240a1d599adb160ced4bdad36d8f1fd7b92

2013-03-10  Ali Polatel  <alip@exherbo.org>

	kingbee.py: s/threading/multiprocessing/

2013-03-08  Kim Højgaard-Hansen  <kimrhh@exherbo.org>

	build fix - only one syscall abi on i386.

	fix include guard, I386 not X86.

2013-03-08  Ali Polatel  <alip@exherbo.org>

	small seize fixes.

2013-03-05  Ali Polatel  <alip@exherbo.org>

	oh libtool, words can't explain my hate towards you.

	fix /proc//status fail.

	pinktrace: build pipe.c.

	correctly determine thread group ID of prematurely born children.
	This should fix the inheritance of sandboxing data.

	kingbee.py: improve, add more tests.

	sysenter: log names of all system calls.

	don't log partial reads in read_string()

2013-03-03  Ali Polatel  <alip@exherbo.org>

	pinktrace: fix installation.

	box: fix socket violation report.

2013-03-01  Ali Polatel  <alip@exherbo.org>

	typo of crucial importance, noticed by woutershep.

	new poem by moben.

	if_match: fix {resum,kill}ing processes.

2013-03-01  Ali Polatel  <alip@exherbo.org>

	add guard around inherit_sandbox()
	Add process flag SYD_DONE_INHERIT
	inherit_sandbox() checks/sets SYD_DONE_INHERIT before/after inheritance

	This avoids a memory leak caused by sydbox inheriting sandboxing data
	more than once.

2013-03-01  Ali Polatel  <alip@exherbo.org>

	kingbee.py: add valgrind and threading support.

2013-02-27  Ali Polatel  <alip@exherbo.org>

	new poem by keruspe.

	pinktrace: read_retval()'s error argument may be NULL.

	plug memory leaks reported by valgrind.

	tweak flag names, remove unused FOLLOWFORK.

	tweak sigusr()

	update sysexit handling broken by 58fa0b4.

	update regset only on seccomp and syscall events.

2013-02-27  Ali Polatel  <alip@exherbo.org>

	seccomp: do syscall checking in EVENT_SECCOMP.
	Before:
	SECCOMP -> SYSENTRY -> BOX_CHECK -> DENY? -> (no) RESUME
						|
						|-> (yes) SYSEXIT -> RESTORE

	After:
	SECCOMP -> BOX_CHECK -> DENY? -> (no) RESUME
				    |
				    |-> (yes) SYSENTRY -> SYSEXIT -> RESTORE

	Thus we stop the tracee one less time on successful syscall paths.
	With this commit, the overhead of allowed system calls is reduced
	noticeably:

	>>> Test: stat /dev/null 100000 times
	Before:
		1: bare: 0.235686 sec
		2: sydbox [seize:0, seccomp:0]: 2.961659 sec
		3: sydbox [seize:0, seccomp:1]: 3.979262 sec (*)
		4: sydbox [seize:1, seccomp:0]: 2.930647 sec
		5: sydbox [seize:1, seccomp:1]: 4.012038 sec (*)
	After:
		1: bare: 0.230615 sec
		2: sydbox [seize:0, seccomp:0]: 2.941883 sec
		3: sydbox [seize:0, seccomp:1]: 1.836790 sec (*)
		4: sydbox [seize:1, seccomp:0]: 2.937578 sec
		5: sydbox [seize:1, seccomp:1]: 1.836859 sec (*)

2013-02-27  Ali Polatel  <alip@exherbo.org>

	add a simple benchmarking script.

	style.

	seccomp: fix utter failure wrt INSYSCALL.

2013-02-26  Ali Polatel  <alip@exherbo.org>

	pinktrace: implement write_argument on IA64 (untested)

	sydbox: fix compilation issues on ARM.

	pinktrace: more ARM fixes.

	pinktrace: make pink_ptrace() return -errno on failure.

2013-02-25  Ali Polatel  <alip@exherbo.org>

	pinktrace: ARM fixes (WIP, tests still fail)

	only call proc_stat() for ppid when we don't get EVENT_FORK before child birth

2013-02-24  Ali Polatel  <alip@exherbo.org>

	ignore processes instead of remove until genuine exit()

	add guard for ignored processes in ignore_proc()

	pinktrace: add API to lookup/name of errnos and signals.

	tests: check all supported tracing options.

	pinktrace: refactor, use PTRACE_{GET,SET}REGSET.

2013-02-23  Ali Polatel  <alip@exherbo.org>

	autotools: correctly detect HAVE_INTERRUPT.

	ditch pinktrace-easy, refactor sydbox.

	pinktrace: make ARM a one personality arch.

	pinktrace: in pink_trace_kill() skip tgkill(2) for tgid <= 0.
	not all manual pages tell the truth!

2013-02-17  Ali Polatel  <alip@exherbo.org>

	pinktrace: new function pink_trace_getsiginfo()
	This function wraps the ptrace request PTRACE_GETSIGINFO.

2013-02-16  Ali Polatel  <alip@exherbo.org>

	pinktrace: support PTRACE_{SEIZE,INTERRUPT,LISTEN}
	These ptrace requests have been available since Linux-3.4.

	The PTRACE_SEIZE_DEVEL flag which has been available for some time was
	used to declare that these requests are not ready for production use.
	This flag has been removed from Linux kernel with commit
	ee00560c7dac1dbbf048446a8489550d0a5765b7.

	Hence we use a simple approach and do not set
	PINK_HAVE_{SEIZE,INTERRUPT,LISTEN} in configure.ac in case
	PTRACE_SEIZE_DEVEL is defined in <linux/ptrace.h>.

	> New functions
	pink_trace_seize()
	pink_trace_interrupt()
	pink_trace_listen()

	> New events
	PINK_EVENT_STOP

	> New defines
	PINK_HAVE_SEIZE
	PINK_HAVE_INTERRUPT
	PINK_HAVE_LISTEN
	PINK_HAVE_EVENT_STOP

2013-02-15  Ali Polatel  <alip@exherbo.org>

	sys_bind: fix error path.

2013-02-14  Ali Polatel  <alip@exherbo.org>

	sydbox: show verbose build info with --version.

	tests: make --valgrind work.

2013-02-12  Ali Polatel  <alip@exherbo.org>

	pinktrace: use correct types.

	pinktrace: fix vm_read* for multiple wordsizes.

	box: fix error path in check_socket.

2013-02-10  Ali Polatel  <alip@exherbo.org>

	tests/basic: use &&, fix raise_fail test.

	log: restore suffix in die_errno(), more context.

	config: get rid of JSON.

2013-02-09  Ali Polatel  <alip@exherbo.org>

	JSON_parser: update to d225b80.

2013-02-07  Ali Polatel  <alip@exherbo.org>

	pinktrace: correctly increment remote address in pink_vm_cread_nul()

	pkg-config: install .pc files.

2013-02-05  Ali Polatel  <alip@exherbo.org>

	tests: update test-lib-functions.sh.

	tests: remove rm calls in clean environment.

	tests: get rid of more $test_count.

	tests: move custom functions to test-lib-sydbox.sh.

	tests: rename unique filename functions.

	tests: Always append '&&' to test functions.

	tests: use the new uniq filename functions.

	tests: Add unique filename functions, add chmod tests.

	box: refactor box_check_path, add tests for rmdir(2)

2013-02-03  Ali Polatel  <alip@exherbo.org>

	unlinkat: correctly handle -EISDIR error and AT_REMOVEDIR flag.

	rmdir: do _not_ follow symlinks, handle -ENOTEMPTY.
	rmdir(2) does not follow symbolic links.
	rmdir(2) sets errno to ENOTEMPTY for non-empty directories.

	box: more logging, style.

	correctly check the return value of pink_read_vm_data*()

	pinktrace: new pink_vm_* functions for split functionality.
	Split pink_read_vm_* and pink_write_vm_* functions into two functions,
	one of which does cross memory attach and the other uses ptrace().

	compile with -pedantic, fix warnings.

2013-02-02  Ali Polatel  <alip@exherbo.org>

	easy: reindent, no functional changes.

	autotools: fix out-of-tree build.

2013-02-02  Ali Polatel  <alip@exherbo.org>

	rework pinktrace, enable doxygen and pinktrace install.
	functions return 0 on success, negated errno on failure
	enable doxygen
	install pinktrace and pinktrace-easy
	install pinktrace-check for testing after installation

	not done:
	add (currently unused) pinktrace/pipe.[ch], a simple API around pipe(2)

2013-02-02  Ali Polatel  <alip@exherbo.org>

	pinktrace: fix void pointer arithmetic in pink_read_vm_data_nul.

2013-01-31  Ali Polatel  <alip@exherbo.org>

	autotools: use LOG_COMPILER instead of TESTS_ENVIRONMENT.

2013-01-24  Ali Polatel  <alip@exherbo.org>

	tests: add more chmod(2) tests.

2013-01-17  Ali Polatel  <alip@exherbo.org>

	gitignore: Ignore *.log and *.trs.
	These are autogenerated by automake-1.13 with parallel-tests

2013-01-17  Ali Polatel  <alip@exherbo.org>

	autotools: fix TESTS_ENVIRONMENT for parallel-tests.
	With automake-1.13 the feature parallel-tests is default which uncovers
	a bug in the test-suite's TESTS_ENVIRONMENT script.

	tests/Makefile.am: s/SYDBOX_CHECK_OPTS/SYDBOX_CHECK_OPTIONS/
	tests/Makefile.am: Add --verbose to SYDBOX_CHECK_OPTIONS
	tests/test-runner.sh: simply append SYDBOX_CHECK_OPTIONS after "$@"

2013-01-17  Ali Polatel  <alip@exherbo.org>

	tests: fix tests broken by previous commit.
	Commit 7b8291199b8b0a0fa9220885fa61ac8777d02789 has broken tests because
	the file names of a few tests were changed and Makefile.am was not
	updated.

	Update Makefile.am to reflect the name changes.

2013-01-12  Ali Polatel  <alip@exherbo.org>

	rename: add more tests covering ENOTDIR, ENOTEMPTY.

2013-01-12  Ali Polatel  <alip@exherbo.org>

	sys_rename: fix directory handling.
	Quoting rename(2):
	"oldpath can specify a directory. In this case, newpath must either not
	exist, or it must specify an empty directory."

	file.c: New function empty_dir()
	sys-check.h: new syd_mode_t flag SYD_IFBAREDIR for empty directories
	sys-check.h: new sys_info_t member "bool *isdir"
	sys-rename.c: check whether oldpath is a directory by setting info.isdir
	sys-rename.c: set SYD_IFBAREDIR for info.syd_mode in case oldpath is
	              a directory
	sydbox-box.c: stat() is required if info.isdir is not NULL for
	              box_check_path()
	sydbox-box.c: in box_check_path() fail with -ENOTEMPTY if empty_dir()
	              returns non-zero for the newpath

	Not done:
	Start adding rename() tests.
	Create t3023-fs-renameat.sh for renameat() tests.

2013-01-11  Ali Polatel  <alip@exherbo.org>

	proc: drop useless comment.

	log: abstract log_abort_func()

2012-12-02  Ali Polatel  <alip@exherbo.org>

	new poem by fauxmight.
	the mighty fauxmight!
	your verses of badness have enlightened my night!
	i fed all the goats of under the glorious light!
	may you be forever young aight?

2012-11-25  Ali Polatel  <alip@exherbo.org>

	new poem from moben.

2012-11-02  Ali Polatel  <alip@exherbo.org>

	new poem from ivanm.

	sockmatch: parse IPv6 addresses correctly.

	new poem from eternaleye.

	new poem from woutershep.

	undef _FORTIFY_SOURCE for emily.

	rework tests, add more basic tests.

	Do not incorrectly return from sys_access() and sys_faccessat()

	canonicalize: style.

	canonicalize: Update from gnulib.
	Update to gnulib commit:573dad2ce496fa87dac2e79f37bae62e0be1d2c6
	Return -EINVAL in case path is NULL

	tests: add README.

	tests: fix canonicalize test.

	tests: tweak valgrind script.

	tests: fix wildmatch test.

	fix warnings generated by sparse.

	fix IPv6 support.

	autotools: use $(MAKE)

	sys-mknod: use SYD_IFNONE to handle EEXIST.

	box: use lstat() for SYD_IFNONE.

2012-11-01  Ali Polatel  <alip@exherbo.org>

	new poem from keruspe.

	new poem from judu.

2012-10-28  Ali Polatel  <alip@exherbo.org>

	new poem from Philantrop.

2012-10-23  Ali Polatel  <alip@exherbo.org>

	new poem by nicoo.

	new poem by kloeri.

2012-10-18  Ali Polatel  <alip@exherbo.org>

	sockmatch: tweak unix-abstract addr matching.

2012-10-17  Ali Polatel  <alip@exherbo.org>

	pinktrace: make sure to read socket arg with correct size.

2012-10-16  Ali Polatel  <alip@exherbo.org>

	pinktrace: simplify pink_read_socket_address()

	sydbox: fix includes to get PAGE_SIZE.

	new poem by keruspe.

	autotools: unify upload target.

	data: import poems.

	sys_bind(): Use pink_read_socket_argument()
	Using pink_read_argument() is wrong because it does *not* decode
	socketcall() thus it causes failures on architectures with this system
	call.

	pinktrace: fix pink_read_socket_argument()
	For decode_socketcall == false, this function is equivalent to
	pink_read_argument()
	For decode_socketcall == true, this function decodes the second argument
	of the socketcall(2) system call.

2012-10-15  Ali Polatel  <alip@exherbo.org>

	autotools: #define SYDBOX_HAVE_IPV6 as needed.

2012-10-14  Ali Polatel  <alip@exherbo.org>

	man: formatting.

	man: fix upload-html target.

2012-10-13  Ali Polatel  <alip@exherbo.org>

	pinktrace: fallback to ptrace() memory read/write.
	In case the Linux kernel has been configured without CROSS_MEMORY_ATTACH
	option the system calls process_vm_readv and process_vm_writev return
	-ENOSYS. Fallback to the old and inefficient ptrace(2) based memory
	read/write in such cases.

2012-10-06  Ali Polatel  <alip@exherbo.org>

	autotools: fix check for process_vm_{readv,writev}

	sydbox: update usage()

	rework magic commands, add special cmd/exec magic.
	Add append/remove operation to string arrays
	Add command operation which executes a special function
	Add cmd/exec special function to execute a program outside sandbox
	Add sydfmt program to format cmd/exec magic
	Make it possible to add virtual system calls

	sydbox: change short option of version to `-v'

2012-10-04  Ali Polatel  <alip@exherbo.org>

	detach from processes properly.

	fix [-Wswitch] compile warning.

2012-09-29  Ali Polatel  <alip@exherbo.org>

	man: fix seccomp magic command documentation.
	Thanks to nakamuray who spotted the error.

	man: update, add more invocation examples.

	startup: simplify execve() handling.

	sys_open: handle O_DIRECTORY and O_NOFOLLOW.
	O_DIRECTORY returns -ENOTDIR for non-directories
	O_NOFOLLOW returns -ELOOP for symbolic links

	man: document -E command line options.

	box: whitelist successful bind socket addresses globally.

2012-09-28  Ali Polatel  <alip@exherbo.org>

	tests: finish writing mkdir tests.

	tests: Use $test_count to create unique filenames.

	slist: rename macros, style.

	box: use path_is_absolute, style.

	log: drop unused variable.

2012-09-27  Ali Polatel  <alip@exherbo.org>

	don't sandbox recvfrom()

	pinktrace: fix read_socket_address, add tests.

	box: more context for unknown sockfamily.

	tests: fix.

	log: include pinktrace/pink.h instead of compiler.h.
	<pinktrace/compiler.h> is not meant to be included directly.

2012-09-27  Ali Polatel  <alip@exherbo.org>

	box_check_path: Handle bad fd for absolute paths.
	Using a bad file descriptor for absolute paths is OK for `at' suffixed
	functions. For example, openat(-1, "/dev/null", O_WRONLY); returns
	success.

	Handle this case by checking for -EBADF return of path_prefix() and
	delaying system call denial until after path_decode() when we can figure
	out whether the path is an absolute path.
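
The delayed-denial rule from this entry, together with the utimensat(1, NULL, NULL, 0) case from the 2013-05-26 entry, as an added example that is not sydbox code. at_prefix_decision() and kernel_openat() are hypothetical names, and returning -EFAULT for a NULL pathname where NULL is not accepted is an assumption that mirrors the kernel.

```c
/* Added example, not sydbox code. at_prefix_decision() and kernel_openat()
 * are hypothetical names. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Decide what to do with the (dirfd, pathname) pair of an *at() call.
 *
 * prefix_err: 0 when the directory fd was resolved to a path,
 *             -EBADF when it was not.
 * null_ok:    nonzero for calls such as utimensat() where a NULL pathname
 *             means "operate on the directory fd itself".
 *
 * Returns 0 to go on with the sandbox check, or the negated errno the
 * system call is denied with.
 */
static int at_prefix_decision(int prefix_err, const char *path, int null_ok)
{
	if (path == NULL) {
		/* Bad fd and no pathname: nothing left to check, deny with EBADF. */
		if (prefix_err)
			return prefix_err;
		/* Assumption: mirror the kernel's EFAULT for a NULL pathname. */
		return null_ok ? 0 : -EFAULT;
	}
	/* An absolute pathname makes the kernel ignore dirfd, bad or not. */
	if (path[0] == '/')
		return 0;
	/* A relative pathname is resolved against dirfd, so a bad fd is fatal. */
	return prefix_err;
}

/* What the kernel itself answers for openat(dirfd, path, O_WRONLY). */
static int kernel_openat(int dirfd, const char *path)
{
	int fd = openat(dirfd, path, O_WRONLY);

	if (fd < 0)
		return -errno;
	close(fd);
	return 0;
}

int main(void)
{
	/* Constructed cases; dirfd -1 is never a valid descriptor. */
	static const char *paths[] = { "/dev/null", "dev/null" };

	for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
		printf("openat(-1, \"%s\"): kernel=%d sandbox=%d\n", paths[i],
		       kernel_openat(-1, paths[i]),
		       at_prefix_decision(-EBADF, paths[i], 0));
	}
	printf("utimensat(closed fd, NULL): sandbox=%d\n",
	       at_prefix_decision(-EBADF, NULL, 1));
	return 0;
}
```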

2012-09-26  Ali Polatel  <alip@exherbo.org>

	data: Add logo by replica.

2012-09-25  Ali Polatel  <alip@exherbo.org>

	path_prefix: return correct error code.

	deny: more context.

	sys-check: style.

	pathdecode: style.

	sys-getsockname: correct index for sockaddr.

	sockmatch: correctly initialize ipv6 netmask.

	Relicense to GPL3+, style.

2012-08-21  Ali Polatel  <alip@exherbo.org>

	Remove leftover declarations.

2012-08-20  Ali Polatel  <alip@exherbo.org>

	Refactor path decoding.

	Make die() and assert() not leave children behind.

	Remove cruft.

	Refactor path matching.

	magic: fix removal of network address entries.

	Rework socket matching.

2012-08-19  Ali Polatel  <alip@exherbo.org>

	Make a note that the JSON_parser is imported.

	pinktrace/syscall: more const, style.

	log: style.

2012-08-18  Ali Polatel  <alip@exherbo.org>

	magic: type check before allowing set operation.

	log: initialize early.

	magic: fix typo.

	tests: more chmod() tests.

2012-08-17  Ali Polatel  <alip@exherbo.org>

	log: flush output buffer.

2012-08-17  Ali Polatel  <alip@exherbo.org>

	canonicalize_filename_mode: fix stat error path (take 2)
	In stat error path, call lstat() for the last member of the path for
	CAN_EXISTING|CAN_NOLINKS so that we can catch dangling symbolic links in
	this can_mode.

	Drop file_mode and no_resolve members of sys_info_t
	Add can_mode and fail_if_exist members to sys_info_t

	Update sys_foo() functions to reflect the changes

2012-08-16  Ali Polatel  <alip@exherbo.org>

	style.

	tests: add another test for circular symbolic links.

	canonicalize_filename_mode: fix stat error path.
	In stat error path, treat ELOOP like ENOENT for CAN_ALL_BUT_LAST
	This fixes unlink() and similar system calls for circular symbolic links

	canonicalize_filename_mode: fix readlink_alloc() error checking.

	box_resolve_path_helper: log errno as well.

	tests: Start testing pathname canonicalization.

	autotools: don't require {v,}dprintf.

	autotools: make imported files easier to spot.

	tests: fix typo in help output.

	log: various fixes.
	Fix log_init()
	Fix log_msg_va() to use va_list properly
	Use FILE in log.c instead of file descriptors and dprintf()
	Make LOG_LEVEL_WARNING user-configurable
	Update paludis profile for new log levels

2012-08-15  Ali Polatel  <alip@exherbo.org>

	path_decode: decrease log severity.

	path_prefix: fix uninitialized variable.

	pink/socket: fix pink_read_socket_subcall() macro.

	pink/socket: correct pink_socket_subcall_name()

	fix --disable-seccomp broken by 1c6cb72.

	tests: test openat()

	wildmatch: log early for the correct log string.

	s/wildmatch_sydbox/wildmatch_ext/

	Tweak manual page.

	Polish magic interface.
	No functional changes

	Make deny() accept errno as argument.

	Rework syscall checks, fix sys_unlink()

2012-08-14  Ali Polatel  <alip@exherbo.org>

	tests: re-enable mkdir() tests.

	tests: reorder, re-enable creat() tests.

	tests: re-enable rest of the tests.

	tests: re-enable open() tests.

	tweak paludis profile.

	style.

	improve sig_user with /proc/$pid/stat dump.

	fix sydbox->ctx NULL check in abort_all()

	box: fix socket access violation filter.

	hashtable: fix includes and update from rsync-3.0.9.

	skip initial wait_execve properly, fixes seccomp.

	Simpler, more powerful logging.

	pink/easy: Don't clear suspend flag in process_new.

2012-08-12  Ali Polatel  <alip@exherbo.org>

	Ignore seccomp magic if seccomp support is disabled.

	Enable seccomp for paludis profile.

	add SIGUSR1 and SIGUSR2 handlers.
	These signals provide process dumps on stderr.

	abort every tracee after a fatal signal.

	pink_read_string returns -1 on error.
	Fix. sydbox-1 incorrectly assumed it returns a boolean.

	style.

	even more debug logging.

	box: deny with real errno on path lookup errors.

	canonicalize: check for multiple bits.

	more debug logging.

	sys_info_t: add null_ok variable.
	Some at suffixed functions (like utimensat, futimesat) operate on
	directory file descriptor when the file name argument is NULL.
	Handle this condition.

	path_decode: fix handling of EFAULT.

	wildmatch_expand: fix /*** expansion.

	wildmatch_expand: fix erroneous memory allocation.

	magic: add MAGIC_ERROR_NOT_SUPPORTED.

2012-08-11  Ali Polatel  <alip@exherbo.org>

	don't install pinktrace-check.

	fix build with --disable-seccomp.

	rename x86 to i386 for consistency.

	seccomp: add support for multiple syscall ABIs.

2012-08-10  Ali Polatel  <alip@exherbo.org>

	log: message -> notice.

	proper interrupt handling, kill attach.

	define log levels.

	initial seccomp support, more polishing.

2012-08-09  Ali Polatel  <alip@exherbo.org>

	autotools: check for linux/ptrace.h.

	Initial preparation in seccomp-based filtering.
	pinktrace-easy: add seccomp callback for PINK_EVENT_SECCOMP
	pinktrace-easy: pink_easy_loop() accepts step_method argument

	pinktrace: add seccomp option and event.
	pinktrace/trace.h: Add PINK_TRACE_OPTION_SECCOMP
	pinktrace/event.h: Add PINK_TRACE_EVENT_SECCOMP

	include rewritten pinktrace.

	start refactoring tests.

2012-08-01  Ali Polatel  <alip@exherbo.org>

	start writing tests for blacklisting.

2012-07-31  Ali Polatel  <alip@exherbo.org>

	magic: new commands to customize pattern matching.
	core/match/case_sensitive to change behaviour of case sensitivity
	core/match/no_wildcard to change behaviour of literal strings as
	patterns

	Set useful environment variables for children.

	Update canonicalize_filename_mode from coreutils-8.17.

	Fix per process directory whitelisting.

	box: tweak logging.

	wildmatch: Replace ext hack with wildmatch_expand.

2012-07-30  Ali Polatel  <alip@exherbo.org>

	magic: core/log -> log.

	magic: fix core configuration access restriction.

	magic: core/sandbox/* values may be queried.

	Accept long options for compatibility with sydbox-0.

	Refactor tests.

2012-07-29  Ali Polatel  <alip@exherbo.org>

	plug two memory leaks.

	test link.

	test unlink.

	test utimes.

2012-07-28  Ali Polatel  <alip@exherbo.org>

	man: Document SIGNALS, update BUGS.

	Fix process spawn at startup.

	Do not dump information on suspended threads.

	Refactor callback_startup, more logging.

	core/log/level is an integer not a string.

	Recognize /dev/sydbox/${version_major} as magic.

	Update code for the recent pinktrace API rework (take 2)

2012-07-27  Ali Polatel  <alip@exherbo.org>

	style, tweak macros.

	Update code for the recent pinktrace API rework.

2012-07-24  Ali Polatel  <alip@exherbo.org>

	man: update copyright.

2012-06-14  Ali Polatel  <alip@exherbo.org>

	pandora is going to be sydbox-1 \o/

2012-06-13  Ali Polatel  <alip@exherbo.org>

	split decision and lock magic.

	split socklist magic.

	split strlist magic.

	split integer magic.

	split boolean magic.

	split exec_{kill,resume}_if_match magic.

	start using split log, sandbox magic.

	tweak manual page.

	update test-lib.sh, fix tests.

	Use pink_easy_process_vm_{read,write}v.

	initialize pinktrace-easy.

	make violation_exit_code special case clear.

2012-06-12  Ali Polatel  <alip@exherbo.org>

	Add comment about skipping initial execve(2)

	man: wording.

	fixes for latest pinktrace.

	s/PINKTRACE_LINUX/PINK_OS_LINUX/

	start splitting pandora-magic.c.

	foo.

	use sandbox_mode_to_string.

	fix recvfrom() for socketcall.

	s/addrfamily/strtable/

	autoupdate.

2011-05-05  Ali Polatel  <alip@exherbo.org>

	correct paludis config.

	don't barf if an IPV6 addr is supplied when no IPV6 support was compiled in

	add security and bugs section to manual page.

	start adding invocation examples.

	sandbox recvfrom.

	implement basic read sandboxing.

	sys_access: handle X_OK using exec sandboxing.

	add blacklist section to configuration file.

	sandbox access and faccessat.

	improve sys_open a bit.

	fix tests, broken by previous commit.

2011-05-04  Ali Polatel  <alip@exherbo.org>

	sandboxing with states, implement blacklisting.

	more macro work.

	extend wildmatch for dir/***

	improve documentation, suggested by kimrhh.

	more documentation, add an example.

	write more documentation.

	test utime.

2011-05-03  Ali Polatel  <alip@exherbo.org>

	require pinktrace-0.1.1.

	really install paludis profile.

	Install paludis profile.

2011-05-02  Ali Polatel  <alip@exherbo.org>

	fix various bugs wrt config parsing.

2011-04-29  Ali Polatel  <alip@exherbo.org>

	update JSON parser.

	simplify.

	document more magic.

	more macro foo.

	fix valgrind errors.

2011-04-28  Ali Polatel  <alip@exherbo.org>

	useless include.

	useless whitespace.

	fix comment.

	smarter boolean parsing magic.

	use isdigit.

2011-04-27  Ali Polatel  <alip@exherbo.org>

	whitelist successful bind calls by default.

	add magic to allow/deny unsupported socket families.

	parse ports using service names as well.

	fix JSON parsing for integer values.

	wiser error message.

2011-04-26  Ali Polatel  <alip@exherbo.org>

	fix logging of panic() and violation()

	add comment explaining why we change ptrace's EIO.

	use startswith.

2011-04-23  Ali Polatel  <alip@exherbo.org>

	Add SIGUSR handler and macro foo.

2011-04-17  Ali Polatel  <alip@exherbo.org>

	remove unrelated comment.

	log process name reading /proc/$pid/comm.

	make core/log/file magic work during runtime.

	Add /run/nscd/socket to connect whitelist.

	define _GNU_SOURCE.

2011-04-16  Ali Polatel  <alip@exherbo.org>

	kill/resume processes properly.

	Revert "manual: Add KNOWN BUGS section"
	This reverts commit fa04c7cda01e38df44077fe1ea957f26360eaed6.

	detach properly.

2011-04-01  Ali Polatel  <alip@exherbo.org>

	create the log file with correct permissions.

2011-03-31  Ali Polatel  <alip@exherbo.org>

	manual: Add KNOWN BUGS section.

	fix sys_open.

	write more documentation.

	add close wrapper for EINTR.

	treat pid_t as unsigned long for safety.

	fix a couple of errors reported by valgrind.

	Use sys/queue.h instead of the custom slist.c.

	move TRACE_OPTIONS out of pandora-defs.h.

	use PINK_GCC_ATTR.

	allocate less memory.

	s/allow/whitelist/

	Update manual page.

	fix tests.

	tweak syscall handlers, fix symlink handling.

	tweak boolean assignments.

	new enums magic_type and magic_key.

	s/allow/whitelist, fix config parsing for array appends.

	smarter magic array operations.

	more robust configuration.

	default is default.

	preparation for sys/queue.h usage.

2011-03-30  Ali Polatel  <alip@exherbo.org>

	Update for pinktrace's recent tweak of properties.

	pinktrace's process tree is now process list.

2011-02-08  Ali Polatel  <alip@exherbo.org>

	sandbox system call futimesat, update manual page.

	fix resolving of unix socket paths.

	kill the stupid XFREE macro.

	refactor, fix a few bugs.

2011-02-03  Ali Polatel  <alip@exherbo.org>

	fix autofail.

	initial newline for signal handler.

	required functions are required.

2011-02-02  Ali Polatel  <alip@exherbo.org>

	tweak box_check_path a bit more.

	Refactor box_check_path a bit.

2011-02-01  Ali Polatel  <alip@exherbo.org>

	tweak sysexit reasons.

	tweak sys_execve.

2011-01-29  Ali Polatel  <alip@exherbo.org>

	more comments.

	correct comment about unused types.

	make kill() configurable.

2011-01-28  Ali Polatel  <alip@exherbo.org>

	write more documentation.

	Environment variables in config are *not* expanded.

	tweak reporting and synopsis.

	use %lu as format for process ID.

	Add initial README.

	tweak manual page.

2011-01-27  Ali Polatel  <alip@exherbo.org>

	add initial manual page.

2011-01-21  Ali Polatel  <alip@exherbo.org>

	fix a couple of compiler warnings.

2011-01-08  Ali Polatel  <alip@exherbo.org>

	fix error path in callback_exec.

	fix for AT_FDCWD.

2011-01-07  Ali Polatel  <alip@exherbo.org>

	simplify attach.

	remove cruft.

2011-01-05  Ali Polatel  <alip@exherbo.org>

	use xasprintf.

	tweak logging, use {v,}dprintf()

	tweak allowing /proc/$pid.

	remove attach tests.

2011-01-04  Ali Polatel  <alip@exherbo.org>

	update configure.ac.

2011-01-02  Ali Polatel  <alip@exherbo.org>

	attach to all threads reading /proc/$pid/task.

2011-01-01  Ali Polatel  <alip@exherbo.org>

	tweak logging.

2010-12-30  Ali Polatel  <alip@exherbo.org>

	tweak magic table.

	initial magic queries.

	use filters.

	lock magic commands on execve.

2010-12-29  Ali Polatel  <alip@exherbo.org>

	implement bindzero.

	set prereq ATTACH for attaching tests.

	use a hashtable for syscall table.

	tweak test-lib.sh.

	expand network aliases.

2010-12-28  Ali Polatel  <alip@exherbo.org>

	a little more logging.

	fix magic core/abort/decision.

	tweak tests for better debugging.

	add tests for sys_umount2, tweak others.

	remove basename_alloc and dirname_alloc.

	strrchr may return NULL.

	sandbox utimensat()

	sandbox *attr functions.

2010-12-27  Ali Polatel  <alip@exherbo.org>

	add tests for sys_umount.

	respect UMOUNT_NOFOLLOW for sys_umount2.

	add tests for sys_truncate.

	fix sys_rmdir and add tests.
	rmdir(2) does *not* resolve symbolic links.

	tweak tests a bit.

	add tests for sys_mknod.

	tweak sys_mkdir tests.

	more tests for sys_mkdir.

	start adding mkdir tests.

	fix sys_lchown and add tests.

2010-12-26  Ali Polatel  <alip@exherbo.org>

	don't do network sandboxing if core.sandbox.sock is false.

	fix a few errors reported by valgrind.

	fix inheritance of socket addresses.

	poor man's network sandboxing.
	WIP, bindzero et al. aren't handled yet.

2010-12-23  Ali Polatel  <alip@exherbo.org>

	more logging, fix a few sidebugs.

	handle SIGSEGV as well.

	segfaulting is bad mmkay?

	properly handle proc_cwd fail for initial child.

	fix proc_cwd for non-existent directories.
	If the working directory of a process is removed after the process is
	started, /proc/$pid/cwd is a dangling symbolic link to
	"/path/to/current/working/directory (deleted)".

	add basic signal handling.

	nicer error messages.

	update sample config.

	refactor the code and implement {resume,kill}_if_match.

	fix chmod tests, add more tests for creat.

2010-12-22  Ali Polatel  <alip@exherbo.org>

	fix magic_key_lookup.

	track 'eldestness' per-process.

	this is pandora, not sydbox.

	update for the latest pinktrace changes.

	saner logging with timestamps.

	tweak test-lib.sh.

	fix valgrind errors.

	improve configuration a bit, add a sample config.

	make log file configurable via magic.

	make loglevel configurable via magic, remove fnmatch crap.

	poor man's execve sandboxing.

	rework the system call callbacks.

	test sanity of the wildmatcher.

	Use wildmatch.c from rsync, instead of stupid shell.c.

	Add skeleton tests.

	add more tests.

	Fix EEXIST safe violation.

	preserve errno for deny_syscall()

2010-12-21  Ali Polatel  <alip@exherbo.org>

	Add some config options for tests and use them.

	more work on tests.

	Add -E option for putenv()

	add tests for sandbox creat(2)

	run tests under trash.

	Rework the test suite.

	fix sandbox open(2)
	Handle (O_CREAT | O_EXCL) combination.
	Handle (O_RDONLY | O_CREAT) which may create the file.
	Add more tests, covering all flag combinations we care about.

	Add hooks for more system calls.

	Add hooks for a few more system calls.

	initial panic handling.

	initial chdir handler.

2010-12-20  Ali Polatel  <alip@exherbo.org>

	more work.

	Add sparse-check target to Makefile.

	test sandbox open(2)

	start writing attaching tests.

	rework the whole config & magic interface.

	implement access violation reporting.

	tweak proc_cwd.

	rename: proc_getcwd -> proc_cwd.

	tweak magic commands.
	stat("/dev/sydbox...") may return:
	0       magic command processed successfully.
	-EPERM  magic command failed due to the magic lock.
	-EINVAL magic command wasn't specified correctly.

	add chown program test.

	implement /dev/sydbox/{disallow,rmfilter}

	don't leak decoded strings.

	fix inheritance of configuration.

	fix /proc/self handling.

	initial import.



