[tor-commits] [tor/master] Let AF_UNIX connections through the sandbox
commit 21ac0cd2afb2275bfe89237c3aeb545fb7de537e
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Mon Feb 23 12:33:58 2015 -0500
Let AF_UNIX connections through the sandbox
Fixes bug 15003; bugfix on 0.2.6.3-alpha.
---
changes/bug15003 | 3 +++
src/common/sandbox.c | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/changes/bug15003 b/changes/bug15003
new file mode 100644
index 0000000..2dcce74
--- /dev/null
+++ b/changes/bug15003
@@ -0,0 +1,3 @@
+ o Major bugfixes (linux seccomp2 sandbox):
+ - Allow AF_UNIX hidden services to be used with the seccomp2 sandbox.
+ Fixes bug 15003; bugfix on 0.2.6.3-alpha.
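Review bot: the entry names only hidden services, but the rule this same patch adds in src/common/sandbox.c matches any socket() call with PF_UNIX, a stream type and protocol 0, whichever part of the process makes it. Consider wording the entry as allowing AF_UNIX stream sockets under the seccomp2 sandbox, with hidden services as the use case, so the changelog reflects how far the filter was widened.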
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 57847e1..fe97af3 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -543,6 +543,11 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+ SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+ SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
+ SCMP_CMP(2, SCMP_CMP_EQ, 0));
+
+ rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
SCMP_CMP(2, SCMP_CMP_EQ, 0));
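Review bot: the result of the new PF_UNIX seccomp_rule_add_3 call is never checked. `rc` is assigned and then overwritten by the PF_NETLINK call right after the blank added line, so a failure to install the AF_UNIX rule is silently lost and would only show up later, when the sandbox refuses the socket() call at runtime. Check `rc` immediately after the new call and bail out on a nonzero value before the PF_NETLINK rule is added. A one-line comment saying which type values the SCMP_CMP_MASKED argument is meant to accept (SOCK_STREAM, with or without SOCK_CLOEXEC and SOCK_NONBLOCK) would also help, since the macro's mask semantics are not visible in this hunk.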