[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/master] sigprocmask, epoll_ctl, prctl, mprotect, flock, futex, mremap

commit 313cbe6e24618c4c5875c8e3aab4cd563c97791f
Author: Cristian Toader <cristian.matei.toader@xxxxxxxxx>
Date:   Wed Jul 31 11:35:25 2013 +0300

    sigprocmask, epoll_ctl, prctl, mprotect, flock, futex, mremap
---
 src/common/sandbox.c |  115 ++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 107 insertions(+), 8 deletions(-)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 6de95da..fe2f457 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -34,6 +34,8 @@
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/epoll.h>
+#include <sys/prctl.h>
+#include <linux/futex.h>
 #include <bits/signum.h>
 
 #include <seccomp.h>
@@ -55,13 +57,10 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(epoll_create),
     SCMP_SYS(epoll_wait),
     SCMP_SYS(fcntl),
-
-    SCMP_SYS(flock),
     SCMP_SYS(fstat),
 #ifdef __NR_fstat64
     SCMP_SYS(fstat64),
 #endif
-    SCMP_SYS(futex),
     SCMP_SYS(getdents64),
     SCMP_SYS(getegid),
 #ifdef __NR_getegid32
@@ -88,14 +87,10 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(mkdir),
     SCMP_SYS(mlockall),
     SCMP_SYS(mmap),
-    SCMP_SYS(mprotect),
-    SCMP_SYS(mremap),
     SCMP_SYS(munmap),
     SCMP_SYS(poll),
-    SCMP_SYS(prctl),
     SCMP_SYS(read),
     SCMP_SYS(rename),
-    SCMP_SYS(rt_sigprocmask),
     SCMP_SYS(rt_sigreturn),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
@@ -344,8 +339,107 @@ sb_epoll_ctl(scmp_filter_ctx ctx)
   return 0;
 }
 
+/**
+ * If multiple filters need to be added, seccomp needs to be whitelisted in
+ * this list.
+ */
+static int
+sb_prctl(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1,
+      SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_mprotect(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_rt_sigprocmask(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
+      SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_flock(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_futex(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ,
+          FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_mremap(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, MREMAP_MAYMOVE));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
 static sandbox_filter_func_t filter_func[] = {
     sb_rt_sigaction,
+    sb_rt_sigprocmask,
     sb_execve,
     sb_time,
     sb_accept4,
@@ -354,7 +448,12 @@ static sandbox_filter_func_t filter_func[] = {
     sb_openat,
     sb_clock_gettime,
     sb_fcntl64,
-    sb_epoll_ctl
+    sb_epoll_ctl,
+    sb_prctl,
+    sb_mprotect,
+    sb_flock,
+    sb_futex,
+    sb_mremap
 };
 
 const char*



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits