[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] Fix some initial sandbox issues.
commit ae9d6d73f50f6205f0651a627d3bf7b0d99273f1
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Fri Mar 28 01:52:08 2014 -0400
Fix some initial sandbox issues.
Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
---
src/common/sandbox.c | 6 ++++++
src/or/main.c | 9 +++++++++
2 files changed, 15 insertions(+)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 0548f3e..299c6f2 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -124,6 +124,7 @@ static int filter_nopar_gen[] = {
SCMP_SYS(rename),
SCMP_SYS(rt_sigreturn),
SCMP_SYS(set_robust_list),
+ SCMP_SYS(_sysctl),
#ifdef __NR_sigreturn
SCMP_SYS(sigreturn),
#endif
@@ -249,6 +250,11 @@ sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (rc) {
return rc;
}
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 1,
+ SCMP_CMP(3, SCMP_CMP_EQ, SOCK_CLOEXEC|SOCK_NONBLOCK));
+ if (rc) {
+ return rc;
+ }
return 0;
}
diff --git a/src/or/main.c b/src/or/main.c
index 0264064..1614954 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2732,8 +2732,11 @@ sandbox_init_filter(void)
get_datadir_fname("cached-certs"), 1,
get_datadir_fname("cached-certs.tmp"), 1,
get_datadir_fname("cached-consensus"), 1,
+ get_datadir_fname("cached-consensus.tmp"), 1,
get_datadir_fname("unverified-consensus"), 1,
get_datadir_fname("unverified-consensus.tmp"), 1,
+ get_datadir_fname("unverified-microdesc-consensus"), 1,
+ get_datadir_fname("unverified-microdesc-consensus.tmp"), 1,
get_datadir_fname("cached-microdesc-consensus"), 1,
get_datadir_fname("cached-microdesc-consensus.tmp"), 1,
get_datadir_fname("cached-microdescs"), 1,
@@ -2747,9 +2750,15 @@ sandbox_init_filter(void)
get_datadir_fname("cached-descriptors.new.tmp"), 1,
get_datadir_fname("cached-descriptors.tmp.tmp"), 1,
get_datadir_fname("cached-extrainfo"), 1,
+ get_datadir_fname("cached-extrainfo.new"), 1,
+ get_datadir_fname("cached-extrainfo.tmp"), 1,
+ get_datadir_fname("cached-extrainfo.new.tmp"), 1,
+ get_datadir_fname("cached-extrainfo.tmp.tmp"), 1,
get_datadir_fname("state.tmp"), 1,
get_datadir_fname("unparseable-desc.tmp"), 1,
get_datadir_fname("unparseable-desc"), 1,
+ get_datadir_fname("v3-status-votes"), 1,
+ get_datadir_fname("v3-status-votes.tmp"), 1,
"/dev/srandom", 0,
"/dev/urandom", 0,
"/dev/random", 0,
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits