[tor-commits] [tor/master] Revert "Change the sandbox behavior on all failed opens() to EACCES"
commit ea8e9f17f52877cc795f1792acb81d7fdaff6baf
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu Feb 1 08:39:38 2018 -0500
Revert "Change the sandbox behavior on all failed opens() to EACCES"
This reverts commit 9a06282546418b2e9d21559d4853bcf124b953f4.
It appears that I misunderstood how the seccomp2 filter rules
interact. It appears that `SCMP_ACT_ERRNO()` always takes
precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that
earlier rules would override later ones. But this change caused bug
25115 (not in any released Tor).
---
changes/bug16106 | 6 ------
src/common/sandbox.c | 8 ++++++--
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/changes/bug16106 b/changes/bug16106
deleted file mode 100644
index 9142a37e3..000000000
--- a/changes/bug16106
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (linux seccomp2 sandbox):
- - Cause a wider variety of unpermitted open() calls to fail with the
- EACCES error when the sandbox is running. This won't enable any
- previously non-working functionality, but it should turn several cases
- from crashes into sandbox warnings. Fixes bug 16106; bugfix on
- 0.2.5.1-alpha.
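Review bot: deleting changes/bug16106 outright leaves no record that the behavior described in this entry (unpermitted open() calls failing with EACCES instead of crashing) is no longer fixed. The commit message explains that bug 25115 was never released, so no new changes file is needed for the revert itself, but it should also say whether bug 16106 is to be reopened, since the "Fixes bug 16106" claim is withdrawn along with this file.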
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 043b8bf14..37f582048 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -481,14 +481,18 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
}
- rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open));
+ rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
+ SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+ O_RDONLY));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
"error %d", rc);
return rc;
}
- rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat));
+ rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
+ SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+ O_RDONLY));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
"libseccomp error %d", rc);
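Review bot: the two restored seccomp_rule_add_1() calls for open and openat in sb_open() have no comment saying why the EACCES rule must stay conditional, which is the misunderstanding the commit message describes. A short comment above each call, noting that an SCMP_ACT_ERRNO() rule takes precedence over the SCMP_ACT_ALLOW() rules added earlier in this function, so an unconditional seccomp_rule_add_0() would override them, would keep the next reader from repeating the reverted change. The comment should also spell out what the comparison matches: the mask O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW does not include the access-mode bits, so comparing the masked value to O_RDONLY tests only that none of those four flags is set, not that the open is read-only.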