[tor-commits] [tor/master] updated filters to work with orport
commit 89b39db003922f5b05f9e4e2fc7658b225a2f70a
Author: Cristian Toader <cristian.matei.toader@xxxxxxxxx>
Date: Fri Aug 9 19:07:20 2013 +0300
updated filters to work with orport
---
src/common/crypto.c | 3 ++-
src/common/sandbox.c | 16 +++++++++++++++-
src/or/cpuworker.c | 2 --
src/or/main.c | 19 ++++++++++++++++++-
4 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/src/common/crypto.c b/src/common/crypto.c
index e60172b..71d5166 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -56,6 +56,7 @@
#include "../common/util.h"
#include "container.h"
#include "compat.h"
+#include "sandbox.h"
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
#error "We require OpenSSL >= 0.9.8"
@@ -2349,7 +2350,7 @@ crypto_strongest_rand(uint8_t *out, size_t out_len)
return 0;
#else
for (i = 0; filenames[i]; ++i) {
- fd = open(filenames[i], O_RDONLY, 0);
+ fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
if (fd<0) continue;
log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
n = read_all(fd, (char*)out, out_len, 0);
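Review bot: The `open()` call in the `filenames` loop now goes through `sandbox_intern_string()` with no comment saying why the path has to be replaced. A short comment above the call would help, for example `/* The sandbox open() filter presumably matches the path against registered strings, so pass the interned copy. */`, with the wording confirmed against sandbox.c, which this hunk does not show. The comment or the function's documentation should also say what `sandbox_intern_string()` returns when the path was never registered or the sandbox is inactive, since that decides whether this loop can still reach an entropy device. The body of `crypto_strongest_rand` starts and ends outside the hunk.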
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 1f15674..2ba1432 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -104,6 +104,8 @@ static int filter_nopar_gen[] = {
SCMP_SYS(exit_group),
SCMP_SYS(exit),
+ SCMP_SYS(madvise),
+
// Not needed..
// SCMP_SYS(set_thread_area),
// SCMP_SYS(set_tid_address),
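Review bot: `SCMP_SYS(madvise)` is added to `filter_nopar_gen`, so the call is allowed with any arguments, and neither this entry nor the new `mmap2` rule in the `sb_mmap2` hunk records which code path needs it. An allowance in a seccomp filter is much easier to audit, and later to remove, when its reason sits next to it; a one-line comment such as `// madvise: needed by <caller> when running with an ORPort` would do, with the caller filled in from the trace that motivated the change. If only one advice value is required, a parameter filter on argument 2 would keep the allowance narrow. The array initializer starts and ends outside the hunk.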
@@ -195,6 +197,13 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+ SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
+ SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
+ if (rc) {
+ return rc;
+ }
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
if (rc) {
@@ -431,6 +440,11 @@ sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
+ SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
+ if (rc)
+ return rc;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
if (rc)
return rc;
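Review bot: The new `mprotect` rule compares only argument 2, so it allows `PROT_READ|PROT_WRITE` on any address range, including pages the process may have made read-only on purpose. The exact match with `SCMP_CMP_EQ` means this rule does not admit `PROT_EXEC`, which is the important property, but the unrestricted address scope deserves a comment above the rule, for example `/* RW mprotect is not limited by address; needed by <caller>. Never add PROT_EXEC here. */`. `sb_mprotect` starts and ends outside the hunk, so the other rules in the function are not visible here.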
@@ -675,7 +689,7 @@ add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
static int
add_noparam_filter(scmp_filter_ctx ctx)
{
- int i, filter_size, rc = 0;
+ int i, rc = 0;
// add general filters
for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 245f67e..61f9faa 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -571,8 +571,6 @@ spawn_enough_cpuworkers(void)
if (num_cpuworkers_needed > MAX_CPUWORKERS)
num_cpuworkers_needed = MAX_CPUWORKERS;
- getchar();
-
while (num_cpuworkers < num_cpuworkers_needed) {
if (spawn_cpuworker() < 0) {
log_warn(LD_GENERAL,"Cpuworker spawn failed. Will try again later.");
diff --git a/src/or/main.c b/src/or/main.c
index 5b6b778..36acde4 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2665,9 +2665,16 @@ sandbox_init_filter()
get_datadir_fname("cached-microdescs.new.tmp"));
sandbox_cfg_allow_open_filename(&cfg,
get_datadir_fname("unverified-microdesc-consensus"));
- sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors"));
+ sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-descriptors"));
sandbox_cfg_allow_open_filename(&cfg,
get_datadir_fname("cached-descriptors.new"));
+ sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-descriptors.tmp"));
+ sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-descriptors.new.tmp"));
+ sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-descriptors.tmp.tmp"));
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-extrainfo"));
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("state.tmp"));
sandbox_cfg_allow_open_filename(&cfg,
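Review bot: `cached-descriptors.tmp.tmp` has a doubled suffix that reads like a typo, and nothing in the hunk says which write path produces that name. If it is intentional, a comment such as `/* temporary created while rewriting cached-descriptors.tmp */` (to be confirmed against the code that writes the file) would stop a later cleanup from deleting the entry. More generally these paths are a hand-kept copy of names built elsewhere, so each added suffix widens the open() allowlist with no check that it matches what the writer really opens; the same applies to `secret_onion_key_ntor.tmp` in the next hunk. `sandbox_init_filter` continues outside the hunk.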
@@ -2683,6 +2690,8 @@ sandbox_init_filter()
sandbox_cfg_allow_open_filename(&cfg,
get_datadir_fname2("keys", "secret_onion_key_ntor"));
sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"));
+ sandbox_cfg_allow_open_filename(&cfg,
get_datadir_fname2("keys", "secret_id_key.old"));
sandbox_cfg_allow_open_filename(&cfg,
get_datadir_fname2("keys", "secret_onion_key.old"));
@@ -2692,8 +2701,16 @@ sandbox_init_filter()
get_datadir_fname2("keys", "secret_onion_key.tmp"));
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("fingerprint"));
+ sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-consensus.tmp"));
+ sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-consensus"));
sandbox_cfg_allow_open_filename(&cfg, "/etc/resolv.conf");
+ sandbox_cfg_allow_open_filename(&cfg, "/dev/srandom");
+ sandbox_cfg_allow_open_filename(&cfg, "/dev/urandom");
+ sandbox_cfg_allow_open_filename(&cfg, "/dev/random");
+
}
sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");
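Review bot: The three entropy devices are registered just before the closing `}`, so they are allowed only when the enclosing block's condition holds, while the crypto.c change in this commit interns and opens the same paths in `crypto_strongest_rand` unconditionally. The condition is outside the hunk, but if it is limited to the ORPort case, a process running without it that reseeds after the sandbox is active would call `open()` on a path the filter never registered. Consider placing the `/dev/srandom`, `/dev/urandom` and `/dev/random` lines with the unconditional entries above the block, and dropping the blank line added before the `}`. A comment such as `/* keep in sync with filenames[] in crypto_strongest_rand() */` would also tie the two lists together.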