diff options
| author | Cristian Toader <cristian.matei.toader@gmail.com> | 2013-07-31 11:35:25 +0300 |
|---|---|---|
| committer | Cristian Toader <cristian.matei.toader@gmail.com> | 2013-07-31 11:35:25 +0300 |
| commit | 313cbe6e24618c4c5875c8e3aab4cd563c97791f (patch) | |
| tree | 66ff90612a6772484ad2bff6dc2e9f97048fcbb5 | |
| parent | f0840ed4c9f17f199d73b8b9788b08af0265026d (diff) | |
| download | tor-313cbe6e24618c4c5875c8e3aab4cd563c97791f.tar tor-313cbe6e24618c4c5875c8e3aab4cd563c97791f.tar.gz | |
sigprocmask, epoll_ctl, prctl, mprotect, flock, futex, mremap
| -rw-r--r-- | src/common/sandbox.c | 115 |
1 files changed, 107 insertions, 8 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 6de95da4d..fe2f457b0 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -34,6 +34,8 @@ #include <sys/syscall.h> #include <sys/types.h> #include <sys/epoll.h> +#include <sys/prctl.h> +#include <linux/futex.h> #include <bits/signum.h> #include <seccomp.h> @@ -55,13 +57,10 @@ static int filter_nopar_gen[] = { SCMP_SYS(epoll_create), SCMP_SYS(epoll_wait), SCMP_SYS(fcntl), - - SCMP_SYS(flock), SCMP_SYS(fstat), #ifdef __NR_fstat64 SCMP_SYS(fstat64), #endif - SCMP_SYS(futex), SCMP_SYS(getdents64), SCMP_SYS(getegid), #ifdef __NR_getegid32 @@ -88,14 +87,10 @@ static int filter_nopar_gen[] = { SCMP_SYS(mkdir), SCMP_SYS(mlockall), SCMP_SYS(mmap), - SCMP_SYS(mprotect), - SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(poll), - SCMP_SYS(prctl), SCMP_SYS(read), SCMP_SYS(rename), - SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigreturn), #ifdef __NR_sigreturn SCMP_SYS(sigreturn), @@ -344,8 +339,107 @@ sb_epoll_ctl(scmp_filter_ctx ctx) return 0; } +/** + * If multiple filters need to be added, seccomp needs to be whitelisted in + * this list. + */ +static int +sb_prctl(scmp_filter_ctx ctx) +{ + int rc = 0; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1, + SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE)); + if (rc) + return rc; + + return 0; +} + +/** + * does not NEED tobe here.. only occurs before filter + */ +static int +sb_mprotect(scmp_filter_ctx ctx) +{ + int rc = 0; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1, + SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ)); + if (rc) + return rc; + + return 0; +} + +/** + * does not NEED tobe here.. only occurs before filter + */ +static int +sb_rt_sigprocmask(scmp_filter_ctx ctx) +{ + int rc = 0; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1, + SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK)); + if (rc) + return rc; + + return 0; +} + +/** + * does not NEED tobe here.. only occurs before filter + */ +static int +sb_flock(scmp_filter_ctx ctx) +{ + int rc = 0; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1, + SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB)); + if (rc) + return rc; + + return 0; +} + +/** + * does not NEED tobe here.. only occurs before filter + */ +static int +sb_futex(scmp_filter_ctx ctx) +{ + int rc = 0; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1, + SCMP_CMP(1, SCMP_CMP_EQ, + FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME)); + if (rc) + return rc; + + return 0; +} + +/** + * does not NEED tobe here.. only occurs before filter + */ +static int +sb_mremap(scmp_filter_ctx ctx) +{ + int rc = 0; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), 1, + SCMP_CMP(1, SCMP_CMP_EQ, MREMAP_MAYMOVE)); + if (rc) + return rc; + + return 0; +} + static sandbox_filter_func_t filter_func[] = { sb_rt_sigaction, + sb_rt_sigprocmask, sb_execve, sb_time, sb_accept4, @@ -354,7 +448,12 @@ static sandbox_filter_func_t filter_func[] = { sb_openat, sb_clock_gettime, sb_fcntl64, - sb_epoll_ctl + sb_epoll_ctl, + sb_prctl, + sb_mprotect, + sb_flock, + sb_futex, + sb_mremap }; const char* |