diff options
| author | Cristian Toader <cristian.matei.toader@gmail.com> | 2013-08-05 14:17:46 +0300 |
|---|---|---|
| committer | Cristian Toader <cristian.matei.toader@gmail.com> | 2013-08-05 14:17:46 +0300 |
| commit | d897690fc7f6f6b5b3d37da2e3e2b05f38222f06 (patch) | |
| tree | eda2526d67c333e08b6ecff5e040df725d96eefe | |
| parent | dde3ed385bc9de8bffa52b9b5e525fb7a0aae88b (diff) | |
| download | tor-d897690fc7f6f6b5b3d37da2e3e2b05f38222f06.tar tor-d897690fc7f6f6b5b3d37da2e3e2b05f38222f06.tar.gz | |
fixes suggested by nickm
| -rw-r--r-- | src/common/sandbox.c | 32 | ||||
| -rw-r--r-- | src/common/util.h | 2 | ||||
| -rw-r--r-- | src/or/main.c | 1 |
3 files changed, 30 insertions, 5 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index d330cab98..e35f51f05 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -17,8 +17,7 @@ #include "torlog.h" #include "orconfig.h" #include "torint.h" - -#define LENGHT(x) (sizeof(x)) / sizeof(x[0]) +#include "util.h" #if defined(HAVE_SECCOMP_H) && defined(__linux__) #define USE_LIBSECCOMP @@ -45,7 +44,7 @@ #include <time.h> #include <poll.h> -sandbox_cfg_t *filter_dynamic = NULL; +static sandbox_cfg_t *filter_dynamic = NULL; /** Variable used for storing all syscall numbers that will be allowed with the * stage 1 general Tor sandbox. @@ -136,7 +135,7 @@ sb_rt_sigaction(scmp_filter_ctx ctx) #endif }; - for (i = 0; i < LENGHT(param); i++) { + for (i = 0; i < ARRAY_LENGTH(param); i++) { rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 1, SCMP_CMP(0, SCMP_CMP_EQ, param[i])); if (rc) @@ -323,6 +322,7 @@ sb_fcntl64(scmp_filter_ctx ctx) } #endif +// allows everything but will keep for now.. static int sb_epoll_ctl(scmp_filter_ctx ctx) { @@ -338,6 +338,11 @@ sb_epoll_ctl(scmp_filter_ctx ctx) if (rc) return rc; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1, + SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL)); + if (rc) + return rc; + return 0; } @@ -561,13 +566,30 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) return 0; } +int +sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com) +{ + sandbox_cfg_t *elem = NULL; + + elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t)); + elem->syscall = SCMP_SYS(openat); + elem->pindex = 1; + elem->ptype = PARAM_PTR; + elem->param = (intptr_t) prot_strdup((char*) com);; + elem->prot = 1; + elem->next = filter_dynamic; + filter_dynamic = elem; + + return 0; +} + static int add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) { int i, rc = 0; // function pointer - for (i = 0; i < LENGHT(filter_func); i++) { + for (i = 0; i < ARRAY_LENGTH(filter_func); i++) { if ((filter_func[i])(ctx)) { log_err(LD_BUG,"(Sandbox) failed to add syscall, received libseccomp " "error %d", rc); diff --git a/src/common/util.h b/src/common/util.h index 5596378bc..fc4ca291b 100644 --- a/src/common/util.h +++ b/src/common/util.h @@ -533,5 +533,7 @@ int format_helper_exit_status(unsigned char child_state, const char *libor_get_digests(void); +#define ARRAY_LENGTH(x) (sizeof(x)) / sizeof(x[0]) + #endif diff --git a/src/or/main.c b/src/or/main.c index ab7b6ec1c..ab3b8405e 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2644,6 +2644,7 @@ sandbox_init_filter() { sandbox_cfg_t *cfg = sandbox_cfg_new(); + // TODO: mem leak sandbox_cfg_allow_openat_filename(&cfg, get_datadir_fname("cached-status")); |