diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-03-28 01:52:08 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-04-16 22:03:07 -0400 |
| commit | ae9d6d73f50f6205f0651a627d3bf7b0d99273f1 (patch) | |
| tree | 8fa1c9cf15359e7b151152a38a50e7073383a57d /src/common/sandbox.c | |
| parent | 211b8cc31846e2d2ba75f19ab9f319f18cb70cfb (diff) | |
| download | tor-ae9d6d73f50f6205f0651a627d3bf7b0d99273f1.tar tor-ae9d6d73f50f6205f0651a627d3bf7b0d99273f1.tar.gz | |
Fix some initial sandbox issues.
Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
Diffstat (limited to 'src/common/sandbox.c')
| -rw-r--r-- | src/common/sandbox.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 0548f3edd..299c6f20b 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -124,6 +124,7 @@ static int filter_nopar_gen[] = { SCMP_SYS(rename), SCMP_SYS(rt_sigreturn), SCMP_SYS(set_robust_list), + SCMP_SYS(_sysctl), #ifdef __NR_sigreturn SCMP_SYS(sigreturn), #endif @@ -249,6 +250,11 @@ sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (rc) { return rc; } + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 1, + SCMP_CMP(3, SCMP_CMP_EQ, SOCK_CLOEXEC|SOCK_NONBLOCK)); + if (rc) { + return rc; + } return 0; } |