diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-04-16 21:50:49 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-04-16 22:03:18 -0400 |
| commit | f70cf9982ae3b0e57ca62612988478906707567f (patch) | |
| tree | 57e230ffa40fd75fad076df6a13ad162ae23f55b /src/common/sandbox.c | |
| parent | c80a6bd9d5cc341f822255050a24760d11cbd94a (diff) | |
| download | tor-f70cf9982ae3b0e57ca62612988478906707567f.tar tor-f70cf9982ae3b0e57ca62612988478906707567f.tar.gz | |
Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse
OpenSSL needs this, or RAND_poll() will kill the process.
Also, refuse with EACCESS, not errno==-1 (!).
Diffstat (limited to 'src/common/sandbox.c')
| -rw-r--r-- | src/common/sandbox.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 072275174..7067a72c7 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -363,8 +363,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } } - rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(-1), SCMP_SYS(open), - SCMP_CMP_MASKED(1, O_CLOEXEC, O_RDONLY)); + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), + SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " "error %d", rc); |