author | Cristian Toader <cristian.matei.toader@gmail.com> | 2013-07-26 19:53:05 +0300 |
---|---|---|
committer | Cristian Toader <cristian.matei.toader@gmail.com> | 2013-07-26 19:53:05 +0300 |
commit | 8f9d3da19447f138bc451937b20537810926ff30 (patch) | |
tree | 4d4fb0c73988f76d77e8e755a71ecef3fe05609d /src | |
parent | 626a2b23de006154b6cb3fa334a97dc547d56a98 (diff) | |
Investigated accept4 syscall problem, small changes to filter.
Diffstat (limited to 'src')
-rw-r--r-- | src/common/sandbox.c | 20 | ||||
-rw-r--r-- | src/or/main.c | 2 |
2 files changed, 11 insertions, 11 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ce6b63c17..4a3faa47c 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -48,10 +48,16 @@ static sandbox_static_cfg_t filter_static[] = {
 {SCMP_SYS(rt_sigaction), PARAM_NUM, 0, (intptr_t)(SIGXFSZ), 0},
 #endif
 {SCMP_SYS(rt_sigaction), PARAM_NUM, 0, (intptr_t)(SIGCHLD), 0},
+ {SCMP_SYS(time), PARAM_NUM, 0, 0, 0},
 };
 /** Variable used for storing all syscall numbers that will be allowed with the
 * stage 1 general Tor sandbox.
+ *
+ * todo:
+ * read, write, close - rely on fd
+ *
+ *
 */
 static int filter_nopar_gen[] = {
 SCMP_SYS(access),
@@ -124,7 +130,6 @@ static int filter_nopar_gen[] = {
 #ifdef __NR_stat64
 SCMP_SYS(stat64),
 #endif
- SCMP_SYS(time),
 SCMP_SYS(uname),
 SCMP_SYS(write),
 SCMP_SYS(exit_group),
@@ -137,27 +142,20 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(getsockname),
 SCMP_SYS(getsockopt),
 SCMP_SYS(listen),
-#if __NR_recv >= 0
- /* This is a kludge; It's necessary on 64-bit with libseccomp 1.0.0; I
- * don't know if other 64-bit or other versions require it. */
 SCMP_SYS(recv),
-#endif
 SCMP_SYS(recvmsg),
-#if __NR_send >= 0
- SCMP_SYS(send),
-#endif
 SCMP_SYS(sendto),
+ SCMP_SYS(send),
 SCMP_SYS(setsockopt),
 SCMP_SYS(socket),
 SCMP_SYS(socketpair),
- // TODO: remove when accept4 is fixed
 #ifdef __NR_socketcall
- SCMP_SYS(socketcall),
+// SCMP_SYS(socketcall),
 #endif
 SCMP_SYS(recvfrom),
- SCMP_SYS(unlink)
+ SCMP_SYS(unlink),
 };
 char*
diff --git a/src/or/main.c b/src/or/main.c
index 978c17127..269d3fd9b 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2661,6 +2661,8 @@ sandbox_init_filter()
 sandbox_cfg_allow_open_filename(&cfg,
 get_datadir_fname("cached-microdescs.new"));
 sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-microdescs.new.tmp"));
+ sandbox_cfg_allow_open_filename(&cfg,
 get_datadir_fname("unverified-microdesc-consensus"));
 sandbox_cfg_allow_open_filename(&cfg,
 get_datadir_fname("cached-descriptors"));
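Review bot: The new `filter_static` row `{SCMP_SYS(time), PARAM_NUM, 0, 0, 0}` in the first sandbox.c hunk (@@ -48,10 +48,16 @@) carries no comment saying what the pinned values mean, and the `sandbox_static_cfg_t` layout is defined outside the hunk. If the columns are syscall, parameter type, argument index, value and protection flag, the row restricts `time` to a zero first argument, and a comment such as `/* time(): argument 0 must be 0, i.e. only time(NULL) */` would let the next reader check that without opening the struct definition. The added `todo:` block also ends in two empty ` *` lines and does not say what "rely on fd" requires; `TODO: restrict read, write and close by file descriptor` would state the intent.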
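Review bot: In the third sandbox.c hunk (@@ -137,27 +142,20 @@) the `#if __NR_recv >= 0` and `#if __NR_send >= 0` guards are dropped while `SCMP_SYS(recv)` and `SCMP_SYS(send)` stay in `filter_nopar_gen`, although the removed comment said the guard was necessary on 64-bit with libseccomp 1.0.0. If a rule for one of these entries is rejected on such a build, the filter-loading code (outside this hunk) decides whether the sandbox still gets installed, so the guards should stay until that path is confirmed: keep `#if __NR_recv >= 0` … `#endif` and `#if __NR_send >= 0` … `#endif` around the two entries. The `// SCMP_SYS(socketcall),` line also leaves an empty `#ifdef __NR_socketcall` block holding commented-out code; where that syscall exists, socket operations are typically multiplexed through it, so either delete the block with a comment recording why it is no longer allowed, or restore the entry. The array's opening lines are outside this hunk.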
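Review bot: In the main.c hunk only `cached-microdescs.new` gains a `.tmp` sibling in the open allow-list; the neighbouring entries visible here (`unverified-microdesc-consensus`, `cached-descriptors`) have none. If those files are also written through a temporary file, which is inferred because the write path is not visible, their opens would be refused once the sandbox is active, so it is worth checking each entry against how the file is written. A short comment on the new call, for example `/* written via a .tmp file before being moved into place */`, would record why the extra path is needed. `sandbox_init_filter()` starts and ends outside the hunk, so whether the string returned by `get_datadir_fname()` is owned by the config or must be freed cannot be judged from here.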