-rw-r--r-- | src/common/sandbox.c | 20 | ||||
-rw-r--r-- | src/or/main.c | 2 |
2 files changed, 11 insertions, 11 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ce6b63c17..4a3faa47c 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -48,10 +48,16 @@ static sandbox_static_cfg_t filter_static[] = {
 {SCMP_SYS(rt_sigaction), PARAM_NUM, 0, (intptr_t)(SIGXFSZ), 0},
 #endif
 {SCMP_SYS(rt_sigaction), PARAM_NUM, 0, (intptr_t)(SIGCHLD), 0},
+ {SCMP_SYS(time), PARAM_NUM, 0, 0, 0},
 };
 /** Variable used for storing all syscall numbers that will be allowed with the
 * stage 1 general Tor sandbox.
+ *
+ * todo:
+ * read, write, close - rely on fd
+ *
+ *
 */
 static int filter_nopar_gen[] = {
 SCMP_SYS(access),
@@ -124,7 +130,6 @@ static int filter_nopar_gen[] = {
 #ifdef __NR_stat64
 SCMP_SYS(stat64),
 #endif
- SCMP_SYS(time),
 SCMP_SYS(uname),
 SCMP_SYS(write),
 SCMP_SYS(exit_group),
@@ -137,27 +142,20 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(getsockname),
 SCMP_SYS(getsockopt),
 SCMP_SYS(listen),
-#if __NR_recv >= 0
- /* This is a kludge; It's necessary on 64-bit with libseccomp 1.0.0; I
- * don't know if other 64-bit or other versions require it. */
 SCMP_SYS(recv),
-#endif
 SCMP_SYS(recvmsg),
-#if __NR_send >= 0
- SCMP_SYS(send),
-#endif
 SCMP_SYS(sendto),
+ SCMP_SYS(send),
 SCMP_SYS(setsockopt),
 SCMP_SYS(socket),
 SCMP_SYS(socketpair),
- // TODO: remove when accept4 is fixed
 #ifdef __NR_socketcall
- SCMP_SYS(socketcall),
+// SCMP_SYS(socketcall),
 #endif
 SCMP_SYS(recvfrom),
- SCMP_SYS(unlink)
+ SCMP_SYS(unlink),
 };
 char*
diff --git a/src/or/main.c b/src/or/main.c
index 978c17127..269d3fd9b 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2661,6 +2661,8 @@ sandbox_init_filter()
 sandbox_cfg_allow_open_filename(&cfg,
 get_datadir_fname("cached-microdescs.new"));
 sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-microdescs.new.tmp"));
+ sandbox_cfg_allow_open_filename(&cfg,
 get_datadir_fname("unverified-microdesc-consensus"));
 sandbox_cfg_allow_open_filename(&cfg,
 get_datadir_fname("cached-descriptors")); |
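Review bot: The added `{SCMP_SYS(time), PARAM_NUM, 0, 0, 0}` row in filter_static carries three bare zeros and no comment, so a reader cannot tell which is the argument index and which the permitted value. Going by the neighbouring rt_sigaction rows it presumably admits time() only when argument 0 equals 0, i.e. a NULL pointer; I would say so on the line, e.g. `/* time(NULL) only: argument 0 must be 0 */`, and confirm no caller passes a non-NULL pointer, since that call would be denied once the sandbox is active. The todo added to the filter_nopar_gen comment (`read, write, close - rely on fd`) should state what remains to be done and drop the two empty ` *` lines. Both array initialisers start or end outside the hunk.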
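Review bot: Dropping the `#if __NR_recv >= 0` and `#if __NR_send >= 0` guards in the third sandbox.c hunk discards a workaround that the removed comment says was needed on 64-bit with libseccomp 1.0.0, and nothing in the change records why it is now safe. If `SCMP_SYS(recv)` or `SCMP_SYS(send)` still resolve to a negative pseudo-number on such builds, installing the filter may fail there (inferred; the code that walks filter_nopar_gen is not in this hunk), so either keep the guards or note the libseccomp version that made them unnecessary. The `#ifdef __NR_socketcall` block is left holding only the commented-out `// SCMP_SYS(socketcall),`; delete those three lines, or, if 32-bit x86 builds that route socket operations through socketcall(2) are meant to run sandboxed, keep the entry with a comment that it is a deliberately broad allowance.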
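Review bot: Only `cached-microdescs.new` gains a `.tmp` sibling in the open allow-list in sandbox_init_filter(); the entries around it (`unverified-microdesc-consensus`, `cached-descriptors`) do not. If those files are also replaced through a temporary file (not visible here), the same open would be denied under the sandbox, so it is worth checking each writer and adding the matching names in this commit. A short comment above the new call, e.g. `/* opened as a temporary file before replacing cached-microdescs.new */` if that is indeed the reason, would keep the allow-list auditable. The function starts and ends outside the hunk.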