aboutsummaryrefslogtreecommitdiff
path: root/src/common/sandbox.c
Commit message (Collapse)AuthorAge
* Don't allow change to ConnLimit while sandbox is activeNick Mathewson2014-04-16
|
* Use SCMP_CMP_MASKED_EQ to allow flags, not force themNick Mathewson2014-04-16
| | | | | | | | | Older versions of Libevent are happy to open SOCK_DGRAM sockets non-cloexec and non-nonblocking, and then set those flags afterwards. It's nice to be able to allow a flag to be on or off in the sandbox without having to enumerate all its values. Also, permit PF_INET6 sockets. (D'oh!)
* Get Libevent's PRNG functioning under the linux sandboxNick Mathewson2014-04-16
| | | | | | | | | | | | | | Libevent uses an arc4random implementation (I know, I know) to generate DNS transaction IDs and capitalization. But it liked to initialize it either with opening /dev/urandom (which won't work under the sandbox if it doesn't use the right pointer), or with sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we were permitting sysctl unconditionally. That's not such a great idea. Instead, we try to initialize the libevent PRNG _before_ installing the sandbox, and make sysctl always fail with EPERM under the sandbox.
* Introduce arg-counting macros to wrap seccomp_rule_add()Nick Mathewson2014-04-16
| | | | | | | | | | | | | | The compiler doesn't warn about this code: rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD), SCMP_CMP(1, SCMP_CMP_EQ, param->value), SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...)); but note that the arg_cnt argument above is only 1. This means that only the first filter (argument 0 == AT_FDCWD) is actually checked! This patch also fixes the above error in the openat() filter. Earlier I fixed corresponding errors in filters for rename() and mprotect().
* Fix sandbox protection for renameNick Mathewson2014-04-16
| | | | (We were only checking the first parameter of each rename call.)
* Upgrade warning about missing interned string for sandboxNick Mathewson2014-04-16
|
* Have sandbox string protection include multi-valued parmeters.Nick Mathewson2014-04-16
|
* Clean up sandbox structures a bitNick Mathewson2014-04-16
| | | | | | Drop pindex,pindex2 as unused. Admit a type to avoid using a void*
* Add missing rename function for non-linux platformsNick Mathewson2014-04-16
|
* Drop 'fr' parameter from sandbox code.Nick Mathewson2014-04-16
| | | | | | | | | Appearently, the majority of the filenames we pass to sandbox_cfg_allow() functions are "freeable right after". So, consider _all_ of them safe-to-steal, and add a tor_strdup() in the few cases that aren't. (Maybe buggy; revise when I can test.)
* Add 'rename' to the sandboxed syscallsNick Mathewson2014-04-16
| | | | | | (If we don't restrict rename, there's not much point in restricting open, since an attacker could always use rename to make us open whatever they want.)
* Only intern one copy of each magic string for the sandboxNick Mathewson2014-04-16
| | | | | If we intern two copies of a string, later calls to sandbox_intern_string will give the wrong one sometimes.
* Fix some initial sandbox issues.Nick Mathewson2014-04-16
| | | | | Allow files that weren't in the list; Allow the _sysctl syscall; allow accept4 with CLOEXEC and NONBLOCK.
* Log a backtrace when the sandbox finds a failureNick Mathewson2014-04-10
| | | | | | | This involves some duplicate code between backtrace.c and sandbox.c, but I don't see a way around it: calling more functions would mean adding more steps to our call stack, and running clean_backtrace() against the wrong point on the stack.
* Make the sandbox code allow the writev() syscall.Nick Mathewson2014-04-10
| | | | Tor doesn't use it directly, but the glibc backtrace-to-fd code does
* Fix some leaks/missed checks in the unit testsNick Mathewson2014-03-13
| | | | Coverity spotted these.
* Add a sandbox rule to allow IP_TRANSPARENTNick Mathewson2014-02-02
|
* whitespace fixesNick Mathewson2014-01-17
|
* Fix some seccomp2 issuesNick Mathewson2014-01-06
| | | | | Fix for #10563. This is a compatibility issue with libseccomp-2.1. I guess you could call it a bugfix on 0.2.5.1?
* Merge branch 'backtrace_squashed'Nick Mathewson2013-11-18
|\ | | | | | | | | | | | | | | | | | | Conflicts: src/common/sandbox.c src/common/sandbox.h src/common/util.c src/or/main.c src/test/include.am src/test/test.c
| * Add a sighandler-safe logging mechanismNick Mathewson2013-11-18
| | | | | | | | | | | | | | | | | | We had accidentially grown two fake ones: one for backtrace.c, and one for sandbox.c. Let's do this properly instead. Now, when we configure logs, we keep track of fds that should get told about bad stuff happening from signal handlers. There's another entry point for these that avoids using non-signal-handler-safe functions.
* | Fix a memory leak on getaddrinfo in sandbox. Found by coverityNick Mathewson2013-09-16
| |
* | Clean up malloc issues in sandbox.cNick Mathewson2013-09-16
| | | | | | | | | | | | | | | | tor_malloc returns void *; in C, it is not necessary to cast a void* to another pointer type before assigning it. tor_malloc fails with an error rather than returning NULL; it's not necessary to check its output. (In one case, doing so annoyed Coverity.)
* | Merge remote-tracking branch 'ctoader/gsoc-cap-stage2'Nick Mathewson2013-09-13
|\ \ | |/ |/| | | | | Conflicts: src/common/sandbox.c
| * fixed compilation bug on i386 due to previous fixCristian Toader2013-09-12
| |
| * bug fix: syscalls send and recv not supported for x86_64 with libseccomp 1.0.1Cristian Toader2013-09-12
| |
| * remove debugging codeCristian Toader2013-09-12
| |
| * added extra buffer and limit to mprotect not to exceed the length of that bufferCristian Toader2013-09-12
| |
| * added filter protection for string parameter memoryCristian Toader2013-09-10
| |
| * fixed socket syscall bugCristian Toader2013-09-10
| |
| * Fix check-spacesNick Mathewson2013-09-09
| |
| * Fix compilation on OSXNick Mathewson2013-09-09
| |
| * Do not try to add non-existent syscalls.Nick Mathewson2013-09-09
| |
| * Fix a warning related to SCMP_CMP definition in header.Nick Mathewson2013-09-09
| | | | | | | | | | | | SCMP_CMP(a,b,c) leaves the fourth field of the structure undefined, giving a missing-initializer error. All of our uses are three-argument, so I'm overriding the default.
| * Fix most of the --enable-gcc-warnings warnings in the sandbox codeNick Mathewson2013-09-09
| |
| * Remove a usage of free()Nick Mathewson2013-09-09
| |
| * Basic compilation fixes.Nick Mathewson2013-09-09
| |
| * added missing documentation for sandbox functionsCristian Toader2013-09-06
| |
| * passing hints as a const pointer to sandbox_getaddrinfo(), also one tor_free ↵Cristian Toader2013-09-06
| | | | | | | | macro fails to compile..
| * replaced strdup with tor_strdupCristian Toader2013-09-06
| |
| * replaced malloc/free with tor_malloc/tor_freeCristian Toader2013-09-06
| |
| * switched string lengths from int to size_t in prot_strings()Cristian Toader2013-09-06
| |
| * fixed bug where sandbox_getaddrinfo() would fail when -Sandbox is 0Cristian Toader2013-09-03
| |
| * switched to a more generic way of handling the sandbox configurationCristian Toader2013-09-02
| |
| * added contingency message to test for sandbox_getaddrinfoCristian Toader2013-09-02
| |
| * make check-spaces fixCristian Toader2013-09-02
| |
| * changed how sb getaddrinfo works such that it supports storing multiple resultsCristian Toader2013-09-02
| |
| * make check-spaces fixCristian Toader2013-08-29
| |
| * switched from multiple mmap to oneCristian Toader2013-08-29
| |
| * _array filter functions now rely on final NULL parameterCristian Toader2013-08-29
| |