| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| |\ |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The old cache had problems:
* It needed to be manually preloaded. (It didn't remember any
address you didn't tell it to remember)
* It was AF_INET only.
* It looked at its cache even if the sandbox wasn't turned on.
* It couldn't remember errors.
* It had some memory management problems. (You can't use memcpy
to copy an addrinfo safely; it has pointers in.)
This patch fixes those issues, and moves to a hash table.
Fixes bug 11970; bugfix on 0.2.5.1-alpha.
|
| | |
| |
| |
| |
| | |
Fixes bug in b0c1c700114aa8d4dfc180d85870c5bbe15fcacb; bug
12229. Bugfix not in any released Tor. Patch from "alphawolf".
|
| | |
| |
| |
| | |
fixes bug 12139; bugfix on 0.2.5.1-alpha
|
| | |
| |
| |
| | |
Fix for 12115; bugfix on 0.2.5.1-alpha
|
| | |
| |
| |
| |
| | |
(This is how I found out I was trying to test with a kernel too old
for seccomp. I think.)
|
| |/
|
|
|
| |
This is a minimal set of changes for compilation; I need a more
recent kernel to test this stuff.
|
| |
|
|
|
|
|
|
| |
These are needed under some circumstances if we are running with
expensive-hardening and sandbox at the same time.
fixes 11477, bugfix on 0.2.5.4-alpha (where we introduced
expensive-hardening)
|
| |
|
|
|
|
|
|
|
|
|
| |
None of the things we might exec() can possibly run under the
sanbox, so rather than crash later, we have to refuse to accept the
configuration nice and early.
The longer-term solution is to have an exec() helper, but wow is
that risky.
fixes 12043; bugfix on 0.2.5.1-alpha
|
| | |
|
| |
|
|
|
|
| |
Previously we said "Sandbox is not implemented on this platform" on
Linux boxes without libseccomp. Now we say that you need to build
Tor built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
OpenSSL needs this, or RAND_poll() will kill the process.
Also, refuse with EACCESS, not errno==-1 (!).
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Older versions of Libevent are happy to open SOCK_DGRAM sockets
non-cloexec and non-nonblocking, and then set those flags
afterwards. It's nice to be able to allow a flag to be on or off in
the sandbox without having to enumerate all its values.
Also, permit PF_INET6 sockets. (D'oh!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization. But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we
were permitting sysctl unconditionally. That's not such a great
idea.
Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
|
| |
|
|
| |
(We were only checking the first parameter of each rename call.)
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Drop pindex,pindex2 as unused.
Admit a type to avoid using a void*
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.
(Maybe buggy; revise when I can test.)
|
| |
|
|
|
|
| |
(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
|
| |
|
|
|
| |
If we intern two copies of a string, later calls to
sandbox_intern_string will give the wrong one sometimes.
|
| |
|
|
|
| |
Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
|
| |
|
|
|
|
|
| |
This involves some duplicate code between backtrace.c and sandbox.c,
but I don't see a way around it: calling more functions would mean
adding more steps to our call stack, and running clean_backtrace()
against the wrong point on the stack.
|
| |
|
|
| |
Tor doesn't use it directly, but the glibc backtrace-to-fd code does
|
| |
|
|
| |
Coverity spotted these.
|
| | |
|
| | |
|
| |
|
|
|
| |
Fix for #10563. This is a compatibility issue with libseccomp-2.1.
I guess you could call it a bugfix on 0.2.5.1?
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/common/sandbox.c
src/common/sandbox.h
src/common/util.c
src/or/main.c
src/test/include.am
src/test/test.c
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
We had accidentially grown two fake ones: one for backtrace.c, and one
for sandbox.c. Let's do this properly instead.
Now, when we configure logs, we keep track of fds that should get told
about bad stuff happening from signal handlers. There's another entry
point for these that avoids using non-signal-handler-safe functions.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
tor_malloc returns void *; in C, it is not necessary to cast a
void* to another pointer type before assigning it.
tor_malloc fails with an error rather than returning NULL; it's not
necessary to check its output. (In one case, doing so annoyed Coverity.)
|
| |\ \
| |/
|/|
| |
| | |
Conflicts:
src/common/sandbox.c
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
SCMP_CMP(a,b,c) leaves the fourth field of the structure undefined,
giving a missing-initializer error. All of our uses are
three-argument, so I'm overriding the default.
|