diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-05-28 14:05:46 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-05-28 14:05:46 -0400 |
| commit | 97330ced0c2e0eeae9bb2bc576bb72190237819d (patch) | |
| tree | ffe969ea4c75f5625fc6053c2c4dbe706e04a27c | |
| parent | 8ca3773f686c43328f3c05a35d4d0e61a30b980c (diff) | |
| download | tor-97330ced0c2e0eeae9bb2bc576bb72190237819d.tar.gz tor-97330ced0c2e0eeae9bb2bc576bb72190237819d.zip | |
Fix sandbox use with systemd. bug 16212.
| -rw-r--r-- | changes/bug16212 | 5 | ||||
| -rw-r--r-- | src/common/sandbox.c | 10 |
2 files changed, 15 insertions, 0 deletions
diff --git a/changes/bug16212 b/changes/bug16212 new file mode 100644 index 0000000000..bc1246376d --- /dev/null +++ b/changes/bug16212 @@ -0,0 +1,5 @@ + o Minor bugfixes (sandbox, systemd): + - Allow systemd connections to work with the Linux seccomp2 sandbox + code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. + Patch by Peter Palfrader. + diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 49316c6193..a32bd0d901 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -170,6 +170,7 @@ static int filter_nopar_gen[] = { SCMP_SYS(read), SCMP_SYS(rt_sigreturn), SCMP_SYS(sched_getaffinity), + SCMP_SYS(sendmsg), SCMP_SYS(set_robust_list), #ifdef __NR_sigreturn SCMP_SYS(sigreturn), @@ -547,6 +548,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM), SCMP_CMP(2, SCMP_CMP_EQ, 0)); + if (rc) + return rc; + + rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), + SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), + SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM), + SCMP_CMP(2, SCMP_CMP_EQ, 0)); + if (rc) + return rc; rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK), |