diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-02-23 12:33:58 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-02-23 12:35:20 -0500 |
| commit | 21ac0cd2afb2275bfe89237c3aeb545fb7de537e (patch) | |
| tree | 7ccb35e915e183b771ae4c904427fb4a77452339 | |
| parent | 7a1a0a4cd7d8ccdc5c9a327762f736a4e8d0d6a9 (diff) | |
| download | tor-21ac0cd2afb2275bfe89237c3aeb545fb7de537e.tar.gz tor-21ac0cd2afb2275bfe89237c3aeb545fb7de537e.zip | |
Let AF_UNIX connections through the sandbox
Fixes bug 15003; bugfix on 0.2.6.3-alpha.
| -rw-r--r-- | changes/bug15003 | 3 | ||||
| -rw-r--r-- | src/common/sandbox.c | 5 |
2 files changed, 8 insertions, 0 deletions
diff --git a/changes/bug15003 b/changes/bug15003 new file mode 100644 index 0000000000..2dcce74dfe --- /dev/null +++ b/changes/bug15003 @@ -0,0 +1,3 @@ + o Major bugfixes (linux seccomp2 sandbox): + - Allow AF_UNIX hidden services to be used with the seccomp2 sandbox. + Fixes bug 15003; bugfix on 0.2.6.3-alpha. diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 57847e1376..fe97af309e 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -543,6 +543,11 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), + SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), + SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM), + SCMP_CMP(2, SCMP_CMP_EQ, 0)); + + rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK), SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW), SCMP_CMP(2, SCMP_CMP_EQ, 0)); |