author Peter Gerber <pgerber@tocco.ch> 2020-01-05 15:48:54 +0100
committer Peter Gerber <peter@arbitrary.ch> 2020-01-05 15:24:45 +0000
commit b9d81282e0dbfdae795b38c26879716d7860bcf9
tree 2aaa7ca7ea6d8b329f2e3b0855f71f982cda7cc9
parent 72376378714fef727004830157da79be97821a60
Fix sandbox crash during reload of logging configuration
Allow calls to dup() which was introduced in commit a22fbab986. From a security perspective, I don't think this should impact the security of the sandbox significantly. As far as I can tell, there is nothing an adversary can do with a duplicated FD that can't be done with the original.
-rw-r--r-- changes/bug32877 4
-rw-r--r-- src/lib/sandbox/sandbox.c 1
2 files changed, 5 insertions, 0 deletions
diff --git a/changes/bug32877 b/changes/bug32877
new file mode 100644
index 0000000000..96fe1af708
--- /dev/null
+++ b/changes/bug32877
@@ -0,0 +1,4 @@
+o Minor bugfixes (linux seccomp sandbox):
+ - Fix crash when reloading logging configuration while the
+ experimental sandbox is enabled. Fixes bug 29150; bugfix
+ on 0.4.1.7. Patch by Peter Gerber.
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index faaf463f29..7e6354d880 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -143,6 +143,7 @@ static int filter_nopar_gen[] = {
SCMP_SYS(clock_gettime),
SCMP_SYS(close),
SCMP_SYS(clone),
+ SCMP_SYS(dup),
SCMP_SYS(epoll_create),
SCMP_SYS(epoll_wait),
#ifdef __NR_epoll_pwait
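Review bot: the new SCMP_SYS(dup) line in filter_nopar_gen carries no comment saying why it is needed, and this array allows its syscalls without any argument checks, so a later audit of the allow-list has no way to tie the entry back to the logging-reload path. Suggest a one-line comment next to the entry pointing at the log reload code that calls dup(). It would also help to state in the commit message whether that path can reach dup2() or dup3(), since neither appears in the visible context, and to add a sandbox test that reloads the logging configuration so a regression shows up as a test failure rather than a crash in production.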