authorNick Mathewson <nickm@torproject.org>2014-01-06 04:27:58 -0500
committerNick Mathewson <nickm@torproject.org>2014-01-06 04:27:58 -0500
commit682c2252a564be67fd4fa817d535df0ddc1c758a (patch)
tree60a43409a3ea75a37e7a9e1311212ba00d2d9f62
parent90303602773eca8505229c832119dafcbcfe1ab7 (diff)
Fix some seccomp2 issues
Fix for #10563. This is a compatibility issue with libseccomp-2.1. I guess you could call it a bugfix on 0.2.5.1?
-rw-r--r--changes/seccomp2-fixes3
-rw-r--r--src/common/sandbox.c10
2 files changed, 13 insertions, 0 deletions
diff --git a/changes/seccomp2-fixes b/changes/seccomp2-fixes
new file mode 100644
index 0000000000..600feecd11
--- /dev/null
+++ b/changes/seccomp2-fixes
@@ -0,0 +1,3 @@
+ o Minor bugfixes:
+ - Fix compilation warnings and startup issues when running with
+ libseccomp-2.1.0. Fixes bug 10563.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 7ef577dbec..0b67b18973 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -250,6 +250,7 @@ static int
sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc = 0;
+ (void)filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
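Review bot: The unused-parameter cast is spelled `(void)filter;` here but `(void) filter;` in the sb_fcntl64 hunk below; pick one form for both so the pattern greps consistently across the sandbox helpers. sb_mmap2 continues past the end of this hunk.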
@@ -405,6 +406,14 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
+ SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
+ if (rc)
+ return rc;
+
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
+ SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
if (rc)
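Review bot: The new `socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_TCP)` allow rule widens the sandbox's allow-list, but neither the hunk nor the changes entry records which startup path needs it under libseccomp-2.1, so a later auditor cannot tell whether it is still required. A one-line comment above the rule, e.g. `/* PF_INET TCP sockets; needed at startup with libseccomp-2.1 (bug 10563) */`, would keep the list auditable. Since `SCMP_CMP_EQ` matches the exact type value, a caller that omits `SOCK_CLOEXEC` or `SOCK_NONBLOCK` is still killed by the filter, which is worth stating in that comment. The two consecutive blank lines between the TCP and UDP rules are a style nit. sb_socket begins before this hunk.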
@@ -504,6 +513,7 @@ static int
sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc = 0;
+ (void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));