sandbox: Filter "fchownat" on systems using generic syscalls

On architectures that use Linux's generic syscall interface the legacy "chown" call is not available; on these systems glibc uses "fchownat" instead. Modify the sandbox implementation to match.
author: Simon South <simon@simonsouth.net> 2021-09-06 09:22:46 -0400
committer: Simon South <simon@simonsouth.net> 2022-06-13 09:09:54 -0400
commit: 6a004380c90671f210e8e96239826159ec894a11 (patch)
tree: 5f05ec183cabece0145e90a02c3dde7c1ea31db2
parent: da6b55b6f47efacf20f525c644b349666bbe77aa (diff)
download: tor-6a004380c90671f210e8e96239826159ec894a11.tar.gz
tor-6a004380c90671f210e8e96239826159ec894a11.zip
1 files changed, 25 insertions, 24 deletions
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index f3f5706273..b09fdcb89c 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -654,9 +654,9 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 }
 #endif /* defined(ARCH_USES_GENERIC_SYSCALLS) */
 
-#ifdef __i386__
+#if defined(ARCH_USES_GENERIC_SYSCALLS)
 static int
-sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc;
   sandbox_cfg_t *elem = NULL;
@@ -666,11 +666,12 @@ sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     smp_param_t *param = elem->param;
 
     if (param != NULL && param->prot == 1 && param->syscall
-        == SCMP_SYS(chown32)) {
-      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown32),
-            SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
+        == SCMP_SYS(fchownat)) {
+      rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
+          SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+          SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
       if (rc != 0) {
-        log_err(LD_BUG,"(Sandbox) failed to add chown32 syscall, received "
+        log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
             "libseccomp error %d", rc);
         return rc;
       }
@@ -679,9 +680,9 @@ sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
   return 0;
 }
-#else
+#elif defined(__i386__)
 static int
-sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc;
   sandbox_cfg_t *elem = NULL;
@@ -691,11 +692,11 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     smp_param_t *param = elem->param;
 
     if (param != NULL && param->prot == 1 && param->syscall
-        == SCMP_SYS(chown)) {
-      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
+        == SCMP_SYS(chown32)) {
+      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown32),
             SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
       if (rc != 0) {
-        log_err(LD_BUG,"(Sandbox) failed to add chown syscall, received "
+        log_err(LD_BUG,"(Sandbox) failed to add chown32 syscall, received "
             "libseccomp error %d", rc);
         return rc;
       }
@@ -704,10 +705,9 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
   return 0;
 }
-#endif /* defined(__i386__) */
-
+#else
 static int
-sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc;
   sandbox_cfg_t *elem = NULL;
@@ -717,12 +717,11 @@ sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     smp_param_t *param = elem->param;
 
     if (param != NULL && param->prot == 1 && param->syscall
-        == SCMP_SYS(fchownat)) {
-      rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
-          SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
-          SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
+        == SCMP_SYS(chown)) {
+      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown),
+            SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
       if (rc != 0) {
-        log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
+        log_err(LD_BUG,"(Sandbox) failed to add chown syscall, received "
             "libseccomp error %d", rc);
         return rc;
       }
@@ -731,6 +730,7 @@ sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
   return 0;
 }
+#endif /* defined(ARCH_USES_GENERIC_SYSCALLS) || defined(__i386__) */
 
 #if defined(__NR_rename)
 /**
@@ -1481,12 +1481,13 @@ static sandbox_filter_func_t filter_func[] = {
 #ifdef __NR_mmap2
     sb_mmap2,
 #endif
-#ifdef __i386__
+#if defined(ARCH_USES_GENERIC_SYSCALLS)
+    sb_fchownat,
+#elif defined(__i386__)
     sb_chown32,
 #else
     sb_chown,
 #endif
-    sb_fchownat,
 #if defined(ARCH_USES_GENERIC_SYSCALLS)
     sb_fchmodat,
 #else
@@ -1772,10 +1773,10 @@ new_element(int syscall, char *value)
   return new_element2(syscall, value, NULL);
 }
 
-#ifdef __i386__
-#define SCMP_chown SCMP_SYS(chown32)
-#elif defined(__aarch64__) && defined(__LP64__)
+#if defined(ARCH_USES_GENERIC_SYSCALLS)
 #define SCMP_chown SCMP_SYS(fchownat)
+#elif defined(__i386__)
+#define SCMP_chown SCMP_SYS(chown32)
 #else
 #define SCMP_chown SCMP_SYS(chown)
 #endif
author	Simon South <simon@simonsouth.net>	2021-09-06 09:22:46 -0400
committer	Simon South <simon@simonsouth.net>	2022-06-13 09:09:54 -0400
commit	6a004380c90671f210e8e96239826159ec894a11 (patch)
tree	5f05ec183cabece0145e90a02c3dde7c1ea31db2
parent	da6b55b6f47efacf20f525c644b349666bbe77aa (diff)
download	tor-6a004380c90671f210e8e96239826159ec894a11.tar.gz tor-6a004380c90671f210e8e96239826159ec894a11.zip