diff options
| author | Daniel Pinto <danielpinto52@gmail.com> | 2020-07-01 23:51:39 +0100 |
|---|---|---|
| committer | Daniel Pinto <danielpinto52@gmail.com> | 2020-07-20 22:30:13 +0100 |
| commit | d28bfb2cd5665c38bd14d6a72848209dcd66faf9 (patch) | |
| tree | ff8a5439840bea058a23ae26236b91926023d7af /src/app/main | |
| parent | c79b4397d3839b77e85ceccc5a948f58c9fe37e6 (diff) | |
| download | tor-d28bfb2cd5665c38bd14d6a72848209dcd66faf9.tar.gz tor-d28bfb2cd5665c38bd14d6a72848209dcd66faf9.zip | |
Fix seccomp sandbox rules for opening directories #40020
Different versions of glibc use either open or openat for the
opendir function. This commit adds logic to use the correct rule
for each glibc version, namely:
- Until 2.14 open is used
- From 2.15 to to 2.21 openat is used
- From 2.22 to 2.26 open is used
- From 2.27 onwards openat is used
Diffstat (limited to 'src/app/main')
| -rw-r--r-- | src/app/main/main.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/app/main/main.c b/src/app/main/main.c index 67f2181cd5..aceba78cfc 100644 --- a/src/app/main/main.c +++ b/src/app/main/main.c @@ -989,6 +989,9 @@ sandbox_init_filter(void) #define OPEN(name) \ sandbox_cfg_allow_open_filename(&cfg, tor_strdup(name)) +#define OPENDIR(dir) \ + sandbox_cfg_allow_opendir_dirname(&cfg, tor_strdup(dir)) + #define OPEN_DATADIR(name) \ sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname(name)) @@ -1006,7 +1009,7 @@ sandbox_init_filter(void) } while (0) #define OPEN_KEY_DIRECTORY() \ - sandbox_cfg_allow_open_filename(&cfg, tor_strdup(options->KeyDirectory)) + OPENDIR(options->KeyDirectory) #define OPEN_CACHEDIR(name) \ sandbox_cfg_allow_open_filename(&cfg, get_cachedir_fname(name)) #define OPEN_CACHEDIR_SUFFIX(name, suffix) do { \ @@ -1020,7 +1023,7 @@ sandbox_init_filter(void) OPEN_KEYDIR(name suffix); \ } while (0) - OPEN(options->DataDirectory); + OPENDIR(options->DataDirectory); OPEN_KEY_DIRECTORY(); OPEN_CACHEDIR_SUFFIX("cached-certs", ".tmp"); @@ -1067,7 +1070,11 @@ sandbox_init_filter(void) } SMARTLIST_FOREACH(options->FilesOpenedByIncludes, char *, f, { - OPEN(f); + if (file_status(f) == FN_DIR) { + OPENDIR(f); + } else { + OPEN(f); + } }); #define RENAME_SUFFIX(name, suffix) \ @@ -1180,7 +1187,7 @@ sandbox_init_filter(void) * directory that holds it. */ char *dirname = tor_strdup(port->unix_addr); if (get_parent_directory(dirname) == 0) { - OPEN(dirname); + OPENDIR(dirname); } tor_free(dirname); sandbox_cfg_allow_chmod_filename(&cfg, tor_strdup(port->unix_addr)); |