aboutsummaryrefslogtreecommitdiff
path: root/src/common/sandbox.c
diff options
context:
space:
mode:
authorPeter Palfrader <peter@palfrader.org>2016-07-11 09:37:01 +0200
committerPeter Palfrader <peter@palfrader.org>2016-07-11 09:37:01 +0200
commit36b06be73862d6f3206d0e2a6fe17af06f8b7c88 (patch)
treef5000273d52e31ea1d4f4d0077a4be2de1df958a /src/common/sandbox.c
parenta931d157fd5454f679614e0a210144552ecabadf (diff)
downloadtor-36b06be73862d6f3206d0e2a6fe17af06f8b7c88.tar.gz
tor-36b06be73862d6f3206d0e2a6fe17af06f8b7c88.zip
Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist
If we did not find a non-private IPaddress by iterating over interfaces, we would try to get one via get_interface_address6_via_udp_socket_hack(). This opens a datagram socket with IPPROTO_UDP. Previously all our datagram sockets (via libevent) used IPPROTO_IP, so we did not have that in the sandboxing whitelist. Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist. Fixes bug 19660.
Diffstat (limited to 'src/common/sandbox.c')
-rw-r--r--src/common/sandbox.c30
1 files changed, 15 insertions, 15 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 70c5bbd07c..54c1267c5c 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -585,7 +585,7 @@ static int
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc = 0;
- int i;
+ int i, j;
(void) filter;
#ifdef __i386__
@@ -602,20 +602,20 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
for (i = 0; i < 2; ++i) {
const int pf = i ? PF_INET : PF_INET6;
-
- rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
- SCMP_CMP(0, SCMP_CMP_EQ, pf),
- SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
- SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
- if (rc)
- return rc;
-
- rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
- SCMP_CMP(0, SCMP_CMP_EQ, pf),
- SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
- SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
- if (rc)
- return rc;
+ for (j=0; j < 3; ++j) {
+ const int type = (j == 0) ? SOCK_STREAM :
+ (j == 1) ? SOCK_DGRAM :
+ SOCK_DGRAM;
+ const int protocol = (j == 0) ? IPPROTO_TCP :
+ (j == 1) ? IPPROTO_IP :
+ IPPROTO_UDP;
+ rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+ SCMP_CMP(0, SCMP_CMP_EQ, pf),
+ SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
+ SCMP_CMP(2, SCMP_CMP_EQ, protocol));
+ if (rc)
+ return rc;
+ }
}
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),