diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-05-20 12:21:31 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-05-20 12:21:31 -0400 |
| commit | 465982012c69e78986d421604d27afd6ecbe70f6 (patch) | |
| tree | 02c03e62472fdcd57a732dbbdeda5e04e183bac5 /src/common | |
| parent | f87071f49efb47a2d52583730c29ba287e620227 (diff) | |
| download | tor-465982012c69e78986d421604d27afd6ecbe70f6.tar.gz tor-465982012c69e78986d421604d27afd6ecbe70f6.zip | |
sandbox: Disallow options which would make us call exec()
None of the things we might exec() can possibly run under the
sanbox, so rather than crash later, we have to refuse to accept the
configuration nice and early.
The longer-term solution is to have an exec() helper, but wow is
that risky.
fixes 12043; bugfix on 0.2.5.1-alpha
Diffstat (limited to 'src/common')
| -rw-r--r-- | src/common/sandbox.c | 8 | ||||
| -rw-r--r-- | src/common/sandbox.h | 2 |
2 files changed, 10 insertions, 0 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 8516c754f3..5c7d8c87bc 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -204,6 +204,7 @@ sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; } +#if 0 /** * Function responsible for setting up the execve syscall for * the seccomp filter sandbox. @@ -232,6 +233,7 @@ sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } +#endif /** * Function responsible for setting up the time syscall for @@ -856,7 +858,9 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) static sandbox_filter_func_t filter_func[] = { sb_rt_sigaction, sb_rt_sigprocmask, +#if 0 sb_execve, +#endif sb_time, sb_accept4, #ifdef __NR_mmap2 @@ -1240,6 +1244,7 @@ sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...) return 0; } +#if 0 int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { @@ -1279,6 +1284,7 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...) va_end(ap); return 0; } +#endif int sandbox_getaddrinfo(const char *name, const char *servname, @@ -1659,6 +1665,7 @@ sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...) return 0; } +#if 0 int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { @@ -1672,6 +1679,7 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...) (void)cfg; return 0; } +#endif int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file) diff --git a/src/common/sandbox.h b/src/common/sandbox.h index c40f5e0d1f..b57215285e 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -198,6 +198,7 @@ int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file); */ int sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...); +#if 0 /** * Function used to add a execve allowed filename to a supplied configuration. * The (char*) specifies the path to the allowed file; that pointer is stolen. @@ -211,6 +212,7 @@ int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com); * one must be NULL. */ int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...); +#endif /** * Function used to add a stat/stat64 allowed filename to a configuration. |