diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-04-16 14:54:39 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-04-16 22:03:09 -0400 |
| commit | e6785ee16dce675aa770616bcdbd128d5dfb1132 (patch) | |
| tree | 3f5c1b6d827946b36c1aaff010265e9dec432d4f /src/common | |
| parent | 156eefca454e10440d1070f7500e1708589fc64b (diff) | |
| download | tor-e6785ee16dce675aa770616bcdbd128d5dfb1132.tar.gz tor-e6785ee16dce675aa770616bcdbd128d5dfb1132.zip | |
Get Libevent's PRNG functioning under the linux sandbox
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization. But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we
were permitting sysctl unconditionally. That's not such a great
idea.
Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
Diffstat (limited to 'src/common')
| -rw-r--r-- | src/common/compat_libevent.c | 19 | ||||
| -rw-r--r-- | src/common/compat_libevent.h | 2 | ||||
| -rw-r--r-- | src/common/sandbox.c | 19 |
3 files changed, 39 insertions, 1 deletions
diff --git a/src/common/compat_libevent.c b/src/common/compat_libevent.c index 8525b4a721..74b54bb855 100644 --- a/src/common/compat_libevent.c +++ b/src/common/compat_libevent.c @@ -13,6 +13,8 @@ #include "compat.h" #include "compat_libevent.h" +#include "crypto.h" + #include "util.h" #include "torlog.h" @@ -626,6 +628,23 @@ tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev, } #endif +int +tor_init_libevent_rng(void) +{ + int rv = 0; +#ifdef HAVE_EVUTIL_SECURE_RNG_INIT + char buf[256]; + if (evutil_secure_rng_init() < 0) { + rv = -1; + } + /* Older libevent -- manually initialize the RNG */ + crypto_rand(buf, 32); + evutil_secure_rng_add_bytes(buf, 32); + evutil_secure_rng_get_bytes(buf, sizeof(buf)); +#endif + return rv; +} + #if defined(LIBEVENT_VERSION_NUMBER) && LIBEVENT_VERSION_NUMBER >= V(2,1,1) \ && !defined(TOR_UNIT_TESTS) void diff --git a/src/common/compat_libevent.h b/src/common/compat_libevent.h index f0d1828b7b..9ee7b49cfb 100644 --- a/src/common/compat_libevent.h +++ b/src/common/compat_libevent.h @@ -89,6 +89,8 @@ int tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev, struct bufferevent_rate_limit_group *g); #endif +int tor_init_libevent_rng(void); + void tor_gettimeofday_cached(struct timeval *tv); void tor_gettimeofday_cache_clear(void); #ifdef TOR_UNIT_TESTS diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 2a1ddd13d1..40f2003096 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -124,7 +124,6 @@ static int filter_nopar_gen[] = { SCMP_SYS(read), SCMP_SYS(rt_sigreturn), SCMP_SYS(set_robust_list), - SCMP_SYS(_sysctl), #ifdef __NR_sigreturn SCMP_SYS(sigreturn), #endif @@ -373,6 +372,23 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } +static int +sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc; + (void) filter; + (void) ctx; + + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, " + "received libseccomp error %d", rc); + return rc; + } + + return 0; +} + /** * Function responsible for setting up the rename syscall for * the seccomp filter sandbox. @@ -850,6 +866,7 @@ static sandbox_filter_func_t filter_func[] = { #endif sb_open, sb_openat, + sb__sysctl, sb_rename, #ifdef __NR_fcntl64 sb_fcntl64, |