Fix sandbox use with systemd. bug 16212.

author: Nick Mathewson <nickm@torproject.org> 2015-05-28 14:05:46 -0400
committer: Nick Mathewson <nickm@torproject.org> 2015-05-28 14:05:46 -0400
commit: 97330ced0c2e0eeae9bb2bc576bb72190237819d (patch)
tree: ffe969ea4c75f5625fc6053c2c4dbe706e04a27c /src/common
parent: 8ca3773f686c43328f3c05a35d4d0e61a30b980c (diff)
download: tor-97330ced0c2e0eeae9bb2bc576bb72190237819d.tar.gz
tor-97330ced0c2e0eeae9bb2bc576bb72190237819d.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 49316c6193..a32bd0d901 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -170,6 +170,7 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(read),
     SCMP_SYS(rt_sigreturn),
     SCMP_SYS(sched_getaffinity),
+    SCMP_SYS(sendmsg),
     SCMP_SYS(set_robust_list),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
@@ -547,6 +548,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
       SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
       SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
       SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+      SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
+      SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+    return rc;
 
   rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
       SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
author	Nick Mathewson <nickm@torproject.org>	2015-05-28 14:05:46 -0400
committer	Nick Mathewson <nickm@torproject.org>	2015-05-28 14:05:46 -0400
commit	97330ced0c2e0eeae9bb2bc576bb72190237819d (patch)
tree	ffe969ea4c75f5625fc6053c2c4dbe706e04a27c /src/common
parent	8ca3773f686c43328f3c05a35d4d0e61a30b980c (diff)
download	tor-97330ced0c2e0eeae9bb2bc576bb72190237819d.tar.gz tor-97330ced0c2e0eeae9bb2bc576bb72190237819d.zip