diff options
| author | Nick Mathewson <nickm@torproject.org> | 2017-09-15 12:00:50 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2017-09-15 12:00:50 -0400 |
| commit | 0f4f40b70fe6ea16a43940f86db767e1a16a4f6e (patch) | |
| tree | 59ba8fa1332fa127ade5882da3836809bd540fea /src/common | |
| parent | 962b0b849bf0c2fcca387e334985b349a255de0a (diff) | |
| parent | 06500171434dca543e3daf74ce7033a0aef3d199 (diff) | |
| download | tor-0f4f40b70fe6ea16a43940f86db767e1a16a4f6e.tar.gz tor-0f4f40b70fe6ea16a43940f86db767e1a16a4f6e.zip | |
Merge remote-tracking branch 'dgoulet/ticket12541_032_02'
Diffstat (limited to 'src/common')
| -rw-r--r-- | src/common/sandbox.c | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index a85b1406fa..4d810fd373 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -653,6 +653,25 @@ sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } +#ifdef HAVE_KIST_SUPPORT + +#include <linux/sockios.h> + +static int +sb_ioctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc; + (void) filter; + + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), + SCMP_CMP(1, SCMP_CMP_EQ, SIOCOUTQNSD)); + if (rc) + return rc; + return 0; +} + +#endif /* HAVE_KIST_SUPPORT */ + /** * Function responsible for setting up the setsockopt syscall for * the seccomp filter sandbox. @@ -760,6 +779,15 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; #endif +#ifdef HAVE_KIST_SUPPORT +#include <netinet/tcp.h> + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), + SCMP_CMP(1, SCMP_CMP_EQ, SOL_TCP), + SCMP_CMP(2, SCMP_CMP_EQ, TCP_INFO)); + if (rc) + return rc; +#endif + return 0; } @@ -1060,7 +1088,11 @@ static sandbox_filter_func_t filter_func[] = { sb_socket, sb_setsockopt, sb_getsockopt, - sb_socketpair + sb_socketpair, + +#ifdef HAVE_KIST_SUPPORT + sb_ioctl, +#endif }; const char * |