authorNick Mathewson <nickm@torproject.org>2018-02-01 08:39:38 -0500
committerNick Mathewson <nickm@torproject.org>2018-02-01 08:39:38 -0500
commitea8e9f17f52877cc795f1792acb81d7fdaff6baf (patch)
tree4d8edb55e004e36820578fa2507026a18e540b67 /src/common
parent88b146cda58087dea5d8945e02f2e2f5ebbe6a97 (diff)
Revert "Change the sandbox behavior on all failed opens() to EACCES"
This reverts commit 9a06282546418b2e9d21559d4853bcf124b953f4. It appears that I misunderstood how the seccomp2 filter rules interact. It appears that `SCMP_ACT_ERRNO()` always takes precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that earlier rules would override later ones. But this change caused bug 25115 (not in any released Tor).
Diffstat (limited to 'src/common')
-rw-r--r--src/common/sandbox.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 043b8bf14f..37f582048c 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -481,14 +481,18 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
}
- rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open));
+ rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
+ SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+ O_RDONLY));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
"error %d", rc);
return rc;
}
- rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat));
+ rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
+ SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+ O_RDONLY));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
"libseccomp error %d", rc);
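Review bot: The restored EACCES rules for `open` and `openat` carry no comment explaining why they are narrowed with `SCMP_CMP_MASKED`, even though the commit message names that exact misunderstanding as the cause of bug 25115. I would add above the first call something like `/* Keep this ERRNO rule conditional: an unconditional one takes precedence over SCMP_ACT_ALLOW rules for the same syscall (bug 25115). */`, so the mask is not simplified away again. The comment should also say that the datum `O_RDONLY` is 0 on Linux and the mask holds no access-mode bits, so the rule matches any call with none of the four listed flags set, whatever its read/write mode. Calls that match neither this rule nor an allow rule presumably fall to the filter's default action, which is not visible here. `sb_open` starts before this hunk and continues past it.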