diff options
author | Nick Mathewson <nickm@torproject.org> | 2016-03-22 10:08:50 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2016-03-22 10:08:50 -0400 |
commit | ca8423a703803db860ee39906f8b5d362e0f64f2 (patch) | |
tree | 062a37a27f446b20eaba8713d2c6415e2b1dc752 /src/common | |
parent | 778e8e604d561a47ca6223a570a691b6dc81128e (diff) | |
parent | f930824914a1ebf10f502543dbc8bf598be19c3c (diff) | |
download | tor-ca8423a703803db860ee39906f8b5d362e0f64f2.tar.gz tor-ca8423a703803db860ee39906f8b5d362e0f64f2.zip |
Merge remote-tracking branch 'public/bug18253'
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/sandbox.c | 88 | ||||
-rw-r--r-- | src/common/sandbox.h | 3 |
2 files changed, 90 insertions, 1 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 69d2b4dd26..b07af6bd2a 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2001 Matej Pfajfar. + /* Copyright (c) 2001 Matej Pfajfar. * Copyright (c) 2001-2004, Roger Dingledine. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. * Copyright (c) 2007-2016, The Tor Project, Inc. */ @@ -448,6 +448,56 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } static int +sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc; + sandbox_cfg_t *elem = NULL; + + // for each dynamic parameter filters + for (elem = filter; elem != NULL; elem = elem->next) { + smp_param_t *param = elem->param; + + if (param != NULL && param->prot == 1 && param->syscall + == SCMP_SYS(chmod)) { + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chmod), + SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received " + "libseccomp error %d", rc); + return rc; + } + } + } + + return 0; +} + +static int +sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc; + sandbox_cfg_t *elem = NULL; + + // for each dynamic parameter filters + for (elem = filter; elem != NULL; elem = elem->next) { + smp_param_t *param = elem->param; + + if (param != NULL && param->prot == 1 && param->syscall + == SCMP_SYS(chown)) { + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown), + SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received " + "libseccomp error %d", rc); + return rc; + } + } + } + + return 0; +} + +static int sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc; @@ -980,6 +1030,8 @@ static sandbox_filter_func_t filter_func[] = { #ifdef __NR_mmap2 sb_mmap2, #endif + sb_chown, + sb_chmod, sb_open, sb_openat, sb__sysctl, @@ -1256,6 +1308,40 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file) } int +sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file) +{ + sandbox_cfg_t *elem = NULL; + + elem = new_element(SCMP_SYS(chmod), file); + if (!elem) { + log_err(LD_BUG,"(Sandbox) failed to register parameter!"); + return -1; + } + + elem->next = *cfg; + *cfg = elem; + + return 0; +} + +int +sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file) +{ + sandbox_cfg_t *elem = NULL; + + elem = new_element(SCMP_SYS(chown), file); + if (!elem) { + log_err(LD_BUG,"(Sandbox) failed to register parameter!"); + return -1; + } + + elem->next = *cfg; + *cfg = elem; + + return 0; +} + +int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2) { sandbox_cfg_t *elem = NULL; diff --git a/src/common/sandbox.h b/src/common/sandbox.h index b4cc9f7d18..4918ad047b 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -149,6 +149,9 @@ sandbox_cfg_t * sandbox_cfg_new(void); */ int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file); +int sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file); +int sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file); + /**DOCDOC*/ int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2); |