summaryrefslogtreecommitdiff
path: root/src/lib/sandbox/sandbox.c
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2021-05-07 12:09:41 -0400
committerNick Mathewson <nickm@torproject.org>2021-05-07 12:12:11 -0400
commitf5acfe67238a331bf8a6e94715163949999f27e7 (patch)
tree1a62e226784d301eb97ac464c3076702ef28174d /src/lib/sandbox/sandbox.c
parent7c86f34340acf7d8cf35501e71b03f2feba1245e (diff)
downloadtor-f5acfe67238a331bf8a6e94715163949999f27e7.tar.gz
tor-f5acfe67238a331bf8a6e94715163949999f27e7.zip
Add a sandbox workaround for Glibc 2.33
This change permits the newfstatat() system call, and fixes issues 40382 (and 40381). This isn't a free change. From the commit: // Libc 2.33 uses this syscall to implement both fstat() and stat(). // // The trouble is that to implement fstat(fd, &st), it calls: // newfstatat(fs, "", &st, AT_EMPTY_PATH) // We can't detect this usage in particular, because "" is a pointer // we don't control. And we can't just look for AT_EMPTY_PATH, since // AT_EMPTY_PATH only has effect when the path string is empty. // // So our only solution seems to be allowing all fstatat calls, which // means that an attacker can stat() anything on the filesystem. That's // not a great solution, but I can't find a better one.
Diffstat (limited to 'src/lib/sandbox/sandbox.c')
-rw-r--r--src/lib/sandbox/sandbox.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 168dfd943c..fc90dbe062 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -1608,6 +1608,28 @@ add_noparam_filter(scmp_filter_ctx ctx)
}
}
+ if (is_libc_at_least(2, 33)) {
+#ifdef __NR_newfstatat
+ // Libc 2.33 uses this syscall to implement both fstat() and stat().
+ //
+ // The trouble is that to implement fstat(fd, &st), it calls:
+ // newfstatat(fs, "", &st, AT_EMPTY_PATH)
+ // We can't detect this usage in particular, because "" is a pointer
+ // we don't control. And we can't just look for AT_EMPTY_PATH, since
+ // AT_EMPTY_PATH only has effect when the path string is empty.
+ //
+ // So our only solution seems to be allowing all fstatat calls, which
+ // means that an attacker can stat() anything on the filesystem. That's
+ // not a great solution, but I can't find a better one.
+ rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat));
+ if (rc != 0) {
+ log_err(LD_BUG,"(Sandbox) failed to add newfstatat() syscall; "
+ "received libseccomp error %d", rc);
+ return rc;
+ }
+#endif
+ }
+
return 0;
}