diff options
author | Micah Elizabeth Scott <beth@torproject.org> | 2023-03-15 11:52:45 -0700 |
---|---|---|
committer | Micah Elizabeth Scott <beth@torproject.org> | 2023-05-10 07:38:28 -0700 |
commit | 287c78c5a82f0447af01f3558748f048c9f3d2b2 (patch) | |
tree | ae1ae0337f5a6ada00a8b4372e2789f6b29a98aa /src/lib/sandbox | |
parent | 700814a3a117652682ccdf1ea591584b5eca1ff6 (diff) | |
download | tor-287c78c5a82f0447af01f3558748f048c9f3d2b2.tar.gz tor-287c78c5a82f0447af01f3558748f048c9f3d2b2.zip |
sandbox: allow stack mmap with prot_none
This fixes a failure that was showing up on i386 Debian hosts
with sandboxing enabled, now that cpuworker is enabled on clients.
We already had allowances for creating threads and creating stacks
in the sandbox, but prot_none (probably used for a stack guard)
was not allowed so thread creation failed.
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
Diffstat (limited to 'src/lib/sandbox')
-rw-r--r-- | src/lib/sandbox/sandbox.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c index a476e57fbc..3340eda892 100644 --- a/src/lib/sandbox/sandbox.c +++ b/src/lib/sandbox/sandbox.c @@ -437,7 +437,14 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter) rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), - SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK)); + SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK)); + if (rc) { + return rc; + } + + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), + SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE), + SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK)); if (rc) { return rc; } |