Add 'rename' to the sandboxed syscalls

(If we don't restrict rename, there's not much point in restricting open, since an attacker could always use rename to make us open whatever they want.)
author: Nick Mathewson <nickm@torproject.org> 2014-03-28 03:51:50 -0400
committer: Nick Mathewson <nickm@torproject.org> 2014-04-16 22:03:08 -0400
commit: cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64 (patch)
tree: 63c352b5287e9f57ed91b2950d4fec9d5cf1c864 /src/or/statefile.c
parent: 3802e32c7d94c599546069d8246636b0d3a4ad10 (diff)
download: tor-cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64.tar.gz
tor-cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/or/statefile.c b/src/or/statefile.c
index 2251f25e94..da31341712 100644
--- a/src/or/statefile.c
+++ b/src/or/statefile.c
@@ -13,6 +13,7 @@
 #include "hibernate.h"
 #include "rephist.h"
 #include "router.h"
+#include "sandbox.h"
 #include "statefile.h"
 
 /** A list of state-file "abbreviations," for compatibility. */
@@ -285,7 +286,7 @@ or_state_save_broken(char *fname)
     log_warn(LD_BUG, "Unable to parse state in \"%s\". Moving it aside "
              "to \"%s\".  This could be a bug in Tor; please tell "
              "the developers.", fname, fname2);
-    if (rename(fname, fname2) < 0) {
+    if (tor_rename(fname, fname2) < 0) {//XXXX sandbox prohibits
       log_warn(LD_BUG, "Weirdly, I couldn't even move the state aside. The "
                "OS gave an error of %s", strerror(errno));
     }
author	Nick Mathewson <nickm@torproject.org>	2014-03-28 03:51:50 -0400
committer	Nick Mathewson <nickm@torproject.org>	2014-04-16 22:03:08 -0400
commit	cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64 (patch)
tree	63c352b5287e9f57ed91b2950d4fec9d5cf1c864 /src/or/statefile.c
parent	3802e32c7d94c599546069d8246636b0d3a4ad10 (diff)
download	tor-cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64.tar.gz tor-cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64.zip