diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-03-28 03:51:50 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-04-16 22:03:08 -0400 |
| commit | cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64 (patch) | |
| tree | 63c352b5287e9f57ed91b2950d4fec9d5cf1c864 /src/or | |
| parent | 3802e32c7d94c599546069d8246636b0d3a4ad10 (diff) | |
| download | tor-cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64.tar.gz tor-cbfb8e703ed9c7e31848ebf959ac7a4cf27b4a64.zip | |
Add 'rename' to the sandboxed syscalls
(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
Diffstat (limited to 'src/or')
| -rw-r--r-- | src/or/config.c | 2 | ||||
| -rw-r--r-- | src/or/main.c | 39 | ||||
| -rw-r--r-- | src/or/statefile.c | 3 |
3 files changed, 39 insertions, 5 deletions
diff --git a/src/or/config.c b/src/or/config.c index ca99d014fc..89aedccb4c 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -6276,7 +6276,7 @@ write_configuration_file(const char *fname, const or_options_t *options) ++i; } log_notice(LD_CONFIG, "Renaming old configuration file to \"%s\"", fn_tmp); - if (rename(fname, fn_tmp) < 0) { + if (tor_rename(fname, fn_tmp) < 0) {//XXXX sandbox doesn't allow log_warn(LD_FS, "Couldn't rename configuration file \"%s\" to \"%s\": %s", fname, fn_tmp, strerror(errno)); diff --git a/src/or/main.c b/src/or/main.c index 16149544bf..3c248bb800 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2743,7 +2743,6 @@ sandbox_init_filter(void) get_datadir_fname("cached-microdescs.tmp"), 1, get_datadir_fname("cached-microdescs.new"), 1, get_datadir_fname("cached-microdescs.new.tmp"), 1, - get_datadir_fname("unverified-microdesc-consensus"), 1, get_datadir_fname("cached-descriptors"), 1, get_datadir_fname("cached-descriptors.new"), 1, get_datadir_fname("cached-descriptors.tmp"), 1, @@ -2765,6 +2764,34 @@ sandbox_init_filter(void) NULL, 0 ); +#define RENAME_SUFFIX(name, suffix) \ + sandbox_cfg_allow_rename(&cfg, \ + get_datadir_fname(name suffix), \ + get_datadir_fname(name)) + +#define RENAME_SUFFIX2(prefix, name, suffix) \ + sandbox_cfg_allow_rename(&cfg, \ + get_datadir_fname2(prefix, name suffix), \ + get_datadir_fname2(prefix, name)) + + RENAME_SUFFIX("cached-certs", ".tmp"); + RENAME_SUFFIX("cached-consensus", ".tmp"); + RENAME_SUFFIX("unverified-consensus", ".tmp"); + RENAME_SUFFIX("unverified-microdesc-consensus", ".tmp"); + RENAME_SUFFIX("cached-microdesc-consensus", ".tmp"); + RENAME_SUFFIX("cached-microdescs", ".tmp"); + RENAME_SUFFIX("cached-microdescs", ".new"); + RENAME_SUFFIX("cached-microdescs.new", ".tmp"); + RENAME_SUFFIX("cached-descriptors", ".tmp"); + RENAME_SUFFIX("cached-descriptors", ".new"); + RENAME_SUFFIX("cached-descriptors.new", ".tmp"); + RENAME_SUFFIX("cached-extrainfo", ".tmp"); + RENAME_SUFFIX("cached-extrainfo", ".new"); + RENAME_SUFFIX("cached-extrainfo.new", ".tmp"); + RENAME_SUFFIX("state", ".tmp"); + RENAME_SUFFIX("unparseable-desc", ".tmp"); + RENAME_SUFFIX("v3-status-votes", ".tmp"); + sandbox_cfg_allow_stat_filename_array(&cfg, get_datadir_fname(NULL), 1, get_datadir_fname("lock"), 1, @@ -2790,12 +2817,18 @@ sandbox_init_filter(void) get_datadir_fname("fingerprint.tmp"), 1, get_datadir_fname("hashed-fingerprint"), 1, get_datadir_fname("hashed-fingerprint.tmp"), 1, - get_datadir_fname("cached-consensus"), 1, - get_datadir_fname("cached-consensus.tmp"), 1, "/etc/resolv.conf", 0, NULL, 0 ); + RENAME_SUFFIX("fingerprint", ".tmp"); + RENAME_SUFFIX2("keys", "secret_onion_key_ntor", ".tmp"); + RENAME_SUFFIX2("keys", "secret_id_key", ".tmp"); + RENAME_SUFFIX2("keys", "secret_id_key.old", ".tmp"); + RENAME_SUFFIX2("keys", "secret_onion_key", ".tmp"); + RENAME_SUFFIX2("keys", "secret_onion_key.old", ".tmp"); + RENAME_SUFFIX("hashed-fingerprint", ".tmp"); + sandbox_cfg_allow_stat_filename_array(&cfg, get_datadir_fname("keys"), 1, get_datadir_fname("stats/dirreq-stats"), 1, diff --git a/src/or/statefile.c b/src/or/statefile.c index 2251f25e94..da31341712 100644 --- a/src/or/statefile.c +++ b/src/or/statefile.c @@ -13,6 +13,7 @@ #include "hibernate.h" #include "rephist.h" #include "router.h" +#include "sandbox.h" #include "statefile.h" /** A list of state-file "abbreviations," for compatibility. */ @@ -285,7 +286,7 @@ or_state_save_broken(char *fname) log_warn(LD_BUG, "Unable to parse state in \"%s\". Moving it aside " "to \"%s\". This could be a bug in Tor; please tell " "the developers.", fname, fname2); - if (rename(fname, fname2) < 0) { + if (tor_rename(fname, fname2) < 0) {//XXXX sandbox prohibits log_warn(LD_BUG, "Weirdly, I couldn't even move the state aside. The " "OS gave an error of %s", strerror(errno)); } |