diff options
| author | David Goulet <dgoulet@torproject.org> | 2017-09-07 15:22:05 -0400 |
|---|---|---|
| committer | David Goulet <dgoulet@torproject.org> | 2017-09-15 11:40:59 -0400 |
| commit | 6e598bbcd8ee5b0dfec8f6713679988294cb2523 (patch) | |
| tree | 39329b34c130bd2fd5586551e1cb03029238e583 /src | |
| parent | a06f2a05091b784f334f1c1ef0575c28c715f504 (diff) | |
| download | tor-6e598bbcd8ee5b0dfec8f6713679988294cb2523.tar.gz tor-6e598bbcd8ee5b0dfec8f6713679988294cb2523.zip | |
sched: Add sandbox support for KIST
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/common/sandbox.c | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index a85b1406fa..4d810fd373 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -653,6 +653,25 @@ sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } +#ifdef HAVE_KIST_SUPPORT + +#include <linux/sockios.h> + +static int +sb_ioctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc; + (void) filter; + + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), + SCMP_CMP(1, SCMP_CMP_EQ, SIOCOUTQNSD)); + if (rc) + return rc; + return 0; +} + +#endif /* HAVE_KIST_SUPPORT */ + /** * Function responsible for setting up the setsockopt syscall for * the seccomp filter sandbox. @@ -760,6 +779,15 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; #endif +#ifdef HAVE_KIST_SUPPORT +#include <netinet/tcp.h> + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), + SCMP_CMP(1, SCMP_CMP_EQ, SOL_TCP), + SCMP_CMP(2, SCMP_CMP_EQ, TCP_INFO)); + if (rc) + return rc; +#endif + return 0; } @@ -1060,7 +1088,11 @@ static sandbox_filter_func_t filter_func[] = { sb_socket, sb_setsockopt, sb_getsockopt, - sb_socketpair + sb_socketpair, + +#ifdef HAVE_KIST_SUPPORT + sb_ioctl, +#endif }; const char * |