summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorFrancisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>2014-12-23 10:51:36 -0500
committerNick Mathewson <nickm@torproject.org>2014-12-23 10:51:36 -0500
commitcca6ed80bf6814386e3d1640c1849eb20f18b34f (patch)
tree2afc0a0430de65ff3e1414210d867f9fa9b75f66 /src
parent39e71d8fa54afd906fdcaf2cd496c300362ebb9a (diff)
downloadtor-cca6ed80bf6814386e3d1640c1849eb20f18b34f.tar.gz
tor-cca6ed80bf6814386e3d1640c1849eb20f18b34f.zip
Add the transparent proxy getsockopt to the sandbox
When receiving a trasnsparently proxied request with tor using iptables tor dies because the appropriate getsockopt calls aren't enabled on the sandbox. This patch fixes this by adding the two getsockopt calls used when doing transparent proxying with tor to the sandbox for the getsockopt policy. This patch is released under the same license as the original file as long as the author is credited. Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Diffstat (limited to 'src')
-rw-r--r--src/common/sandbox.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ece56df81f..82117cb2ba 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -58,6 +58,17 @@
#include <time.h>
#include <poll.h>
+#ifdef HAVE_LINUX_NETFILTER_IPV4_H
+#include <linux/netfilter_ipv4.h>
+#endif
+#ifdef HAVE_LINUX_IF_H
+#include <linux/if.h>
+#endif
+#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#endif
+
+
#if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
#define USE_BACKTRACE
@@ -634,6 +645,22 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (rc)
return rc;
+#ifdef HAVE_LINUX_NETFILTER_IPV4_H
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
+ SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
+ if (rc)
+ return rc;
+#endif
+
+#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
+ SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
+ if (rc)
+ return rc;
+#endif
+
return 0;
}