authorNick Mathewson <nickm@torproject.org>2020-07-29 12:35:57 -0400
committerNick Mathewson <nickm@torproject.org>2020-07-29 12:35:57 -0400
commit8c92d44622263d5d57a794a9bd1d8f78eb532a73 (patch)
tree04e6541fba4d135cf0b13785a8df6e4639278466 /src
parent8e690ce736b3c61a1f007df4a1cd542e97e602c5 (diff)
parenteab8e7af522d18620450003667579eebaa339896 (diff)
Merge remote-tracking branch 'tor-gitlab/mr/68' into maint-0.4.4
Diffstat (limited to 'src')
-rw-r--r--src/app/main/main.c8
-rw-r--r--src/lib/sandbox/sandbox.c10
2 files changed, 7 insertions, 11 deletions
diff --git a/src/app/main/main.c b/src/app/main/main.c
index 66776fc40b..d7d36bff4e 100644
--- a/src/app/main/main.c
+++ b/src/app/main/main.c
@@ -841,8 +841,10 @@ sandbox_init_filter(void)
OPEN_DATADIR2(name, name2 suffix); \
} while (0)
+// KeyDirectory is a directory, but it is only opened in check_private_dir
+// which calls open instead of opendir
#define OPEN_KEY_DIRECTORY() \
- OPENDIR(options->KeyDirectory)
+ OPEN(options->KeyDirectory)
#define OPEN_CACHEDIR(name) \
sandbox_cfg_allow_open_filename(&cfg, get_cachedir_fname(name))
#define OPEN_CACHEDIR_SUFFIX(name, suffix) do { \
@@ -856,7 +858,9 @@ sandbox_init_filter(void)
OPEN_KEYDIR(name suffix); \
} while (0)
- OPENDIR(options->DataDirectory);
+ // DataDirectory is a directory, but it is only opened in check_private_dir
+ // which calls open instead of opendir
+ OPEN(options->DataDirectory);
OPEN_KEY_DIRECTORY();
OPEN_CACHEDIR_SUFFIX("cached-certs", ".tmp");
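Review bot: The comment added in the second hunk (`// DataDirectory is a directory, but it is only opened in check_private_dir ...`) repeats the one added above OPEN_KEY_DIRECTORY in the first hunk, and neither states the consequence of the assumption breaking: with OPENDIR() gone, any future opendir() on either path is rejected by the seccomp filter instead of allowed. I would keep a single comment above OPEN_KEY_DIRECTORY covering both paths, e.g. `// DataDirectory and KeyDirectory are only opened via open() in check_private_dir(), never opendir(); if that changes, switch back to OPENDIR() or the sandbox will reject the call.` The old OPENDIR rule also pinned the openat flags (the removed `O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC` comparison in the sandbox.c hunk), whereas the OPEN() macro's definition and the open/openat rule it installs are outside this hunk, so it is worth confirming that rule still constrains the flags accepted for these directory paths now that the filter relies on it alone. sandbox_init_filter() extends beyond both hunks.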
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 9a41d76e86..d4f0da8397 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -671,15 +671,7 @@ sb_opendir(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (param != NULL && param->prot == 1 && param->syscall
== PHONY_OPENDIR_SYSCALL) {
- if (libc_uses_openat_for_opendir()) {
- rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
- SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
- SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|
- O_DIRECTORY|O_CLOEXEC));
- } else {
- rc = allow_file_open(ctx, 0, param->value);
- }
+ rc = allow_file_open(ctx, libc_uses_openat_for_opendir(), param->value);
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
"libseccomp error %d", rc);