-rw-r--r--src/common/sandbox.c24
-rw-r--r--src/common/sandbox.h6
-rw-r--r--src/or/main.c6
3 files changed, 24 insertions, 12 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 1fa4d613c1..2f5859e779 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -118,8 +118,10 @@ static int filter_nopar_gen[] = {
SCMP_SYS(exit),
SCMP_SYS(madvise),
+#ifdef __NR_stat64
// getaddrinfo uses this..
SCMP_SYS(stat64),
+#endif
// socket syscalls
SCMP_SYS(bind),
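Review bot: The `SCMP_SYS(stat64)` entry kept inside the new `#ifdef __NR_stat64` sits in `filter_nopar_gen`, and if that list is installed without argument constraints, as its name suggests, it permits `stat64` on any path and makes the per-filename rules registered through `sandbox_cfg_allow_stat_filename()` redundant on those builds. Consider dropping the entry and adding the paths getaddrinfo needs to the filename allow-list instead, or at least record the trade-off in the comment, e.g. `// getaddrinfo uses this; NOTE: allows stat64 on any path, bypassing the sb_stat64 filename list`. The array's full definition and the code that installs it are outside this hunk.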
@@ -741,10 +743,14 @@ static sandbox_filter_func_t filter_func[] = {
sb_execve,
sb_time,
sb_accept4,
+#ifdef __NR_mmap2
sb_mmap2,
+#endif
sb_open,
sb_openat,
+#ifdef __NR_fcntl64
sb_fcntl64,
+#endif
sb_epoll_ctl,
sb_prctl,
sb_mprotect,
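Review bot: Where `__NR_mmap2` or `__NR_fcntl64` is undefined, these guards remove the filter entry and nothing in the diff adds one for the native `mmap`/`fcntl`, so those calls are only permitted if another list not shown here covers them. The same pattern at `sb_stat64` in the next hunk is the clearest case: the new `SCMP_stat` macro registers elements under `SCMP_SYS(stat)`, but with `sb_stat64` compiled out no listed filter appears to turn them into rules, so the paths passed from `sandbox_init_filter()` would have no effect on such builds. Keying the stat filter on `SCMP_stat` and listing it unconditionally would keep the filename allow-list working on both kinds of build; the filter bodies are outside the diff, so this should be confirmed against them.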
@@ -752,7 +758,9 @@ static sandbox_filter_func_t filter_func[] = {
sb_futex,
sb_mremap,
sb_poll,
+#ifdef __NR_stat64
sb_stat64,
+#endif
sb_socket,
sb_setsockopt,
@@ -879,12 +887,17 @@ new_element(int syscall, int index, intptr_t value)
}
#ifdef __NR_stat64
+#define SCMP_stat SCMP_SYS(stat64)
+#else
+#define SCMP_stat SCMP_SYS(stat)
+#endif
+
int
-sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, int fr)
+sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, int fr)
{
sandbox_cfg_t *elem = NULL;
- elem = new_element(SCMP_SYS(stat64), 0, (intptr_t) tor_strdup(file));
+ elem = new_element(SCMP_stat, 0, (intptr_t) tor_strdup(file));
if (!elem) {
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
return -1;
@@ -898,7 +911,7 @@ sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, int fr)
}
int
-sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, ...)
+sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...)
{
int rc = 0;
char *fn = NULL;
@@ -909,9 +922,9 @@ sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, ...)
while ((fn = va_arg(ap, char*)) != NULL) {
int fr = va_arg(ap, int);
- rc = sandbox_cfg_allow_stat64_filename(cfg, fn, fr);
+ rc = sandbox_cfg_allow_stat_filename(cfg, fn, fr);
if (rc) {
- log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_stat64_filename_array fail");
+ log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_stat_filename_array fail");
goto end;
}
}
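Review bot: The failure branch sets `rc` and jumps to `end`, but the function tail visible in the next hunk is `va_end(ap); return 0;`, so a failed registration looks like success to the caller; the tail should be `return rc;`. Both calls in `sandbox_init_filter()` also discard the result, so a sandbox configuration missing stat entries would be installed without any caller noticing; the result should be checked there and the sandbox not enabled on failure. The `end:` label and the start of the function are outside this hunk.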
@@ -920,7 +933,6 @@ sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, ...)
va_end(ap);
return 0;
}
-#endif
int
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr)
diff --git a/src/common/sandbox.h b/src/common/sandbox.h
index ed9caa1686..e61e0b3338 100644
--- a/src/common/sandbox.h
+++ b/src/common/sandbox.h
@@ -204,12 +204,12 @@ int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com);
int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...);
/**
- * Function used to add a stat64 allowed filename to a supplied configuration.
+ * Function used to add a stat/stat64 allowed filename to a configuration.
* The (char*) specifies the path to the allowed file, fr = 1 tells the
* function that the char* needs to be free-ed, 0 means the pointer does not
* need to be free-ed.
*/
-int sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file,
+int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file,
int fr);
/** Function used to add a series of stat64 allowed filenames to a supplied
@@ -220,7 +220,7 @@ int sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file,
* that the char* needs to be free-ed, 0 means the pointer does not need to
* be free-ed; the final parameter needs to be <NULL, 0>.
*/
-int sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, ...);
+int sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...);
/** Function used to initialise a sandbox configuration.*/
int sandbox_init(sandbox_cfg_t* cfg);
diff --git a/src/or/main.c b/src/or/main.c
index 5ab49365b0..18e8bc44ae 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2650,7 +2650,7 @@ init_addrinfo(void)
}
static sandbox_cfg_t*
-sandbox_init_filter()
+sandbox_init_filter(void)
{
sandbox_cfg_t *cfg = sandbox_cfg_new();
@@ -2685,7 +2685,7 @@ sandbox_init_filter()
NULL, 0
);
- sandbox_cfg_allow_stat64_filename_array(&cfg,
+ sandbox_cfg_allow_stat_filename_array(&cfg,
get_datadir_fname(NULL), 1,
get_datadir_fname("lock"), 1,
get_datadir_fname("state"), 1,
@@ -2714,7 +2714,7 @@ sandbox_init_filter()
NULL, 0
);
- sandbox_cfg_allow_stat64_filename_array(&cfg,
+ sandbox_cfg_allow_stat_filename_array(&cfg,
get_datadir_fname("keys"), 1,
get_datadir_fname("stats/dirreq-stats"), 1,
NULL, 0