diff options
Diffstat (limited to 'src/common/sandbox.c')
| -rw-r--r-- | src/common/sandbox.c | 80 |
1 files changed, 75 insertions, 5 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index f2ead21e0f..0be4c5235c 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -97,16 +97,14 @@ static int filter_nopar_gen[] = { SCMP_SYS(sigreturn), #endif SCMP_SYS(stat), -#ifdef __NR_stat64 - SCMP_SYS(stat64), // TODO -#endif SCMP_SYS(uname), SCMP_SYS(write), SCMP_SYS(exit_group), SCMP_SYS(exit), SCMP_SYS(madvise), - + // getaddrinfo uses this.. + SCMP_SYS(stat64), // Not needed.. // SCMP_SYS(set_thread_area), // SCMP_SYS(set_tid_address), @@ -542,6 +540,31 @@ sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } +#ifdef __NR_stat64 +static int +sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc = 0; + sandbox_cfg_t *elem = NULL; + + // for each dynamic parameter filters + for (elem = filter; elem != NULL; elem = elem->next) { + if (elem->prot == 1 && (elem->syscall == SCMP_SYS(open) || + elem->syscall == SCMP_SYS(stat64))) { + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64), 1, + SCMP_CMP(0, SCMP_CMP_EQ, elem->param)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " + "error %d", rc); + return rc; + } + } + } + + return 0; +} +#endif + static sandbox_filter_func_t filter_func[] = { sb_rt_sigaction, sb_rt_sigprocmask, @@ -559,7 +582,8 @@ static sandbox_filter_func_t filter_func[] = { sb_flock, sb_futex, sb_mremap, - sb_poll + sb_poll, + sb_stat64 }; const char* @@ -616,6 +640,52 @@ prot_strdup(char* str) return res; } +#ifdef __NR_stat64 +int +sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, char fr) +{ + sandbox_cfg_t *elem = NULL; + + elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t)); + elem->syscall = SCMP_SYS(stat64); + elem->pindex = 0; + elem->ptype = PARAM_PTR; + elem->param = (intptr_t) prot_strdup((char*) file); + elem->prot = 1; + + elem->next = *cfg; + *cfg = elem; + + if (fr) tor_free_(file); + + return 0; +} + +int +sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, int num, ...) +{ + int rc = 0, i; + + va_list ap; + va_start(ap, num); + + for (i = 0; i < num; i++) { + char *fn = va_arg(ap, char*); + char fr = (char) va_arg(ap, int); + + rc = sandbox_cfg_allow_stat64_filename(cfg, fn, fr); + if(rc) { + log_err(LD_BUG,"(Sandbox) failed on par %d", i); + goto end; + } + } + + end: + va_end(ap); + return 0; +} +#endif + int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, char fr) { |