Diffstat (limited to 'src/common')
-rw-r--r--src/common/sandbox.c9
-rw-r--r--src/common/util.c15
-rw-r--r--src/common/util.h13
3 files changed, 27 insertions, 10 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 586d5fa476..b07af6bd2a 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -177,11 +177,20 @@ static int filter_nopar_gen[] = {
SCMP_SYS(mmap),
#endif
SCMP_SYS(munmap),
+#ifdef __NR_prlimit
+ SCMP_SYS(prlimit),
+#endif
+#ifdef __NR_prlimit64
+ SCMP_SYS(prlimit64),
+#endif
SCMP_SYS(read),
SCMP_SYS(rt_sigreturn),
SCMP_SYS(sched_getaffinity),
SCMP_SYS(sendmsg),
SCMP_SYS(set_robust_list),
+#ifdef __NR_setrlimit
+ SCMP_SYS(setrlimit),
+#endif
#ifdef __NR_sigreturn
SCMP_SYS(sigreturn),
#endif
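Review bot: The new entries land in filter_nopar_gen, so prlimit, prlimit64 and setrlimit are admitted with no argument filtering; prlimit/prlimit64 take a target pid and setrlimit lets the process raise its own soft limits up to the hard limit, so this widens the allowlist beyond "adjust my own limits". If the caller only needs its own process, a parameter-filtered entry that restricts the pid argument to 0 (the calling process) would keep the sandbox tighter. Whichever way it goes, the reason for admitting these syscalls isn't visible in this hunk and should be recorded next to them, e.g. `/* needed so <caller, placeholder> can adjust our own resource limits */`. The filter_nopar_gen array starts and ends outside this hunk.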
diff --git a/src/common/util.c b/src/common/util.c
index e8be91f459..056817e696 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -2063,7 +2063,6 @@ check_private_dir(const char *dirname, cpd_check_t check,
#ifndef _WIN32
int fd;
- unsigned unwanted_bits = 0;
const struct passwd *pw = NULL;
uid_t running_uid;
gid_t running_gid;
@@ -2075,7 +2074,8 @@ check_private_dir(const char *dirname, cpd_check_t check,
* the file between stat() and chmod(), a potential race exists.
*
* Several suggestions taken from:
- * https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html
+ * https://developer.apple.com/library/mac/documentation/
+ * Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html
*/
/* Open directory.
@@ -2157,6 +2157,7 @@ check_private_dir(const char *dirname, cpd_check_t check,
if (pw == NULL) {
log_warn(LD_CONFIG, "Error setting configured user: %s not found",
effective_user);
+ close(fd);
return -1;
}
running_uid = pw->pw_uid;
@@ -2200,12 +2201,17 @@ check_private_dir(const char *dirname, cpd_check_t check,
close(fd);
return -1;
}
+ unsigned unwanted_bits = 0;
if (check & (CPD_GROUP_OK|CPD_GROUP_READ)) {
unwanted_bits = 0027;
} else {
unwanted_bits = 0077;
}
- if ((st.st_mode & unwanted_bits) != 0) {
+ unsigned check_bits_filter = ~0;
+ if (check & CPD_RELAX_DIRMODE_CHECK) {
+ check_bits_filter = 0022;
+ }
+ if ((st.st_mode & unwanted_bits & check_bits_filter) != 0) {
unsigned new_mode;
if (check & CPD_CHECK_MODE_ONLY) {
log_warn(LD_FS, "Permissions on directory %s are too permissive.",
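Review bot: With CPD_RELAX_DIRMODE_CHECK set, check_bits_filter = 0022 masks unwanted_bits down to the group/other write bits in both branches (0027 & 0022 == 0077 & 0022 == 0022), so the relaxed check accepts group/other read and execute permission on the directory; that consequence is not stated anywhere and deserves a comment above the filter, e.g. `/* Relaxed mode: only refuse a directory that others can write to. */`. The fix-up branch that follows (new_mode, outside this hunk) presumably still derives the new mode from unwanted_bits rather than the filtered value, in which case a relaxed check that does fire would chmod away more bits than it checked — worth confirming and, if so, using `unwanted_bits & check_bits_filter` there too. Minor: `~0` is the int -1 converted to unsigned; `unsigned check_bits_filter = ~0u;` expresses the same value without the conversion. check_private_dir starts and ends outside this hunk.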
@@ -2981,7 +2987,8 @@ expand_filename(const char *filename)
tor_assert(filename);
#ifdef _WIN32
/* Might consider using GetFullPathName() as described here:
- * http://etutorials.org/Programming/secure+programming/Chapter+3.+Input+Validation/3.7+Validating+Filenames+and+Paths/
+ * http://etutorials.org/Programming/secure+programming/
+ * Chapter+3.+Input+Validation/3.7+Validating+Filenames+and+Paths/
*/
return tor_strdup(filename);
#else
diff --git a/src/common/util.h b/src/common/util.h
index 9657003105..ebcf88b32d 100644
--- a/src/common/util.h
+++ b/src/common/util.h
@@ -357,12 +357,13 @@ file_status_t file_status(const char *filename);
/** Possible behaviors for check_private_dir() on encountering a nonexistent
* directory; see that function's documentation for details. */
typedef unsigned int cpd_check_t;
-#define CPD_NONE 0
-#define CPD_CREATE 1
-#define CPD_CHECK 2
-#define CPD_GROUP_OK 4
-#define CPD_GROUP_READ 8
-#define CPD_CHECK_MODE_ONLY 16
+#define CPD_NONE 0
+#define CPD_CREATE (1u << 0)
+#define CPD_CHECK (1u << 1)
+#define CPD_GROUP_OK (1u << 2)
+#define CPD_GROUP_READ (1u << 3)
+#define CPD_CHECK_MODE_ONLY (1u << 4)
+#define CPD_RELAX_DIRMODE_CHECK (1u << 5)
int check_private_dir(const char *dirname, cpd_check_t check,
const char *effective_user);
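Review bot: CPD_RELAX_DIRMODE_CHECK is introduced without a comment, and the only documentation on this block says the flags describe behaviour "on encountering a nonexistent directory", which the new flag is not about. A one-line comment on the new flag would tell callers what they are giving up, e.g. `/** Only check (and fix) the group/other write bits of an existing directory's mode; tolerate other permissive bits. */`, assuming that matches the 0022 filter applied in util.c. The typedef's comment could also be broadened to say the flags control how check_private_dir() creates, checks and repairs the directory.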