Diffstat (limited to 'src/common')
-rw-r--r--src/common/sandbox.c48
-rw-r--r--src/common/sandbox.h3
2 files changed, 38 insertions, 13 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index a4afc36fb5..ce6b63c175 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -228,12 +228,6 @@ prot_strdup(char* str)
return res;
}
-sandbox_cfg_t*
-sandbox_cfg_new()
-{
- return NULL;
-}
-
int
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
{
@@ -253,7 +247,7 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
}
static int
-add_param_filter(scmp_filter_ctx ctx)
+add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
{
int i, filter_size, rc = 0;
sandbox_cfg_t *elem;
@@ -265,7 +259,8 @@ add_param_filter(scmp_filter_ctx ctx)
}
// for each dynamic parameter filters
- for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
+ elem = (cfg == NULL) ? filter_dynamic : cfg;
+ for (; elem != NULL; elem = elem->next) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, elem->syscall, 1,
SCMP_CMP(elem->pindex, SCMP_CMP_EQ, elem->param));
if (rc != 0) {
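Review bot: In `elem = (cfg == NULL) ? filter_dynamic : cfg;` a NULL cfg silently selects the global filter_dynamic list, and because sandbox_cfg_new() in this commit returns NULL, a caller that passes a freshly created, still-empty configuration to sandbox_init() gets the global allow rules instead of none. Conversely, a non-NULL cfg replaces filter_dynamic entirely, so rules that exist only in the global list are not installed for that caller. If both behaviours are intended, say so at the assignment, e.g. `// cfg == NULL selects the built-in filter_dynamic list; a non-NULL cfg replaces it.`, and repeat the contract in the comments of install_syscall_filter() and initialise_libseccomp_sandbox(), which now take the same argument. The body of add_param_filter() starts and ends outside this hunk, so how the rest of the function treats elem is not visible here.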
@@ -327,7 +322,7 @@ add_noparam_filter(scmp_filter_ctx ctx)
* Returns 0 on success.
*/
static int
-install_glob_syscall_filter(void)
+install_syscall_filter(sandbox_cfg_t* cfg)
{
int rc = 0;
scmp_filter_ctx ctx;
@@ -340,7 +335,7 @@ install_glob_syscall_filter(void)
}
// add parameter filters
- if ((rc = add_param_filter(ctx))) {
+ if ((rc = add_param_filter(ctx, cfg))) {
log_err(LD_BUG, "(Sandbox) failed to add param filters!");
goto end;
}
@@ -450,12 +445,12 @@ install_sigsys_debugging(void)
* into account various available features for different linux flavours.
*/
static int
-initialise_libseccomp_sandbox(void)
+initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
{
if (install_sigsys_debugging())
return -1;
- if (install_glob_syscall_filter())
+ if (install_syscall_filter(cfg))
return -2;
return 0;
@@ -463,6 +458,33 @@ initialise_libseccomp_sandbox(void)
#endif // USE_LIBSECCOMP
+sandbox_cfg_t*
+sandbox_cfg_new() {
+ return NULL;
+}
+
+int
+sandbox_init(sandbox_cfg_t* cfg)
+{
+#if defined(USE_LIBSECCOMP)
+ return initialise_libseccomp_sandbox(cfg);
+
+#elif defined(_WIN32)
+ log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is "
+ "currently disabled.");
+ return 0;
+
+#elif defined(TARGET_OS_MAC)
+ log_warn(LD_BUG,"Mac OSX sandboxing is not implemented. The feature is "
+ "currently disabled");
+ return 0;
+#else
+ log_warn(LD_BUG,"Sandboxing is not implemented for your platform. The "
+ "feature is currently disabled");
+ return 0;
+#endif
+}
+
/**
* Enables the stage 1 general sandbox. It applies a syscall filter which does
* not restrict any Tor features. The filter is representative for the whole
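Review bot: sandbox_init() returns 0 in the `_WIN32`, `TARGET_OS_MAC` and `#else` branches, the same value it returns when the seccomp filter was installed, so a caller that passes a restrictive cfg cannot tell that no filter is active. Either return a distinct non-zero value on those branches, or state the contract in a doc comment above the function, for example `/** Returns 0 on success, and also on platforms without a sandbox implementation, where nothing is installed. */`. The three fallback branches also appear to repeat the warnings already in tor_global_sandbox(), whose body lies mostly outside this hunk; a shared static helper would keep the two entry points in sync.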
@@ -473,7 +495,7 @@ tor_global_sandbox(void)
{
#if defined(USE_LIBSECCOMP)
- return initialise_libseccomp_sandbox();
+ return initialise_libseccomp_sandbox(NULL);
#elif defined(_WIN32)
log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is "
diff --git a/src/common/sandbox.h b/src/common/sandbox.h
index 2cb8ab8806..c6d80659e3 100644
--- a/src/common/sandbox.h
+++ b/src/common/sandbox.h
@@ -81,7 +81,10 @@ typedef struct pfd_elem sandbox_cfg_t;
void sandbox_set_debugging_fd(int fd);
int tor_global_sandbox(void);
char* get_prot_param(char *param);
+
+sandbox_cfg_t * sandbox_cfg_new();
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file);
+int sandbox_init(sandbox_cfg_t* cfg);
#endif /* SANDBOX_H_ */
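Review bot: `sandbox_cfg_t * sandbox_cfg_new();` declares the function without a prototype, so the compiler will not reject a call that passes arguments; the neighbouring `int tor_global_sandbox(void);` already uses the `(void)` form. Write `sandbox_cfg_t *sandbox_cfg_new(void);` here and use the same parameter list in the definition added to sandbox.c. The two new public declarations also carry no doc comment; a short one on sandbox_init() saying that a NULL cfg falls back to the built-in filter list would tell callers what an empty configuration means.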