aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/common/sandbox.c50
-rw-r--r--src/or/policies.c10
-rw-r--r--src/test/test_address.c3
-rw-r--r--src/test/test_util_format.c8
4 files changed, 46 insertions, 25 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 838b267ab4..23d97dffa1 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -210,6 +210,10 @@ static int filter_nopar_gen[] = {
SCMP_SYS(getrandom),
#endif
+#ifdef __NR_sysinfo
+ // qsort uses this..
+ SCMP_SYS(sysinfo),
+#endif
/*
* These socket syscalls are not required on x86_64 and not supported with
* some libseccomp versions (eg: 1.0.1)
@@ -583,7 +587,7 @@ static int
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc = 0;
- int i;
+ int i, j;
(void) filter;
#ifdef __i386__
@@ -600,20 +604,20 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
for (i = 0; i < 2; ++i) {
const int pf = i ? PF_INET : PF_INET6;
-
- rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
- SCMP_CMP(0, SCMP_CMP_EQ, pf),
- SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
- SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
- if (rc)
- return rc;
-
- rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
- SCMP_CMP(0, SCMP_CMP_EQ, pf),
- SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
- SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
- if (rc)
- return rc;
+ for (j=0; j < 3; ++j) {
+ const int type = (j == 0) ? SOCK_STREAM :
+ (j == 1) ? SOCK_DGRAM :
+ SOCK_DGRAM;
+ const int protocol = (j == 0) ? IPPROTO_TCP :
+ (j == 1) ? IPPROTO_IP :
+ IPPROTO_UDP;
+ rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+ SCMP_CMP(0, SCMP_CMP_EQ, pf),
+ SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
+ SCMP_CMP(2, SCMP_CMP_EQ, protocol));
+ if (rc)
+ return rc;
+ }
}
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
@@ -699,6 +703,14 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (rc)
return rc;
+#ifdef HAVE_SYSTEMD
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
+ SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUFFORCE));
+ if (rc)
+ return rc;
+#endif
+
#ifdef IP_TRANSPARENT
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
@@ -732,6 +744,14 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (rc)
return rc;
+#ifdef HAVE_SYSTEMD
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
+ SCMP_CMP(2, SCMP_CMP_EQ, SO_SNDBUF));
+ if (rc)
+ return rc;
+#endif
+
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
diff --git a/src/or/policies.c b/src/or/policies.c
index f625242cea..0b8f3351fb 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -2866,11 +2866,11 @@ getinfo_helper_policies(control_connection_t *conn,
}
policies_parse_exit_policy_reject_private(
- &private_policy_list,
- options->IPv6Exit,
- configured_addresses,
- options->ExitPolicyRejectLocalInterfaces,
- options->ExitPolicyRejectLocalInterfaces);
+ &private_policy_list,
+ options->IPv6Exit,
+ configured_addresses,
+ options->ExitPolicyRejectLocalInterfaces,
+ options->ExitPolicyRejectLocalInterfaces);
*answer = policy_dump_to_string(private_policy_list, 1, 1);
addr_policy_list_free(private_policy_list);
diff --git a/src/test/test_address.c b/src/test/test_address.c
index d621ee5870..82d6bc7a13 100644
--- a/src/test/test_address.c
+++ b/src/test/test_address.c
@@ -823,7 +823,8 @@ test_address_get_if_addrs6_list_no_internal(void *arg)
(void)arg;
- int prev_level = setup_capture_of_logs(LOG_ERR); /* We might drop a log_err */
+ /* We might drop a log_err */
+ int prev_level = setup_capture_of_logs(LOG_ERR);
results = get_interface_address6_list(LOG_ERR, AF_INET6, 0);
tt_int_op(smartlist_len(mock_saved_logs()), OP_LE, 1);
teardown_capture_of_logs(prev_level);
diff --git a/src/test/test_util_format.c b/src/test/test_util_format.c
index f3dcd1184c..63a668238c 100644
--- a/src/test/test_util_format.c
+++ b/src/test/test_util_format.c
@@ -106,10 +106,10 @@ test_util_format_base64_encode(void *ignored)
for (i = 0;i<50;i++) {
src[i] = 0;
}
- src[50] = 255;
- src[51] = 255;
- src[52] = 255;
- src[53] = 255;
+ src[50] = (char)255;
+ src[51] = (char)255;
+ src[52] = (char)255;
+ src[53] = (char)255;
res = base64_encode(dst, 1000, src, 54, BASE64_ENCODE_MULTILINE);
tt_int_op(res, OP_EQ, 74);
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion