aboutsummaryrefslogtreecommitdiff
path: root/src/common/sandbox.c
AgeCommit message (Collapse)Author
2014-09-29Merge remote-tracking branch 'origin/maint-0.2.5'Nick Mathewson
2014-09-29Don't use the getaddrinfo sandbox cache from tor-resolveNick Mathewson
Fixes bug 13295; bugfix on 0.2.5.3-alpha. The alternative here is to call crypto_global_init() from tor-resolve, but let's avoid linking openssl into tor-resolve for as long as we can.
2014-09-02Another clang analyzer complaint wrt HT_GENERATENick Mathewson
We're calling mallocfn() and reallocfn() in the HT_GENERATE macro with the result of a product. But that makes any sane analyzer worry about overflow. This patch keeps HT_GENERATE having its old semantics, since we aren't the only project using ht.h. Instead, define a HT_GENERATE2 that takes a reallocarrayfn.
2014-08-25Fix another memory leak case in sandbox.c:prot_strings()Nick Mathewson
This is related to the rest of 523587a5cf62119baa01822e2e783925726a790b
2014-08-24Remove the non-implemented versions of the sandbox _array() functionsNick Mathewson
2014-08-24Whitespace fixesNick Mathewson
2014-08-21fix memory leak on failure in sandbox.c:prot_strings()Nick Mathewson
[CID 1205014]
2014-08-21Store sandbox params as char *, since that's what they are.Nick Mathewson
This allows coverity to infer that we aren't leaking them. [Fixes a lot of CIDs]
2014-06-11Fix a 32-big conversion warning in 11970 fixNick Mathewson
2014-06-11Merge remote-tracking branch 'public/bug11970'Nick Mathewson
2014-06-11Yield a real error in the bug case of sandbox_getaddrinfo()Nick Mathewson
2014-06-08Spell getrlimit correctly.Nick Mathewson
Fixes bug in b0c1c700114aa8d4dfc180d85870c5bbe15fcacb; bug 12229. Bugfix not in any released Tor. Patch from "alphawolf".
2014-05-29sandbox: allow enough setsockopt to make ConstrainedSockets workNick Mathewson
fixes bug 12139; bugfix on 0.2.5.1-alpha
2014-05-27sandbox: permit listen(2)Nick Mathewson
Fix for 12115; bugfix on 0.2.5.1-alpha
2014-05-27Log the errno value if seccomp_load() fails.Nick Mathewson
(This is how I found out I was trying to test with a kernel too old for seccomp. I think.)
2014-05-27Make sandbox.c compile on armNick Mathewson
This is a minimal set of changes for compilation; I need a more recent kernel to test this stuff.
2014-05-22sandbox: revamp sandbox_getaddrinfo cacheingNick Mathewson
The old cache had problems: * It needed to be manually preloaded. (It didn't remember any address you didn't tell it to remember) * It was AF_INET only. * It looked at its cache even if the sandbox wasn't turned on. * It couldn't remember errors. * It had some memory management problems. (You can't use memcpy to copy an addrinfo safely; it has pointers in.) This patch fixes those issues, and moves to a hash table. Fixes bug 11970; bugfix on 0.2.5.1-alpha.
2014-05-20sandbox: permit gettid, sched_getaffinityNick Mathewson
These are needed under some circumstances if we are running with expensive-hardening and sandbox at the same time. fixes 11477, bugfix on 0.2.5.4-alpha (where we introduced expensive-hardening)
2014-05-20sandbox: Disallow options which would make us call exec()Nick Mathewson
None of the things we might exec() can possibly run under the sanbox, so rather than crash later, we have to refuse to accept the configuration nice and early. The longer-term solution is to have an exec() helper, but wow is that risky. fixes 12043; bugfix on 0.2.5.1-alpha
2014-04-25resolve a typo: sanboxing->sandboxing.Nick Mathewson
2014-04-18Improved message when running sandbox on Linux without libseccompNick Mathewson
Previously we said "Sandbox is not implemented on this platform" on Linux boxes without libseccomp. Now we say that you need to build Tor built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
2014-04-17Remove spurious libevent include in sandbox.cNick Mathewson
2014-04-16Log the name of the failing syscall on failureNick Mathewson
2014-04-16Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuseNick Mathewson
OpenSSL needs this, or RAND_poll() will kill the process. Also, refuse with EACCESS, not errno==-1 (!).
2014-04-16Don't allow change to ConnLimit while sandbox is activeNick Mathewson
2014-04-16Use SCMP_CMP_MASKED_EQ to allow flags, not force themNick Mathewson
Older versions of Libevent are happy to open SOCK_DGRAM sockets non-cloexec and non-nonblocking, and then set those flags afterwards. It's nice to be able to allow a flag to be on or off in the sandbox without having to enumerate all its values. Also, permit PF_INET6 sockets. (D'oh!)
2014-04-16Get Libevent's PRNG functioning under the linux sandboxNick Mathewson
Libevent uses an arc4random implementation (I know, I know) to generate DNS transaction IDs and capitalization. But it liked to initialize it either with opening /dev/urandom (which won't work under the sandbox if it doesn't use the right pointer), or with sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we were permitting sysctl unconditionally. That's not such a great idea. Instead, we try to initialize the libevent PRNG _before_ installing the sandbox, and make sysctl always fail with EPERM under the sandbox.
2014-04-16Introduce arg-counting macros to wrap seccomp_rule_add()Nick Mathewson
The compiler doesn't warn about this code: rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD), SCMP_CMP(1, SCMP_CMP_EQ, param->value), SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...)); but note that the arg_cnt argument above is only 1. This means that only the first filter (argument 0 == AT_FDCWD) is actually checked! This patch also fixes the above error in the openat() filter. Earlier I fixed corresponding errors in filters for rename() and mprotect().
2014-04-16Fix sandbox protection for renameNick Mathewson
(We were only checking the first parameter of each rename call.)
2014-04-16Upgrade warning about missing interned string for sandboxNick Mathewson
2014-04-16Have sandbox string protection include multi-valued parmeters.Nick Mathewson
2014-04-16Clean up sandbox structures a bitNick Mathewson
Drop pindex,pindex2 as unused. Admit a type to avoid using a void*
2014-04-16Add missing rename function for non-linux platformsNick Mathewson
2014-04-16Drop 'fr' parameter from sandbox code.Nick Mathewson
Appearently, the majority of the filenames we pass to sandbox_cfg_allow() functions are "freeable right after". So, consider _all_ of them safe-to-steal, and add a tor_strdup() in the few cases that aren't. (Maybe buggy; revise when I can test.)
2014-04-16Add 'rename' to the sandboxed syscallsNick Mathewson
(If we don't restrict rename, there's not much point in restricting open, since an attacker could always use rename to make us open whatever they want.)
2014-04-16Only intern one copy of each magic string for the sandboxNick Mathewson
If we intern two copies of a string, later calls to sandbox_intern_string will give the wrong one sometimes.
2014-04-16Fix some initial sandbox issues.Nick Mathewson
Allow files that weren't in the list; Allow the _sysctl syscall; allow accept4 with CLOEXEC and NONBLOCK.
2014-04-10Log a backtrace when the sandbox finds a failureNick Mathewson
This involves some duplicate code between backtrace.c and sandbox.c, but I don't see a way around it: calling more functions would mean adding more steps to our call stack, and running clean_backtrace() against the wrong point on the stack.
2014-04-10Make the sandbox code allow the writev() syscall.Nick Mathewson
Tor doesn't use it directly, but the glibc backtrace-to-fd code does
2014-03-13Fix some leaks/missed checks in the unit testsNick Mathewson
Coverity spotted these.
2014-02-02Add a sandbox rule to allow IP_TRANSPARENTNick Mathewson
2014-01-17whitespace fixesNick Mathewson
2014-01-06Fix some seccomp2 issuesNick Mathewson
Fix for #10563. This is a compatibility issue with libseccomp-2.1. I guess you could call it a bugfix on 0.2.5.1?
2013-11-18Merge branch 'backtrace_squashed'Nick Mathewson
Conflicts: src/common/sandbox.c src/common/sandbox.h src/common/util.c src/or/main.c src/test/include.am src/test/test.c
2013-11-18Add a sighandler-safe logging mechanismNick Mathewson
We had accidentially grown two fake ones: one for backtrace.c, and one for sandbox.c. Let's do this properly instead. Now, when we configure logs, we keep track of fds that should get told about bad stuff happening from signal handlers. There's another entry point for these that avoids using non-signal-handler-safe functions.
2013-09-16Fix a memory leak on getaddrinfo in sandbox. Found by coverityNick Mathewson
2013-09-16Clean up malloc issues in sandbox.cNick Mathewson
tor_malloc returns void *; in C, it is not necessary to cast a void* to another pointer type before assigning it. tor_malloc fails with an error rather than returning NULL; it's not necessary to check its output. (In one case, doing so annoyed Coverity.)
2013-09-13Merge remote-tracking branch 'ctoader/gsoc-cap-stage2'Nick Mathewson
Conflicts: src/common/sandbox.c
2013-09-12fixed compilation bug on i386 due to previous fixCristian Toader
2013-09-12bug fix: syscalls send and recv not supported for x86_64 with libseccomp 1.0.1Cristian Toader