| Age | Commit message (Collapse) | Author |
|---|
|
Previously we said "Sandbox is not implemented on this platform" on
Linux boxes without libseccomp. Now we say that you need to build
Tor built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
|
|
|
|
|
|
OpenSSL needs this, or RAND_poll() will kill the process.
Also, refuse with EACCESS, not errno==-1 (!).
|
|
|
|
Older versions of Libevent are happy to open SOCK_DGRAM sockets
non-cloexec and non-nonblocking, and then set those flags
afterwards. It's nice to be able to allow a flag to be on or off in
the sandbox without having to enumerate all its values.
Also, permit PF_INET6 sockets. (D'oh!)
|
|
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization. But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we
were permitting sysctl unconditionally. That's not such a great
idea.
Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
|
|
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
|
|
(We were only checking the first parameter of each rename call.)
|
|
|
|
|
|
Drop pindex,pindex2 as unused.
Admit a type to avoid using a void*
|
|
|
|
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.
(Maybe buggy; revise when I can test.)
|
|
(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
|
|
If we intern two copies of a string, later calls to
sandbox_intern_string will give the wrong one sometimes.
|
|
Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
|
|
This involves some duplicate code between backtrace.c and sandbox.c,
but I don't see a way around it: calling more functions would mean
adding more steps to our call stack, and running clean_backtrace()
against the wrong point on the stack.
|
|
Tor doesn't use it directly, but the glibc backtrace-to-fd code does
|
|
Coverity spotted these.
|
|
|
|
|
|
Fix for #10563. This is a compatibility issue with libseccomp-2.1.
I guess you could call it a bugfix on 0.2.5.1?
|
|
Conflicts:
src/common/sandbox.c
src/common/sandbox.h
src/common/util.c
src/or/main.c
src/test/include.am
src/test/test.c
|
|
We had accidentially grown two fake ones: one for backtrace.c, and one
for sandbox.c. Let's do this properly instead.
Now, when we configure logs, we keep track of fds that should get told
about bad stuff happening from signal handlers. There's another entry
point for these that avoids using non-signal-handler-safe functions.
|
|
|
|
tor_malloc returns void *; in C, it is not necessary to cast a
void* to another pointer type before assigning it.
tor_malloc fails with an error rather than returning NULL; it's not
necessary to check its output. (In one case, doing so annoyed Coverity.)
|
|
Conflicts:
src/common/sandbox.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SCMP_CMP(a,b,c) leaves the fourth field of the structure undefined,
giving a missing-initializer error. All of our uses are
three-argument, so I'm overriding the default.
|
|
|
|
|
|
|
|
|
|
macro fails to compile..
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
