| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
On FreeBSD backtrace(3) uses size_t instead of int (as glibc does). This
causes integer precision loss errors when we used int to store its
results.
The issue is fixed by using size_t to store the results of backtrace(3).
The manual page of glibc does not mention that backtrace(3) returns
negative values. Therefore, no unsigned integer wrapping occurs when its
result is stored in an unsigned data type.
|
|
Implements feature #13696.
|
|
Patch from jamestk; fix on 0.2.5.1-alpha. Fixes 17347.
|
|
Patch from jamestk; fix on 0.2.5.1-alpha. Fixes 17347.
|
|
Allow pipe() and pipe2() syscalls; we need these when eventfd2()
support is missing. Fixes bug 16363; bugfix on 0.2.6.3-alpha. Patch
from "teor".
|
|
This includes correctly allowing renaming secret_id_key and allowing the
eventfd2 and futex syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha.
|
|
|
|
|
|
fixes bug 15088. patch from sanic.
|
|
Fixes bug 15003; bugfix on 0.2.6.3-alpha.
|
|
__libc_message() tries to open /dev/tty with O_RDWR, but the sandbox
catches that and calls it a crash. Instead, I'm making the sandbox
setenv LIBC_FATAL_STDERR_, so that glibc uses stderr instead.
Fix for 14759, bugfix on 0.2.5.1-alpha
|
|
|
|
Resolves bug 14050
|
|
|
|
When receiving a trasnsparently proxied request with tor using iptables tor
dies because the appropriate getsockopt calls aren't enabled on the sandbox.
This patch fixes this by adding the two getsockopt calls used when doing
transparent proxying with tor to the sandbox for the getsockopt policy.
This patch is released under the same license as the original file as
long as the author is credited.
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
|
|
Because in 95 years, we or our successors will surely care about
enforcing the BSD license terms on this code. Right?
|
|
|
|
Fixes bug 13295; bugfix on 0.2.5.3-alpha.
The alternative here is to call crypto_global_init() from tor-resolve,
but let's avoid linking openssl into tor-resolve for as long as we
can.
|
|
We're calling mallocfn() and reallocfn() in the HT_GENERATE macro
with the result of a product. But that makes any sane analyzer
worry about overflow.
This patch keeps HT_GENERATE having its old semantics, since we
aren't the only project using ht.h. Instead, define a HT_GENERATE2
that takes a reallocarrayfn.
|
|
This is related to the rest of 523587a5cf62119baa01822e2e783925726a790b
|
|
|
|
|
|
[CID 1205014]
|
|
This allows coverity to infer that we aren't leaking them.
[Fixes a lot of CIDs]
|
|
|
|
|
|
|
|
Fixes bug in b0c1c700114aa8d4dfc180d85870c5bbe15fcacb; bug
12229. Bugfix not in any released Tor. Patch from "alphawolf".
|
|
fixes bug 12139; bugfix on 0.2.5.1-alpha
|
|
Fix for 12115; bugfix on 0.2.5.1-alpha
|
|
(This is how I found out I was trying to test with a kernel too old
for seccomp. I think.)
|
|
This is a minimal set of changes for compilation; I need a more
recent kernel to test this stuff.
|
|
The old cache had problems:
* It needed to be manually preloaded. (It didn't remember any
address you didn't tell it to remember)
* It was AF_INET only.
* It looked at its cache even if the sandbox wasn't turned on.
* It couldn't remember errors.
* It had some memory management problems. (You can't use memcpy
to copy an addrinfo safely; it has pointers in.)
This patch fixes those issues, and moves to a hash table.
Fixes bug 11970; bugfix on 0.2.5.1-alpha.
|
|
These are needed under some circumstances if we are running with
expensive-hardening and sandbox at the same time.
fixes 11477, bugfix on 0.2.5.4-alpha (where we introduced
expensive-hardening)
|
|
None of the things we might exec() can possibly run under the
sanbox, so rather than crash later, we have to refuse to accept the
configuration nice and early.
The longer-term solution is to have an exec() helper, but wow is
that risky.
fixes 12043; bugfix on 0.2.5.1-alpha
|
|
|
|
Previously we said "Sandbox is not implemented on this platform" on
Linux boxes without libseccomp. Now we say that you need to build
Tor built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
|
|
|
|
|
|
OpenSSL needs this, or RAND_poll() will kill the process.
Also, refuse with EACCESS, not errno==-1 (!).
|
|
|
|
Older versions of Libevent are happy to open SOCK_DGRAM sockets
non-cloexec and non-nonblocking, and then set those flags
afterwards. It's nice to be able to allow a flag to be on or off in
the sandbox without having to enumerate all its values.
Also, permit PF_INET6 sockets. (D'oh!)
|
|
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization. But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we
were permitting sysctl unconditionally. That's not such a great
idea.
Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
|
|
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
|
|
(We were only checking the first parameter of each rename call.)
|
|
|
|
|
