path: root/src/common/sandbox.h
Age         Commit message  (Author)
2018-06-27  Move sandbox code into a new library.  (Nick Mathewson)
2018-06-27  Move network code to libtor-net.  (Nick Mathewson)
    There are some additional changes to come: those points are marked by XXXX.
2018-06-21  Rectify include paths (automated)  (Nick Mathewson)
2018-06-20  Run rectify_include_paths.py  (Nick Mathewson)
2018-06-20  Update copyrights to 2018.  (Nick Mathewson)
2017-09-15  Run our #else/#endif annotator on our source code.  (Nick Mathewson)
2017-08-09  Remove the #if 0ed code that was supposed to let the sandbox allow exec  (Nick Mathewson)
2017-03-15  Run the copyright update script.  (Nick Mathewson)
2016-06-17  Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS  (cypherpunks)
    The Autoconf macro AC_USE_SYSTEM_EXTENSIONS defines preprocessor macros which turn on extensions to C and POSIX. The macro also makes it easier for developers to use the extensions without needing (or forgetting) to define them manually. The macro can be safely used because it was introduced in Autoconf 2.60 and Tor requires Autoconf 2.63 and above.
2016-03-26  Do not treat "DOCDOC" as doxygen.  (Nick Mathewson)
2016-03-14  Make unix sockets work with the linux seccomp2 sandbox again  (Nick Mathewson)
    I didn't want to grant blanket permissions for chmod() and chown(), so here's what I had to do:
    * Grant open() on all parent directories of a unix socket
    * Write code to allow chmod() and chown() on a given file only.
    * Grant chmod() and chown() on the unix socket.
2016-02-27  Update the copyright year.  (Nick Mathewson)
2015-10-15  Fix compilation of sandbox.[ch] under musl-libc  (Nick Mathewson)
    Patch from jamestk; fix on 0.2.5.1-alpha. Fixes 17347.
2015-01-02  Bump copyright dates to 2015, in case someday this matters.  (Nick Mathewson)
2014-12-30  Fix a memory leak in tor-resolve  (Nick Mathewson)
    Resolves bug 14050
2014-10-28  Add another year to our copyright dates.  (Nick Mathewson)
    Because in 95 years, we or our successors will surely care about enforcing the BSD license terms on this code. Right?
2014-09-29  Merge remote-tracking branch 'origin/maint-0.2.5'  (Nick Mathewson)
2014-09-29  Don't use the getaddrinfo sandbox cache from tor-resolve  (Nick Mathewson)
    Fixes bug 13295; bugfix on 0.2.5.3-alpha. The alternative here is to call crypto_global_init() from tor-resolve, but let's avoid linking openssl into tor-resolve for as long as we can.
2014-08-24  Terser ways to sandbox-allow related filenames  (Nick Mathewson)
    Using the *_array() functions here confused coverity, and was actually a bit longer than we needed. Now we just use macros for the repeated bits, so that we can mention a file and a suffix-appended version in one line.
2014-08-21  Store sandbox params as char *, since that's what they are.  (Nick Mathewson)
    This allows coverity to infer that we aren't leaking them. [Fixes a lot of CIDs]
2014-06-11  Merge remote-tracking branch 'public/bug11970'  (Nick Mathewson)
2014-05-27  Make sandbox.c compile on arm  (Nick Mathewson)
    This is a minimal set of changes for compilation; I need a more recent kernel to test this stuff.
2014-05-22  sandbox: revamp sandbox_getaddrinfo cacheing  (Nick Mathewson)
    The old cache had problems:
    * It needed to be manually preloaded. (It didn't remember any address you didn't tell it to remember)
    * It was AF_INET only.
    * It looked at its cache even if the sandbox wasn't turned on.
    * It couldn't remember errors.
    * It had some memory management problems. (You can't use memcpy to copy an addrinfo safely; it has pointers in.)
    This patch fixes those issues, and moves to a hash table. Fixes bug 11970; bugfix on 0.2.5.1-alpha.
2014-05-20  sandbox: Disallow options which would make us call exec()  (Nick Mathewson)
    None of the things we might exec() can possibly run under the sandbox, so rather than crash later, we have to refuse to accept the configuration nice and early. The longer-term solution is to have an exec() helper, but wow is that risky. fixes 12043; bugfix on 0.2.5.1-alpha
2014-04-16  Don't allow change to ConnLimit while sandbox is active  (Nick Mathewson)
2014-04-16  Clean up sandbox structures a bit  (Nick Mathewson)
    Drop pindex, pindex2 as unused. Admit a type to avoid using a void*
2014-04-16  Drop 'fr' parameter from sandbox code.  (Nick Mathewson)
    Apparently, the majority of the filenames we pass to sandbox_cfg_allow() functions are "freeable right after". So, consider _all_ of them safe-to-steal, and add a tor_strdup() in the few cases that aren't. (Maybe buggy; revise when I can test.)
2014-04-16  Add 'rename' to the sandboxed syscalls  (Nick Mathewson)
    (If we don't restrict rename, there's not much point in restricting open, since an attacker could always use rename to make us open whatever they want.)
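The three commits above (storing sandbox params as char *, treating filenames as safe-to-steal, and filtering rename) share one mechanism worth seeing concretely: a seccomp-bpf filter cannot read the bytes a syscall argument points to, so Tor's sandbox.c allows open()/rename() on a filename by comparing the pointer value passed to the kernel against the address of a string it registered earlier. The program below is an added example, not Tor's code: it builds a classic-BPF filter that allows rename(2) only when args[0] equals the address of one registered string, then evaluates it with a small interpreter against constructed seccomp_data records, so the decision can be checked without installing anything. Assumed for the demo: a little-endian host, the x86_64 syscall number for rename (82), and the sample path "/var/lib/tor/state".

```c
/* Added example (not Tor code): seccomp-bpf filters a filename argument by the
 * POINTER handed to the syscall, never by the bytes it points to. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal copies of the Linux ABI structs/constants so no kernel headers are needed. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int32_t nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define BPF_LD_W_ABS             0x20u   /* A = *(u32 *)((char *)data + k)    */
#define BPF_JEQ_K                0x15u   /* pc += 1 + (A == k ? jt : jf)      */
#define BPF_RET_K                0x06u   /* return k                          */
#define SECCOMP_RET_KILL_PROCESS 0x80000000u
#define SECCOMP_RET_ERRNO        0x00050000u
#define SECCOMP_RET_ALLOW        0x7fff0000u
#define DEMO_SYS_rename 82               /* assumption: x86_64 syscall number */
#define STMT(c, k)        { (uint16_t)(c), 0, 0, (uint32_t)(k) }
#define JUMP(c, k, t, f)  { (uint16_t)(c), (uint8_t)(t), (uint8_t)(f), (uint32_t)(k) }
#define RENAME_FILTER_LEN 8

/* nr != rename -> ALLOW; args[0] == path (both 32-bit halves) -> ALLOW; else EPERM. */
static size_t build_rename_filter(struct sock_filter *out, const char *path) {
  uint64_t p = (uint64_t)(uintptr_t)path;
  uint32_t arg0 = (uint32_t)offsetof(struct seccomp_data, args);
  struct sock_filter prog[RENAME_FILTER_LEN] = {
    STMT(BPF_LD_W_ABS, offsetof(struct seccomp_data, nr)),
    JUMP(BPF_JEQ_K, DEMO_SYS_rename, 0, 4),      /* not rename: jump to ALLOW (idx 6) */
    STMT(BPF_LD_W_ABS, arg0),                    /* low 32 bits of args[0] (LE host)  */
    JUMP(BPF_JEQ_K, (uint32_t)p, 0, 3),          /* mismatch: jump to EPERM (idx 7)   */
    STMT(BPF_LD_W_ABS, arg0 + 4),                /* high 32 bits of args[0]           */
    JUMP(BPF_JEQ_K, (uint32_t)(p >> 32), 0, 1),  /* mismatch: jump to EPERM (idx 7)   */
    STMT(BPF_RET_K, SECCOMP_RET_ALLOW),
    STMT(BPF_RET_K, SECCOMP_RET_ERRNO | EPERM),
  };
  memcpy(out, prog, sizeof prog);
  return RENAME_FILTER_LEN;
}

/* Classic-BPF interpreter for the three opcodes used above; anything else kills. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *d) {
  uint32_t acc = 0;
  size_t pc = 0;
  while (pc < len) {
    const struct sock_filter *in = &prog[pc];
    if (in->code == BPF_LD_W_ABS) {
      if (in->k + sizeof acc > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
      memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
      pc++;
    } else if (in->code == BPF_JEQ_K) {
      pc += 1 + (acc == in->k ? in->jt : in->jf);
    } else if (in->code == BPF_RET_K) {
      return in->k;
    } else {
      return SECCOMP_RET_KILL_PROCESS;
    }
  }
  return SECCOMP_RET_KILL_PROCESS;  /* fell off the end; the kernel rejects such programs */
}

/* What the filter built for `registered` does to syscall `nr` with args[0] = `attempt`. */
static uint32_t decide(const char *registered, int nr, const char *attempt) {
  struct sock_filter prog[RENAME_FILTER_LEN];
  struct seccomp_data d;
  size_t n = build_rename_filter(prog, registered);
  memset(&d, 0, sizeof d);
  d.nr = nr;
  d.args[0] = (uint64_t)(uintptr_t)attempt;
  return run_filter(prog, n, &d);
}

static const char registered_path[] = "/var/lib/tor/state";  /* constructed sample name */

/* The exact pointer that was registered: allowed. */
int rename_same_pointer_allowed(void) {
  return decide(registered_path, DEMO_SYS_rename, registered_path) == SECCOMP_RET_ALLOW;
}
/* Same bytes at a different address: denied, and the errno the kernel would return. */
int rename_equal_copy_allowed(void) {
  char copy[sizeof registered_path];
  memcpy(copy, registered_path, sizeof copy);
  return decide(registered_path, DEMO_SYS_rename, copy) == SECCOMP_RET_ALLOW;
}
int rename_equal_copy_errno(void) {
  char copy[sizeof registered_path];
  memcpy(copy, registered_path, sizeof copy);
  return (int)(decide(registered_path, DEMO_SYS_rename, copy) & 0xffffu);
}
/* This demo filter only gates rename; any other nr passes through. */
int other_syscall_allowed(void) {
  return decide(registered_path, 1, "/etc/passwd") == SECCOMP_RET_ALLOW;
}

int main(void) {
  printf("rename(registered ptr): %s\n", rename_same_pointer_allowed() ? "allow" : "deny");
  printf("rename(equal copy):     %s (errno %d)\n",
         rename_equal_copy_allowed() ? "allow" : "deny", rename_equal_copy_errno());
  printf("other syscall:          %s\n", other_syscall_allowed() ? "allow" : "deny");
  return 0;
}
```

The copy case is the whole point of the "safe-to-steal" commit: the kernel compares addresses, so the sandbox has to own every registered string for the life of the process. A string freed after the filter is installed stops matching, and whatever allocation later lands at that address would match instead. It is also why rename must be filtered alongside open: the filter vouches for a pointer, not for what the path on disk currently refers to.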
2013-11-18  Merge branch 'backtrace_squashed'  (Nick Mathewson)
    Conflicts:
        src/common/sandbox.c
        src/common/sandbox.h
        src/common/util.c
        src/or/main.c
        src/test/include.am
        src/test/test.c
2013-11-18  Add a sighandler-safe logging mechanism  (Nick Mathewson)
    We had accidentally grown two fake ones: one for backtrace.c, and one for sandbox.c. Let's do this properly instead. Now, when we configure logs, we keep track of fds that should get told about bad stuff happening from signal handlers. There's another entry point for these that avoids using non-signal-handler-safe functions.
2013-09-11  Fix osx compilation again, hopefully better this time.  (Nick Mathewson)
2013-09-10  fixed compilation error on i386 linux by moving sandbox_cfg_t definition  (Cristian Toader)
2013-09-09  Fix check-spaces  (Nick Mathewson)
2013-09-09  Fix compilation on OSX  (Nick Mathewson)
2013-09-09  Fix most of the --enable-gcc-warnings warnings in the sandbox code  (Nick Mathewson)
2013-09-09  Basic compilation fixes.  (Nick Mathewson)
2013-09-06  passing hints as a const pointer to sandbox_getaddrinfo(), also one tor_free macro fails to compile..  (Cristian Toader)
2013-09-03  fixed bug where sandbox_getaddrinfo() would fail when -Sandbox is 0  (Cristian Toader)
2013-09-02  switched to a more generic way of handling the sandbox configuration  (Cristian Toader)
2013-09-02  changed how sb getaddrinfo works such that it supports storing multiple results  (Cristian Toader)
2013-08-29  documentation update for _array functions  (Cristian Toader)
2013-08-29  _array filter functions now rely on final NULL parameter  (Cristian Toader)
2013-08-29  replaced boolean char with int  (Cristian Toader)
2013-08-29  small fixes in documentation and sandbox_getaddrinfo()  (Cristian Toader)
2013-08-28  Added doxygen struct doc and replaced func() with func(void)  (Cristian Toader)
2013-08-28  removed PARAM_LEN  (Cristian Toader)
2013-08-19  fix for getaddrinfo open syscall  (Cristian Toader)
2013-08-15  added comments for sandbox.h  (Cristian Toader)
2013-08-12  attempt to add stat64 filename filters; failed due to getaddrinfo..  (Cristian Toader)
2013-08-10  fixed memory leak, added array filter support  (Cristian Toader)