| Age | Commit message (Collapse) | Author |
|---|
|
Fix for 12064 part 1
|
|
|
|
|
|
Fixes bug 12032; bugfix on 0.2.5.1-alpha
|
|
Also, don't tolerate changing DirPortFrontPage.
Fixes bug 12028; bugfix on 0.2.5.1-alpha.
|
|
This prevents a crash when rotating logs with dirreq-stats enabled
fixes 12035; bugfix on 0.2.5.1-alpha.
|
|
|
|
Fix for 12041; bugfix on 0.2.5.1-alpha.
|
|
We'll use these to deal with being unable to access the user DB
after we install the sandbox, to fix bug 11946.
|
|
|
|
On OpenBSD 5.4, time_t is a 32-bit integer. These instances contain
implicit treatment of long and time_t as comparable types, so explicitly
cast to time_t.
|
|
This was crashing on --verify-config in the debian startup script, if you
had sandboxing enabled. Fixes 11609; fix on 0.2.5.1-alpha.
|
|
Conflicts:
src/or/main.c
|
|
|
|
|
|
|
|
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization. But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we
were permitting sysctl unconditionally. That's not such a great
idea.
Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
|
|
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.
(Maybe buggy; revise when I can test.)
|
|
|
|
(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
|
|
Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
|
|
A new set of unit test cases are provided, as well as introducing
an alternative paradigm and macros to support it. Primarily, each test
case is given its own namespace, in order to isolate tests from each
other. We do this by in the usual fashion, by appending module and
submodule names to our symbols. New macros assist by reducing friction
for this and other tasks, like overriding a function in the global
namespace with one in the current namespace, or declaring integer
variables to assist tracking how many times a mock has been called.
A set of tests for a small-scale module has been included in this
commit, in order to highlight how the paradigm can be used. This
suite gives 100% coverage to status.c in test execution.
|
|
Resolves ticket 5286.
|
|
When we successfully create a usable circuit after it previously
timed out for a certain amount of time, we should make sure that
our public IP address hasn't changed and update our descriptor.
|
|
|
|
|
|
Most of these are simple. The only nontrivial part is that our
pattern for using ENUM_BF was confusing doxygen by making declarations
that didn't look like declarations.
|
|
Conflicts:
src/or/router.c
src/test/test_dir.c
|
|
Implements #10884.
|
|
Back in 5e762e6a5c0e6729bb7dbb586af2690c087d9ba8, non-exit servers
stopped launching DNS requests for users. So there's no need for them
to see if their DNS answers are hijacked.
Patch from Matt Pagan. I think this is a 965 fix.
|
|
|
|
|
|
It's increasingly apparent that we want to make sure we initialize our
PRNG nice and early, or else OpenSSL will do it for us. (OpenSSL
doesn't do _too_ bad a job, but it's nice to do it ourselves.)
We'll also need this for making sure we initialize the siphash key
before we do any hashes.
|
|
The remaining vestige is that we continue to publish the V2dir flag,
and that, for the controller, we continue to emit v2 directory
formats when requested.
|
|
|
|
Fix for 10485. Fix on 0.2.4.17-alpha.
|
|
Conflicts:
src/common/sandbox.c
src/common/sandbox.h
src/common/util.c
src/or/main.c
src/test/include.am
src/test/test.c
|
|
We had accidentially grown two fake ones: one for backtrace.c, and one
for sandbox.c. Let's do this properly instead.
Now, when we configure logs, we keep track of fds that should get told
about bad stuff happening from signal handlers. There's another entry
point for these that avoids using non-signal-handler-safe functions.
|
|
On platforms with the backtrace/backtrace_symbols_fd interface, Tor
can now dump stack traces on assertion failure. By default, I log
them to DataDir/stack_dump and to stderr.
|
|
Conflicts:
doc/tor.1.txt
src/or/config.c
src/or/connection.h
src/or/control.c
src/or/control.h
src/or/or.h
src/or/relay.c
src/or/relay.h
src/test/test.c
|
|
Fixes other case of #9578
|
|
Conflicts:
src/or/config.c
src/or/main.c
|
|
|
|
|
|
And have these various commandline options imply "hush", not "quiet",
since we like to see warnings.
|
|
These were previously allowed only in the initial position:
--help, -h , --version, --digests, --list-torrc-options
|
|
Fix for bug 9578.
|
|
Conflicts:
src/common/sandbox.c
|
|
|
|
|
