[tor-commits] [tor/master] added openat parameter filter
nickm at torproject.org
nickm at torproject.org
Fri Sep 13 16:31:55 UTC 2013
commit 8022def6f05bf40e1c6e0fd15d77ed0ecf5c3406
Author: Cristian Toader <cristian.matei.toader at gmail.com>
Date: Mon Jul 29 16:30:39 2013 +0300
added openat parameter filter
---
src/common/sandbox.c | 19 ++++++++++++++-----
src/common/sandbox.h | 4 +++-
src/common/util.c | 4 +++-
src/or/main.c | 2 ++
4 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 2e8467d..efadeca 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -117,7 +117,6 @@ static int filter_nopar_gen[] = {
SCMP_SYS(mprotect),
SCMP_SYS(mremap),
SCMP_SYS(munmap),
- SCMP_SYS(openat),
SCMP_SYS(poll),
SCMP_SYS(prctl),
SCMP_SYS(read),
@@ -158,7 +157,7 @@ static int filter_nopar_gen[] = {
};
const char*
-sandbox_intern_string(char *param)
+sandbox_intern_string(const char *param)
{
int i, filter_size;
sandbox_cfg_t *elem;
@@ -228,15 +227,25 @@ prot_strdup(char* str)
int
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
{
- sandbox_cfg_t *elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
+ sandbox_cfg_t *elem = NULL;
+ intptr_t prot_str = (intptr_t) prot_strdup((char*) file);
+ elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
elem->syscall = SCMP_SYS(open);
elem->pindex = 0;
elem->ptype = PARAM_PTR;
- elem->param = (intptr_t) prot_strdup((char*) file);
+ elem->param = prot_str;
elem->prot = 1;
+ elem->next = filter_dynamic;
+ filter_dynamic = elem;
- // fifo
+ // also allow openat
+ elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
+ elem->syscall = SCMP_SYS(openat);
+ elem->pindex = 1;
+ elem->ptype = PARAM_PTR;
+ elem->param = prot_str;
+ elem->prot = 1;
elem->next = filter_dynamic;
filter_dynamic = elem;
diff --git a/src/common/sandbox.h b/src/common/sandbox.h
index 9acf8c4..104d832 100644
--- a/src/common/sandbox.h
+++ b/src/common/sandbox.h
@@ -29,7 +29,9 @@
*/
#ifdef __linux__
+#ifndef __USE_GNU
#define __USE_GNU
+#endif
#include <sys/ucontext.h>
#define MAX_PARAM_LEN 64
@@ -80,7 +82,7 @@ typedef struct pfd_elem sandbox_cfg_t;
void sandbox_set_debugging_fd(int fd);
int tor_global_sandbox(void);
-const char* sandbox_intern_string(char *param);
+const char* sandbox_intern_string(const char *param);
sandbox_cfg_t * sandbox_cfg_new();
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file);
diff --git a/src/common/util.c b/src/common/util.c
index 651554e..75462b6 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -24,6 +24,7 @@
#include "torint.h"
#include "container.h"
#include "address.h"
+#include "../common/sandbox.h"
#ifdef _WIN32
#include <io.h>
@@ -3042,6 +3043,7 @@ smartlist_t *
tor_listdir(const char *dirname)
{
smartlist_t *result;
+ const char *prot_dname = sandbox_intern_string(dirname);
#ifdef _WIN32
char *pattern=NULL;
TCHAR tpattern[MAX_PATH] = {0};
@@ -3085,7 +3087,7 @@ tor_listdir(const char *dirname)
#else
DIR *d;
struct dirent *de;
- if (!(d = opendir(dirname)))
+ if (!(d = opendir(prot_dname)))
return NULL;
result = smartlist_new();
diff --git a/src/or/main.c b/src/or/main.c
index 269d3fd..d50f239 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2645,6 +2645,8 @@ sandbox_init_filter()
sandbox_cfg_t *cfg = sandbox_cfg_new();
sandbox_cfg_allow_open_filename(&cfg,
+ get_datadir_fname("cached-status"));
+ sandbox_cfg_allow_open_filename(&cfg,
get_datadir_fname("cached-certs"));
sandbox_cfg_allow_open_filename(&cfg,
get_datadir_fname("cached-consensus"));
More information about the tor-commits
mailing list