[tor-commits] [tor/master] partial libevent open fix
nickm at torproject.org
nickm at torproject.org
Fri Sep 13 16:31:55 UTC 2013
commit e2a7b484f47b242eb8399751cb0fbe73e14ef0b8
Author: Cristian Toader <cristian.matei.toader at gmail.com>
Date: Wed Aug 14 23:03:38 2013 +0300
partial libevent open fix
---
src/common/sandbox.c | 18 ++++++------------
src/or/main.c | 14 +++++++++-----
2 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 0be4c52..6ff4296 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -9,6 +9,8 @@
* \brief Code to enable sandboxing.
**/
+#define _LARGEFILE64_SOURCE
+
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -32,10 +34,12 @@
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
+#include <sys/stat.h>
#include <sys/epoll.h>
#include <sys/prctl.h>
#include <linux/futex.h>
#include <bits/signum.h>
+#include <event2/event.h>
#include <stdarg.h>
#include <seccomp.h>
@@ -53,6 +57,7 @@ static sandbox_cfg_t *filter_dynamic = NULL;
static int filter_nopar_gen[] = {
SCMP_SYS(access),
SCMP_SYS(brk),
+ SCMP_SYS(clock_gettime),
SCMP_SYS(close),
SCMP_SYS(clone),
SCMP_SYS(epoll_create),
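Review bot: Adding `SCMP_SYS(clock_gettime)` to `filter_nopar_gen` allows the syscall with any clock id, whereas the `sb_clock_gettime` rule removed later in this file only allowed `CLOCK_MONOTONIC`. Neither the commit message nor the code explains the widening; presumably libevent or libc requests another clock. I would add a comment on the new entry, for example `// no argument filter: libevent asks for clock ids other than CLOCK_MONOTONIC`, naming the actual caller once confirmed, so a later audit of the allowlist can tell the relaxation was deliberate. The array continues outside the hunk.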
@@ -105,9 +110,6 @@ static int filter_nopar_gen[] = {
SCMP_SYS(madvise),
// getaddrinfo uses this..
SCMP_SYS(stat64),
- // Not needed..
-// SCMP_SYS(set_thread_area),
-// SCMP_SYS(set_tid_address),
// socket syscalls
SCMP_SYS(bind),
@@ -263,7 +265,7 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
// todo remove when libevent fix
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
- SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY));
+ SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_LARGEFILE|O_CLOEXEC));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
"error %d", rc);
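Review bot: The rule on the changed line has no filename comparison, so it allows `open` on any path whenever the flags word is exactly `O_RDONLY|O_LARGEFILE|O_CLOEXEC`, which bypasses the per-file allowlist for read-only opens (the rest of `sb_open` is outside the hunk). `SCMP_CMP_EQ` is an exact match on the argument and the value of `O_LARGEFILE` depends on the target ABI, so the rule may match different calls on 32-bit and 64-bit builds. The existing `// todo remove when libevent fix` comment should spell this out, for instance `// TODO: path-independent read-only open kept only for libevent; remove once its file is on the filename allowlist`, if libevent is indeed the only caller that needs it.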
@@ -305,13 +307,6 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return 0;
}
-static int
-sb_clock_gettime(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
-{
- return seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 1,
- SCMP_CMP(0, SCMP_CMP_EQ, CLOCK_MONOTONIC));
-}
-
// TODO: param not working
static int
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
@@ -574,7 +569,6 @@ static sandbox_filter_func_t filter_func[] = {
sb_mmap2,
sb_open,
sb_openat,
- sb_clock_gettime,
sb_fcntl64,
sb_epoll_ctl,
sb_prctl,
diff --git a/src/or/main.c b/src/or/main.c
index a2fbe5f..9d0719c 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2647,7 +2647,7 @@ sandbox_init_filter()
sandbox_cfg_allow_openat_filename(&cfg,
get_datadir_fname("cached-status"), 1);
- sandbox_cfg_allow_open_filename_array(&cfg, 22,
+ sandbox_cfg_allow_open_filename_array(&cfg, 23,
get_datadir_fname("cached-certs"), 1,
get_datadir_fname("cached-certs.tmp"), 1,
get_datadir_fname("cached-consensus"), 1,
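Review bot: The pair count passed to `sandbox_cfg_allow_open_filename_array` is a hand-maintained literal (22 to 23 here, 13 to 12 in the server-mode call further down), and the full argument lists are not visible in these hunks, so the new values cannot be checked from the diff. If the callee walks its varargs by that count, a count larger than the real number of pairs reads past the arguments, and a smaller one silently drops an allowlist entry. A short comment such as `/* count = number of (filename, flag) pairs below */` at each call, or a terminating sentinel handled by the callee, would make the next edit to these lists safer.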
@@ -2669,7 +2669,8 @@ sandbox_init_filter()
get_datadir_fname("unparseable-desc.tmp"), 1,
get_datadir_fname("unparseable-desc"), 1,
"/dev/srandom", 0,
- "/dev/urandom", 0
+ "/dev/urandom", 0,
+ "/dev/random", 0
);
sandbox_cfg_allow_stat64_filename_array(&cfg, 5,
@@ -2682,7 +2683,7 @@ sandbox_init_filter()
// orport
if (server_mode(get_options())) {
- sandbox_cfg_allow_open_filename_array(&cfg, 13,
+ sandbox_cfg_allow_open_filename_array(&cfg, 12,
get_datadir_fname2("keys", "secret_id_key"), 1,
get_datadir_fname2("keys", "secret_onion_key"), 1,
get_datadir_fname2("keys", "secret_onion_key_ntor"), 1,
@@ -2694,8 +2695,7 @@ sandbox_init_filter()
get_datadir_fname("fingerprint"), 1,
get_datadir_fname("cached-consensus"), 1,
get_datadir_fname("cached-consensus.tmp"), 1,
- "/etc/resolv.conf", 0,
- "/dev/random", 0
+ "/etc/resolv.conf", 0
);
sandbox_cfg_allow_stat64_filename_array(&cfg, 2,
@@ -2783,6 +2783,10 @@ tor_main(int argc, char *argv[])
log_err(LD_BUG,"Failed to create syscall sandbox filter");
return -1;
}
+
+ // registering libevent rng
+ evutil_secure_rng_set_urandom_device_file(
+ (char*) sandbox_intern_string("/dev/random"));
}
switch (get_options()->command) {
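Review bot: The seed file handed to libevent is `/dev/random`, although the setter is named for the urandom device and `/dev/urandom` is already on the open allowlist in `sandbox_init_filter`; on kernels where `/dev/random` blocks while the entropy estimate is low, seeding could stall, so the choice deserves a comment or a switch to `sandbox_intern_string("/dev/urandom")`. The `(char*)` cast suggests `sandbox_intern_string` returns a const pointer, and its result is passed on without a check; what it returns for a string that was never registered is not visible here. The return value of `evutil_secure_rng_set_urandom_device_file` is also ignored, and as far as I know the function exists only in libevent 2.1 and later, so the call probably needs a version or configure guard. The enclosing block in `tor_main` starts outside the hunk.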