[tor-commits] [tor/master] Let AF_UNIX connections through the sandbox
nickm at torproject.org
Mon Feb 23 17:59:33 UTC 2015
commit 21ac0cd2afb2275bfe89237c3aeb545fb7de537e
Author: Nick Mathewson <nickm at torproject.org>
Date: Mon Feb 23 12:33:58 2015 -0500
Let AF_UNIX connections through the sandbox
Fixes bug 15003; bugfix on 0.2.6.3-alpha.
---
changes/bug15003 | 3 +++
src/common/sandbox.c | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/changes/bug15003 b/changes/bug15003
new file mode 100644
index 0000000..2dcce74
--- /dev/null
+++ b/changes/bug15003
@@ -0,0 +1,3 @@
+ o Major bugfixes (linux seccomp2 sandbox):
+ - Allow AF_UNIX hidden services to be used with the seccomp2 sandbox.
+ Fixes bug 15003; bugfix on 0.2.6.3-alpha.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 57847e1..fe97af3 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -543,6 +543,11 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+ SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+ SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
+ SCMP_CMP(2, SCMP_CMP_EQ, 0));
+
+ rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
SCMP_CMP(2, SCMP_CMP_EQ, 0));
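Review bot: The result of the new PF_UNIX `seccomp_rule_add_3` call is never checked — `rc` is assigned on the first call and then immediately overwritten by the PF_NETLINK call on the added `rc = seccomp_rule_add_3(...)` line, so a libseccomp failure to install the AF_UNIX rule would be silently dropped and the sandbox would come up without it. The closing brace just above the hunk suggests the surrounding rules each check `rc` after they are added; the new rule should do the same, e.g. `if (rc) return rc;` (with whatever error log the neighbouring rules emit) placed on the blank added line between the two calls. A short comment such as `/* AF_UNIX hidden services: allow SOCK_STREAM with CLOEXEC/NONBLOCK, protocol 0 */` would also record why the second argument is masked rather than compared for equality. sb_socket begins before this hunk and continues after it.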