Store sandbox params as char *, since that's what they are.

author Nick Mathewson <nickm@torproject.org>

Thu, 21 Aug 2014 15:20:29 +0000 (11:20 -0400)

committer Nick Mathewson <nickm@torproject.org>

Thu, 21 Aug 2014 15:22:42 +0000 (11:22 -0400)
author Nick Mathewson <nickm@torproject.org>
Thu, 21 Aug 2014 15:20:29 +0000 (11:20 -0400)
committer Nick Mathewson <nickm@torproject.org>
Thu, 21 Aug 2014 15:22:42 +0000 (11:22 -0400)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c

index 05b91be7bedbdf8568a3733a3cfa5419c62467cd..86dc56c5aa0336aebb73cea6bdb16d5c3f369650 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -98,6 +98,8 @@ static sandbox_cfg_t *filter_dynamic = NULL;
  
  #undef SCMP_CMP
  #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
+#define SCMP_CMP_STR(a,b,c) \
+  ((struct scmp_arg_cmp){(a),(b),(intptr_t)(void*)(c),0})
  #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
  /* We use a wrapper here because these masked comparisons seem to be pretty
   * verbose. Also, it's important to cast to scmp_datum_t before negating the
@@ -252,7 +254,7 @@ sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
      if (param != NULL && param->prot == 1 && param->syscall
          == SCMP_SYS(execve)) {
        rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
-          SCMP_CMP(0, SCMP_CMP_EQ, param->value));
+               SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
        if (rc != 0) {
          log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
              "libseccomp error %d", rc);
@@ -389,7 +391,7 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
      if (param != NULL && param->prot == 1 && param->syscall
          == SCMP_SYS(open)) {
        rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
-            SCMP_CMP(0, SCMP_CMP_EQ, param->value));
+            SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
        if (rc != 0) {
          log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
              "libseccomp error %d", rc);
@@ -444,8 +446,8 @@ sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
          param->syscall == SCMP_SYS(rename)) {
  
        rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
-            SCMP_CMP(0, SCMP_CMP_EQ, param->value),
-            SCMP_CMP(1, SCMP_CMP_EQ, param->value2));
+            SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value),
+            SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value2));
        if (rc != 0) {
          log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
              "libseccomp error %d", rc);
@@ -475,7 +477,7 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
          == SCMP_SYS(openat)) {
        rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
            SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
-          SCMP_CMP(1, SCMP_CMP_EQ, param->value),
+          SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
            SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
                O_CLOEXEC));
        if (rc != 0) {
@@ -884,7 +886,7 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
      if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
          || param->syscall == SCMP_SYS(stat64))) {
        rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
-          SCMP_CMP(0, SCMP_CMP_EQ, param->value));
+          SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
        if (rc != 0) {
          log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
              "libseccomp  error %d", rc);
@@ -967,7 +969,7 @@ static int
  prot_strings_helper(strmap_t *locations,
                      char **pr_mem_next_p,
                      size_t *pr_mem_left_p,
-                    intptr_t *value_p)
+                    char **value_p)
  {
    char *param_val;
    size_t param_size;
@@ -983,7 +985,7 @@ prot_strings_helper(strmap_t *locations,
    if (location) {
      // We already interned this string.
      tor_free(param_val);
-    *value_p = (intptr_t) location;
+    *value_p = location;
      return 0;
    } else if (*pr_mem_left_p >= param_size) {
      // copy to protected
@@ -992,7 +994,7 @@ prot_strings_helper(strmap_t *locations,
  
      // re-point el parameter to protected
      tor_free(param_val);
-    *value_p = (intptr_t) location;
+    *value_p = location;
  
      strmap_set(locations, location, location); /* good real estate advice */
  
@@ -1126,7 +1128,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
   * point.
   */
  static sandbox_cfg_t*
-new_element2(int syscall, intptr_t value, intptr_t value2)
+new_element2(int syscall, char *value, char *value2)
  {
    smp_param_t *param = NULL;
  
@@ -1142,9 +1144,9 @@ new_element2(int syscall, intptr_t value, intptr_t value2)
  }
  
  static sandbox_cfg_t*
-new_element(int syscall, intptr_t value)
+new_element(int syscall, char *value)
  {
-  return new_element2(syscall, value, 0);
+  return new_element2(syscall, value, NULL);
  }
  
  #ifdef __NR_stat64
@@ -1158,7 +1160,7 @@ sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
  {
    sandbox_cfg_t *elem = NULL;
  
-  elem = new_element(SCMP_stat, (intptr_t)(void*) file);
+  elem = new_element(SCMP_stat, file);
    if (!elem) {
      log_err(LD_BUG,"(Sandbox) failed to register parameter!");
      return -1;
@@ -1197,7 +1199,7 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
  {
    sandbox_cfg_t *elem = NULL;
  
-  elem = new_element(SCMP_SYS(open), (intptr_t)(void *) file);
+  elem = new_element(SCMP_SYS(open), file);
    if (!elem) {
      log_err(LD_BUG,"(Sandbox) failed to register parameter!");
      return -1;
@@ -1214,9 +1216,7 @@ sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
  {
    sandbox_cfg_t *elem = NULL;
  
-  elem = new_element2(SCMP_SYS(rename),
-                      (intptr_t)(void *) file1,
-                      (intptr_t)(void *) file2);
+  elem = new_element2(SCMP_SYS(rename), file1, file2);
  
    if (!elem) {
      log_err(LD_BUG,"(Sandbox) failed to register parameter!");
@@ -1256,7 +1256,7 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
  {
    sandbox_cfg_t *elem = NULL;
  
-  elem = new_element(SCMP_SYS(openat), (intptr_t)(void *) file);
+  elem = new_element(SCMP_SYS(openat), file);
    if (!elem) {
      log_err(LD_BUG,"(Sandbox) failed to register parameter!");
      return -1;
@@ -1296,7 +1296,7 @@ sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
  {
    sandbox_cfg_t *elem = NULL;
  
-  elem = new_element(SCMP_SYS(execve), (intptr_t)(void *) com);
+  elem = new_element(SCMP_SYS(execve), com);
    if (!elem) {
      log_err(LD_BUG,"(Sandbox) failed to register parameter!");
      return -1;
diff --git a/src/common/sandbox.h b/src/common/sandbox.h

index 20d5d5080c18f417aaf1a5eefee980271dcd01a2..b4bb2947501082d71bbbcdb67c27d0f9c67e4ccf 100644 (file)
--- a/src/common/sandbox.h
+++ b/src/common/sandbox.h
@@ -66,9 +66,9 @@ typedef struct smp_param {
    int syscall;
  
    /** parameter value. */
-  intptr_t value;
+  char *value;
    /** parameter value, second argument. */
-  intptr_t value2;
+  char *value2;
  
    /**  parameter flag (0 = not protected, 1 = protected). */
    int prot;
author	Nick Mathewson <nickm@torproject.org>
	Thu, 21 Aug 2014 15:20:29 +0000 (11:20 -0400)
committer	Nick Mathewson <nickm@torproject.org>
	Thu, 21 Aug 2014 15:22:42 +0000 (11:22 -0400)
src/common/sandbox.c		patch \| blob \| blame \| history
src/common/sandbox.h		patch \| blob \| blame \| history