From: Nick Mathewson Date: Mon, 14 Mar 2016 17:21:16 +0000 (-0400) Subject: Permit setrlimit, prlimit, prlimit64 calls. X-Git-Tag: tor-0.2.8.2-alpha~64^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=725e0c76e3df9d3ea4b861b3ff5279b23def4ef9;p=thirdparty%2Ftor.git Permit setrlimit, prlimit, prlimit64 calls. We call setrlimit under some circumstances, and it can call prlimit and prlimit64 under the hood. Fixes bug 15221. --- diff --git a/changes/bug15221 b/changes/bug15221 new file mode 100644 index 0000000000..ed72309857 --- /dev/null +++ b/changes/bug15221 @@ -0,0 +1,4 @@ + o Minor bugfixes (sandbox): + - Allow the setrlimit syscall, and the prlimit and prlimit64 syscalls, + which some libc implementations + use under the hood. Fixes bug 15221. Bugfix on 0.2.5.1-alpha. diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 950a92fbb3..bcbb3ce3fa 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -177,11 +177,20 @@ static int filter_nopar_gen[] = { SCMP_SYS(mmap), #endif SCMP_SYS(munmap), +#ifdef __NR_prlimit + SCMP_SYS(prlimit), +#endif +#ifdef __NR_prlimit64 + SCMP_SYS(prlimit64), +#endif SCMP_SYS(read), SCMP_SYS(rt_sigreturn), SCMP_SYS(sched_getaffinity), SCMP_SYS(sendmsg), SCMP_SYS(set_robust_list), +#ifdef __NR_setrlimit + SCMP_SYS(setrlimit), +#endif #ifdef __NR_sigreturn SCMP_SYS(sigreturn), #endif
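Review bot: In changes/bug15221 the entry breaks after "which some libc implementations" and then continues with "use under the hood." on the next line, leaving an uneven wrap in the middle of the sentence; reflow the text so the lines fill consistently before this is merged into the ChangeLog.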
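Review bot: In src/common/sandbox.c the three new entries are added to filter_nopar_gen, so setrlimit, prlimit and prlimit64 are allowed with any arguments. prlimit64 takes a target pid as its first argument, so an unconditional allow also covers calls aimed at other processes that the kernel would let this one adjust. Consider a parameter-filtered rule that matches only pid 0 (the calling process), and, if the callers only ever touch one resource, one that pins the resource argument as well. A short comment beside the new entries naming the code path that needs them would also help later audits of the allow-list, since the commit message says only "under some circumstances".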