From: Nick Mathewson
Date: Fri, 28 Mar 2014 05:52:08 +0000 (-0400)
Subject: Fix some initial sandbox issues.
X-Git-Tag: tor-0.2.5.4-alpha~36^2~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae9d6d73f50f6205f0651a627d3bf7b0d99273f1;p=thirdparty%2Ftor.git
Fix some initial sandbox issues.
Allow files that weren't in the list; Allow the _sysctl syscall; allow accept4 with CLOEXEC and NONBLOCK.
---
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 0548f3edd4..299c6f20bd 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -124,6 +124,7 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(rename),
 SCMP_SYS(rt_sigreturn),
 SCMP_SYS(set_robust_list),
+ SCMP_SYS(_sysctl),
 #ifdef __NR_sigreturn
 SCMP_SYS(sigreturn),
 #endif
@@ -249,6 +250,11 @@ sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 if (rc) {
 return rc;
 }
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 1,
+ SCMP_CMP(3, SCMP_CMP_EQ, SOCK_CLOEXEC|SOCK_NONBLOCK));
+ if (rc) {
+ return rc;
+ }
 return 0;
 }
diff --git a/src/or/main.c b/src/or/main.c
index 0264064edc..16149544bf 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2732,8 +2732,11 @@ sandbox_init_filter(void)
 get_datadir_fname("cached-certs"), 1,
 get_datadir_fname("cached-certs.tmp"), 1,
 get_datadir_fname("cached-consensus"), 1,
+ get_datadir_fname("cached-consensus.tmp"), 1,
 get_datadir_fname("unverified-consensus"), 1,
 get_datadir_fname("unverified-consensus.tmp"), 1,
+ get_datadir_fname("unverified-microdesc-consensus"), 1,
+ get_datadir_fname("unverified-microdesc-consensus.tmp"), 1,
 get_datadir_fname("cached-microdesc-consensus"), 1,
 get_datadir_fname("cached-microdesc-consensus.tmp"), 1,
 get_datadir_fname("cached-microdescs"), 1,
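Review bot: The new `SCMP_SYS(_sysctl)` entry in `filter_nopar_gen` allows the syscall with no argument filter and no preprocessor guard, while the neighbouring `sigreturn` entry is wrapped in `#ifdef __NR_sigreturn`. `_sysctl` is a deprecated call that the kernel does not provide on every Linux architecture, so wrapping it the same way (`#ifdef __NR__sysctl`, `SCMP_SYS(_sysctl),`, `#endif`) would keep the list consistent and may avoid build trouble where the number is missing. Since the call can also change kernel parameters when the process holds the privilege, I would add a comment such as `/* _sysctl: required by <caller, TODO confirm>; allowed without argument checks */` so a later reviewer can judge whether an errno-returning rule could replace the blanket allow. The array continues outside the hunk.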
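Review bot: The added `accept4` rule in `sb_accept4` compares the flags argument with `SCMP_CMP_EQ`, so only the exact value `SOCK_CLOEXEC|SOCK_NONBLOCK` is permitted; a call that passes just one of the two flags would not match this rule. That strictness is a sensible choice for a sandbox, but nothing in the hunk states it. I would add above the call: `/* Arg 3 of accept4 is flags: allow only the exact CLOEXEC|NONBLOCK value. */`. The start of `sb_accept4`, including the earlier rule whose result is checked at the top of the hunk, lies outside the hunk, so whether that rule already covers other flag values cannot be judged from here.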
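Review bot: Every data-directory file in this allow-list has to be spelled out once per suffix variant (`.tmp`, `.new`, `.new.tmp`, `.tmp.tmp`), and both this hunk and the following one at `-2747,9 +2750,15` only add variants that had been missed. A hand-maintained list like this fails closed at runtime, so each omission shows up as the sandbox rejecting a legitimate file access rather than as a build error. I would add a comment above the list, for example `/* NOTE: list every suffix variant (.tmp, .new, ...) under which a datadir file can be opened. */`, and consider a small helper that registers a base name together with its variants. `sandbox_init_filter` begins and ends outside both hunks, so the call that receives these arguments is not visible here.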
@@ -2747,9 +2750,15 @@ sandbox_init_filter(void)
 get_datadir_fname("cached-descriptors.new.tmp"), 1,
 get_datadir_fname("cached-descriptors.tmp.tmp"), 1,
 get_datadir_fname("cached-extrainfo"), 1,
+ get_datadir_fname("cached-extrainfo.new"), 1,
+ get_datadir_fname("cached-extrainfo.tmp"), 1,
+ get_datadir_fname("cached-extrainfo.new.tmp"), 1,
+ get_datadir_fname("cached-extrainfo.tmp.tmp"), 1,
 get_datadir_fname("state.tmp"), 1,
 get_datadir_fname("unparseable-desc.tmp"), 1,
 get_datadir_fname("unparseable-desc"), 1,
+ get_datadir_fname("v3-status-votes"), 1,
+ get_datadir_fname("v3-status-votes.tmp"), 1,
 "/dev/srandom", 0,
 "/dev/urandom", 0,
 "/dev/random", 0,