From: Nick Mathewson <nickm@torproject.org>
Date: Fri, 23 May 2014 00:39:10 +0000 (-0400)
Subject: sandbox: allow reading of hidden service configuration files.
X-Git-Tag: tor-0.2.5.5-alpha~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfd0ee514c279bc6c7b7c299e001693a5aeb1f5f;p=thirdparty%2Ftor.git

sandbox: allow reading of hidden service configuration files.

fixes part of 12064
---

diff --git a/changes/bug12064_part2 b/changes/bug12064_part2
new file mode 100644
index 0000000000..4fa86a641c
--- /dev/null
+++ b/changes/bug12064_part2
@@ -0,0 +1,5 @@
+  o Minor bugfixes (seccomp sandbox):
+    - Avoid warnings when running with sandboxing enabled at the same
+      time as cookie authentication, hidden services or directory
+      authority voting.  Fixes part of 12064; bugfix on 0.2.5.1-alpha.
+
diff --git a/src/or/main.c b/src/or/main.c
index ba462dcc49..1c855d5279 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2829,13 +2829,14 @@ sandbox_init_filter(void)
   );
 
   {
-    smartlist_t *logfiles = smartlist_new();
-    tor_log_get_logfile_names(logfiles);
-    SMARTLIST_FOREACH(logfiles, char *, logfile_name, {
+    smartlist_t *files = smartlist_new();
+    tor_log_get_logfile_names(files);
+    rend_services_add_filenames_to_list(files);
+    SMARTLIST_FOREACH(files, char *, file_name, {
       /* steals reference */
-      sandbox_cfg_allow_open_filename(&cfg, logfile_name);
+      sandbox_cfg_allow_open_filename(&cfg, file_name);
     });
-    smartlist_free(logfiles);
+    smartlist_free(files);
   }
 
   {
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 5a81d07856..631e2a0f2e 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -656,6 +656,31 @@ rend_service_load_all_keys(void)
   return 0;
 }
 
+/** Add to <b>lst</b> every filename used by <b>s</b>. */
+static void
+rend_service_add_filenames_to_list(smartlist_t *lst, const rend_service_t *s)
+{
+  tor_assert(lst);
+  tor_assert(s);
+  smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"private_key",
+                         s->directory);
+  smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"hostname",
+                         s->directory);
+  smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"client_keys",
+                         s->directory);
+}
+
+/** Add to <b>lst</b> every filename used by a configured hidden service */
+void
+rend_services_add_filenames_to_list(smartlist_t *lst)
+{
+  if (!rend_service_list)
+    return;
+  SMARTLIST_FOREACH_BEGIN(rend_service_list, rend_service_t *, s) {
+    rend_service_add_filenames_to_list(lst, s);
+  } SMARTLIST_FOREACH_END(s);
+}
+
 /** Load and/or generate private keys for the hidden service <b>s</b>,
  * possibly including keys for client authorization.  Return 0 on success, -1
  * on failure. */
diff --git a/src/or/rendservice.h b/src/or/rendservice.h
index 4a810eb521..e8a953665b 100644
--- a/src/or/rendservice.h
+++ b/src/or/rendservice.h
@@ -71,6 +71,7 @@ struct rend_intro_cell_s {
 int num_rend_services(void);
 int rend_config_services(const or_options_t *options, int validate_only);
 int rend_service_load_all_keys(void);
+void rend_services_add_filenames_to_list(smartlist_t *lst);
 void rend_services_introduce(void);
 void rend_consider_services_upload(time_t now);
 void rend_hsdir_routers_changed(void);