Don't allow change to ConnLimit while sandbox is active
authorNick Mathewson <nickm@torproject.org>
Wed, 16 Apr 2014 20:05:10 +0000 (16:05 -0400)
committerNick Mathewson <nickm@torproject.org>
Thu, 17 Apr 2014 02:03:18 +0000 (22:03 -0400)
src/common/sandbox.c
src/common/sandbox.h
src/or/config.c

index 5f9d625ef366f905fbcd4d0e2a314ff21c18b451..0722751745313f1c8b5cf30811bdf48587e7cd81 100644 (file)
@@ -1576,6 +1576,11 @@ initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
   return 0;
 }
 
+int
+sandbox_is_active(void)
+{
+  return sandbox_active != 0;
+}
 #endif // USE_LIBSECCOMP
 
 sandbox_cfg_t*
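Review bot: `sandbox_is_active()` is added here with no comment on the definition, and the same applies to the stub in the next hunk that always returns 0. Callers treat the result as a gate for whether process limits may still be changed, so the definition should say what "active" means, e.g. `/** Return true iff sandbox_active has been set, i.e. the seccomp filter has been installed. */`. That wording is only correct if `sandbox_active` is set at filter-load time, which has to be confirmed because the variable is declared and assigned outside this hunk. On the stub, a comment such as `/** No sandbox support in this build: never active. */` would make the constant 0 self-explanatory, assuming that is what the enclosing preprocessor branch (not visible here) selects.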
@@ -1672,5 +1677,11 @@ sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
   (void)cfg; (void)file1; (void)file2;
   return 0;
 }
+
+int
+sandbox_is_active(void)
+{
+  return 0;
+}
 #endif
 
index c4144dbb2e6ddabb811e9f2eabf3f7035f094754..c40f5e0d1f3878b986fed0cfffca0bd3ba1cbcb6 100644 (file)
@@ -229,5 +229,8 @@ int sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...);
 /** Function used to initialise a sandbox configuration.*/
 int sandbox_init(sandbox_cfg_t* cfg);
 
+/** Return true iff the sandbox is turned on. */
+int sandbox_is_active(void);
+
 #endif /* SANDBOX_H_ */
 
index c2eebf77a65ba3e1ee7295bc02e77f423e0551d9..881da37855ab5d6d77e7766b8b3e75789a638325 100644 (file)
@@ -1,4 +1,4 @@
- /* Copyright (c) 2001 Matej Pfajfar.
+/* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  * Copyright (c) 2007-2013, The Tor Project, Inc. */
@@ -1043,12 +1043,18 @@ options_act_reversible(const or_options_t *old_options, char **msg)
   if (running_tor) {
     int n_ports=0;
     /* We need to set the connection limit before we can open the listeners. */
-    if (set_max_file_descriptors((unsigned)options->ConnLimit,
-                                 &options->ConnLimit_) < 0) {
-      *msg = tor_strdup("Problem with ConnLimit value. See logs for details.");
-      goto rollback;
+    if (! sandbox_is_active()) {
+      if (set_max_file_descriptors((unsigned)options->ConnLimit,
+                                   &options->ConnLimit_) < 0) {
+        *msg = tor_strdup("Problem with ConnLimit value. "
+                          "See logs for details.");
+        goto rollback;
+      }
+      set_conn_limit = 1;
+    } else {
+      tor_assert(old_options);
+      options->ConnLimit_ = old_options->ConnLimit_;
     }
-    set_conn_limit = 1;
 
     /* Set up libevent.  (We need to do this before we can register the
      * listeners as listeners.) */
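Review bot: In the new `else` branch a changed `options->ConnLimit` is silently discarded: `options->ConnLimit_` is copied from `old_options` with no log line and no comment giving the reason, so from this hunk a reload that edits ConnLimit looks like it succeeded. Unless the transition is rejected somewhere not shown here, add a comment like `/* Sandbox is on: the fd limit can no longer be changed, so keep the previously computed value. */` and a `log_warn(LD_CONFIG, ...)` when `options->ConnLimit != old_options->ConnLimit`. Also, `tor_assert(old_options)` makes a NULL `old_options` with the sandbox active a process abort; if that state cannot occur, a one-line comment saying why would help the next reader. The body of `options_act_reversible` starts and ends outside this hunk.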