Make the sandbox work again with chutney.

Previously, we had a problem due to the check_private_dir() rewrite.

Bug not in any released Tor.

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index d747a87563c5e8336e47d21f8779e250ed8aa341..c04ed5fe7c6d2cf0be1059646ccb3a38817500ef 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -427,7 +427,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   }
 
   rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
-                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
+                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+                                O_RDONLY));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
         "error %d", rc);

diff --git a/src/or/main.c b/src/or/main.c
index 11caea5d89da4b2e60a8032e9d9031bdf0cc5998..0b45af9d5d044fa835d3afc48fb09c015b30d100 100644 (file)
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -3300,6 +3300,8 @@ sandbox_init_filter(void)
     OPEN_DATADIR2(name, name2 suffix);                  \
   } while (0)
 
+  OPEN(options->DataDirectory);
+  OPEN_DATADIR("keys");
   OPEN_DATADIR_SUFFIX("cached-certs", ".tmp");
   OPEN_DATADIR_SUFFIX("cached-consensus", ".tmp");
   OPEN_DATADIR_SUFFIX("unverified-consensus", ".tmp");