return 0;
}
- #endif
++#endif /* defined(__NR_mmap2) */
+
+ +#ifdef HAVE_GNU_LIBC_VERSION_H
+ +#ifdef HAVE_GNU_GET_LIBC_VERSION
+ +#define CHECK_LIBC_VERSION
+ +#endif
+ #endif
+
+ +/* Return true if we think we're running with a libc that always uses
+ + * openat on linux. */
+ +static int
+ +libc_uses_openat_for_everything(void)
+ +{
+ +#ifdef CHECK_LIBC_VERSION
+ + const char *version = gnu_get_libc_version();
+ + if (version == NULL)
+ + return 0;
+ +
+ + int major = -1;
+ + int minor = -1;
+ +
+ + tor_sscanf(version, "%d.%d", &major, &minor);
+ + if (major >= 3)
+ + return 1;
+ + else if (major == 2 && minor >= 26)
+ + return 1;
+ + else
+ + return 0;
+ +#else
+ + return 0;
+ +#endif
+ +}
+ +
+ +/** Allow a single file to be opened. If <b>use_openat</b> is true,
+ + * we're using a libc that remaps all the opens into openats. */
+ +static int
+ +allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
+ +{
+ + if (use_openat) {
+ + return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
+ + SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD),
+ + SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
+ + } else {
+ + return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
+ + SCMP_CMP_STR(0, SCMP_CMP_EQ, file));
+ + }
+ +}
+ +
/**
* Function responsible for setting up the open syscall for
* the seccomp filter sandbox.
return 0;
}
-#endif
++#endif /* defined(__NR_stat64) */
+
++ static int
++ sb_kill(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++ {
++ (void) filter;
++ #ifdef __NR_kill
++ /* Allow killing anything with signal 0 -- it isn't really a kill. */
++ return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill),
++ SCMP_CMP(1, SCMP_CMP_EQ, 0));
++ #else
++ return 0;
+ #endif
++ }
+
/**
* Array of function pointers responsible for filtering different syscalls at
* a parameter level.
sb_socket,
sb_setsockopt,
sb_getsockopt,
- sb_socketpair
+ sb_socketpair,
-
++#ifdef HAVE_KIST_SUPPORT
++ sb_ioctl,
++#endif
++ sb_kill
};
const char *
projects / thirdparty / tor.git / commitdiff
