added experimental support for open syscall path param

author Cristian Toader <cristian.matei.toader@gmail.com>

Tue, 23 Jul 2013 11:01:53 +0000 (14:01 +0300)

committer Cristian Toader <cristian.matei.toader@gmail.com>

Tue, 23 Jul 2013 11:01:53 +0000 (14:01 +0300)
author Cristian Toader <cristian.matei.toader@gmail.com>
Tue, 23 Jul 2013 11:01:53 +0000 (14:01 +0300)
committer Cristian Toader <cristian.matei.toader@gmail.com>
Tue, 23 Jul 2013 11:01:53 +0000 (14:01 +0300)
diff --git a/src/common/compat.c b/src/common/compat.c

index 69eb0643d063ac163e062205126f63f72955fb67..5b153674effe7fcf1ad9164d17035749ac0b6c49 100644 (file)
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -125,6 +125,7 @@ tor_open_cloexec(const char *path, int flags, unsigned mode)
  {
    int fd;
  #ifdef O_CLOEXEC
+  path = get_prot_param(path);
    fd = open(path, flags|O_CLOEXEC, mode);
    if (fd >= 0)
      return fd;
diff --git a/src/common/sandbox.c b/src/common/sandbox.c

index 7c732157c17c53f1832aaadc87f7a330282e33b5..143995d294d86bd2e7232a915e72ea083ec0d0d4 100644 (file)
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -46,7 +46,34 @@ static ParFilter param_filter[] = {
      {SCMP_SYS(rt_sigaction), PARAM_NUM, (intptr_t)(SIGXFSZ), 0},
  #endif
      {SCMP_SYS(rt_sigaction), PARAM_NUM, (intptr_t)(SIGCHLD), 0},
-
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-certs"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-consensus"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/unverified-consensus"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-microdesc-consensus"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-microdesc-consensus.tmp"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-microdescs"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-microdescs.new"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/unverified-microdesc-consensus"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-descriptors"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-descriptors.new"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/cached-extrainfo"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/state.tmp"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/unparseable-desc.tmp"), 0},
+    {SCMP_SYS(open), PARAM_PTR,
+        (intptr_t)("/home/cristi/.tor/unparseable-desc"), 0},
  };
  
  /** Variable used for storing all syscall numbers that will be allowed with the
@@ -106,7 +133,6 @@ static int general_filter[] = {
      SCMP_SYS(mprotect),
      SCMP_SYS(mremap),
      SCMP_SYS(munmap),
-    SCMP_SYS(open),
      SCMP_SYS(openat),
      SCMP_SYS(poll),
      SCMP_SYS(prctl),
@@ -175,13 +201,14 @@ get_prot_param(char *param)
    }
  
    for (i = 0; i < filter_size; i++) {
-    if (param_filter[i].prot && !strncmp(param, (char*) param_filter[i].param,
-        MAX_PARAM_LEN) && param_filter[i].ptype == PARAM_PTR) {
+    if (param_filter[i].prot  && param_filter[i].ptype == PARAM_PTR
+        && !strncmp(param, (char*)(param_filter[i].param), MAX_PARAM_LEN)) {
        return (char*)(param_filter[i].param);
      }
    }
  
-  return NULL;
+  log_warn(LD_BUG, "(Sandbox) Parameter %s not found", param);
+  return param;
  }
  
  static int
@@ -213,7 +240,7 @@ add_param_filter(scmp_filter_ctx ctx)
        }
  
        // copying from non protected to protected + pointer reassign
-      memcpy(map, (char*) param_filter[i].param, param_size);
+      memcpy(map, (char*) (param_filter[i].param), param_size);
        param_filter[i].param = (intptr_t) map;
  
        // protecting from writes
diff --git a/src/common/sandbox.h b/src/common/sandbox.h

index de5699e34244d7edcff617e4c5cb90fbaadbcfbe..b973d9716e095264cdbcb15939a354894439dce8 100644 (file)
--- a/src/common/sandbox.h
+++ b/src/common/sandbox.h
@@ -32,7 +32,7 @@
  #define __USE_GNU
  #include <sys/ucontext.h>
  
-#define MAX_PARAM_LEN 32
+#define MAX_PARAM_LEN 64
  
  #define PARAM_PTR 0
  #define PARAM_NUM 1
diff --git a/src/or/routerlist.c b/src/or/routerlist.c

index a145ba716e30d5a1d6da3e7635be6298cddc0efa..465aaedb139e9c1fe31b454275cc5fd83ccdfd37 100644 (file)
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -37,7 +37,7 @@
  #include "routerlist.h"
  #include "routerparse.h"
  #include "routerset.h"
-
+#include "../common/sandbox.h"
  // #define DEBUG_ROUTERLIST
  
  /****************************************************************************/
author	Cristian Toader <cristian.matei.toader@gmail.com>
	Tue, 23 Jul 2013 11:01:53 +0000 (14:01 +0300)
committer	Cristian Toader <cristian.matei.toader@gmail.com>
	Tue, 23 Jul 2013 11:01:53 +0000 (14:01 +0300)
src/common/compat.c		patch \| blob \| blame \| history
src/common/sandbox.c		patch \| blob \| blame \| history
src/common/sandbox.h		patch \| blob \| blame \| history
src/or/routerlist.c		patch \| blob \| blame \| history