Fix running with the seccomp2 sandbox
authorNick Mathewson <nickm@torproject.org>
Mon, 23 Feb 2015 17:16:08 +0000 (12:16 -0500)
committerNick Mathewson <nickm@torproject.org>
Mon, 23 Feb 2015 17:16:08 +0000 (12:16 -0500)
We had a regression in 0.2.6.3-alpha when we stopped saying
IPPROTO_TCP to socket().  Fixes bug 14989, bugfix on 0.2.6.3-alpha.

changes/bug14989 [new file with mode: 0644]
src/or/connection.c

diff --git a/changes/bug14989 b/changes/bug14989
new file mode 100644 (file)
index 0000000..f4432d4
--- /dev/null
@@ -0,0 +1,4 @@
+  o Major bugfixes (Linux seccomp2 sandbox):
+    - Pass IPPROTO_TCP rather than 0 to socket(), so that the
+      Linux seccomp2 sandbox doesn't fail. Fixes bug 14989;
+      bugfix on 0.2.6.3-alpha.
index 79ae178a5695ec27cddf1c2ea657f2bbb7120de8..7db0238b3d546b74de9a3bc03da8fcb23a14f62a 100644 (file)
@@ -1612,7 +1612,6 @@ connection_connect_sockaddr(connection_t *conn,
   tor_socket_t s;
   int inprogress = 0;
   const or_options_t *options = get_options();
-  int protocol_family;
 
   tor_assert(conn);
   tor_assert(sa);
@@ -1624,8 +1623,6 @@ connection_connect_sockaddr(connection_t *conn,
     return -1;
   }
 
-  protocol_family = sa->sa_family;
-
   if (get_options()->DisableNetwork) {
     /* We should never even try to connect anyplace if DisableNetwork is set.
      * Warn if we do, and refuse to make the connection. */
@@ -1637,7 +1634,11 @@ connection_connect_sockaddr(connection_t *conn,
     return -1;
   }
 
-  s = tor_open_socket_nonblocking(protocol_family, SOCK_STREAM, 0);
+  const int protocol_family = sa->sa_family;
+  const int proto = (sa->sa_family == AF_INET6 ||
+                     sa->sa_family == AF_INET) ? IPPROTO_TCP : 0;
+
+  s = tor_open_socket_nonblocking(protocol_family, SOCK_STREAM, proto);
   if (! SOCKET_OK(s)) {
     *socket_error = tor_socket_errno(-1);
     log_warn(LD_NET,"Error creating network socket: %s",
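Review bot: The new `proto` selection just above the `tor_open_socket_nonblocking()` call has no comment saying why the protocol must be explicit, and per the commit message losing that detail is what caused this regression. I would add `/* The seccomp2 sandbox rejects socket() with protocol 0 for TCP sockets; always pass IPPROTO_TCP for AF_INET/AF_INET6. */` directly above it. Every other address family still gets protocol 0; whether the sandbox filter accepts that combination is not visible in this hunk, so it is worth confirming against the filter rules. As a smaller style point, the ternary re-reads `sa->sa_family` although `protocol_family` was assigned on the line before, and both declarations sit after statements while the rest of the function declares its locals at the top. The body of `connection_connect_sockaddr` starts and ends outside the hunk.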