Let recent relays run with the chutney sandbox.

Fixes 16965

diff --git a/changes/bug16965 b/changes/bug16965
new file mode 100644 (file)
index 0000000..841d723
--- /dev/null
+++ b/changes/bug16965
@@ -0,0 +1,4 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Allow routers with ed25519 keys to run correctly under the seccomp2
+      sandbox. Fixes bug 16964; bugfix on 0.2.7.2-alpha.
+

diff --git a/src/or/main.c b/src/or/main.c
index 915b3e23ca7f1db3f7008eae835d2fee13efa50a..5dca9bce1d8bac1d23beb2a8b0b777ec0da1338f 100644 (file)
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -3034,6 +3034,7 @@ sandbox_init_filter(void)
   OPEN_DATADIR_SUFFIX("state", ".tmp");
   OPEN_DATADIR_SUFFIX("unparseable-desc", ".tmp");
   OPEN_DATADIR_SUFFIX("v3-status-votes", ".tmp");
+  OPEN_DATADIR("key-pinning-journal");
   OPEN("/dev/srandom");
   OPEN("/dev/urandom");
   OPEN("/dev/random");
@@ -3157,6 +3158,13 @@ sandbox_init_filter(void)
     OPEN_DATADIR2("keys", "secret_onion_key.old");
     OPEN_DATADIR2("keys", "secret_onion_key_ntor.old");
 
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_master_id_secret_key", ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_master_id_secret_key_encrypted",
+                         ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_master_id_public_key", ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_signing_secret_key", ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_signing_cert", ".tmp");
+
     OPEN_DATADIR2_SUFFIX("stats", "bridge-stats", ".tmp");
     OPEN_DATADIR2_SUFFIX("stats", "dirreq-stats", ".tmp");
 
@@ -3187,6 +3195,12 @@ sandbox_init_filter(void)
     RENAME_SUFFIX("hashed-fingerprint", ".tmp");
     RENAME_SUFFIX("router-stability", ".tmp");
 
+    RENAME_SUFFIX2("keys", "ed25519_master_id_secret_key", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_master_id_secret_key_encrypted", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_master_id_public_key", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_signing_secret_key", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_signing_cert", ".tmp");
+
     sandbox_cfg_allow_rename(&cfg,
              get_datadir_fname2("keys", "secret_onion_key"),
              get_datadir_fname2("keys", "secret_onion_key.old"));