From: Cristian Toader <cristian.matei.toader@gmail.com>
Date: Fri, 26 Jul 2013 16:53:05 +0000 (+0300)
Subject: Investigated access4 syscall problem, small changes to filter.
X-Git-Tag: tor-0.2.5.1-alpha~39^2~68
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f9d3da19447f138bc451937b20537810926ff30;p=thirdparty%2Ftor.git

Investigated access4 syscall problem, small changes to filter.
---

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ce6b63c175..4a3faa47cd 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -48,10 +48,16 @@ static sandbox_static_cfg_t filter_static[] = {
     {SCMP_SYS(rt_sigaction), PARAM_NUM, 0, (intptr_t)(SIGXFSZ), 0},
 #endif
     {SCMP_SYS(rt_sigaction), PARAM_NUM, 0, (intptr_t)(SIGCHLD), 0},
+    {SCMP_SYS(time), PARAM_NUM, 0, 0, 0},
 };
 
 /** Variable used for storing all syscall numbers that will be allowed with the
  * stage 1 general Tor sandbox.
+ *
+ * todo:
+ *  read, write, close - rely on fd
+ *
+ *
  */
 static int filter_nopar_gen[] = {
     SCMP_SYS(access),
@@ -124,7 +130,6 @@ static int filter_nopar_gen[] = {
 #ifdef __NR_stat64
     SCMP_SYS(stat64),
 #endif
-    SCMP_SYS(time),
     SCMP_SYS(uname),
     SCMP_SYS(write),
     SCMP_SYS(exit_group),
@@ -137,27 +142,20 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(getsockname),
     SCMP_SYS(getsockopt),
     SCMP_SYS(listen),
-#if __NR_recv >= 0
-    /* This is a kludge; It's necessary on 64-bit with libseccomp 1.0.0; I
-     * don't know if other 64-bit or other versions require it. */
     SCMP_SYS(recv),
-#endif
     SCMP_SYS(recvmsg),
-#if __NR_send >= 0
-    SCMP_SYS(send),
-#endif
     SCMP_SYS(sendto),
+    SCMP_SYS(send),
     SCMP_SYS(setsockopt),
     SCMP_SYS(socket),
     SCMP_SYS(socketpair),
 
-    // TODO: remove when accept4 is fixed
 #ifdef __NR_socketcall
-    SCMP_SYS(socketcall),
+//    SCMP_SYS(socketcall),
 #endif
 
     SCMP_SYS(recvfrom),
-    SCMP_SYS(unlink)
+    SCMP_SYS(unlink),
 };
 
 char*
diff --git a/src/or/main.c b/src/or/main.c
index 978c17127c..269d3fd9ba 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2660,6 +2660,8 @@ sandbox_init_filter()
       get_datadir_fname("cached-microdescs.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-microdescs.new"));
+  sandbox_cfg_allow_open_filename(&cfg,
+      get_datadir_fname("cached-microdescs.new.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("unverified-microdesc-consensus"));
   sandbox_cfg_allow_open_filename(&cfg,