From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 2 Sep 2015 13:59:50 +0000 (-0400)
Subject: Let recent relays run with the chutney sandbox.
X-Git-Tag: tor-0.2.7.3-rc~61
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f6bd8fbb806abaf4015d8b8e08a737bc09ec63f6;p=thirdparty%2Ftor.git

Let recent relays run with the chutney sandbox.

Fixes 16965
---

diff --git a/changes/bug16965 b/changes/bug16965
new file mode 100644
index 0000000000..841d7235b0
--- /dev/null
+++ b/changes/bug16965
@@ -0,0 +1,4 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Allow routers with ed25519 keys to run correctly under the seccomp2
+      sandbox. Fixes bug 16964; bugfix on 0.2.7.2-alpha.
+
diff --git a/src/or/main.c b/src/or/main.c
index 915b3e23ca..5dca9bce1d 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -3034,6 +3034,7 @@ sandbox_init_filter(void)
   OPEN_DATADIR_SUFFIX("state", ".tmp");
   OPEN_DATADIR_SUFFIX("unparseable-desc", ".tmp");
   OPEN_DATADIR_SUFFIX("v3-status-votes", ".tmp");
+  OPEN_DATADIR("key-pinning-journal");
   OPEN("/dev/srandom");
   OPEN("/dev/urandom");
   OPEN("/dev/random");
@@ -3157,6 +3158,13 @@ sandbox_init_filter(void)
     OPEN_DATADIR2("keys", "secret_onion_key.old");
     OPEN_DATADIR2("keys", "secret_onion_key_ntor.old");
 
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_master_id_secret_key", ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_master_id_secret_key_encrypted",
+                         ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_master_id_public_key", ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_signing_secret_key", ".tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "ed25519_signing_cert", ".tmp");
+
     OPEN_DATADIR2_SUFFIX("stats", "bridge-stats", ".tmp");
     OPEN_DATADIR2_SUFFIX("stats", "dirreq-stats", ".tmp");
 
@@ -3187,6 +3195,12 @@ sandbox_init_filter(void)
     RENAME_SUFFIX("hashed-fingerprint", ".tmp");
     RENAME_SUFFIX("router-stability", ".tmp");
 
+    RENAME_SUFFIX2("keys", "ed25519_master_id_secret_key", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_master_id_secret_key_encrypted", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_master_id_public_key", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_signing_secret_key", ".tmp");
+    RENAME_SUFFIX2("keys", "ed25519_signing_cert", ".tmp");
+
     sandbox_cfg_allow_rename(&cfg,
              get_datadir_fname2("keys", "secret_onion_key"),
              get_datadir_fname2("keys", "secret_onion_key.old"));