From 21ac0cd2afb2275bfe89237c3aeb545fb7de537e Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Mon, 23 Feb 2015 12:33:58 -0500
Subject: [PATCH] Let AF_UNIX connections through the sandbox

Fixes bug 15003; bugfix on 0.2.6.3-alpha.
---
 changes/bug15003     | 3 +++
 src/common/sandbox.c | 5 +++++
 2 files changed, 8 insertions(+)
 create mode 100644 changes/bug15003

diff --git a/changes/bug15003 b/changes/bug15003
new file mode 100644
index 0000000000..2dcce74dfe
--- /dev/null
+++ b/changes/bug15003
@@ -0,0 +1,3 @@
+  o Major bugfixes (linux seccomp2 sandbox):
+    - Allow AF_UNIX hidden services to be used with the seccomp2 sandbox.
+      Fixes bug 15003; bugfix on 0.2.6.3-alpha.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 57847e1376..fe97af309e 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -542,6 +542,11 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
       return rc;
   }
 
+  rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+      SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
+      SCMP_CMP(2, SCMP_CMP_EQ, 0));
+
   rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
       SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
       SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
-- 
2.47.3