mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-24 22:58:50 +01:00
Code Issues Projects Releases Wiki Activity

Permit kill(pid, 0) in the seccomp2 sandbox.

Browse source 
We don't want to allow general signals to be sent, but there's no
problem sending a kill(0) to probe whether a process is there.

Fixes bug 24198; bugfix on 0.2.5.1-alpha when the seccomp2 sandbox
was introduced.
This commit is contained in:
Nick Mathewson 2017-11-16 12:44:47 -05:00
parent 1b9bb2c847
commit 7461cd3067
2 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
changes/bug24198 Normal file
View file

@ -0,0 +1,4 @@
o Minor bugfixes (controller, linux seccomp2 sandbox):
- Avoid a crash when attempting to use the seccomp2 sandbox
together with the OwningControllerProcess feature.
Fixes bug 24198; bugfix on 0.2.5.1-alpha.

16
src/common/sandbox.c
View file

@ -1050,6 +1050,19 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
} }
#endif #endif
static int
sb_kill(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
(void) filter;
#ifdef __NR_kill
/* Allow killing anything with signal 0 -- it isn't really a kill. */
return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill),
SCMP_CMP(1, SCMP_CMP_EQ, 0));
#else
return 0;
#endif
}
/** /**
* Array of function pointers responsible for filtering different syscalls at * Array of function pointers responsible for filtering different syscalls at
* a parameter level. * a parameter level.
@ -1088,7 +1101,8 @@ static sandbox_filter_func_t filter_func[] = {
sb_socket, sb_socket,
sb_setsockopt, sb_setsockopt,
sb_getsockopt, sb_getsockopt,
sb_socketpair sb_socketpair,
sb_kill
}; };
const char * const char *