mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-25 23:21:38 +01:00
Code Issues Projects Releases Wiki Activity

Remove the #if 0ed code that was supposed to let the sandbox allow exec

Browse source
This commit is contained in:
Nick Mathewson 2017-08-09 10:36:45 -04:00
parent d2713b4ddc
commit 94352368db
2 changed files with 0 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
src/common/sandbox.c
View file

@ -289,37 +289,6 @@ sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return rc; return rc;
} }
#if 0
/**
* Function responsible for setting up the execve syscall for
* the seccomp filter sandbox.
*/
static int
sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc;
sandbox_cfg_t *elem = NULL;
// for each dynamic parameter filters
for (elem = filter; elem != NULL; elem = elem->next) {
smp_param_t *param = elem->param;
if (param != NULL && param->prot == 1 && param->syscall
== SCMP_SYS(execve)) {
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
"libseccomp error %d", rc);
return rc;
}
}
}
return 0;
}
#endif
/** /**
* Function responsible for setting up the time syscall for * Function responsible for setting up the time syscall for
* the seccomp filter sandbox. * the seccomp filter sandbox.
@ -1063,9 +1032,6 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
static sandbox_filter_func_t filter_func[] = { static sandbox_filter_func_t filter_func[] = {
sb_rt_sigaction, sb_rt_sigaction,
sb_rt_sigprocmask, sb_rt_sigprocmask,
#if 0
sb_execve,
#endif
sb_time, sb_time,
sb_accept4, sb_accept4,
#ifdef __NR_mmap2 #ifdef __NR_mmap2
@ -1417,26 +1383,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
return 0; return 0;
} }
#if 0
int
sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
{
sandbox_cfg_t *elem = NULL;
elem = new_element(SCMP_SYS(execve), com);
if (!elem) {
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
return -1;
}
elem->next = *cfg;
*cfg = elem;
return 0;
}
#endif
/** Cache entry for getaddrinfo results; used when sandboxing is implemented /** Cache entry for getaddrinfo results; used when sandboxing is implemented
* so that we can consult the cache when the sandbox prevents us from doing * so that we can consult the cache when the sandbox prevents us from doing
* getaddrinfo. * getaddrinfo.
@ -1910,15 +1856,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
return 0; return 0;
} }
#if 0
int
sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
{
(void)cfg; (void)com;
return 0;
}
#endif
int int
sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file) sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
{ {

8
src/common/sandbox.h
View file

@ -156,14 +156,6 @@ int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2);
*/ */
int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file); int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file);
#if 0
/**
* Function used to add a execve allowed filename to a supplied configuration.
* The (char*) specifies the path to the allowed file; that pointer is stolen.
*/
int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com);
#endif
/** /**
* Function used to add a stat/stat64 allowed filename to a configuration. * Function used to add a stat/stat64 allowed filename to a configuration.
* The (char*) specifies the path to the allowed file; that pointer is stolen. * The (char*) specifies the path to the allowed file; that pointer is stolen.