Fix some initial sandbox issues.
Allow files that weren't in the list; Allow the _sysctl syscall; allow accept4 with CLOEXEC and NONBLOCK.
parent
211b8cc318
commit
ae9d6d73f5
@ -124,6 +124,7 @@ static int filter_nopar_gen[] = {
|
||||
SCMP_SYS(rename),
|
||||
SCMP_SYS(rt_sigreturn),
|
||||
SCMP_SYS(set_robust_list),
|
||||
SCMP_SYS(_sysctl),
|
||||
#ifdef __NR_sigreturn
|
||||
SCMP_SYS(sigreturn),
|
||||
#endif
|
||||
@ -249,6 +250,11 @@ sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
if (rc) {
|
||||
return rc;
|
||||
}
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 1,
|
||||
SCMP_CMP(3, SCMP_CMP_EQ, SOCK_CLOEXEC|SOCK_NONBLOCK));
|
||||
if (rc) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
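Review bot: The new `SCMP_SYS(_sysctl)` entry in `filter_nopar_gen` has no guard, while the entry right after it is wrapped in `#ifdef __NR_sigreturn`. `_sysctl` is a deprecated syscall whose number may be absent on some targets, so wrapping it the same way (`#ifdef __NR__sysctl` / `#endif`) would skip it where it is undefined. Entries in this array appear, judging by its name, to be allowed with no argument checks. If the caller only probes `_sysctl` and tolerates failure (not visible here), a rule returning `SCMP_ACT_ERRNO(EPERM)` would keep the filter tighter than an unconditional allow. A one-line comment naming the library that triggers the call would help the next audit of this allow-list; the array starts and ends outside the hunk.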
@ -2732,8 +2732,11 @@ sandbox_init_filter(void)
|
||||
get_datadir_fname("cached-certs"), 1,
|
||||
get_datadir_fname("cached-certs.tmp"), 1,
|
||||
get_datadir_fname("cached-consensus"), 1,
|
||||
get_datadir_fname("cached-consensus.tmp"), 1,
|
||||
get_datadir_fname("unverified-consensus"), 1,
|
||||
get_datadir_fname("unverified-consensus.tmp"), 1,
|
||||
get_datadir_fname("unverified-microdesc-consensus"), 1,
|
||||
get_datadir_fname("unverified-microdesc-consensus.tmp"), 1,
|
||||
get_datadir_fname("cached-microdesc-consensus"), 1,
|
||||
get_datadir_fname("cached-microdesc-consensus.tmp"), 1,
|
||||
get_datadir_fname("cached-microdescs"), 1,
|
||||
@ -2747,9 +2750,15 @@ sandbox_init_filter(void)
|
||||
get_datadir_fname("cached-descriptors.new.tmp"), 1,
|
||||
get_datadir_fname("cached-descriptors.tmp.tmp"), 1,
|
||||
get_datadir_fname("cached-extrainfo"), 1,
|
||||
get_datadir_fname("cached-extrainfo.new"), 1,
|
||||
get_datadir_fname("cached-extrainfo.tmp"), 1,
|
||||
get_datadir_fname("cached-extrainfo.new.tmp"), 1,
|
||||
get_datadir_fname("cached-extrainfo.tmp.tmp"), 1,
|
||||
get_datadir_fname("state.tmp"), 1,
|
||||
get_datadir_fname("unparseable-desc.tmp"), 1,
|
||||
get_datadir_fname("unparseable-desc"), 1,
|
||||
get_datadir_fname("v3-status-votes"), 1,
|
||||
get_datadir_fname("v3-status-votes.tmp"), 1,
|
||||
"/dev/srandom", 0,
|
||||
"/dev/urandom", 0,
|
||||
"/dev/random", 0,
|
||||
|
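Review bot: The path list in `sandbox_init_filter` is extended by hand with every suffix variant (`.tmp`, `.new.tmp`, `.tmp.tmp`), and nothing at the call site explains the `0`/`1` after each path or why the doubled `.tmp.tmp` names are needed. The commit description suggests a missing entry is only noticed at runtime, so a comment above the list would make it easier to audit, for example `/* Each path is followed by a flag: 1 for heap strings from get_datadir_fname(), 0 for literals (confirm against the callee). */`. It is also worth confirming that each added file really has to be opened after the sandbox is active, so the allow-list stays as small as the process needs. The argument list begins and ends outside the hunks shown.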