September 2013 - tor-commits - lists.torproject.org

[tor/master] attempt to add stat64 filename filters; failed due to getaddrinfo..
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit 8a85a48b9d0ed2b298bcc26dfeb96fa7e31c05c4 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Mon Aug 12 21:14:43 2013 +0300 attempt to add stat64 filename filters; failed due to getaddrinfo.. --- src/common/sandbox.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++---- src/common/sandbox.h | 7 +++++ src/common/util.c | 4 +-- src/or/config.c | 2 +- src/or/dns.c | 3 +- src/or/main.c | 13 ++++++++ 6 files changed, 100 insertions(+), 9 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index f2ead21..0be4c52 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -97,16 +97,14 @@ static int filter_nopar_gen[] = { SCMP_SYS(sigreturn), #endif SCMP_SYS(stat), -#ifdef __NR_stat64 - SCMP_SYS(stat64), // TODO -#endif SCMP_SYS(uname), SCMP_SYS(write), SCMP_SYS(exit_group), SCMP_SYS(exit), SCMP_SYS(madvise), - + // getaddrinfo uses this.. + SCMP_SYS(stat64), // Not needed.. // SCMP_SYS(set_thread_area), // SCMP_SYS(set_tid_address), @@ -542,6 +540,31 @@ sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } +#ifdef __NR_stat64 +static int +sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc = 0; + sandbox_cfg_t *elem = NULL; + + // for each dynamic parameter filters + for (elem = filter; elem != NULL; elem = elem->next) { + if (elem->prot == 1 && (elem->syscall == SCMP_SYS(open) || + elem->syscall == SCMP_SYS(stat64))) { + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64), 1, + SCMP_CMP(0, SCMP_CMP_EQ, elem->param)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " + "error %d", rc); + return rc; + } + } + } + + return 0; +} +#endif + static sandbox_filter_func_t filter_func[] = { sb_rt_sigaction, sb_rt_sigprocmask, @@ -559,7 +582,8 @@ static sandbox_filter_func_t filter_func[] = { sb_flock, sb_futex, sb_mremap, - sb_poll + sb_poll, + sb_stat64 }; const char* @@ -616,6 +640,52 @@ prot_strdup(char* str) return res; } +#ifdef __NR_stat64 +int +sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, char fr) +{ + sandbox_cfg_t *elem = NULL; + + elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t)); + elem->syscall = SCMP_SYS(stat64); + elem->pindex = 0; + elem->ptype = PARAM_PTR; + elem->param = (intptr_t) prot_strdup((char*) file); + elem->prot = 1; + + elem->next = *cfg; + *cfg = elem; + + if (fr) tor_free_(file); + + return 0; +} + +int +sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, int num, ...) +{ + int rc = 0, i; + + va_list ap; + va_start(ap, num); + + for (i = 0; i < num; i++) { + char *fn = va_arg(ap, char*); + char fr = (char) va_arg(ap, int); + + rc = sandbox_cfg_allow_stat64_filename(cfg, fn, fr); + if(rc) { + log_err(LD_BUG,"(Sandbox) failed on par %d", i); + goto end; + } + } + + end: + va_end(ap); + return 0; +} +#endif + int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, char fr) { diff --git a/src/common/sandbox.h b/src/common/sandbox.h index 33668d9..e928591 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -9,6 +9,8 @@ * \brief Header file for sandbox.c. **/ +// TODO: thinking of only having allow_file for multiple syscalls + #ifndef SANDBOX_H_ #define SANDBOX_H_ @@ -110,6 +112,11 @@ int sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, int num, ...); int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com); int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...); +int sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, + char fr); +int sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, + int num, ...); + int sandbox_init(sandbox_cfg_t* cfg); #endif /* SANDBOX_H_ */ diff --git a/src/common/util.c b/src/common/util.c index 75462b6..8408a36 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -1803,7 +1803,7 @@ file_status(const char *fname) int r; f = tor_strdup(fname); clean_name_for_stat(f); - r = stat(f, &st); + r = stat(sandbox_intern_string(f), &st); tor_free(f); if (r) { if (errno == ENOENT) { @@ -1853,7 +1853,7 @@ check_private_dir(const char *dirname, cpd_check_t check, tor_assert(dirname); f = tor_strdup(dirname); clean_name_for_stat(f); - r = stat(f, &st); + r = stat(sandbox_intern_string(f), &st); tor_free(f); if (r) { if (errno != ENOENT) { diff --git a/src/or/config.c b/src/or/config.c index e53c288..e1b7b4e 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -6121,7 +6121,7 @@ remove_file_if_very_old(const char *fname, time_t now) #define VERY_OLD_FILE_AGE (28*24*60*60) struct stat st; - if (stat(fname, &st)==0 && st.st_mtime < now-VERY_OLD_FILE_AGE) { + if (stat(sandbox_intern_string(fname), &st)==0 && st.st_mtime < now-VERY_OLD_FILE_AGE) { char buf[ISO_TIME_LEN+1]; format_local_iso_time(buf, st.st_mtime); log_notice(LD_GENERAL, "Obsolete file %s hasn't been modified since %s. " diff --git a/src/or/dns.c b/src/or/dns.c index edcf92e..6dc0c05 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -24,6 +24,7 @@ #include "relay.h" #include "router.h" #include "ht.h" +#include "../common/sandbox.h" #ifdef HAVE_EVENT2_DNS_H #include <event2/event.h> #include <event2/dns.h> @@ -1477,7 +1478,7 @@ configure_nameservers(int force) evdns_set_log_fn(evdns_log_cb); if (conf_fname) { - if (stat(conf_fname, &st)) { + if (stat(sandbox_intern_string(conf_fname), &st)) { log_warn(LD_EXIT, "Unable to stat resolver configuration in '%s': %s", conf_fname, strerror(errno)); goto err; diff --git a/src/or/main.c b/src/or/main.c index c236e83..a2fbe5f 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2672,6 +2672,14 @@ sandbox_init_filter() "/dev/urandom", 0 ); + sandbox_cfg_allow_stat64_filename_array(&cfg, 5, + get_datadir_fname(NULL), 1, + get_datadir_fname("lock"), 1, + get_datadir_fname("state"), 1, + get_datadir_fname("router-stability"), 1, + get_datadir_fname("cached-extrainfo.new"), 1 + ); + // orport if (server_mode(get_options())) { sandbox_cfg_allow_open_filename_array(&cfg, 13, @@ -2689,6 +2697,11 @@ sandbox_init_filter() "/etc/resolv.conf", 0, "/dev/random", 0 ); + + sandbox_cfg_allow_stat64_filename_array(&cfg, 2, + get_datadir_fname("keys"), 1, + get_datadir_fname("stats/dirreq-stats"), 1 + ); } sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");

1 0

[tor/master] fixed memory leak, added array filter support
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit 44a4464cf6d4dac88c46b8ffdb6ad002d03ade62 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Sat Aug 10 18:04:48 2013 +0300 fixed memory leak, added array filter support --- src/common/sandbox.c | 81 +++++++++++++++++++++++++++++++++++++- src/common/sandbox.h | 13 ++++++- src/or/main.c | 106 ++++++++++++++++++++------------------------------ 3 files changed, 132 insertions(+), 68 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 2ba1432..f2ead21 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -37,6 +37,7 @@ #include <linux/futex.h> #include <bits/signum.h> +#include <stdarg.h> #include <seccomp.h> #include <signal.h> #include <unistd.h> @@ -616,7 +617,7 @@ prot_strdup(char* str) } int -sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file) +sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, char fr) { sandbox_cfg_t *elem = NULL; @@ -630,11 +631,37 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file) elem->next = *cfg; *cfg = elem; + if (fr) tor_free_(file); + + return 0; +} + +int +sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, int num, ...) +{ + int rc = 0, i; + + va_list ap; + va_start(ap, num); + + for (i = 0; i < num; i++) { + char *fn = va_arg(ap, char*); + char fr = (char) va_arg(ap, int); + + rc = sandbox_cfg_allow_open_filename(cfg, fn, fr); + if(rc) { + log_err(LD_BUG,"(Sandbox) failed on par %d", i); + goto end; + } + } + + end: + va_end(ap); return 0; } int -sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) +sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, char fr) { sandbox_cfg_t *elem = NULL; @@ -648,6 +675,32 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) elem->next = *cfg; *cfg = elem; + if (fr) tor_free_(file); + + return 0; +} + +int +sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, int num, ...) +{ + int rc = 0, i; + + va_list ap; + va_start(ap, num); + + for (i = 0; i < num; i++) { + char *fn = va_arg(ap, char*); + char fr = (char) va_arg(ap, int); + + rc = sandbox_cfg_allow_openat_filename(cfg, fn, fr); + if(rc) { + log_err(LD_BUG,"(Sandbox) failed on par %d", i); + goto end; + } + } + + end: + va_end(ap); return 0; } @@ -669,6 +722,30 @@ sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com) return 0; } +int +sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...) +{ + int rc = 0, i; + + va_list ap; + va_start(ap, num); + + for (i = 0; i < num; i++) { + char *fn = va_arg(ap, char*); + + rc = sandbox_cfg_allow_execve(cfg, fn); + + if(rc) { + log_err(LD_BUG,"(Sandbox) failed on par %d", i); + goto end; + } + } + + end: + va_end(ap); + return 0; +} + static int add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) { diff --git a/src/common/sandbox.h b/src/common/sandbox.h index 2b26544..33668d9 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -98,9 +98,18 @@ int tor_global_sandbox(void); const char* sandbox_intern_string(const char *param); sandbox_cfg_t * sandbox_cfg_new(); -int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file); -int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file); + +int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, + char fr); +int sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, int num, ...); + +int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, + char fr); +int sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, int num, ...); + int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com); +int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...); + int sandbox_init(sandbox_cfg_t* cfg); #endif /* SANDBOX_H_ */ diff --git a/src/or/main.c b/src/or/main.c index 36acde4..c236e83 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2644,73 +2644,51 @@ sandbox_init_filter() { sandbox_cfg_t *cfg = sandbox_cfg_new(); - // TODO: mem leak - sandbox_cfg_allow_openat_filename(&cfg, get_datadir_fname("cached-status")); - - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs")); - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs.tmp")); - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-consensus")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("unverified-consensus")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-microdesc-consensus")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-microdesc-consensus.tmp")); - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-microdescs.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-microdescs.new")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-microdescs.new.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("unverified-microdesc-consensus")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-descriptors")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-descriptors.new")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-descriptors.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-descriptors.new.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-descriptors.tmp.tmp")); - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-extrainfo")); - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("state.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("unparseable-desc.tmp")); - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc")); + sandbox_cfg_allow_openat_filename(&cfg, + get_datadir_fname("cached-status"), 1); + + sandbox_cfg_allow_open_filename_array(&cfg, 22, + get_datadir_fname("cached-certs"), 1, + get_datadir_fname("cached-certs.tmp"), 1, + get_datadir_fname("cached-consensus"), 1, + get_datadir_fname("unverified-consensus"), 1, + get_datadir_fname("cached-microdesc-consensus"), 1, + get_datadir_fname("cached-microdesc-consensus.tmp"), 1, + get_datadir_fname("cached-microdescs"), 1, + get_datadir_fname("cached-microdescs.tmp"), 1, + get_datadir_fname("cached-microdescs.new"), 1, + get_datadir_fname("cached-microdescs.new.tmp"), 1, + get_datadir_fname("unverified-microdesc-consensus"), 1, + get_datadir_fname("cached-descriptors"), 1, + get_datadir_fname("cached-descriptors.new"), 1, + get_datadir_fname("cached-descriptors.tmp"), 1, + get_datadir_fname("cached-descriptors.new.tmp"), 1, + get_datadir_fname("cached-descriptors.tmp.tmp"), 1, + get_datadir_fname("cached-extrainfo"), 1, + get_datadir_fname("state.tmp"), 1, + get_datadir_fname("unparseable-desc.tmp"), 1, + get_datadir_fname("unparseable-desc"), 1, + "/dev/srandom", 0, + "/dev/urandom", 0 + ); // orport if (server_mode(get_options())) { - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_id_key")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_onion_key")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_onion_key_ntor")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_onion_key_ntor.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_id_key.old")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_onion_key.old")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_onion_key_ntor.old")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname2("keys", "secret_onion_key.tmp")); - - sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("fingerprint")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-consensus.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-consensus")); - - sandbox_cfg_allow_open_filename(&cfg, "/etc/resolv.conf"); - sandbox_cfg_allow_open_filename(&cfg, "/dev/srandom"); - sandbox_cfg_allow_open_filename(&cfg, "/dev/urandom"); - sandbox_cfg_allow_open_filename(&cfg, "/dev/random"); - + sandbox_cfg_allow_open_filename_array(&cfg, 13, + get_datadir_fname2("keys", "secret_id_key"), 1, + get_datadir_fname2("keys", "secret_onion_key"), 1, + get_datadir_fname2("keys", "secret_onion_key_ntor"), 1, + get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"), 1, + get_datadir_fname2("keys", "secret_id_key.old"), 1, + get_datadir_fname2("keys", "secret_onion_key.old"), 1, + get_datadir_fname2("keys", "secret_onion_key_ntor.old"), 1, + get_datadir_fname2("keys", "secret_onion_key.tmp"), 1, + get_datadir_fname("fingerprint"), 1, + get_datadir_fname("cached-consensus"), 1, + get_datadir_fname("cached-consensus.tmp"), 1, + "/etc/resolv.conf", 0, + "/dev/random", 0 + ); } sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");

1 0

[tor/master] orport progress (not functional), nickm suggested fixes
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit b3a8c08a9217effb0065b9bc5769f18e120ca4d1 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Wed Aug 7 13:13:12 2013 +0300 orport progress (not functional), nickm suggested fixes --- src/common/sandbox.c | 100 +++++++++++++++++++++++++++++++++++++++++--------- src/or/cpuworker.c | 2 + src/or/main.c | 49 ++++++++++++++++--------- 3 files changed, 116 insertions(+), 35 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index ed7fe3b..1f15674 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -50,6 +50,7 @@ static sandbox_cfg_t *filter_dynamic = NULL; * stage 1 general Tor sandbox. */ static int filter_nopar_gen[] = { + SCMP_SYS(access), SCMP_SYS(brk), SCMP_SYS(close), SCMP_SYS(clone), @@ -90,23 +91,22 @@ static int filter_nopar_gen[] = { SCMP_SYS(read), SCMP_SYS(rename), SCMP_SYS(rt_sigreturn), + SCMP_SYS(set_robust_list), #ifdef __NR_sigreturn SCMP_SYS(sigreturn), #endif SCMP_SYS(stat), #ifdef __NR_stat64 - SCMP_SYS(stat64), + SCMP_SYS(stat64), // TODO #endif + SCMP_SYS(uname), SCMP_SYS(write), SCMP_SYS(exit_group), SCMP_SYS(exit), // Not needed.. -// SCMP_SYS(access), -// SCMP_SYS(set_robust_list), // SCMP_SYS(set_thread_area), // SCMP_SYS(set_tid_address), -// SCMP_SYS(uname), // socket syscalls SCMP_SYS(bind), @@ -201,6 +201,34 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; } + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), + SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK)); + if (rc) { + return rc; + } + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), + SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE)); + if (rc) { + return rc; + } + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), + SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)); + if (rc) { + return rc; + } + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC), + SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE)); + if (rc) { + return rc; + } + return 0; } #endif @@ -225,6 +253,24 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } } + // todo remove when libevent fix + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, + SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " + "error %d", rc); + return rc; + } + + // problem: required by getaddrinfo + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, + SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " + "error %d", rc); + return rc; + } + return 0; } @@ -315,6 +361,17 @@ sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (rc) return rc; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1, + SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD)); + if (rc) + return rc; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2, + SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD), + SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC)); + if (rc) + return rc; + return 0; } #endif @@ -373,12 +430,14 @@ sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (rc) return rc; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1, + SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE)); + if (rc) + return rc; + return 0; } -/** - * does not NEED tobe here.. only occurs before filter - */ static int sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { @@ -389,6 +448,11 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (rc) return rc; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1, + SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK)); + if (rc) + return rc; + return 0; } @@ -408,20 +472,28 @@ sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } -/** - * does not NEED tobe here.. only occurs before filter - */ static int sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc = 0; + // can remove rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1, SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME)); if (rc) return rc; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1, + SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE)); + if (rc) + return rc; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1, + SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE)); + if (rc) + return rc; + return 0; } @@ -605,14 +677,8 @@ add_noparam_filter(scmp_filter_ctx ctx) { int i, filter_size, rc = 0; - if (filter_nopar_gen != NULL) { - filter_size = sizeof(filter_nopar_gen) / sizeof(filter_nopar_gen[0]); - } else { - filter_size = 0; - } - // add general filters - for (i = 0; i < filter_size; i++) { + for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) { rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i], 0); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add syscall index %d, " diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c index 61f9faa..245f67e 100644 --- a/src/or/cpuworker.c +++ b/src/or/cpuworker.c @@ -571,6 +571,8 @@ spawn_enough_cpuworkers(void) if (num_cpuworkers_needed > MAX_CPUWORKERS) num_cpuworkers_needed = MAX_CPUWORKERS; + getchar(); + while (num_cpuworkers < num_cpuworkers_needed) { if (spawn_cpuworker() < 0) { log_warn(LD_GENERAL,"Cpuworker spawn failed. Will try again later."); diff --git a/src/or/main.c b/src/or/main.c index 3c98246..5b6b778 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2645,23 +2645,18 @@ sandbox_init_filter() sandbox_cfg_t *cfg = sandbox_cfg_new(); // TODO: mem leak - sandbox_cfg_allow_openat_filename(&cfg, - get_datadir_fname("cached-status")); + sandbox_cfg_allow_openat_filename(&cfg, get_datadir_fname("cached-status")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-certs")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-certs.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-consensus")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs.tmp")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-consensus")); sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unverified-consensus")); sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdesc-consensus")); sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdesc-consensus.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-microdescs")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs")); sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs.tmp")); sandbox_cfg_allow_open_filename(&cfg, @@ -2670,18 +2665,36 @@ sandbox_init_filter() get_datadir_fname("cached-microdescs.new.tmp")); sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unverified-microdesc-consensus")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-descriptors")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors")); sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors.new")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("cached-extrainfo")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("state.tmp")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-extrainfo")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("state.tmp")); sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc.tmp")); - sandbox_cfg_allow_open_filename(&cfg, - get_datadir_fname("unparseable-desc")); + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc")); + + // orport + if (server_mode(get_options())) { + sandbox_cfg_allow_open_filename(&cfg, + get_datadir_fname2("keys", "secret_id_key")); + sandbox_cfg_allow_open_filename(&cfg, + get_datadir_fname2("keys", "secret_onion_key")); + sandbox_cfg_allow_open_filename(&cfg, + get_datadir_fname2("keys", "secret_onion_key_ntor")); + sandbox_cfg_allow_open_filename(&cfg, + get_datadir_fname2("keys", "secret_id_key.old")); + sandbox_cfg_allow_open_filename(&cfg, + get_datadir_fname2("keys", "secret_onion_key.old")); + sandbox_cfg_allow_open_filename(&cfg, + get_datadir_fname2("keys", "secret_onion_key_ntor.old")); + sandbox_cfg_allow_open_filename(&cfg, + get_datadir_fname2("keys", "secret_onion_key.tmp")); + + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("fingerprint")); + + sandbox_cfg_allow_open_filename(&cfg, "/etc/resolv.conf"); + } sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");

1 0

[tor/master] partial libevent open fix
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit e2a7b484f47b242eb8399751cb0fbe73e14ef0b8 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Wed Aug 14 23:03:38 2013 +0300 partial libevent open fix --- src/common/sandbox.c | 18 ++++++------------ src/or/main.c | 14 +++++++++----- 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 0be4c52..6ff4296 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -9,6 +9,8 @@ * \brief Code to enable sandboxing. **/ +#define _LARGEFILE64_SOURCE + #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -32,10 +34,12 @@ #include <sys/mman.h> #include <sys/syscall.h> #include <sys/types.h> +#include <sys/stat.h> #include <sys/epoll.h> #include <sys/prctl.h> #include <linux/futex.h> #include <bits/signum.h> +#include <event2/event.h> #include <stdarg.h> #include <seccomp.h> @@ -53,6 +57,7 @@ static sandbox_cfg_t *filter_dynamic = NULL; static int filter_nopar_gen[] = { SCMP_SYS(access), SCMP_SYS(brk), + SCMP_SYS(clock_gettime), SCMP_SYS(close), SCMP_SYS(clone), SCMP_SYS(epoll_create), @@ -105,9 +110,6 @@ static int filter_nopar_gen[] = { SCMP_SYS(madvise), // getaddrinfo uses this.. SCMP_SYS(stat64), - // Not needed.. -// SCMP_SYS(set_thread_area), -// SCMP_SYS(set_tid_address), // socket syscalls SCMP_SYS(bind), @@ -263,7 +265,7 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) // todo remove when libevent fix rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, - SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY)); + SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_LARGEFILE|O_CLOEXEC)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " "error %d", rc); @@ -305,13 +307,6 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } -static int -sb_clock_gettime(scmp_filter_ctx ctx, sandbox_cfg_t *filter) -{ - return seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 1, - SCMP_CMP(0, SCMP_CMP_EQ, CLOCK_MONOTONIC)); -} - // TODO: param not working static int sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) @@ -574,7 +569,6 @@ static sandbox_filter_func_t filter_func[] = { sb_mmap2, sb_open, sb_openat, - sb_clock_gettime, sb_fcntl64, sb_epoll_ctl, sb_prctl, diff --git a/src/or/main.c b/src/or/main.c index a2fbe5f..9d0719c 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2647,7 +2647,7 @@ sandbox_init_filter() sandbox_cfg_allow_openat_filename(&cfg, get_datadir_fname("cached-status"), 1); - sandbox_cfg_allow_open_filename_array(&cfg, 22, + sandbox_cfg_allow_open_filename_array(&cfg, 23, get_datadir_fname("cached-certs"), 1, get_datadir_fname("cached-certs.tmp"), 1, get_datadir_fname("cached-consensus"), 1, @@ -2669,7 +2669,8 @@ sandbox_init_filter() get_datadir_fname("unparseable-desc.tmp"), 1, get_datadir_fname("unparseable-desc"), 1, "/dev/srandom", 0, - "/dev/urandom", 0 + "/dev/urandom", 0, + "/dev/random", 0 ); sandbox_cfg_allow_stat64_filename_array(&cfg, 5, @@ -2682,7 +2683,7 @@ sandbox_init_filter() // orport if (server_mode(get_options())) { - sandbox_cfg_allow_open_filename_array(&cfg, 13, + sandbox_cfg_allow_open_filename_array(&cfg, 12, get_datadir_fname2("keys", "secret_id_key"), 1, get_datadir_fname2("keys", "secret_onion_key"), 1, get_datadir_fname2("keys", "secret_onion_key_ntor"), 1, @@ -2694,8 +2695,7 @@ sandbox_init_filter() get_datadir_fname("fingerprint"), 1, get_datadir_fname("cached-consensus"), 1, get_datadir_fname("cached-consensus.tmp"), 1, - "/etc/resolv.conf", 0, - "/dev/random", 0 + "/etc/resolv.conf", 0 ); sandbox_cfg_allow_stat64_filename_array(&cfg, 2, @@ -2783,6 +2783,10 @@ tor_main(int argc, char *argv[]) log_err(LD_BUG,"Failed to create syscall sandbox filter"); return -1; } + + // registering libevent rng + evutil_secure_rng_set_urandom_device_file( + (char*) sandbox_intern_string("/dev/random")); } switch (get_options()->command) {

1 0

[tor/master] added comments for sandbox.h
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit 372e0f91fdb8baa43a6495c66d8df9d9d64f711c Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Thu Aug 15 00:09:07 2013 +0300 added comments for sandbox.h --- src/common/compat.c | 1 + src/common/sandbox.c | 13 +++---- src/common/sandbox.h | 106 ++++++++++++++++++++++++++++++++++++++++---------- 3 files changed, 92 insertions(+), 28 deletions(-) diff --git a/src/common/compat.c b/src/common/compat.c index 47b65d3..adabf6e 100644 --- a/src/common/compat.c +++ b/src/common/compat.c @@ -109,6 +109,7 @@ #include "util.h" #include "container.h" #include "address.h" +#include "sandbox.h" /* Inline the strl functions if the platform doesn't have them. */ #ifndef HAVE_STRLCPY diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 6ff4296..f4c0779 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -9,6 +9,10 @@ * \brief Code to enable sandboxing. **/ +/** + * Temporarily required for O_LARGEFILE flag. Needs to be removed + * with the libevent fix. + */ #define _LARGEFILE64_SOURCE #include <stdio.h> @@ -243,7 +247,6 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } #endif -// TODO parameters static int sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { @@ -589,8 +592,7 @@ sandbox_intern_string(const char *param) return NULL; for (elem = filter_dynamic; elem != NULL; elem = elem->next) { - if (elem->prot && elem->ptype == PARAM_PTR - && !strncmp(param, (char*)(elem->param), MAX_PARAM_LEN)) { + if (elem->prot && !strncmp(param, (char*)(elem->param), MAX_PARAM_LEN)) { return (char*)(elem->param); } } @@ -643,7 +645,6 @@ sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, char fr) elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t)); elem->syscall = SCMP_SYS(stat64); elem->pindex = 0; - elem->ptype = PARAM_PTR; elem->param = (intptr_t) prot_strdup((char*) file); elem->prot = 1; @@ -688,7 +689,6 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, char fr) elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t)); elem->syscall = SCMP_SYS(open); elem->pindex = 0; - elem->ptype = PARAM_PTR; elem->param = (intptr_t) prot_strdup((char*) file); elem->prot = 1; @@ -732,7 +732,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, char fr) elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t)); elem->syscall = SCMP_SYS(openat); elem->pindex = 1; - elem->ptype = PARAM_PTR; elem->param = (intptr_t) prot_strdup((char*) file);; elem->prot = 1; @@ -776,7 +775,6 @@ sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com) elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t)); elem->syscall = SCMP_SYS(openat); elem->pindex = 1; - elem->ptype = PARAM_PTR; elem->param = (intptr_t) prot_strdup((char*) com);; elem->prot = 1; @@ -1062,7 +1060,6 @@ tor_global_sandbox(void) #endif } -/** Use fd to log non-survivable sandbox violations. */ void sandbox_set_debugging_fd(int fd) { diff --git a/src/common/sandbox.h b/src/common/sandbox.h index e928591..ad31e54 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -9,8 +9,6 @@ * \brief Header file for sandbox.c. **/ -// TODO: thinking of only having allow_file for multiple syscalls - #ifndef SANDBOX_H_ #define SANDBOX_H_ @@ -37,40 +35,38 @@ #include <sys/ucontext.h> #include <seccomp.h> +/** Security measure for filter string parameter lengths*/ #define MAX_PARAM_LEN 64 #define PARAM_PTR 0 #define PARAM_NUM 1 -typedef struct { - int syscall; - - char ptype; - char pindex; - intptr_t param; - - char prot; -} sandbox_static_cfg_t; - +/** + * Structure used to manage a sandbox configuration. + * + * It is implemented as a linked list of parameters. Currently only controls + * parameters for open, openat, execve, stat64. + */ struct pfd_elem { - int syscall; + int syscall; // syscall associated with parameter - char ptype; - char pindex; - intptr_t param; + char pindex; // parameter index + intptr_t param; // parameter value - char prot; + char prot; // parameter flag (0 = not protected, 1 = protected) struct pfd_elem *next; }; +/** Typedef to structure used to manage a sandbox configuration. */ typedef struct pfd_elem sandbox_cfg_t; +/** Function pointer defining the prototype of a filter function.*/ typedef int (*sandbox_filter_func_t)(scmp_filter_ctx ctx, sandbox_cfg_t *filter); - +/** Type that will be used in step 3 in order to manage multiple sandboxes.*/ typedef struct { - // function pointers associated with filter + // function pointers associated with the filter sandbox_filter_func_t *filter_func; // filter function pointer parameters @@ -95,28 +91,98 @@ typedef struct { #endif // __linux__ +/** Use fd to log non-survivable sandbox violations. */ void sandbox_set_debugging_fd(int fd); -int tor_global_sandbox(void); + +/** Returns a registered protected string used with the sandbox, given that + * it matches the parameter. + */ const char* sandbox_intern_string(const char *param); +/** Creates an empty sandbox configuration file.*/ sandbox_cfg_t * sandbox_cfg_new(); +/** + * Function used to add a open allowed filename to a supplied configuration. + * The (char*) specifies the path to the allowed file, fr = 1 tells the + * function that the char* needs to be free-ed, 0 means the pointer does not + * need to be free-ed. + */ int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, char fr); + +/** Function used to add a series of open allowed filenames to a supplied + * configuration. + * @param cfg sandbox configuration. + * @param num number of files. + * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> + * the char* specifies the path to the allowed file, 1 tells the function + * that the char* needs to be free-ed, 0 means the pointer does not need to + * be free-ed. + */ int sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, int num, ...); +/** + * Function used to add a openat allowed filename to a supplied configuration. + * The (char*) specifies the path to the allowed file, fr = 1 tells the + * function that the char* needs to be free-ed, 0 means the pointer does not + * need to be free-ed. + */ int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, char fr); + +/** Function used to add a series of openat allowed filenames to a supplied + * configuration. + * @param cfg sandbox configuration. + * @param num number of files. + * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> + * the char* specifies the path to the allowed file, 1 tells the function + * that the char* needs to be free-ed, 0 means the pointer does not need to + * be free-ed. + */ int sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, int num, ...); +/** + * Function used to add a execve allowed filename to a supplied configuration. + * The (char*) specifies the path to the allowed file, fr = 1 tells the + * function that the char* needs to be free-ed, 0 means the pointer does not + * need to be free-ed. + */ int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com); + +/** Function used to add a series of execve allowed filenames to a supplied + * configuration. + * @param cfg sandbox configuration. + * @param num number of files. + * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> + * the char* specifies the path to the allowed file, 1 tells the function + * that the char* needs to be free-ed, 0 means the pointer does not need to + * be free-ed. + */ int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...); +/** + * Function used to add a stat64 allowed filename to a supplied configuration. + * The (char*) specifies the path to the allowed file, fr = 1 tells the + * function that the char* needs to be free-ed, 0 means the pointer does not + * need to be free-ed. + */ int sandbox_cfg_allow_stat64_filename(sandbox_cfg_t **cfg, char *file, char fr); + +/** Function used to add a series of stat64 allowed filenames to a supplied + * configuration. + * @param cfg sandbox configuration. + * @param num number of files. + * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> + * the char* specifies the path to the allowed file, 1 tells the function + * that the char* needs to be free-ed, 0 means the pointer does not need to + * be free-ed. + */ int sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, int num, ...); +/** Function used to initialise a sandbox configuration.*/ int sandbox_init(sandbox_cfg_t* cfg); #endif /* SANDBOX_H_ */

1 0

[tor/master] fixed openssl open syscall, fixed sandbox_getaddrinfo
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit 71612f00ae6df941861fbd9c67f0bbf15256b873 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Tue Aug 20 13:10:07 2013 +0300 fixed openssl open syscall, fixed sandbox_getaddrinfo --- src/common/sandbox.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index c71efb0..87c8946 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -264,13 +264,13 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } // problem: required by getaddrinfo -// rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, -// SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC)); -// if (rc != 0) { -// log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " -// "error %d", rc); -// return rc; -// } + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), SCMP_SYS(open), 1, + SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " + "error %d", rc); + return rc; + } return 0; } @@ -872,6 +872,10 @@ int sandbox_getaddrinfo(const char *name, struct addrinfo **res) return -2; } *res = NULL; + *res = (struct addrinfo *) malloc (sizeof(struct addrinfo)); + if (!res) { + return -2; + } if (gethostname(hname, sizeof(hname)) < 0) { return -1; @@ -882,7 +886,7 @@ int sandbox_getaddrinfo(const char *name, struct addrinfo **res) return -1; } - *res = sb_addr_info; + memcpy(*res, sb_addr_info, sizeof(struct addrinfo)); return 0; }

1 0

[tor/master] finalised fix on libevent open string issue
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit a9910d89f170933a7730798c98ebbb1d743a1c46 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Mon Aug 19 11:41:46 2013 +0300 finalised fix on libevent open string issue --- src/common/sandbox.c | 9 --------- src/or/dns.c | 12 +++++++++--- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index c5e1231..210aa7c 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -261,15 +261,6 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } } - // todo remove when libevent fix - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, - SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_LARGEFILE|O_CLOEXEC)); - if (rc != 0) { - log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " - "error %d", rc); - return rc; - } - // problem: required by getaddrinfo rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC)); diff --git a/src/or/dns.c b/src/or/dns.c index 6dc0c05..09601e9 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -1444,13 +1444,14 @@ configure_nameservers(int force) const or_options_t *options; const char *conf_fname; struct stat st; - int r; + int r, flags; options = get_options(); conf_fname = options->ServerDNSResolvConfFile; #ifndef _WIN32 if (!conf_fname) conf_fname = "/etc/resolv.conf"; #endif + flags = DNS_OPTIONS_ALL; if (!the_evdns_base) { if (!(the_evdns_base = evdns_base_new(tor_libevent_get_base(), 0))) { @@ -1492,9 +1493,14 @@ configure_nameservers(int force) evdns_base_search_clear(the_evdns_base); evdns_base_clear_nameservers_and_suspend(the_evdns_base); } + if (flags & DNS_OPTION_HOSTSFILE) { + flags ^= DNS_OPTION_HOSTSFILE; + evdns_base_load_hosts(the_evdns_base, + sandbox_intern_string("/etc/resolv.conf")); + } log_info(LD_EXIT, "Parsing resolver configuration in '%s'", conf_fname); - if ((r = evdns_base_resolv_conf_parse(the_evdns_base, - DNS_OPTIONS_ALL, conf_fname))) { + if ((r = evdns_base_resolv_conf_parse(the_evdns_base, flags, + sandbox_intern_string(conf_fname)))) { log_warn(LD_EXIT, "Unable to parse '%s', or no nameservers in '%s' (%d)", conf_fname, conf_fname, r); goto err;

1 0

[tor/master] fix: flock filter update
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit 8aa5517ff639fe7101de34c24701057d56a44346 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Wed Aug 21 13:38:00 2013 +0300 fix: flock filter update --- src/common/sandbox.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 87c8946..7ff0fb0 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -531,6 +531,11 @@ sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (rc) return rc; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1, + SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN)); + if (rc) + return rc; + return 0; }

1 0

[tor/master] make check-spaces fixes
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit bc19ea100cf85c458cce7d91b84c0b6f8892f71d Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Wed Aug 21 17:57:15 2013 +0300 make check-spaces fixes --- src/common/sandbox.c | 34 +++++++++++++++++++--------------- src/or/config.c | 3 ++- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 3fb75ef..a4a93db 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -161,8 +161,8 @@ sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter) rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_CMP(0, SCMP_CMP_EQ, elem->param)); if (rc != 0) { - log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received libseccomp " - "error %d", rc); + log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received " + "libseccomp error %d", rc); return rc; } } @@ -256,8 +256,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(0, SCMP_CMP_EQ, elem->param)); if (rc != 0) { - log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " - "error %d", rc); + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received " + "libseccomp error %d", rc); return rc; } } @@ -382,7 +382,8 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } -static int sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +static int +sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc = 0; @@ -608,8 +609,8 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64), 1, SCMP_CMP(0, SCMP_CMP_EQ, elem->param)); if (rc != 0) { - log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " - "error %d", rc); + log_err(LD_BUG,"(Sandbox) failed to add open syscall, received " + "libseccomp error %d", rc); return rc; } } @@ -730,7 +731,7 @@ sandbox_cfg_allow_stat64_filename_array(sandbox_cfg_t **cfg, int num, ...) char fr = (char) va_arg(ap, int); rc = sandbox_cfg_allow_stat64_filename(cfg, fn, fr); - if(rc) { + if (rc) { log_err(LD_BUG,"(Sandbox) failed on par %d", i); goto end; } @@ -774,7 +775,7 @@ sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, int num, ...) char fr = (char) va_arg(ap, int); rc = sandbox_cfg_allow_open_filename(cfg, fn, fr); - if(rc) { + if (rc) { log_err(LD_BUG,"(Sandbox) failed on par %d", i); goto end; } @@ -817,7 +818,7 @@ sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, int num, ...) char fr = (char) va_arg(ap, int); rc = sandbox_cfg_allow_openat_filename(cfg, fn, fr); - if(rc) { + if (rc) { log_err(LD_BUG,"(Sandbox) failed on par %d", i); goto end; } @@ -858,7 +859,7 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...) rc = sandbox_cfg_allow_execve(cfg, fn); - if(rc) { + if (rc) { log_err(LD_BUG,"(Sandbox) failed on par %d", i); goto end; } @@ -869,7 +870,8 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...) return 0; } -int sandbox_getaddrinfo(const char *name, struct addrinfo **res) +int +sandbox_getaddrinfo(const char *name, struct addrinfo **res) { char hname[256]; @@ -877,7 +879,7 @@ int sandbox_getaddrinfo(const char *name, struct addrinfo **res) return -2; } *res = NULL; - *res = (struct addrinfo *) malloc (sizeof(struct addrinfo)); + *res = (struct addrinfo *)malloc(sizeof(struct addrinfo)); if (!res) { return -2; } @@ -913,7 +915,7 @@ init_addrinfo(void) hints.ai_socktype = SOCK_STREAM; ret = getaddrinfo(hname, NULL, &hints, &sb_addr_info); - if(ret) { + if (ret) { sb_addr_info = NULL; return -2; } @@ -1078,7 +1080,9 @@ install_sigsys_debugging(void) return 0; } -static int register_cfg(sandbox_cfg_t* cfg) { +static int +register_cfg(sandbox_cfg_t* cfg) +{ sandbox_cfg_t *elem = NULL; if (filter_dynamic == NULL) { diff --git a/src/or/config.c b/src/or/config.c index e1b7b4e..75ec097 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -6121,7 +6121,8 @@ remove_file_if_very_old(const char *fname, time_t now) #define VERY_OLD_FILE_AGE (28*24*60*60) struct stat st; - if (stat(sandbox_intern_string(fname), &st)==0 && st.st_mtime < now-VERY_OLD_FILE_AGE) { + if (stat(sandbox_intern_string(fname), &st)==0 && + st.st_mtime < now-VERY_OLD_FILE_AGE) { char buf[ISO_TIME_LEN+1]; format_local_iso_time(buf, st.st_mtime); log_notice(LD_GENERAL, "Obsolete file %s hasn't been modified since %s. "

1 0

[tor/master] fix for getaddrinfo open syscall
by nickm＠torproject.org 13 Sep '13

13 Sep '13

commit 36aeca0ecf5f6e724a4d5da1795c9c9d76410290 Author: Cristian Toader <cristian.matei.toader(a)gmail.com> Date: Mon Aug 19 13:56:50 2013 +0300 fix for getaddrinfo open syscall --- src/common/address.c | 3 ++- src/common/sandbox.c | 72 +++++++++++++++++++++++++++++++++++++++++++------- src/common/sandbox.h | 4 +++ 3 files changed, 69 insertions(+), 10 deletions(-) diff --git a/src/common/address.c b/src/common/address.c index 227b4fb..5c8603e 100644 --- a/src/common/address.c +++ b/src/common/address.c @@ -14,6 +14,7 @@ #include "address.h" #include "torlog.h" #include "container.h" +#include "sandbox.h" #ifdef _WIN32 #include <process.h> @@ -234,7 +235,7 @@ tor_addr_lookup(const char *name, uint16_t family, tor_addr_t *addr) memset(&hints, 0, sizeof(hints)); hints.ai_family = family; hints.ai_socktype = SOCK_STREAM; - err = getaddrinfo(name, NULL, &hints, &res); + err = sandbox_getaddrinfo(name, &res); if (!err) { best = NULL; for (res_p = res; res_p; res_p = res_p->ai_next) { diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 210aa7c..c71efb0 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -55,6 +55,8 @@ static sandbox_cfg_t *filter_dynamic = NULL; +static struct addrinfo *sb_addr_info= NULL; + /** Variable used for storing all syscall numbers that will be allowed with the * stage 1 general Tor sandbox. */ @@ -262,13 +264,13 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } // problem: required by getaddrinfo - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, - SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC)); - if (rc != 0) { - log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " - "error %d", rc); - return rc; - } +// rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, +// SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC)); +// if (rc != 0) { +// log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " +// "error %d", rc); +// return rc; +// } return 0; } @@ -288,8 +290,8 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY| O_CLOEXEC)); if (rc != 0) { - log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received libseccomp " - "error %d", rc); + log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received " + "libseccomp error %d", rc); return rc; } } @@ -862,6 +864,54 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...) return 0; } +int sandbox_getaddrinfo(const char *name, struct addrinfo **res) +{ + char hname[256]; + + if (!res) { + return -2; + } + *res = NULL; + + if (gethostname(hname, sizeof(hname)) < 0) { + return -1; + } + + if (strncmp(name, hname, sizeof(hname)) || sb_addr_info == NULL) { + log_err(LD_BUG,"(Sandbox) failed for hname %s!", name); + return -1; + } + + *res = sb_addr_info; + return 0; +} + +static int +init_addrinfo(void) +{ + int ret; + struct addrinfo hints; + char hname[256]; + + sb_addr_info = NULL; + + if (gethostname(hname, sizeof(hname)) < 0) { + return -1; + } + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; + hints.ai_socktype = SOCK_STREAM; + + ret = getaddrinfo(hname, NULL, &hints, &sb_addr_info); + if(ret) { + sb_addr_info = NULL; + return -2; + } + + return 0; +} + static int add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) { @@ -1047,6 +1097,10 @@ initialise_libseccomp_sandbox(sandbox_cfg_t* cfg) if (install_sigsys_debugging()) return -1; + if (init_addrinfo()) { + return -4; + } + if (install_syscall_filter(cfg)) return -2; diff --git a/src/common/sandbox.h b/src/common/sandbox.h index ad31e54..6cb827e 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -34,6 +34,7 @@ #endif #include <sys/ucontext.h> #include <seccomp.h> +#include <netdb.h> /** Security measure for filter string parameter lengths*/ #define MAX_PARAM_LEN 64 @@ -91,6 +92,9 @@ typedef struct { #endif // __linux__ +/** Replacement for getaddrinfo(), using pre-recorded results. */ +int sandbox_getaddrinfo(const char *name, struct addrinfo **res); + /** Use fd to log non-survivable sandbox violations. */ void sandbox_set_debugging_fd(int fd);

1 0