April 2019 - tor-commits - lists.torproject.org

[tor/master] map_anon: define a macro if it is possible for noinherit to fail.
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 361e955cf3f852caebb63f618fbae883237bf28b Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Mar 6 11:03:26 2019 -0500 map_anon: define a macro if it is possible for noinherit to fail. --- src/lib/malloc/map_anon.h | 21 +++++++++++++++++++++ src/test/test_util.c | 6 ++++++ 2 files changed, 27 insertions(+) diff --git a/src/lib/malloc/map_anon.h b/src/lib/malloc/map_anon.h index edd750082..89fb9da0f 100644 --- a/src/lib/malloc/map_anon.h +++ b/src/lib/malloc/map_anon.h @@ -41,6 +41,27 @@ * the child process. */ #define INHERIT_ZERO 2 +/* Here we define the NOINHERIT_CAN_FAIL macro if and only if + * it's possible that ANONMAP_NOINHERIT might yield inheritable memory. + */ +#ifdef _WIN32 +/* Windows can't fork, so NOINHERIT is never needed. */ +#elif defined(HAVE_MINHERIT) +/* minherit() will always have a working MAP_INHERIT_NONE or MAP_INHERIT_ZERO. + * NOINHERIT should always work. + */ +#elif defined(HAVE_MADVISE) +/* madvise() sometimes has neither MADV_DONTFORK and MADV_WIPEONFORK. + * We need to be ready for the possibility it failed. + * + * (Linux added DONTFORK in 2.6.16 and WIPEONFORK in 4.14. If we someday + * require 2.6.16 or later, we can assume that DONTFORK will work.) + */ +#define NOINHERIT_CAN_FAIL +#else +#define NOINHERIT_CAN_FAIL +#endif + void *tor_mmap_anonymous(size_t sz, unsigned flags, unsigned *inherit_result_out); void tor_munmap_anonymous(void *mapping, size_t sz); diff --git a/src/test/test_util.c b/src/test/test_util.c index 039fc435c..f6085fdb9 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -6224,11 +6224,17 @@ test_util_map_anon_nofork(void *arg) int ws; waitpid(child, &ws, 0); +#ifndef NOINHERIT_CAN_FAIL + /* Only if NOINHERIT_CAN_FAIL should it be possible for us to get + * INHERIT_KEEP behavior in this case. */ + tt_assert(inherit, OP_NE, INHERIT_KEEP); +#else if (inherit == INHERIT_KEEP) { /* Call this test "skipped", not "passed", since noinherit wasn't * implemented. */ tt_skip(); } +#endif done: tor_munmap_anonymous(ptr, sz);

1 0

[tor/master] Make map_anon expose the result of a noinherit attempt
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 12205c3cbee4e71ded2b5710a57342b510e9d6df Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Mar 6 10:35:02 2019 -0500 Make map_anon expose the result of a noinherit attempt Previously we did this for tests only, but it's valuable for getting proper fork behavior in rand_fast. --- src/lib/crypt_ops/crypto_rand_fast.c | 4 +-- src/lib/malloc/map_anon.c | 48 ++++++++++++++---------------------- src/lib/malloc/map_anon.h | 17 +++++++++---- src/test/test_util.c | 21 +++++++++------- 4 files changed, 45 insertions(+), 45 deletions(-) diff --git a/src/lib/crypt_ops/crypto_rand_fast.c b/src/lib/crypt_ops/crypto_rand_fast.c index 760e1025e..f1acc9faf 100644 --- a/src/lib/crypt_ops/crypto_rand_fast.c +++ b/src/lib/crypt_ops/crypto_rand_fast.c @@ -134,8 +134,8 @@ crypto_fast_rng_new_from_seed(const uint8_t *seed) * having it get dumped, swapped, or shared after fork. */ crypto_fast_rng_t *result = tor_mmap_anonymous(sizeof(*result), - ANONMAP_PRIVATE | ANONMAP_NOINHERIT); - + ANONMAP_PRIVATE | ANONMAP_NOINHERIT, + NULL); memcpy(result->buf.seed, seed, SEED_LEN); /* Causes an immediate refill once the user asks for data. */ result->bytes_left = 0; diff --git a/src/lib/malloc/map_anon.c b/src/lib/malloc/map_anon.c index 5dac5256a..bb0a3d574 100644 --- a/src/lib/malloc/map_anon.c +++ b/src/lib/malloc/map_anon.c @@ -107,54 +107,34 @@ nodump_mem(void *mem, size_t sz) #endif } -#ifdef TOR_UNIT_TESTS -static unsigned last_anon_map_noinherit = ~0; -/* Testing helper: return the outcome of the last call to noinherit_mem(): - * 0 if it did no good; 1 if it caused the memory not to be inherited, and - * 2 if it caused the memory to be cleared on fork */ -unsigned -get_last_anon_map_noinherit(void) -{ - return last_anon_map_noinherit; -} -static void -set_last_anon_map_noinherit(unsigned f) -{ - last_anon_map_noinherit = f; -} -#else -static void -set_last_anon_map_noinherit(unsigned f) -{ - (void)f; -} -#endif - /** * Helper: try to prevent the sz bytes at mem from being * accessible in child processes -- ideally by having them set to 0 after a * fork, and if that doesn't work, by having them unmapped after a fork. * Return 0 on success or if the facility is not available on this OS; return * -1 on failure. + * + * If we successfully make the memory uninheritable, adjust the value of + * *inherit_result_out. */ static int -noinherit_mem(void *mem, size_t sz) +noinherit_mem(void *mem, size_t sz, unsigned *inherit_result_out) { - set_last_anon_map_noinherit(0); #ifdef FLAG_ZERO int r = MINHERIT(mem, sz, FLAG_ZERO); if (r == 0) { - set_last_anon_map_noinherit(2); + *inherit_result_out = INHERIT_ZERO; return 0; } #endif #ifdef FLAG_NOINHERIT int r2 = MINHERIT(mem, sz, FLAG_NOINHERIT); if (r2 == 0) { - set_last_anon_map_noinherit(1); + *inherit_result_out = INHERIT_DROP; } return r2; #else + (void)inherit_result_out; (void)mem; (void)sz; return 0; @@ -174,14 +154,24 @@ noinherit_mem(void *mem, size_t sz) * Memory returned from this function must be released with * tor_munmap_anonymous(). * + * If inherit_result_out is non-NULL, set it to one of INHERIT_KEEP, + * INHERIT_DROP, and INHERIT_ZERO, depending on the properties of the returned + * memory. + * * [Note: OS people use the word "anonymous" here to mean that the memory * isn't associated with any file. This has *nothing* to do with the kind of * anonymity that Tor is trying to provide.] */ void * -tor_mmap_anonymous(size_t sz, unsigned flags) +tor_mmap_anonymous(size_t sz, unsigned flags, unsigned *inherit_result_out) { void *ptr; + unsigned itmp=0; + if (inherit_result_out == NULL) { + inherit_result_out = &itmp; + } + *inherit_result_out = INHERIT_KEEP; + #if defined(_WIN32) HANDLE mapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, /*attributes*/ @@ -214,7 +204,7 @@ tor_mmap_anonymous(size_t sz, unsigned flags) } if (flags & ANONMAP_NOINHERIT) { - int noinherit_result = noinherit_mem(ptr, sz); + int noinherit_result = noinherit_mem(ptr, sz, inherit_result_out); raw_assert(noinherit_result == 0); } diff --git a/src/lib/malloc/map_anon.h b/src/lib/malloc/map_anon.h index 395145bd7..edd750082 100644 --- a/src/lib/malloc/map_anon.h +++ b/src/lib/malloc/map_anon.h @@ -31,11 +31,18 @@ */ #define ANONMAP_NOINHERIT (1u<<1) -void *tor_mmap_anonymous(size_t sz, unsigned flags); -void tor_munmap_anonymous(void *mapping, size_t sz); +/** Possible value for inherit_result_out: the memory will be kept + * by any child process. */ +#define INHERIT_KEEP 0 +/** Possible value for inherit_result_out: the memory will be dropped in + * the child process. Attempting to access it will likely cause a segfault. */ +#define INHERIT_DROP 1 +/** Possible value for inherit_result_out: the memory will be cleared in + * the child process. */ +#define INHERIT_ZERO 2 -#ifdef TOR_UNIT_TESTS -unsigned get_last_anon_map_noinherit(void); -#endif +void *tor_mmap_anonymous(size_t sz, unsigned flags, + unsigned *inherit_result_out); +void tor_munmap_anonymous(void *mapping, size_t sz); #endif /* !defined(TOR_MAP_ANON_H) */ diff --git a/src/test/test_util.c b/src/test/test_util.c index 4990aa709..039fc435c 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -6130,10 +6130,12 @@ test_util_map_anon(void *arg) (void)arg; char *ptr = NULL; size_t sz = 16384; + unsigned inherit=0; /* Basic checks. */ - ptr = tor_mmap_anonymous(sz, 0); + ptr = tor_mmap_anonymous(sz, 0, &inherit); tt_ptr_op(ptr, OP_NE, 0); + tt_int_op(inherit, OP_EQ, INHERIT_KEEP); ptr[sz-1] = 3; tt_int_op(ptr[0], OP_EQ, 0); tt_int_op(ptr[sz-2], OP_EQ, 0); @@ -6141,8 +6143,9 @@ test_util_map_anon(void *arg) /* Try again, with a private (non-swappable) mapping. */ tor_munmap_anonymous(ptr, sz); - ptr = tor_mmap_anonymous(sz, ANONMAP_PRIVATE); + ptr = tor_mmap_anonymous(sz, ANONMAP_PRIVATE, &inherit); tt_ptr_op(ptr, OP_NE, 0); + tt_int_op(inherit, OP_EQ, INHERIT_KEEP); ptr[sz-1] = 10; tt_int_op(ptr[0], OP_EQ, 0); tt_int_op(ptr[sz/2], OP_EQ, 0); @@ -6150,7 +6153,7 @@ test_util_map_anon(void *arg) /* Now let's test a drop-on-fork mapping. */ tor_munmap_anonymous(ptr, sz); - ptr = tor_mmap_anonymous(sz, ANONMAP_NOINHERIT); + ptr = tor_mmap_anonymous(sz, ANONMAP_NOINHERIT, &inherit); tt_ptr_op(ptr, OP_NE, 0); ptr[sz-1] = 10; tt_int_op(ptr[0], OP_EQ, 0); @@ -6179,10 +6182,10 @@ test_util_map_anon_nofork(void *arg) char *ptr = NULL; size_t sz = 16384; int pipefd[2] = {-1, -1}; + unsigned inherit=0; tor_munmap_anonymous(ptr, sz); - ptr = tor_mmap_anonymous(sz, ANONMAP_NOINHERIT); - int outcome = get_last_anon_map_noinherit(); + ptr = tor_mmap_anonymous(sz, ANONMAP_NOINHERIT, &inherit); tt_ptr_op(ptr, OP_NE, 0); memset(ptr, 0xd0, sz); @@ -6204,16 +6207,16 @@ test_util_map_anon_nofork(void *arg) char buf[1]; ssize_t r = read(pipefd[0], buf, 1); - if (outcome == 2) { + if (inherit == INHERIT_ZERO) { // We should be seeing clear-on-fork behavior. tt_int_op((int)r, OP_EQ, 1); // child should send us a byte. tt_int_op(buf[0], OP_EQ, 0); // that byte should be zero. - } else if (outcome == 1) { + } else if (inherit == INHERIT_DROP) { // We should be seeing noinherit behavior. tt_int_op(r, OP_LE, 0); // child said nothing; it should have crashed. } else { // noinherit isn't implemented. - tt_int_op(outcome, OP_EQ, 0); + tt_int_op(inherit, OP_EQ, INHERIT_KEEP); tt_int_op((int)r, OP_EQ, 1); // child should send us a byte. tt_int_op(buf[0], OP_EQ, 0xd0); // that byte should what we set it to. } @@ -6221,7 +6224,7 @@ test_util_map_anon_nofork(void *arg) int ws; waitpid(child, &ws, 0); - if (outcome == 0) { + if (inherit == INHERIT_KEEP) { /* Call this test "skipped", not "passed", since noinherit wasn't * implemented. */ tt_skip();

1 0

[tor/master] rename inherit values to avoid conflict with system defines
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 027c536598f336014d7ef406610207ec4559d490 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Mar 6 12:08:25 2019 -0500 rename inherit values to avoid conflict with system defines --- src/lib/crypt_ops/crypto_rand_fast.c | 12 ++++++------ src/lib/malloc/map_anon.c | 12 ++++++------ src/lib/malloc/map_anon.h | 6 +++--- src/test/test_util.c | 14 +++++++------- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/src/lib/crypt_ops/crypto_rand_fast.c b/src/lib/crypt_ops/crypto_rand_fast.c index 384c172c3..01817c618 100644 --- a/src/lib/crypt_ops/crypto_rand_fast.c +++ b/src/lib/crypt_ops/crypto_rand_fast.c @@ -152,7 +152,7 @@ crypto_fast_rng_new(void) crypto_fast_rng_t * crypto_fast_rng_new_from_seed(const uint8_t *seed) { - unsigned inherit = INHERIT_KEEP; + unsigned inherit = INHERIT_RES_KEEP; /* We try to allocate this object as securely as we can, to avoid * having it get dumped, swapped, or shared after fork. */ @@ -164,7 +164,7 @@ crypto_fast_rng_new_from_seed(const uint8_t *seed) result->bytes_left = 0; result->n_till_reseed = RESEED_AFTER; #ifdef CHECK_PID - if (inherit == INHERIT_KEEP) { + if (inherit == INHERIT_RES_KEEP) { /* This value will neither be dropped nor zeroed after fork, so we need to * check our pid to make sure we are not sharing it across a fork. This * can be expensive if the pid value isn't cached, sadly. @@ -176,7 +176,7 @@ crypto_fast_rng_new_from_seed(const uint8_t *seed) #else /* We decided above that noinherit would always do _something_. Assert here * that we were correct. */ - tor_assert(inherit != INHERIT_KEEP); + tor_assert(inherit != INHERIT_RES_KEEP); #endif return result; } @@ -253,12 +253,12 @@ crypto_fast_rng_getbytes_impl(crypto_fast_rng_t *rng, uint8_t *out, if (rng->owner) { /* Note that we only need to do this check when we have owner set: that * is, when our attempt to block inheriting failed, and the result was - * INHERIT_KEEP. + * INHERIT_RES_KEEP. * - * If the result was INHERIT_DROP, then any attempt to access the rng + * If the result was INHERIT_RES_DROP, then any attempt to access the rng * memory after forking will crash. * - * If the result was INHERIT_ZERO, then forking will set the bytes_left + * If the result was INHERIT_RES_ZERO, then forking will set the bytes_left * and n_till_reseed fields to zero. This function will call * crypto_fast_rng_refill(), which will in turn reseed the PRNG. * diff --git a/src/lib/malloc/map_anon.c b/src/lib/malloc/map_anon.c index bb0a3d574..3e1c22648 100644 --- a/src/lib/malloc/map_anon.c +++ b/src/lib/malloc/map_anon.c @@ -123,14 +123,14 @@ noinherit_mem(void *mem, size_t sz, unsigned *inherit_result_out) #ifdef FLAG_ZERO int r = MINHERIT(mem, sz, FLAG_ZERO); if (r == 0) { - *inherit_result_out = INHERIT_ZERO; + *inherit_result_out = INHERIT_RES_ZERO; return 0; } #endif #ifdef FLAG_NOINHERIT int r2 = MINHERIT(mem, sz, FLAG_NOINHERIT); if (r2 == 0) { - *inherit_result_out = INHERIT_DROP; + *inherit_result_out = INHERIT_RES_DROP; } return r2; #else @@ -154,9 +154,9 @@ noinherit_mem(void *mem, size_t sz, unsigned *inherit_result_out) * Memory returned from this function must be released with * tor_munmap_anonymous(). * - * If inherit_result_out is non-NULL, set it to one of INHERIT_KEEP, - * INHERIT_DROP, and INHERIT_ZERO, depending on the properties of the returned - * memory. + * If inherit_result_out is non-NULL, set it to one of + * INHERIT_RES_KEEP, INHERIT_RES_DROP, or INHERIT_RES_ZERO, depending on the + * properties of the returned memory. * * [Note: OS people use the word "anonymous" here to mean that the memory * isn't associated with any file. This has *nothing* to do with the kind of @@ -170,7 +170,7 @@ tor_mmap_anonymous(size_t sz, unsigned flags, unsigned *inherit_result_out) if (inherit_result_out == NULL) { inherit_result_out = &itmp; } - *inherit_result_out = INHERIT_KEEP; + *inherit_result_out = INHERIT_RES_KEEP; #if defined(_WIN32) HANDLE mapping = CreateFileMapping(INVALID_HANDLE_VALUE, diff --git a/src/lib/malloc/map_anon.h b/src/lib/malloc/map_anon.h index 89fb9da0f..f101654eb 100644 --- a/src/lib/malloc/map_anon.h +++ b/src/lib/malloc/map_anon.h @@ -33,13 +33,13 @@ /** Possible value for inherit_result_out: the memory will be kept * by any child process. */ -#define INHERIT_KEEP 0 +#define INHERIT_RES_KEEP 0 /** Possible value for inherit_result_out: the memory will be dropped in * the child process. Attempting to access it will likely cause a segfault. */ -#define INHERIT_DROP 1 +#define INHERIT_RES_DROP 1 /** Possible value for inherit_result_out: the memory will be cleared in * the child process. */ -#define INHERIT_ZERO 2 +#define INHERIT_RES_ZERO 2 /* Here we define the NOINHERIT_CAN_FAIL macro if and only if * it's possible that ANONMAP_NOINHERIT might yield inheritable memory. diff --git a/src/test/test_util.c b/src/test/test_util.c index f6085fdb9..4f81e54d2 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -6135,7 +6135,7 @@ test_util_map_anon(void *arg) /* Basic checks. */ ptr = tor_mmap_anonymous(sz, 0, &inherit); tt_ptr_op(ptr, OP_NE, 0); - tt_int_op(inherit, OP_EQ, INHERIT_KEEP); + tt_int_op(inherit, OP_EQ, INHERIT_RES_KEEP); ptr[sz-1] = 3; tt_int_op(ptr[0], OP_EQ, 0); tt_int_op(ptr[sz-2], OP_EQ, 0); @@ -6145,7 +6145,7 @@ test_util_map_anon(void *arg) tor_munmap_anonymous(ptr, sz); ptr = tor_mmap_anonymous(sz, ANONMAP_PRIVATE, &inherit); tt_ptr_op(ptr, OP_NE, 0); - tt_int_op(inherit, OP_EQ, INHERIT_KEEP); + tt_int_op(inherit, OP_EQ, INHERIT_RES_KEEP); ptr[sz-1] = 10; tt_int_op(ptr[0], OP_EQ, 0); tt_int_op(ptr[sz/2], OP_EQ, 0); @@ -6207,16 +6207,16 @@ test_util_map_anon_nofork(void *arg) char buf[1]; ssize_t r = read(pipefd[0], buf, 1); - if (inherit == INHERIT_ZERO) { + if (inherit == INHERIT_RES_ZERO) { // We should be seeing clear-on-fork behavior. tt_int_op((int)r, OP_EQ, 1); // child should send us a byte. tt_int_op(buf[0], OP_EQ, 0); // that byte should be zero. - } else if (inherit == INHERIT_DROP) { + } else if (inherit == INHERIT_RES_DROP) { // We should be seeing noinherit behavior. tt_int_op(r, OP_LE, 0); // child said nothing; it should have crashed. } else { // noinherit isn't implemented. - tt_int_op(inherit, OP_EQ, INHERIT_KEEP); + tt_int_op(inherit, OP_EQ, INHERIT_RES_KEEP); tt_int_op((int)r, OP_EQ, 1); // child should send us a byte. tt_int_op(buf[0], OP_EQ, 0xd0); // that byte should what we set it to. } @@ -6227,9 +6227,9 @@ test_util_map_anon_nofork(void *arg) #ifndef NOINHERIT_CAN_FAIL /* Only if NOINHERIT_CAN_FAIL should it be possible for us to get * INHERIT_KEEP behavior in this case. */ - tt_assert(inherit, OP_NE, INHERIT_KEEP); + tt_assert(inherit, OP_NE, INHERIT_RES_KEEP); #else - if (inherit == INHERIT_KEEP) { + if (inherit == INHERIT_RES_KEEP) { /* Call this test "skipped", not "passed", since noinherit wasn't * implemented. */ tt_skip();

1 0

[tor/master] Syntax fix in test.
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 8c06f02c94067d7ad1bf39982e7238b7fafae0e0 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Mar 6 12:09:46 2019 -0500 Syntax fix in test. --- src/test/test_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/test_util.c b/src/test/test_util.c index 4f81e54d2..c683c9475 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -6227,7 +6227,7 @@ test_util_map_anon_nofork(void *arg) #ifndef NOINHERIT_CAN_FAIL /* Only if NOINHERIT_CAN_FAIL should it be possible for us to get * INHERIT_KEEP behavior in this case. */ - tt_assert(inherit, OP_NE, INHERIT_RES_KEEP); + tt_int_op(inherit, OP_NE, INHERIT_RES_KEEP); #else if (inherit == INHERIT_RES_KEEP) { /* Call this test "skipped", not "passed", since noinherit wasn't

1 0

[tor/master] Use an enum for inherit_result_out.
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 76912bf140ec61856c0bb0d25354283d024229f5 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Apr 3 10:57:06 2019 -0400 Use an enum for inherit_result_out. --- src/lib/malloc/map_anon.c | 7 ++++--- src/lib/malloc/map_anon.h | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/src/lib/malloc/map_anon.c b/src/lib/malloc/map_anon.c index 3e1c22648..f4fda00bf 100644 --- a/src/lib/malloc/map_anon.c +++ b/src/lib/malloc/map_anon.c @@ -118,7 +118,7 @@ nodump_mem(void *mem, size_t sz) * *inherit_result_out. */ static int -noinherit_mem(void *mem, size_t sz, unsigned *inherit_result_out) +noinherit_mem(void *mem, size_t sz, inherit_res_t *inherit_result_out) { #ifdef FLAG_ZERO int r = MINHERIT(mem, sz, FLAG_ZERO); @@ -163,10 +163,11 @@ noinherit_mem(void *mem, size_t sz, unsigned *inherit_result_out) * anonymity that Tor is trying to provide.] */ void * -tor_mmap_anonymous(size_t sz, unsigned flags, unsigned *inherit_result_out) +tor_mmap_anonymous(size_t sz, unsigned flags, + inherit_res_t *inherit_result_out) { void *ptr; - unsigned itmp=0; + inherit_res_t itmp=0; if (inherit_result_out == NULL) { inherit_result_out = &itmp; } diff --git a/src/lib/malloc/map_anon.h b/src/lib/malloc/map_anon.h index f101654eb..6c02cd6c1 100644 --- a/src/lib/malloc/map_anon.h +++ b/src/lib/malloc/map_anon.h @@ -31,15 +31,17 @@ */ #define ANONMAP_NOINHERIT (1u<<1) -/** Possible value for inherit_result_out: the memory will be kept - * by any child process. */ -#define INHERIT_RES_KEEP 0 -/** Possible value for inherit_result_out: the memory will be dropped in - * the child process. Attempting to access it will likely cause a segfault. */ -#define INHERIT_RES_DROP 1 -/** Possible value for inherit_result_out: the memory will be cleared in - * the child process. */ -#define INHERIT_RES_ZERO 2 +typedef enum { + /** Possible value for inherit_result_out: the memory will be kept + * by any child process. */ + INHERIT_RES_KEEP=0, + /** Possible value for inherit_result_out: the memory will be dropped in the + * child process. Attempting to access it will likely cause a segfault. */ + INHERIT_RES_DROP, + /** Possible value for inherit_result_out: the memory will be cleared in + * the child process. */ + INHERIT_RES_ZERO +} inherit_res_t; /* Here we define the NOINHERIT_CAN_FAIL macro if and only if * it's possible that ANONMAP_NOINHERIT might yield inheritable memory. @@ -63,7 +65,7 @@ #endif void *tor_mmap_anonymous(size_t sz, unsigned flags, - unsigned *inherit_result_out); + inherit_res_t *inherit_result_out); void tor_munmap_anonymous(void *mapping, size_t sz); #endif /* !defined(TOR_MAP_ANON_H) */

1 0

[tor/master] Merge branch 'tor-github/pr/761'
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit b371ea5b0eaca7affed4cdc39d68a34ad8c47c0a Merge: 574c20767 76912bf14 Author: George Kadianakis <desnacked(a)riseup.net> Date: Fri Apr 5 14:52:36 2019 +0300 Merge branch 'tor-github/pr/761' src/lib/crypt_ops/crypto_init.c | 6 ++++ src/lib/crypt_ops/crypto_rand_fast.c | 65 ++++++++++++++++++++++++++++++++++-- src/lib/malloc/map_anon.c | 49 +++++++++++---------------- src/lib/malloc/map_anon.h | 38 ++++++++++++++++++--- src/test/test_util.c | 27 ++++++++++----- 5 files changed, 140 insertions(+), 45 deletions(-)

1 0

[tor/release-0.4.0] Merge branch 'tor-github/pr/800' into maint-0.4.0
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 747b74c1825de055bd027c9c74088efdd61d7481 Merge: d016bbaa7 d194f6bed Author: George Kadianakis <desnacked(a)riseup.net> Date: Fri Apr 5 14:51:21 2019 +0300 Merge branch 'tor-github/pr/800' into maint-0.4.0 changes/ticket29357 | 7 +++++++ doc/tor.1.txt | 15 +++++++++++++++ src/app/config/config.c | 1 + src/app/config/or_options_st.h | 5 +++++ src/core/mainloop/netstatus.c | 4 ++++ src/test/test_mainloop.c | 8 ++++++++ 6 files changed, 40 insertions(+)

1 0

[tor/release-0.4.0] Merge branch 'maint-0.4.0' into release-0.4.0
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 4bc88a266a333eb58352c1c5fb87acb86cde05de Merge: 8a010c8b8 747b74c18 Author: George Kadianakis <desnacked(a)riseup.net> Date: Fri Apr 5 14:51:33 2019 +0300 Merge branch 'maint-0.4.0' into release-0.4.0 changes/ticket29357 | 7 +++++++ doc/tor.1.txt | 15 +++++++++++++++ src/app/config/config.c | 1 + src/app/config/or_options_st.h | 5 +++++ src/core/mainloop/netstatus.c | 4 ++++ src/test/test_mainloop.c | 8 ++++++++ 6 files changed, 40 insertions(+)

1 0

[tor/release-0.4.0] Implement an DormantCanceledByStartup option
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit d194f6bedf48410132b03fdab06b679512c14db1 Author: Nick Mathewson <nickm(a)torproject.org> Date: Sun Mar 17 13:48:00 2019 -0400 Implement an DormantCanceledByStartup option Closes ticket 29357, and comes with appropriate notions of caution. --- changes/ticket29357 | 7 +++++++ doc/tor.1.txt | 15 +++++++++++++++ src/app/config/config.c | 1 + src/app/config/or_options_st.h | 5 +++++ src/core/mainloop/netstatus.c | 4 ++++ src/test/test_mainloop.c | 8 ++++++++ 6 files changed, 40 insertions(+) diff --git a/changes/ticket29357 b/changes/ticket29357 new file mode 100644 index 000000000..3aab930cd --- /dev/null +++ b/changes/ticket29357 @@ -0,0 +1,7 @@ + o Minor features (dormant mode): + - Add a DormantCanceledByStartup option to tell Tor that it should + treat a startup event as cancelling any previous dormant state. + Integrators should use this option with caution: it should + only be used if Tor is being started because of something that the + user did, and not if Tor is being automatically started in the + background. Closes ticket 29357. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 52f5bfa0c..ea9942a28 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1850,6 +1850,21 @@ The following options are useful only for clients (that is, if After the first time Tor starts, it begins in dormant mode if it was dormant before, and not otherwise. (Default: 0) +[[DormantCanceledByStartup]] **DormantCanceledByStartup** **0**|**1**:: + By default, Tor starts in active mode if it was active the last time + it was shut down, and in dormant mode if it was dormant. But if + this option is true, Tor treats every startup event as user + activity, and Tor will never start in Dormant mode, even if it has + been unused for a long time on previous runs. (Default: 0) + + + Note: Packagers and application developers should change the value of + this option only with great caution: it has the potential to + create spurious traffic on the network. This option should only + be used if Tor is started by an affirmative user activity (like + clicking on an applcation or running a command), and not if Tor + is launched for some other reason (for example, by a startup + process, or by an application that launches itself on every login.) + SERVER OPTIONS -------------- diff --git a/src/app/config/config.c b/src/app/config/config.c index 8e0bfbe79..dc213ce2f 100644 --- a/src/app/config/config.c +++ b/src/app/config/config.c @@ -396,6 +396,7 @@ static config_var_t option_vars_[] = { V(DormantClientTimeout, INTERVAL, "24 hours"), V(DormantTimeoutDisabledByIdleStreams, BOOL, "1"), V(DormantOnFirstStartup, BOOL, "0"), + V(DormantCanceledByStartup, BOOL, "0"), /* DoS circuit creation options. */ V(DoSCircuitCreationEnabled, AUTOBOOL, "auto"), V(DoSCircuitCreationMinConnections, UINT, "0"), diff --git a/src/app/config/or_options_st.h b/src/app/config/or_options_st.h index 06e11d3c7..bd707fd19 100644 --- a/src/app/config/or_options_st.h +++ b/src/app/config/or_options_st.h @@ -1092,6 +1092,11 @@ struct or_options_t { /** Boolean: true if Tor should be dormant the first time it starts with * a datadirectory; false otherwise. */ int DormantOnFirstStartup; + /** + * Boolean: true if Tor should treat every startup event as cancelling + * a possible previous dormant state. + **/ + int DormantCanceledByStartup; }; #endif diff --git a/src/core/mainloop/netstatus.c b/src/core/mainloop/netstatus.c index fc5a465ff..492488859 100644 --- a/src/core/mainloop/netstatus.c +++ b/src/core/mainloop/netstatus.c @@ -144,6 +144,10 @@ netstatus_load_from_state(const or_state_t *state, time_t now) last_activity = now - 60 * state->MinutesSinceUserActivity; participating_on_network = true; } + if (get_options()->DormantCanceledByStartup) { + last_activity = now; + participating_on_network = true; + } reset_user_activity(last_activity); } diff --git a/src/test/test_mainloop.c b/src/test/test_mainloop.c index 2c3449305..ed6b8a9b6 100644 --- a/src/test/test_mainloop.c +++ b/src/test/test_mainloop.c @@ -317,6 +317,14 @@ test_mainloop_dormant_load_state(void *arg) tt_assert(is_participating_on_network()); tt_i64_op(get_last_user_activity_time(), OP_EQ, start - 123*60); + // If we would start dormant, but DormantCanceledByStartup is set, then + // we start up non-dormant. + state->Dormant = 1; + get_options_mutable()->DormantCanceledByStartup = 1; + netstatus_load_from_state(state, start); + tt_assert(is_participating_on_network()); + tt_i64_op(get_last_user_activity_time(), OP_EQ, start); + done: or_state_free(state); }

1 0

[tor/maint-0.4.0] Merge branch 'tor-github/pr/800' into maint-0.4.0
by asn＠torproject.org 05 Apr '19

05 Apr '19

commit 747b74c1825de055bd027c9c74088efdd61d7481 Merge: d016bbaa7 d194f6bed Author: George Kadianakis <desnacked(a)riseup.net> Date: Fri Apr 5 14:51:21 2019 +0300 Merge branch 'tor-github/pr/800' into maint-0.4.0 changes/ticket29357 | 7 +++++++ doc/tor.1.txt | 15 +++++++++++++++ src/app/config/config.c | 1 + src/app/config/or_options_st.h | 5 +++++ src/core/mainloop/netstatus.c | 4 ++++ src/test/test_mainloop.c | 8 ++++++++ 6 files changed, 40 insertions(+)

1 0