commit e2a7b484f47b242eb8399751cb0fbe73e14ef0b8 Author: Cristian Toader cristian.matei.toader@gmail.com Date: Wed Aug 14 23:03:38 2013 +0300
partial libevent open fix
---
 src/common/sandbox.c | 18 ++++++------------
 src/or/main.c | 14 +++++++++-----
 2 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 0be4c52..6ff4296 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -9,6 +9,8 @@
 * \brief Code to enable sandboxing.
 **/
+#define _LARGEFILE64_SOURCE
+
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -32,10 +34,12 @@
 #include <sys/mman.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <linux/futex.h>
 #include <bits/signum.h>
+#include <event2/event.h>
 #include <stdarg.h>
 #include <seccomp.h>
@@ -53,6 +57,7 @@ static sandbox_cfg_t *filter_dynamic = NULL;
 static int filter_nopar_gen[] = {
 SCMP_SYS(access),
 SCMP_SYS(brk),
+ SCMP_SYS(clock_gettime),
 SCMP_SYS(close),
 SCMP_SYS(clone),
 SCMP_SYS(epoll_create),
@@ -105,9 +110,6 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(madvise),
 // getaddrinfo uses this..
 SCMP_SYS(stat64),
- // Not needed..
-// SCMP_SYS(set_thread_area),
-// SCMP_SYS(set_tid_address),
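Review bot: Listing `SCMP_SYS(clock_gettime)` in `filter_nopar_gen` allows the call with any clock id, while the `sb_clock_gettime` rule this commit deletes (and drops from `filter_func`) admitted only `CLOCK_MONOTONIC`. Nothing in the commit message or the array says which id was being rejected, so the filter is widened without a record of why. If the caller needs only one or two further ids, the argument filter can stay with one extra `seccomp_rule_add(... SCMP_CMP(0, SCMP_CMP_EQ, <clock id>))` per id; otherwise a comment on the new entry, e.g. `// unfiltered on purpose: <caller> passes clock ids other than CLOCK_MONOTONIC`, would document the decision. The array begins before and continues past this hunk.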
 // socket syscalls
 SCMP_SYS(bind),
@@ -263,7 +265,7 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 // todo remove when libevent fix
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
- SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY));
+ SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_LARGEFILE|O_CLOEXEC));
 if (rc != 0) {
 log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
 "error %d", rc);
@@ -305,13 +307,6 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 return 0;
 }
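Review bot: The rule under `// todo remove when libevent fix` compares only argument 1 (the flags) and puts no constraint on argument 0, so any `open()` whose flags equal `O_RDONLY|O_LARGEFILE|O_CLOEXEC` is allowed for every path, regardless of the filename allow-list. The match is exact and `O_LARGEFILE` is architecture-dependent (glibc defines it as 0 on x86-64), so which calls are admitted differs per ABI. Since this commit also hands libevent an interned `/dev/random` path in `tor_main`, the catch-all may be removable once that path is matched by the per-file rules; until then a comment such as `/* NOTE: allows read-only open of ANY path while this rule exists */` would make the gap explicit. `sb_open` begins and ends outside the hunk, so the per-file rules cannot be checked from here.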
-static int
-sb_clock_gettime(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
-{
- return seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 1,
- SCMP_CMP(0, SCMP_CMP_EQ, CLOCK_MONOTONIC));
-}
-
 // TODO: param not working
 static int
 sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
@@ -574,7 +569,6 @@ static sandbox_filter_func_t filter_func[] = {
 sb_mmap2,
 sb_open,
 sb_openat,
- sb_clock_gettime,
 sb_fcntl64,
 sb_epoll_ctl,
 sb_prctl,
diff --git a/src/or/main.c b/src/or/main.c
index a2fbe5f..9d0719c 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2647,7 +2647,7 @@ sandbox_init_filter()
 sandbox_cfg_allow_openat_filename(&cfg,
 get_datadir_fname("cached-status"), 1);
- sandbox_cfg_allow_open_filename_array(&cfg, 22,
+ sandbox_cfg_allow_open_filename_array(&cfg, 23,
 get_datadir_fname("cached-certs"), 1,
 get_datadir_fname("cached-certs.tmp"), 1,
 get_datadir_fname("cached-consensus"), 1,
@@ -2669,7 +2669,8 @@ sandbox_init_filter()
 get_datadir_fname("unparseable-desc.tmp"), 1,
 get_datadir_fname("unparseable-desc"), 1,
 "/dev/srandom", 0,
- "/dev/urandom", 0
+ "/dev/urandom", 0,
+ "/dev/random", 0
 );
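Review bot: The entry count passed to `sandbox_cfg_allow_open_filename_array` (`23` here, `12` in the `server_mode` call further down) is maintained by hand and sits in a different hunk from the list entry it accounts for; moving one path needed four hunks in this commit. If the callee walks its variadic arguments by that count (its definition is not on this page), a stale number either leaves trailing paths off the allow-list or reads past the supplied arguments. A terminator-based list, or at least a comment beside the number stating what it counts, e.g. `/* entries below; keep in sync */`, would make the next edit harder to get wrong. Both calls start and end outside their hunks, so the counts cannot be verified against the lists here.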
 sandbox_cfg_allow_stat64_filename_array(&cfg, 5,
@@ -2682,7 +2683,7 @@ sandbox_init_filter()
 // orport
 if (server_mode(get_options())) {
- sandbox_cfg_allow_open_filename_array(&cfg, 13,
+ sandbox_cfg_allow_open_filename_array(&cfg, 12,
 get_datadir_fname2("keys", "secret_id_key"), 1,
 get_datadir_fname2("keys", "secret_onion_key"), 1,
 get_datadir_fname2("keys", "secret_onion_key_ntor"), 1,
@@ -2694,8 +2695,7 @@ sandbox_init_filter()
 get_datadir_fname("fingerprint"), 1,
 get_datadir_fname("cached-consensus"), 1,
 get_datadir_fname("cached-consensus.tmp"), 1,
- "/etc/resolv.conf", 0,
- "/dev/random", 0
+ "/etc/resolv.conf", 0
 );
 sandbox_cfg_allow_stat64_filename_array(&cfg, 2,
@@ -2783,6 +2783,10 @@ tor_main(int argc, char *argv[])
 log_err(LD_BUG,"Failed to create syscall sandbox filter");
 return -1;
 }
+
+ // registering libevent rng
+ evutil_secure_rng_set_urandom_device_file(
+ (char*) sandbox_intern_string("/dev/random"));
 }
switch (get_options()->command) {
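Review bot: The path registered with `evutil_secure_rng_set_urandom_device_file()` is `/dev/random`, although the API and the comment above it are about the urandom device; on Linux kernels where `/dev/random` has a blocking pool, seeding libevent's RNG from it can stall, and `/dev/urandom` is already on the open allow-list in `sandbox_init_filter`. If the blocking device is intended, the comment should say so, e.g. `// libevent will open this exact interned path; /dev/random chosen because <reason>`. The result of `sandbox_intern_string()` is cast and passed on unchecked; its definition is not on this page, so whether it can return NULL or a non-interned pointer should be confirmed before libevent is given it. The call is also unconditional, and as far as I know older libevent releases do not export this function, so a build-time guard may be needed.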