commit b3a8c08a9217effb0065b9bc5769f18e120ca4d1 Author: Cristian Toader cristian.matei.toader@gmail.com Date: Wed Aug 7 13:13:12 2013 +0300
orport progress (not functional), nickm suggested fixes --- src/common/sandbox.c | 100 +++++++++++++++++++++++++++++++++++++++++--------- src/or/cpuworker.c | 2 + src/or/main.c | 49 ++++++++++++++++--------- 3 files changed, 116 insertions(+), 35 deletions(-)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ed7fe3b..1f15674 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -50,6 +50,7 @@ static sandbox_cfg_t *filter_dynamic = NULL;
  * stage 1 general Tor sandbox.
  */
 static int filter_nopar_gen[] = {
+    SCMP_SYS(access),
     SCMP_SYS(brk),
     SCMP_SYS(close),
     SCMP_SYS(clone),
@@ -90,23 +91,22 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(read),
     SCMP_SYS(rename),
     SCMP_SYS(rt_sigreturn),
+    SCMP_SYS(set_robust_list),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
 #endif
     SCMP_SYS(stat),
 #ifdef __NR_stat64
-    SCMP_SYS(stat64),
+    SCMP_SYS(stat64), // TODO
 #endif
+    SCMP_SYS(uname),
     SCMP_SYS(write),
     SCMP_SYS(exit_group),
     SCMP_SYS(exit),
 // Not needed..
-// SCMP_SYS(access),
-// SCMP_SYS(set_robust_list),
 // SCMP_SYS(set_thread_area),
 // SCMP_SYS(set_tid_address),
-// SCMP_SYS(uname),
 // socket syscalls
     SCMP_SYS(bind),
@@ -201,6 +201,34 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     return rc;
   }
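Review bot: The `// TODO` appended to `SCMP_SYS(stat64)` says nothing about what is pending, and in a seccomp allowlist every entry should record why it is permitted so a later reviewer can judge whether it can be dropped; the same applies to the new unfiltered `set_robust_list` and `uname` entries. Something like `SCMP_SYS(stat64), // TODO: restrict to datadir paths once a parameterised rule exists` — or whatever the real intent is — would carry the information the bare tag does not. The commented-out `set_thread_area` / `set_tid_address` lines left under `// Not needed..` should either state why they are unnecessary or be deleted rather than kept as dead text.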
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
+      SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
+  if (rc) {
+    return rc;
+  }
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
+      SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
+  if (rc) {
+    return rc;
+  }
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
+      SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
+  if (rc) {
+    return rc;
+  }
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
+      SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
+  if (rc) {
+    return rc;
+  }
+
   return 0;
 }
 #endif
@@ -225,6 +253,24 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     }
   }
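Review bot: The fourth new rule permits `mmap2` with `PROT_READ|PROT_EXEC` and `MAP_PRIVATE|MAP_DENYWRITE` on any file descriptor, which is exactly the mapping the dynamic loader uses to bring new code into the process; together with any unrestricted read-only `open` this hands a compromised process a way to load arbitrary shared objects, so the rule should not stand bare. Add a comment naming the consumer — presumably ld.so loading NSS modules for getaddrinfo, which should be confirmed with strace — e.g. `// PROT_EXEC mapping: needed by the dynamic loader (NSS modules); widest rule here.`, and consider constraining the fd argument if that turns out to be the only user. Using `SCMP_CMP_EQ` on both the prot and flags words is the right tightness and should be kept. Minor: `SCMP_CMP_EQ,MAP_PRIVATE` in the first rule is missing a space. sb_mmap2 begins before this hunk.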
+  // todo remove when libevent fix
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY));
+  if (rc != 0) {
+    log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " "error %d", rc);
+    return rc;
+  }
+
+  // problem: required by getaddrinfo
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC));
+  if (rc != 0) {
+    log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " "error %d", rc);
+    return rc;
+  }
+
   return 0;
 }
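Review bot: The two rules added here allow `open()` of any path whose flags are exactly `O_RDONLY` or `O_RDONLY|O_CLOEXEC`, which bypasses the per-filename allowlist that the loop above this hunk builds for read access — with them in place the sandbox no longer confines what the process may read. Since the first comment marks this as temporary, it should cite the libevent issue and be compiled out or gated so it cannot ship unnoticed, e.g. `// TEMPORARY: unrestricted read-only open(); cite libevent ticket; remove before release`, and `// problem: required by getaddrinfo` should name the file getaddrinfo opens so a narrower rule can replace it. Both `log_err` messages are identical, so a failure cannot be attributed to either rule; include the flags in the text. sb_open begins before this hunk.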
@@ -315,6 +361,17 @@ sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2,
+      SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
+      SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
+  if (rc)
+    return rc;
+
   return 0;
 }
 #endif
@@ -373,12 +430,14 @@ sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
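Review bot: The new `F_GETFD` and `F_SETFD`-with-`FD_CLOEXEC` rules are appropriately narrow (the `F_SETFD` rule pins the argument value, so the sandbox cannot be used to clear close-on-exec), but like the rest of sb_fcntl64 they do not record which caller needs them, which is what someone pruning the list later will ask. A one-line note such as `// F_GETFD / F_SETFD(FD_CLOEXEC): setting close-on-exec on new descriptors — confirm caller` would suffice. sb_fcntl64 begins before this hunk.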
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
+  if (rc)
+    return rc;
+
   return 0;
 }
-/**
- * does not NEED tobe here.. only occurs before filter
- */
 static int
 sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
@@ -389,6 +448,11 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
+      SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
+  if (rc)
+    return rc;
+
   return 0;
 }
@@ -408,20 +472,28 @@ sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   return 0;
 }
-/**
- * does not NEED tobe here.. only occurs before filter
- */
 static int
 sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc = 0;
+  // can remove
   rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
       SCMP_CMP(1, SCMP_CMP_EQ,
           FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
   if (rc)
     return rc;
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
+  if (rc)
+    return rc;
+
   return 0;
 }
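Review bot: The `// can remove` note added above the existing `FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME` rule leaves the reader unsure whether that rule is dead or still needed, while the doc comment that explained sb_futex's place in the filter was deleted without a replacement. Either drop the rule in this commit or replace the note with the reason it stays, e.g. `// FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME: timed waits — drop if strace shows no caller`. The two new `FUTEX_WAKE_PRIVATE` and `FUTEX_WAIT_PRIVATE` rules match the op word exactly, which is the right shape; a comment naming the locking primitives that issue them would help the same future pruning.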
@@ -605,14 +677,8 @@ add_noparam_filter(scmp_filter_ctx ctx)
 {
   int i, filter_size, rc = 0;
-  if (filter_nopar_gen != NULL) {
-    filter_size = sizeof(filter_nopar_gen) / sizeof(filter_nopar_gen[0]);
-  } else {
-    filter_size = 0;
-  }
-
   // add general filters
-  for (i = 0; i < filter_size; i++) {
+  for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i], 0);
     if (rc != 0) {
       log_err(LD_BUG,"(Sandbox) failed to add syscall index %d, "
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 61f9faa..245f67e 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -571,6 +571,8 @@ spawn_enough_cpuworkers(void)
   if (num_cpuworkers_needed > MAX_CPUWORKERS)
     num_cpuworkers_needed = MAX_CPUWORKERS;
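Review bot: `filter_size` is still declared in the context line `int i, filter_size, rc = 0;` but after this change nothing assigns or reads it, so the build will warn about an unused variable; and `i` is a signed `int` compared against `ARRAY_LENGTH(filter_nopar_gen)`, which is presumably a `sizeof`-based `size_t` expression and will draw `-Wsign-compare`. Change the declaration to `int rc = 0;` plus `unsigned i;` and drop `filter_size`; if the `log_err` below prints `i` with `%d`, adjust that specifier (or cast) to match. Removing the `filter_nopar_gen != NULL` test is correct, since an array's address is never null. add_noparam_filter continues past this hunk.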
+  getchar();
+
   while (num_cpuworkers < num_cpuworkers_needed) {
     if (spawn_cpuworker() < 0) {
       log_warn(LD_GENERAL,"Cpuworker spawn failed. Will try again later.");
diff --git a/src/or/main.c b/src/or/main.c
index 3c98246..5b6b778 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2645,23 +2645,18 @@ sandbox_init_filter()
   sandbox_cfg_t *cfg = sandbox_cfg_new();
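Review bot: The added `getchar();` blocks spawn_enough_cpuworkers() on stdin — an interactive tor hangs until a key is pressed, and a daemonised one with stdin at /dev/null just gets EOF — so this is a debugging hook rather than part of the sandbox work and must not be merged. Remove the line, and if a pause to attach strace or gdb is genuinely needed, gate it behind an environment variable or a debug-only build flag instead of an unconditional call on the worker spawn path. The function continues past this hunk.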
   // TODO: mem leak
-  sandbox_cfg_allow_openat_filename(&cfg,
-      get_datadir_fname("cached-status"));
+  sandbox_cfg_allow_openat_filename(&cfg, get_datadir_fname("cached-status"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-certs"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-certs.tmp"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-consensus"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs.tmp"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-consensus"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("unverified-consensus"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-microdesc-consensus"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-microdesc-consensus.tmp"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-microdescs"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-microdescs.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
@@ -2670,18 +2665,36 @@ sandbox_init_filter()
       get_datadir_fname("cached-microdescs.new.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("unverified-microdesc-consensus"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-descriptors"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-descriptors.new"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-extrainfo"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("state.tmp"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-extrainfo"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("state.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("unparseable-desc.tmp"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("unparseable-desc"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc"));
+
+  // orport
+  if (server_mode(get_options())) {
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_id_key"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key_ntor"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_id_key.old"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key.old"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key_ntor.old"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key.tmp"));
+
+    sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("fingerprint"));
+
+    sandbox_cfg_allow_open_filename(&cfg, "/etc/resolv.conf");
+  }
sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");
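Review bot: The relay key-file allowlist is installed only when `server_mode(get_options())` is true at the moment the filter is built, but a seccomp filter cannot be widened once loaded, so a client later reconfigured into relay mode (SIGHUP or SETCONF) would be killed on its first `open()` of `keys/secret_id_key`; that constraint should be stated here and ideally enforced where the configuration is reloaded. The list also covers `secret_onion_key.tmp` but no `.tmp` name for `secret_id_key` or `secret_onion_key_ntor` — if key generation or rotation writes those (I cannot confirm from this hunk), they need entries too. Replace the bare `// orport` with something like `// Relay-only files. server_mode() is evaluated once here and the sandbox cannot be widened later, so a client cannot become a relay without a restart.` sandbox_init_filter continues past this hunk.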