commit ea8e9f17f52877cc795f1792acb81d7fdaff6baf Author: Nick Mathewson nickm@torproject.org Date: Thu Feb 1 08:39:38 2018 -0500
Revert "Change the sandbox behavior on all failed opens() to EACCES"
This reverts commit 9a06282546418b2e9d21559d4853bcf124b953f4.
It appears that I misunderstood how the seccomp2 filter rules interact. It appears that `SCMP_ACT_ERRNO()` always takes precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that earlier rules would override later ones. But this change caused bug 25115 (not in any released Tor). --- changes/bug16106 | 6 ------ src/common/sandbox.c | 8 ++++++-- 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/changes/bug16106 b/changes/bug16106 deleted file mode 100644 index 9142a37e3..000000000 --- a/changes/bug16106 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (linux seccomp2 sandbox): - - Cause a wider variety of unpermitted open() calls to fail with the - EACCES error when the sandbox is running. This won't enable any - previously non-working functionality, but it should turn several cases - from crashes into sandbox warnings. Fixes bug 16106; bugfix on - 0.2.5.1-alpha. diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 043b8bf14..37f582048 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -481,14 +481,18 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } }
- rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)); + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), + SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW, + O_RDONLY)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " "error %d", rc); return rc; }
- rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat)); + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat), + SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW, + O_RDONLY)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received " "libseccomp error %d", rc);