commit a68e5323f809056cae9fcefc06357f9646595d89 Author: Peter Palfrader peter@palfrader.org Date: Tue Jun 2 20:06:49 2015 +0200

Fix sandboxing to work when running as a relay

This includes correctly allowing renaming secret_id_key and allowing the eventfd2 and futex syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. --- changes/bug16244 | 7 +++++++ src/common/sandbox.c | 2 ++ src/or/main.c | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/changes/bug16244 b/changes/bug16244 new file mode 100644 index 0000000..00bc557 --- /dev/null +++ b/changes/bug16244 @@ -0,0 +1,7 @@ + o Minor bugfixes (sandbox, relay): + - Fix sandboxing to work when running as a relay again. This + includes correctly allowing renaming secret_id_key and + allowing the eventfd2 and futex syscalls. + Fixes bug 16244; bugfix on 0.2.6.1-alpha. + Patch by Peter Palfrader. + diff --git a/src/common/sandbox.c b/src/common/sandbox.c index a32bd0d..cdb4521 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -129,11 +129,13 @@ static int filter_nopar_gen[] = { SCMP_SYS(clone), SCMP_SYS(epoll_create), SCMP_SYS(epoll_wait), + SCMP_SYS(eventfd2), SCMP_SYS(fcntl), SCMP_SYS(fstat), #ifdef __NR_fstat64 SCMP_SYS(fstat64), #endif + SCMP_SYS(futex), SCMP_SYS(getdents64), SCMP_SYS(getegid), #ifdef __NR_getegid32 diff --git a/src/or/main.c b/src/or/main.c index d0fe8cb..8aa9a15 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2984,7 +2984,7 @@ sandbox_init_filter(void) // orport if (server_mode(get_options())) {

- OPEN_DATADIR2_SUFFIX("keys", "secret_id_key", "tmp"); + OPEN_DATADIR2_SUFFIX("keys", "secret_id_key", ".tmp"); OPEN_DATADIR2_SUFFIX("keys", "secret_onion_key", ".tmp"); OPEN_DATADIR2_SUFFIX("keys", "secret_onion_key_ntor", ".tmp"); OPEN_DATADIR2("keys", "secret_id_key.old");