commit 21ac0cd2afb2275bfe89237c3aeb545fb7de537e Author: Nick Mathewson nickm@torproject.org Date: Mon Feb 23 12:33:58 2015 -0500
Let AF_UNIX connections through the sandbox
Fixes bug 15003; bugfix on 0.2.6.3-alpha. --- changes/bug15003 | 3 +++ src/common/sandbox.c | 5 +++++ 2 files changed, 8 insertions(+)
diff --git a/changes/bug15003 b/changes/bug15003
new file mode 100644
index 0000000..2dcce74
--- /dev/null
+++ b/changes/bug15003
@@ -0,0 +1,3 @@
+ o Major bugfixes (linux seccomp2 sandbox):
+ - Allow AF_UNIX hidden services to be used with the seccomp2 sandbox.
+ Fixes bug 15003; bugfix on 0.2.6.3-alpha.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 57847e1..fe97af3 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -543,6 +543,11 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 }
 rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+ SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+ SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
+ SCMP_CMP(2, SCMP_CMP_EQ, 0));
+
+ rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
 SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
 SCMP_CMP(2, SCMP_CMP_EQ, 0));
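Review bot: The return value of the new PF_UNIX seccomp_rule_add_3() call is never examined — the next statement in the hunk assigns the PF_NETLINK call's result to the same `rc`, so a failure to install the AF_UNIX rule would go unreported. Add `if (rc) return rc;` directly after the new rule's `SCMP_CMP(2, SCMP_CMP_EQ, 0));` line, which appears to be the pattern the preceding rule follows given the closing `}` at the top of the hunk. A short comment such as `/* Allow AF_UNIX stream sockets; SOCK_CLOEXEC/SOCK_NONBLOCK are masked off so either may be set. */` would also document why the type argument uses SCMP_CMP_MASKED rather than SCMP_CMP_EQ, assuming the file's SCMP_CMP_MASKED treats its second argument as bits to ignore — worth confirming against the macro definition. sb_socket() begins and ends outside this hunk.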