commit 682c2252a564be67fd4fa817d535df0ddc1c758a Author: Nick Mathewson nickm@torproject.org Date: Mon Jan 6 04:27:58 2014 -0500
Fix some seccomp2 issues
Fix for #10563. This is a compatibility issue with libseccomp-2.1. I guess you could call it a bugfix on 0.2.5.1?
---
 changes/seccomp2-fixes | 3 +++
 src/common/sandbox.c | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/changes/seccomp2-fixes b/changes/seccomp2-fixes
new file mode 100644
index 0000000..600feec
--- /dev/null
+++ b/changes/seccomp2-fixes
@@ -0,0 +1,3 @@
+ o Minor bugfixes:
+ - Fix compilation warnings and startup issues when running with
+ libseccomp-2.1.0. Fixes bug 10563.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 7ef577d..0b67b18 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -250,6 +250,7 @@ static int
 sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
 int rc = 0;
+ (void)filter;
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
@@ -405,6 +406,14 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
 SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
+ SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
+ if (rc)
+ return rc;
+
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
+ SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
 SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
 if (rc)
@@ -504,6 +513,7 @@ static int
 sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
 int rc = 0;
+ (void) filter;
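Review bot: The socket rule added in the sb_socket hunk compares the type argument with `SCMP_CMP_EQ` against the exact value `SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK`, and nothing beside it records which call path needs that combination. A TCP socket() call carrying any other flag set will not match this rule, so whether it is permitted depends on rules outside the hunk (sb_socket's body begins and ends outside it); that is the tight choice for a sandbox, but it should be stated so the next compatibility fix does not widen it by accident. I would add above the rule a comment such as `/* Allow nonblocking, close-on-exec TCP sockets; the type flags must match exactly. */`. The change also adds two consecutive blank lines after `return rc;`, where one is enough.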
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
 SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));