[tor-bugs] #18397 [Core Tor/Tor]: `Sandbox 1` in Tor 0.2.7.6 should not filter `getsockopt` syscall

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jul 9 00:55:09 UTC 2016


#18397: `Sandbox 1` in Tor 0.2.7.6 should not filter `getsockopt` syscall
-------------------------------------------------+-------------------------
 Reporter:  fowlslegs                            |          Owner:  nickm
     Type:  defect                               |         Status:
 Priority:  High                                 |  needs_review
Component:  Core Tor/Tor                         |      Milestone:  Tor:
 Severity:  Major                                |  0.2.???
 Keywords:  seccomp, sandbox, getsockopt,        |        Version:  Tor:
  027-backport                                   |  0.2.7.6
Parent ID:                                       |     Resolution:
 Reviewer:                                       |  Actual Points:
                                                 |         Points:
                                                 |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by Jigsaw52):

 * status:  needs_information => needs_review


Comment:

 I've written the patch. It is available on github:

 https://github.com/Jigsaw52/tor/tree/seccomp-fix-18397

 The patch changes the sandbox filter to allow the following when built
 with systemd:
  - getsockopt with SOL_SOCKET and SO_SNDBUF as arguments
  - setsockopt with SOL_SOCKET and SO_SNDBUFFORCE

 These calls are used by the systemd sd_notify function.

 It also allows the sysinfo syscall as the libc qsort function uses it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18397#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

