[tor-commits] [tor/master] sigprocmask, epoll_ctl, prctl, mprotect, flock, futex, mremap

nickm at torproject.org nickm at torproject.org
Fri Sep 13 16:31:55 UTC 2013


commit 313cbe6e24618c4c5875c8e3aab4cd563c97791f
Author: Cristian Toader <cristian.matei.toader at gmail.com>
Date:   Wed Jul 31 11:35:25 2013 +0300

    sigprocmask, epoll_ctl, prctl, mprotect, flock, futex, mremap
---
 src/common/sandbox.c |  115 ++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 107 insertions(+), 8 deletions(-)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 6de95da..fe2f457 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -34,6 +34,8 @@
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/epoll.h>
+#include <sys/prctl.h>
+#include <linux/futex.h>
 #include <bits/signum.h>
 
 #include <seccomp.h>
@@ -55,13 +57,10 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(epoll_create),
     SCMP_SYS(epoll_wait),
     SCMP_SYS(fcntl),
-
-    SCMP_SYS(flock),
     SCMP_SYS(fstat),
 #ifdef __NR_fstat64
     SCMP_SYS(fstat64),
 #endif
-    SCMP_SYS(futex),
     SCMP_SYS(getdents64),
     SCMP_SYS(getegid),
 #ifdef __NR_getegid32
@@ -88,14 +87,10 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(mkdir),
     SCMP_SYS(mlockall),
     SCMP_SYS(mmap),
-    SCMP_SYS(mprotect),
-    SCMP_SYS(mremap),
     SCMP_SYS(munmap),
     SCMP_SYS(poll),
-    SCMP_SYS(prctl),
     SCMP_SYS(read),
     SCMP_SYS(rename),
-    SCMP_SYS(rt_sigprocmask),
     SCMP_SYS(rt_sigreturn),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
@@ -344,8 +339,107 @@ sb_epoll_ctl(scmp_filter_ctx ctx)
   return 0;
 }
 
+/**
+ * If multiple filters need to be added, seccomp needs to be whitelisted in
+ * this list.
+ */
+static int
+sb_prctl(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1,
+      SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_mprotect(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_rt_sigprocmask(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
+      SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_flock(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_futex(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ,
+          FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
+/**
+ * does not NEED tobe here.. only occurs before filter
+ */
+static int
+sb_mremap(scmp_filter_ctx ctx)
+{
+  int rc = 0;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, MREMAP_MAYMOVE));
+  if (rc)
+    return rc;
+
+  return 0;
+}
+
 static sandbox_filter_func_t filter_func[] = {
     sb_rt_sigaction,
+    sb_rt_sigprocmask,
     sb_execve,
     sb_time,
     sb_accept4,
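Review bot: sb_futex whitelists a single futex op, `FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME`, so any other op reaching the filter falls through to the context's default action (set outside this hunk, presumably kill); glibc's pthread mutex and condition-variable paths issue FUTEX_WAIT_PRIVATE and FUTEX_WAKE_PRIVATE, so if the process uses threads or locked stdio after the filter is installed it will die on the first contended lock. The same concern applies to the one-value rules in sb_rt_sigprocmask (only SIG_UNBLOCK), sb_mprotect (only PROT_READ) and sb_flock (only LOCK_EX|LOCK_NB), and the repeated comment "does not NEED tobe here.. only occurs before filter" contradicts adding the rule at all — either drop the rule or replace the comment with the call site that requires it, e.g. `/* Needed by <caller>: only <op> is issued once the filter is active. */`. sb_prctl compares only argument 0, so a sandboxed process may still call prctl(PR_SET_DUMPABLE, 1) and re-enable ptrace attach and core dumps; if the intended caller only clears the flag, add `SCMP_CMP(1, SCMP_CMP_EQ, 0)` as a second comparison. Finally, `int rc = 0;` followed by `if (rc) return rc; return 0;` in every new helper reduces to `return seccomp_rule_add(...);`.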
@@ -354,7 +448,12 @@ static sandbox_filter_func_t filter_func[] = {
     sb_openat,
     sb_clock_gettime,
     sb_fcntl64,
-    sb_epoll_ctl
+    sb_epoll_ctl,
+    sb_prctl,
+    sb_mprotect,
+    sb_flock,
+    sb_futex,
+    sb_mremap
 };
 
 const char*




