[tor-commits] [tor/master] received feedback and fixed (partly) the socket filters

nickm at torproject.org nickm at torproject.org
Fri Sep 13 16:31:55 UTC 2013


commit 863dd4d4b30f03313189ba40509ae114adbd7f60
Author: Cristian Toader <cristian.matei.toader at gmail.com>
Date:   Thu Aug 15 00:23:51 2013 +0300

    received feedback and fixed (partly) the socket filters
---
 src/common/sandbox.c |   29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index f4c0779..6f95f64 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -125,8 +125,6 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(recvmsg),
     SCMP_SYS(sendto),
     SCMP_SYS(send),
-    SCMP_SYS(setsockopt),
-    SCMP_SYS(socket),
     SCMP_SYS(socketpair),
     SCMP_SYS(recvfrom),
     SCMP_SYS(unlink),
@@ -310,32 +308,30 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   return 0;
 }
 
-// TODO: param not working
+// TODO: add correct param
 static int
 sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc = 0;
 
-  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 4,
-      SCMP_CMP(0, SCMP_CMP_EQ, 1),
-      SCMP_CMP(1, SCMP_CMP_EQ, PF_INET),
-      SCMP_CMP(2, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC),
-      SCMP_CMP(3, SCMP_CMP_EQ, IPPROTO_TCP));
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
+      SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
+      SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC),
+      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
   if (rc)
     return rc;
 
-  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 4,
-      SCMP_CMP(0, SCMP_CMP_EQ, 1),
-      SCMP_CMP(1, SCMP_CMP_EQ, PF_NETLINK),
-      SCMP_CMP(2, SCMP_CMP_EQ, SOCK_RAW),
-      SCMP_CMP(3, SCMP_CMP_EQ, 0));
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
+      SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
+      SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
+      SCMP_CMP(2, SCMP_CMP_EQ, 0));
   if (rc)
     return rc;
 
   return 0;
 }
 
-// TODO: param not working
+// TODO: add correct param
 static int
 sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
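Review bot: The second comparison of the first seccomp_rule_add in sb_socket, `SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC)`, demands that exact flag combination, so a socket() call that also passes SOCK_NONBLOCK, or omits SOCK_CLOEXEC, no longer matches any rule now that `socket` has been dropped from the unparameterised allow list in the previous hunk, and presumably falls through to the filter's default action. If tolerating those auxiliary flags is intended, a masked comparison keeps the type check intact: `SCMP_CMP(1, SCMP_CMP_MASKED_EQ, ~(SOCK_CLOEXEC|SOCK_NONBLOCK), SOCK_STREAM)`. The same rule admits only PF_INET with IPPROTO_TCP, so if tor opens AF_INET6, AF_UNIX or SOCK_DGRAM sockets while the sandbox is active, each of those needs a rule of its own rather than relying on the remaining TODO. The `filter` parameter of sb_socket is never read; a `(void) filter;` or a short comment would make that deliberate. sb_setsockopt's body lies outside this hunk, so its rules could not be checked here.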
@@ -580,7 +576,10 @@ static sandbox_filter_func_t filter_func[] = {
     sb_futex,
     sb_mremap,
     sb_poll,
-    sb_stat64
+    sb_stat64,
+
+    sb_socket,
+    sb_setsockopt
 };
 
 const char*
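Review bot: The blank line inserted between `sb_stat64,` and `sb_socket,` inside the filter_func initializer suggests a grouping but says nothing about it; either drop it or replace it with a one-line comment such as `/* socket-related filters; see sb_socket / sb_setsockopt */`. A trailing comma after `sb_setsockopt` would also keep future additions to this array from touching the previous line, as this change had to with `sb_stat64`.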




