[tor-commits] [tor/master] orport progress (not functional), nickm suggested fixes

nickm at torproject.org nickm at torproject.org
Fri Sep 13 16:31:55 UTC 2013


commit b3a8c08a9217effb0065b9bc5769f18e120ca4d1
Author: Cristian Toader <cristian.matei.toader at gmail.com>
Date:   Wed Aug 7 13:13:12 2013 +0300

    orport progress (not functional), nickm suggested fixes
---
 src/common/sandbox.c |  100 +++++++++++++++++++++++++++++++++++++++++---------
 src/or/cpuworker.c   |    2 +
 src/or/main.c        |   49 ++++++++++++++++---------
 3 files changed, 116 insertions(+), 35 deletions(-)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ed7fe3b..1f15674 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -50,6 +50,7 @@ static sandbox_cfg_t *filter_dynamic = NULL;
  * stage 1 general Tor sandbox.
  */
 static int filter_nopar_gen[] = {
+    SCMP_SYS(access),
     SCMP_SYS(brk),
     SCMP_SYS(close),
     SCMP_SYS(clone),
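Review bot: `access` goes into the no-argument allow list, so after the filter is installed the process can probe the existence and permissions of any path, while `open` in this same file is restricted per filename; the entry should at least record which caller needs it, e.g. `SCMP_SYS(access),   // needed by <caller> (TODO(review): name it, or filter on the path like open)`. The same applies to `set_robust_list` and `uname` in the next hunk: all three were in the `// Not needed..` comment list until this commit, and nothing in the change says what started needing them, which makes the allow list hard to audit later. `filter_nopar_gen` continues past the end of the hunk.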
@@ -90,23 +91,22 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(read),
     SCMP_SYS(rename),
     SCMP_SYS(rt_sigreturn),
+    SCMP_SYS(set_robust_list),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
 #endif
     SCMP_SYS(stat),
 #ifdef __NR_stat64
-    SCMP_SYS(stat64),
+    SCMP_SYS(stat64), // TODO
 #endif
+    SCMP_SYS(uname),
     SCMP_SYS(write),
     SCMP_SYS(exit_group),
     SCMP_SYS(exit),
 
     // Not needed..
-//    SCMP_SYS(access),
-//    SCMP_SYS(set_robust_list),
 //    SCMP_SYS(set_thread_area),
 //    SCMP_SYS(set_tid_address),
-//    SCMP_SYS(uname),
 
     // socket syscalls
     SCMP_SYS(bind),
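Review bot: The bare `// TODO` appended to `SCMP_SYS(stat64)` does not say what is pending, so the next reader cannot tell whether the entry is wrong, temporary, or waiting for a narrower rule. Presumably the intent is that stat64 should be filtered by filename the way open/openat are elsewhere in this file; if so write `SCMP_SYS(stat64), // TODO: restrict to whitelisted paths, as sb_open does`, otherwise drop the marker. `filter_nopar_gen` starts and ends outside this hunk.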
@@ -201,6 +201,34 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     return rc;
   }
 
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+       SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
+       SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
+  if (rc) {
+    return rc;
+  }
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
+      SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
+  if (rc) {
+    return rc;
+  }
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
+      SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
+  if (rc) {
+    return rc;
+  }
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
+      SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
+  if (rc) {
+    return rc;
+  }
+
   return 0;
 }
 #endif
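Review bot: The fourth new rule (`PROT_READ|PROT_EXEC` with `MAP_PRIVATE|MAP_DENYWRITE`) lets the sandboxed process map any file executable after the filter is in place, which is the mmap permission a seccomp sandbox most wants to keep narrow, and none of the four rules says which caller requires it; each should carry a comment, and the executable one in particular, e.g. `// file-backed PROT_EXEC mapping: presumably the dynamic loader (NSS modules pulled in by getaddrinfo?) -- TODO(review): confirm the caller`. The four identical add-and-check stanzas would read better as a small table and loop (below), which also makes the spacing slip at `SCMP_CMP_EQ,PROT_READ` on the first stanza go away. The `#endif` after the closing brace suggests this function is only compiled where `mmap2` exists; if a 64-bit `mmap` counterpart lives outside this diff it receives none of these rules, which is worth checking. The start of sb_mmap2 is outside the hunk.
```c
  // … unchanged: first mmap2 rule and its rc check …

  // (prot, flags) pairs still issued after the filter is installed.
  static const struct { int prot; int flags; } mmap2_allowed[] = {
    { PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK },
    { PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE },
    { PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS },
    // file-backed executable mapping -- TODO(review): confirm which caller needs it
    { PROT_READ|PROT_EXEC,  MAP_PRIVATE|MAP_DENYWRITE },
  };
  for (size_t i = 0; i < ARRAY_LENGTH(mmap2_allowed); i++) {
    rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
        SCMP_CMP(2, SCMP_CMP_EQ, mmap2_allowed[i].prot),
        SCMP_CMP(3, SCMP_CMP_EQ, mmap2_allowed[i].flags));
    if (rc)
      return rc;
  }

  return 0;
```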
@@ -225,6 +253,24 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     }
   }
 
+  // todo remove when libevent fix
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
+        SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY));
+  if (rc != 0) {
+    log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
+        "error %d", rc);
+    return rc;
+  }
+
+  // problem: required by getaddrinfo
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
+        SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC));
+  if (rc != 0) {
+    log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
+        "error %d", rc);
+    return rc;
+  }
+
   return 0;
 }
 
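Review bot: The two rules added after the filename loop compare only the flags argument (`O_RDONLY`, `O_RDONLY|O_CLOEXEC`), so once they are in the filter a read-only `open()` of any path is allowed and the per-filename whitelist that `sb_open` builds just above them no longer restricts reads at all. That consequence should be stated in the code rather than left to `// todo remove when libevent fix` and `// problem: required by getaddrinfo`, e.g. `// NOTE: these two rules allow read-only open() of ANY path and subsume the filename whitelist above; they exist only until libevent and getaddrinfo no longer need them -- TODO(review): remove or gate behind a build option`. The two failure branches log an identical message, so a libseccomp error cannot be attributed to either rule; include the flags, `log_err(LD_BUG,"(Sandbox) failed to add open syscall (flags %d), received libseccomp error %d", O_RDONLY|O_CLOEXEC, rc);`. The start of sb_open is outside the hunk.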
@@ -315,6 +361,17 @@ sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
 
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2,
+      SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
+      SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
+  if (rc)
+    return rc;
+
   return 0;
 }
 #endif
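Review bot: The new F_GETFD and F_SETFD/FD_CLOEXEC rules carry no comment naming their caller; `// F_GETFD / F_SETFD+FD_CLOEXEC: close-on-exec handling on newly created descriptors -- TODO(review): confirm the caller` would keep the rule auditable. The `#endif` after the function suggests it is only compiled where `fcntl64` exists; if a plain `fcntl` rule function for 64-bit builds lives outside this diff it needs the same two rules, otherwise the code path this commit is enabling works only on 32-bit. The start of sb_fcntl64 is outside the hunk.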
@@ -373,12 +430,14 @@ sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
 
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
+      SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
+  if (rc)
+    return rc;
+
   return 0;
 }
 
-/**
- * does not NEED tobe here.. only occurs before filter
- */
 static int
 sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
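Review bot: The new `mprotect(PROT_NONE)` rule has no comment, and the header comment on `sb_rt_sigprocmask` is deleted without a replacement (the same happens to `sb_futex` in the hunk further down, and the SIG_SETMASK rule in the next hunk is equally unannotated), so the functions that now add rules the running daemon depends on end up with less documentation than before. The deleted text ("only occurs before filter") was wrong once these rules became necessary, which justifies removing it, but a one-liner should take its place: `/** Allow the rt_sigprocmask variants Tor issues after the filter is installed. */`. Above the new rule, `// PROT_NONE: presumably guard-page setup by the thread library -- TODO(review): confirm the caller` says why it is there. sb_mprotect begins and sb_rt_sigprocmask ends outside the hunk.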
@@ -389,6 +448,11 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
 
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
+      SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
+  if (rc)
+    return rc;
+
   return 0;
 }
 
@@ -408,20 +472,28 @@ sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   return 0;
 }
 
-/**
- * does not NEED tobe here.. only occurs before filter
- */
 static int
 sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc = 0;
 
+  // can remove
   rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
       SCMP_CMP(1, SCMP_CMP_EQ,
           FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
   if (rc)
     return rc;
 
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
+      SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
+  if (rc)
+    return rc;
+
   return 0;
 }
 
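Review bot: `// can remove` above the FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME rule, which the commit nevertheless keeps, leaves the reader unable to tell whether the rule is needed; either remove the rule in the same commit or replace the comment with the reason it stays, e.g. `// FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME: so far only seen before the filter is installed; kept until confirmed unneeded`. The two new FUTEX_WAKE_PRIVATE and FUTEX_WAIT_PRIVATE rules likewise need a word on which caller requires them, since with the header comment deleted above the function has no documentation left. Returning `rc` directly from the last `seccomp_rule_add` instead of the final `if (rc) return rc; return 0;` pair would also shorten the function without changing behavior.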
@@ -605,14 +677,8 @@ add_noparam_filter(scmp_filter_ctx ctx)
 {
   int i, filter_size, rc = 0;
 
-  if (filter_nopar_gen != NULL) {
-    filter_size = sizeof(filter_nopar_gen) / sizeof(filter_nopar_gen[0]);
-  } else {
-    filter_size = 0;
-  }
-
   // add general filters
-  for (i = 0; i < filter_size; i++) {
+  for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i], 0);
     if (rc != 0) {
       log_err(LD_BUG,"(Sandbox) failed to add syscall index %d, "
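Review bot: With the `filter_nopar_gen != NULL` block gone, `filter_size` from the context line `int i, filter_size, rc = 0;` is never assigned any more, so unless it is used further down outside this hunk it is now an unused variable, and `i` is an `int` compared against `ARRAY_LENGTH(...)`, which is presumably `sizeof`-based and unsigned, so `-Wsign-compare` will warn. Change to `int i, rc = 0;` and `for (i = 0; i < (int) ARRAY_LENGTH(filter_nopar_gen); i++) {`. The removed NULL test was dead code anyway, since an array object is never NULL, so the simplification itself is right. The function continues past the end of the hunk.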
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 61f9faa..245f67e 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -571,6 +571,8 @@ spawn_enough_cpuworkers(void)
   if (num_cpuworkers_needed > MAX_CPUWORKERS)
     num_cpuworkers_needed = MAX_CPUWORKERS;
 
+  getchar();
+
   while (num_cpuworkers < num_cpuworkers_needed) {
     if (spawn_cpuworker() < 0) {
       log_warn(LD_GENERAL,"Cpuworker spawn failed. Will try again later.");
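Review bot: `getchar();` in `spawn_enough_cpuworkers` blocks the whole daemon on stdin until a byte or EOF arrives, and its return value is discarded — it reads like a debugging pause left in while the sandbox work was in progress and must not ship. A process started with stdin detached would presumably get EOF and continue at once, but one started from a terminal hangs before any cpuworker is spawned. Remove the two lines; if a pause for attaching a debugger is still wanted during development, keep it behind an explicit debug build option rather than in the default path. The function starts outside the hunk.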
diff --git a/src/or/main.c b/src/or/main.c
index 3c98246..5b6b778 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2645,23 +2645,18 @@ sandbox_init_filter()
   sandbox_cfg_t *cfg = sandbox_cfg_new();
 
   // TODO: mem leak
-  sandbox_cfg_allow_openat_filename(&cfg,
-      get_datadir_fname("cached-status"));
+  sandbox_cfg_allow_openat_filename(&cfg, get_datadir_fname("cached-status"));
 
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-certs"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-certs.tmp"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-consensus"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs.tmp"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-consensus"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("unverified-consensus"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-microdesc-consensus"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-microdesc-consensus.tmp"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-microdescs"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-microdescs.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
@@ -2670,18 +2665,36 @@ sandbox_init_filter()
       get_datadir_fname("cached-microdescs.new.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("unverified-microdesc-consensus"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-descriptors"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-descriptors.new"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("cached-extrainfo"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("state.tmp"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-extrainfo"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("state.tmp"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("unparseable-desc.tmp"));
-  sandbox_cfg_allow_open_filename(&cfg,
-      get_datadir_fname("unparseable-desc"));
+  sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc"));
+
+  // orport
+  if (server_mode(get_options())) {
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_id_key"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key_ntor"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_id_key.old"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key.old"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key_ntor.old"));
+    sandbox_cfg_allow_open_filename(&cfg,
+        get_datadir_fname2("keys", "secret_onion_key.tmp"));
+
+    sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("fingerprint"));
+
+    sandbox_cfg_allow_open_filename(&cfg, "/etc/resolv.conf");
+  }
 
   sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");
 
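Review bot: The key-file whitelist in the new `server_mode` block is asymmetric: `secret_onion_key.tmp` is allowed but there is no `.tmp` entry for `secret_id_key` or `secret_onion_key_ntor`, so if those keys are also written through a temporary file and rename, the sandbox would kill a relay at its first key write or rotation — worth confirming against the key-writing code. The allow list is computed once from `server_mode(get_options())` at filter-init time, so a later configuration reload that turns on an ORPort presumably gets none of these entries; if that is the case it should be stated here. The `// orport` comment would be more useful as `// Files a relay (ORPort) needs after the filter is installed: identity/onion keys, fingerprint, resolver config`. The joined line `sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors"));` is 81 columns, which the project's width check will flag. sandbox_init_filter continues past the end of the hunk.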




