[tor-commits] [tor/master] Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse
nickm at torproject.org
nickm at torproject.org
Thu Apr 17 03:48:07 UTC 2014
commit f70cf9982ae3b0e57ca62612988478906707567f
Author: Nick Mathewson <nickm at torproject.org>
Date: Wed Apr 16 21:50:49 2014 -0400
Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse
OpenSSL needs this, or RAND_poll() will kill the process.
Also, refuse with EACCESS, not errno==-1 (!).
---
src/common/sandbox.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 0722751..7067a72 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -363,8 +363,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
}
- rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(-1), SCMP_SYS(open),
- SCMP_CMP_MASKED(1, O_CLOEXEC, O_RDONLY));
+ rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
+ SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
"error %d", rc);
More information about the tor-commits
mailing list