[tor-commits] [tor/master] Add the transparent proxy getsockopt to the sandbox

nickm at torproject.org nickm at torproject.org
Tue Dec 23 15:59:58 UTC 2014


commit cca6ed80bf6814386e3d1640c1849eb20f18b34f
Author: Francisco Blas Izquierdo Riera (klondike) <klondike at gentoo.org>
Date:   Tue Dec 23 10:51:36 2014 -0500

    Add the transparent proxy getsockopt to the sandbox
    
    When receiving a transparently proxied request with tor using iptables, tor
    dies because the appropriate getsockopt calls aren't allowed by the sandbox.
    
    This patch fixes this by adding the two getsockopt calls used when doing
    transparent proxying with tor to the sandbox for the getsockopt policy.
    
    This patch is released under the same license as the original file as
    long as the author is credited.
    
    Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike at gentoo.org>
---
 src/common/sandbox.c |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ece56df..82117cb 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -58,6 +58,17 @@
 #include <time.h>
 #include <poll.h>
 
+#ifdef HAVE_LINUX_NETFILTER_IPV4_H
+#include <linux/netfilter_ipv4.h>
+#endif
+#ifdef HAVE_LINUX_IF_H
+#include <linux/if.h>
+#endif
+#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#endif
+
+
 #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
   defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
 #define USE_BACKTRACE
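Review bot: The three new headers are guarded by three independent HAVE_* macros, yet the IPv6 rule later in the file is conditioned only on HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H; the explicit inclusion of `linux/if.h` suggests `ip6_tables.h` depends on it, so a build where configure finds the former but not the latter would fail at the include rather than degrade gracefully. Tying the two together, `#if defined(HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H) && defined(HAVE_LINUX_IF_H)`, makes the dependency explicit, and a one-line comment above the group would help the next reader: `/* Netfilter headers: needed for SO_ORIGINAL_DST / IP6T_SO_ORIGINAL_DST used by transparent proxying. */`. The double blank line after the group is a minor style nit.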
@@ -634,6 +645,22 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   if (rc)
     return rc;
 
+#ifdef HAVE_LINUX_NETFILTER_IPV4_H
+  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
+      SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
+      SCMP_CMP(2, SCMP_CMP_EQ, SO_ORIGINAL_DST));
+  if (rc)
+    return rc;
+#endif
+
+#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
+  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
+      SCMP_CMP(1, SCMP_CMP_EQ, SOL_IPV6),
+      SCMP_CMP(2, SCMP_CMP_EQ, IP6T_SO_ORIGINAL_DST));
+  if (rc)
+    return rc;
+#endif
+
   return 0;
 }
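Review bot: Both new rules are compiled only when HAVE_LINUX_NETFILTER_IPV4_H or HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H is defined, but the diffstat shows only src/common/sandbox.c changed; unless configure.ac already probes these headers with AC_CHECK_HEADERS, neither macro is ever set, the rules compile out, and the crash the commit message describes remains. If that is the case the fix needs a matching configure.ac change adding `linux/netfilter_ipv4.h linux/if.h linux/netfilter_ipv6/ip6_tables.h` to the header checks. From a least-privilege standpoint the two allow rules are added unconditionally rather than only when a TransPort is configured, which widens the getsockopt whitelist for every tor process; the exposure looks small since these options are read-only queries, but it is worth a comment stating the intent, e.g. `/* Transparent proxying via iptables needs the original destination of a redirected connection. */`.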
 




