[tor-commits] [tor/master] sandbox: allow access to cookie files, approved-routers
nickm at torproject.org
nickm at torproject.org
Fri May 23 00:40:26 UTC 2014
commit ffc1fde01fb4fc752aa54de0282cf027bdb738cf
Author: Nick Mathewson <nickm at torproject.org>
Date: Thu May 22 19:56:56 2014 -0400
sandbox: allow access to cookie files, approved-routers
fixes part of 12064
---
src/or/config.c | 10 ++++++++++
src/or/control.c | 9 ++++-----
src/or/control.h | 1 +
src/or/main.c | 11 +++++++++++
4 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/or/config.c b/src/or/config.c
index 0f7b1d2..f0b559d 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -3750,6 +3750,16 @@ options_transition_allowed(const or_options_t *old,
" while Sandbox is active");
return -1;
}
+ if (! opt_streq(old->CookieAuthFile, new_val->CookieAuthFile)) {
+ *msg = tor_strdup("Can't change CookieAuthFile while Sandbox is active");
+ return -1;
+ }
+ if (! opt_streq(old->ExtORPortCookieAuthFile,
+ new_val->ExtORPortCookieAuthFile)) {
+ *msg = tor_strdup("Can't change ExtORPortCookieAuthFile"
+ " while Sandbox is active");
+ return -1;
+ }
}
return 0;
diff --git a/src/or/control.c b/src/or/control.c
index 2865d78..21504e6 100755
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -160,7 +160,6 @@ static int write_stream_target_to_buf(entry_connection_t *conn, char *buf,
size_t len);
static void orconn_target_get_name(char *buf, size_t len,
or_connection_t *conn);
-static char *get_cookie_file(void);
/** Given a control event code for a message event, return the corresponding
* log severity. */
@@ -2944,7 +2943,7 @@ handle_control_protocolinfo(control_connection_t *conn, uint32_t len,
} else {
const or_options_t *options = get_options();
int cookies = options->CookieAuthentication;
- char *cfile = get_cookie_file();
+ char *cfile = get_controller_cookie_file_name();
char *abs_cfile;
char *esc_cfile;
char *methods;
@@ -4639,8 +4638,8 @@ control_event_conf_changed(const smartlist_t *elements)
/** Helper: Return a newly allocated string containing a path to the
* file where we store our authentication cookie. */
-static char *
-get_cookie_file(void)
+char *
+get_controller_cookie_file_name(void)
{
const or_options_t *options = get_options();
if (options->CookieAuthFile && strlen(options->CookieAuthFile)) {
@@ -4664,7 +4663,7 @@ init_control_cookie_authentication(int enabled)
return 0;
}
- fname = get_cookie_file();
+ fname = get_controller_cookie_file_name();
retval = init_cookie_authentication(fname, "", /* no header */
AUTHENTICATION_COOKIE_LEN,
&authentication_cookie,
diff --git a/src/or/control.h b/src/or/control.h
index 988c171..68a6c24 100644
--- a/src/or/control.h
+++ b/src/or/control.h
@@ -85,6 +85,7 @@ int control_event_buildtimeout_set(buildtimeout_set_event_t type,
int control_event_signal(uintptr_t signal);
int init_control_cookie_authentication(int enabled);
+char *get_controller_cookie_file_name(void);
smartlist_t *decode_hashed_passwords(config_line_t *passwords);
void disable_control_logging(void);
void enable_control_logging(void);
diff --git a/src/or/main.c b/src/or/main.c
index 8e241d4..ba462dc 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2838,6 +2838,16 @@ sandbox_init_filter(void)
smartlist_free(logfiles);
}
+ {
+ char *fname;
+ if ((fname = get_controller_cookie_file_name())) {
+ sandbox_cfg_allow_open_filename(&cfg, fname);
+ }
+ if ((fname = get_ext_or_auth_cookie_file_name())) {
+ sandbox_cfg_allow_open_filename(&cfg, fname);
+ }
+ }
+
// orport
if (server_mode(get_options())) {
sandbox_cfg_allow_open_filename_array(&cfg,
@@ -2862,6 +2872,7 @@ sandbox_init_filter(void)
get_datadir_fname2("stats", "buffer-stats.tmp"),
get_datadir_fname2("stats", "conn-stats"),
get_datadir_fname2("stats", "conn-stats.tmp"),
+ get_datadir_fname("approved-routers"),
get_datadir_fname("fingerprint"),
get_datadir_fname("fingerprint.tmp"),
get_datadir_fname("hashed-fingerprint"),
More information about the tor-commits
mailing list