[tor-commits] [tor/release-0.2.6] Fix sandbox use with systemd. bug 16212.

nickm at torproject.org nickm at torproject.org
Mon Jun 8 14:47:40 UTC 2015


commit 97330ced0c2e0eeae9bb2bc576bb72190237819d
Author: Nick Mathewson <nickm at torproject.org>
Date:   Thu May 28 14:05:46 2015 -0400

    Fix sandbox use with systemd. bug 16212.
---
 changes/bug16212     |    5 +++++
 src/common/sandbox.c |   10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/changes/bug16212 b/changes/bug16212
new file mode 100644
index 0000000..bc12463
--- /dev/null
+++ b/changes/bug16212
@@ -0,0 +1,5 @@
+  o Minor bugfixes (sandbox, systemd):
+    - Allow systemd connections to work with the Linux seccomp2 sandbox
+      code.  Fixes bug 16212; bugfix on 0.2.6.2-alpha.
+      Patch by Peter Palfrader.
+
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 49316c6..a32bd0d 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -170,6 +170,7 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(read),
     SCMP_SYS(rt_sigreturn),
     SCMP_SYS(sched_getaffinity),
+    SCMP_SYS(sendmsg),
     SCMP_SYS(set_robust_list),
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
@@ -547,6 +548,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
       SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
       SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
       SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+    return rc;
+
+  rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+      SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
+      SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+    return rc;
 
   rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
       SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),





More information about the tor-commits mailing list