[tor-commits] [tor/master] Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist

nickm at torproject.org nickm at torproject.org
Sun Jul 17 17:55:21 UTC 2016


commit 36b06be73862d6f3206d0e2a6fe17af06f8b7c88
Author: Peter Palfrader <peter at palfrader.org>
Date:   Mon Jul 11 09:37:01 2016 +0200

    Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist
    
    If we did not find a non-private IP address by iterating over interfaces,
    we would try to get one via
    get_interface_address6_via_udp_socket_hack().  This opens a datagram
    socket with IPPROTO_UDP.  Previously all our datagram sockets (via
    libevent) used IPPROTO_IP, so we did not have that in the sandboxing
    whitelist.  Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing
    whitelist.  Fixes bug 19660.
---
 changes/bug19660     |  8 ++++++++
 src/common/sandbox.c | 30 +++++++++++++++---------------
 2 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/changes/bug19660 b/changes/bug19660
new file mode 100644
index 0000000..72d32c8
--- /dev/null
+++ b/changes/bug19660
@@ -0,0 +1,8 @@
+  o Minor bugfixes (sandboxing):
+    - If we did not find a non-private IPaddress by iterating over
+      interfaces, we would try to get one via
+      get_interface_address6_via_udp_socket_hack().  This opens a
+      datagram socket with IPPROTO_UDP.  Previously all our datagram
+      sockets (via libevent) used IPPROTO_IP, so we did not have that
+      in the sandboxing whitelist.  Add (SOCK_DGRAM, IPPROTO_UDP)
+      sockets to the sandboxing whitelist.  Fixes bug 19660.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 70c5bbd..54c1267 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -585,7 +585,7 @@ static int
 sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
   int rc = 0;
-  int i;
+  int i, j;
   (void) filter;
 
 #ifdef __i386__
@@ -602,20 +602,20 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
   for (i = 0; i < 2; ++i) {
     const int pf = i ? PF_INET : PF_INET6;
-
-    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
-      SCMP_CMP(0, SCMP_CMP_EQ, pf),
-      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
-      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
-    if (rc)
-      return rc;
-
-    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
-      SCMP_CMP(0, SCMP_CMP_EQ, pf),
-      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
-      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
-    if (rc)
-      return rc;
+    for (j=0; j < 3; ++j) {
+      const int type     = (j == 0) ? SOCK_STREAM :
+                           (j == 1) ? SOCK_DGRAM :
+                                      SOCK_DGRAM;
+      const int protocol = (j == 0) ? IPPROTO_TCP :
+                           (j == 1) ? IPPROTO_IP :
+                                      IPPROTO_UDP;
+      rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+        SCMP_CMP(0, SCMP_CMP_EQ, pf),
+        SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
+        SCMP_CMP(2, SCMP_CMP_EQ, protocol));
+      if (rc)
+        return rc;
+    }
   }
 
   rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
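Review bot: The allowlist in the new inner loop (`for (j=0; j < 3; ++j)`) is spelled as two parallel ternary chains with a hard-coded bound of 3, and nothing at the rule site records why (SOCK_DGRAM, IPPROTO_UDP) is permitted. In a seccomp filter each allowed pair should be auditable on its own, so I would move the pairs into a small static table with one comment per entry and derive the loop bound from the table. The commit message says the UDP entry exists for get_interface_address6_via_udp_socket_hack(), and that reason belongs next to the rule so the entry can be dropped if that caller goes away. The generated rules are the same as in the hunk. sb_socket starts in the previous hunk and continues past this one, so the table declaration goes with the other locals at the top of the function.

```c
  /* (type, protocol) pairs allowed on PF_INET and PF_INET6 sockets. */
  static const struct {
    int type;
    int protocol;
  } allowed[] = {
    { SOCK_STREAM, IPPROTO_TCP },
    /* Datagram sockets opened via libevent. */
    { SOCK_DGRAM, IPPROTO_IP },
    /* get_interface_address6_via_udp_socket_hack(); bug 19660. */
    { SOCK_DGRAM, IPPROTO_UDP },
  };
  /* ... unchanged: code between the declarations and the inner loop ... */
    for (j = 0; j < (int)(sizeof(allowed) / sizeof(allowed[0])); ++j) {
      rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
        SCMP_CMP(0, SCMP_CMP_EQ, pf),
        SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, allowed[j].type),
        SCMP_CMP(2, SCMP_CMP_EQ, allowed[j].protocol));
      if (rc)
        return rc;
    }
```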




