[tor-commits] [tor/master] Revert "Change the sandbox behavior on all failed opens() to EACCES"

nickm at torproject.org nickm at torproject.org
Thu Feb 1 13:40:44 UTC 2018 

commit ea8e9f17f52877cc795f1792acb81d7fdaff6baf
Author: Nick Mathewson <nickm at torproject.org>
Date:   Thu Feb 1 08:39:38 2018 -0500

    Revert "Change the sandbox behavior on all failed opens() to EACCES"
    
    This reverts commit 9a06282546418b2e9d21559d4853bcf124b953f4.
    
    It appears that I misunderstood how the seccomp2 filter rules
    interact.  It appears that `SCMP_ACT_ERRNO()` always takes
    precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that
    earlier rules would override later ones.  But this change caused bug
    25115 (not in any released Tor).
---
 changes/bug16106     | 6 ------
 src/common/sandbox.c | 8 ++++++--
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/changes/bug16106 b/changes/bug16106
deleted file mode 100644
index 9142a37e3..000000000
--- a/changes/bug16106
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (linux seccomp2 sandbox):
-    - Cause a wider variety of unpermitted open() calls to fail with the
-      EACCES error when the sandbox is running. This won't enable any
-      previously non-working functionality, but it should turn several cases
-      from crashes into sandbox warnings. Fixes bug 16106; bugfix on
-      0.2.5.1-alpha.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 043b8bf14..37f582048 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -481,14 +481,18 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     }
   }
 
-  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open));
+  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
+                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+                                O_RDONLY));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
         "error %d", rc);
     return rc;
   }
 
-  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat));
+  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
+                SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+                                O_RDONLY));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
             "libseccomp error %d", rc);

More information about the tor-commits mailing list