|
@@ -55,6 +55,8 @@
|
|
|
|
|
|
static sandbox_cfg_t *filter_dynamic = NULL;
|
|
|
|
|
|
+static struct addrinfo *sb_addr_info= NULL;
|
|
|
+
|
|
|
/** Variable used for storing all syscall numbers that will be allowed with the
|
|
|
* stage 1 general Tor sandbox.
|
|
|
*/
|
|
@@ -262,13 +264,13 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
}
|
|
|
|
|
|
// problem: required by getaddrinfo
|
|
|
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
|
|
|
- SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC));
|
|
|
- if (rc != 0) {
|
|
|
- log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
|
|
|
- "error %d", rc);
|
|
|
- return rc;
|
|
|
- }
|
|
|
+// rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
|
|
|
+// SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC));
|
|
|
+// if (rc != 0) {
|
|
|
+// log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
|
|
|
+// "error %d", rc);
|
|
|
+// return rc;
|
|
|
+// }
|
|
|
|
|
|
return 0;
|
|
|
}
|
|
@@ -288,8 +290,8 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
|
|
|
O_CLOEXEC));
|
|
|
if (rc != 0) {
|
|
|
- log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received libseccomp "
|
|
|
- "error %d", rc);
|
|
|
+ log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
|
|
|
+ "libseccomp error %d", rc);
|
|
|
return rc;
|
|
|
}
|
|
|
}
|
|
@@ -862,6 +864,54 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, int num, ...)
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
+int sandbox_getaddrinfo(const char *name, struct addrinfo **res)
|
|
|
+{
|
|
|
+ char hname[256];
|
|
|
+
|
|
|
+ if (!res) {
|
|
|
+ return -2;
|
|
|
+ }
|
|
|
+ *res = NULL;
|
|
|
+
|
|
|
+ if (gethostname(hname, sizeof(hname)) < 0) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (strncmp(name, hname, sizeof(hname)) || sb_addr_info == NULL) {
|
|
|
+ log_err(LD_BUG,"(Sandbox) failed for hname %s!", name);
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ *res = sb_addr_info;
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+static int
|
|
|
+init_addrinfo(void)
|
|
|
+{
|
|
|
+ int ret;
|
|
|
+ struct addrinfo hints;
|
|
|
+ char hname[256];
|
|
|
+
|
|
|
+ sb_addr_info = NULL;
|
|
|
+
|
|
|
+ if (gethostname(hname, sizeof(hname)) < 0) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ memset(&hints, 0, sizeof(hints));
|
|
|
+ hints.ai_family = AF_INET;
|
|
|
+ hints.ai_socktype = SOCK_STREAM;
|
|
|
+
|
|
|
+ ret = getaddrinfo(hname, NULL, &hints, &sb_addr_info);
|
|
|
+ if(ret) {
|
|
|
+ sb_addr_info = NULL;
|
|
|
+ return -2;
|
|
|
+ }
|
|
|
+
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
static int
|
|
|
add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
|
|
|
{
|
|
@@ -1047,6 +1097,10 @@ initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
|
|
|
if (install_sigsys_debugging())
|
|
|
return -1;
|
|
|
|
|
|
+ if (init_addrinfo()) {
|
|
|
+ return -4;
|
|
|
+ }
|
|
|
+
|
|
|
if (install_syscall_filter(cfg))
|
|
|
return -2;
|
|
|
|