Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist

If we did not find a non-private IPaddress by iterating over interfaces,
we would try to get one via
get_interface_address6_via_udp_socket_hack().  This opens a datagram
socket with IPPROTO_UDP.  Previously all our datagram sockets (via
libevent) used IPPROTO_IP, so we did not have that in the sandboxing
whitelist.  Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing
whitelist.  Fixes bug 19660.
Peter Palfrader 7 years ago
parent
a931d157fd
commit
36b06be738
2 changed files with 23 additions and 15 deletions
Split View Show Diff Stats
  1. 8 0
      changes/bug19660
  2. 15 15
      src/common/sandbox.c

+ 8 - 0
changes/bug19660
View File 

@@ -0,0 +1,8 @@
 
+  o Minor bugfixes (sandboxing):
 
+    - If we did not find a non-private IPaddress by iterating over
 
+      interfaces, we would try to get one via
 
+      get_interface_address6_via_udp_socket_hack().  This opens a
 
+      datagram socket with IPPROTO_UDP.  Previously all our datagram
 
+      sockets (via libevent) used IPPROTO_IP, so we did not have that
 
+      in the sandboxing whitelist.  Add (SOCK_DGRAM, IPPROTO_UDP)
 
+      sockets to the sandboxing whitelist.  Fixes bug 19660.

+ 15 - 15
src/common/sandbox.c
View File 

@@ -585,7 +585,7 @@ static int
 
 sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
 {
 
   int rc = 0;
 
-  int i;
 
+  int i, j;
 
   (void) filter;
 
 
 #ifdef __i386__
 
@@ -602,20 +602,20 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
 
   for (i = 0; i < 2; ++i) {
 
     const int pf = i ? PF_INET : PF_INET6;
 
-
 
-    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
 
-      SCMP_CMP(0, SCMP_CMP_EQ, pf),
 
-      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
 
-      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
 
-    if (rc)
 
-      return rc;
 
-
 
-    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
 
-      SCMP_CMP(0, SCMP_CMP_EQ, pf),
 
-      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
 
-      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
 
-    if (rc)
 
-      return rc;
 
+    for (j=0; j < 3; ++j) {
 
+      const int type     = (j == 0) ? SOCK_STREAM :
 
+                           (j == 1) ? SOCK_DGRAM :
 
+                                      SOCK_DGRAM;
 
+      const int protocol = (j == 0) ? IPPROTO_TCP :
 
+                           (j == 1) ? IPPROTO_IP :
 
+                                      IPPROTO_UDP;
 
+      rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
 
+        SCMP_CMP(0, SCMP_CMP_EQ, pf),
 
+        SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
 
+        SCMP_CMP(2, SCMP_CMP_EQ, protocol));
 
+      if (rc)
 
+        return rc;
 
+    }
 
   }
 
 
   rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),