|
@@ -2726,41 +2726,41 @@ sandbox_init_filter(void)
|
|
|
sandbox_cfg_t *cfg = sandbox_cfg_new();
|
|
|
|
|
|
sandbox_cfg_allow_openat_filename(&cfg,
|
|
|
- get_datadir_fname("cached-status"), 1);
|
|
|
+ get_datadir_fname("cached-status"));
|
|
|
|
|
|
sandbox_cfg_allow_open_filename_array(&cfg,
|
|
|
- get_datadir_fname("cached-certs"), 1,
|
|
|
- get_datadir_fname("cached-certs.tmp"), 1,
|
|
|
- get_datadir_fname("cached-consensus"), 1,
|
|
|
- get_datadir_fname("cached-consensus.tmp"), 1,
|
|
|
- get_datadir_fname("unverified-consensus"), 1,
|
|
|
- get_datadir_fname("unverified-consensus.tmp"), 1,
|
|
|
- get_datadir_fname("unverified-microdesc-consensus"), 1,
|
|
|
- get_datadir_fname("unverified-microdesc-consensus.tmp"), 1,
|
|
|
- get_datadir_fname("cached-microdesc-consensus"), 1,
|
|
|
- get_datadir_fname("cached-microdesc-consensus.tmp"), 1,
|
|
|
- get_datadir_fname("cached-microdescs"), 1,
|
|
|
- get_datadir_fname("cached-microdescs.tmp"), 1,
|
|
|
- get_datadir_fname("cached-microdescs.new"), 1,
|
|
|
- get_datadir_fname("cached-microdescs.new.tmp"), 1,
|
|
|
- get_datadir_fname("cached-descriptors"), 1,
|
|
|
- get_datadir_fname("cached-descriptors.new"), 1,
|
|
|
- get_datadir_fname("cached-descriptors.tmp"), 1,
|
|
|
- get_datadir_fname("cached-descriptors.new.tmp"), 1,
|
|
|
- get_datadir_fname("cached-descriptors.tmp.tmp"), 1,
|
|
|
- get_datadir_fname("cached-extrainfo"), 1,
|
|
|
- get_datadir_fname("cached-extrainfo.new"), 1,
|
|
|
- get_datadir_fname("cached-extrainfo.tmp"), 1,
|
|
|
- get_datadir_fname("cached-extrainfo.new.tmp"), 1,
|
|
|
- get_datadir_fname("cached-extrainfo.tmp.tmp"), 1,
|
|
|
- get_datadir_fname("state.tmp"), 1,
|
|
|
- get_datadir_fname("unparseable-desc.tmp"), 1,
|
|
|
- get_datadir_fname("unparseable-desc"), 1,
|
|
|
- get_datadir_fname("v3-status-votes"), 1,
|
|
|
- get_datadir_fname("v3-status-votes.tmp"), 1,
|
|
|
- "/dev/srandom", 0,
|
|
|
- "/dev/urandom", 0,
|
|
|
- "/dev/random", 0,
|
|
|
+ get_datadir_fname("cached-certs"),
|
|
|
+ get_datadir_fname("cached-certs.tmp"),
|
|
|
+ get_datadir_fname("cached-consensus"),
|
|
|
+ get_datadir_fname("cached-consensus.tmp"),
|
|
|
+ get_datadir_fname("unverified-consensus"),
|
|
|
+ get_datadir_fname("unverified-consensus.tmp"),
|
|
|
+ get_datadir_fname("unverified-microdesc-consensus"),
|
|
|
+ get_datadir_fname("unverified-microdesc-consensus.tmp"),
|
|
|
+ get_datadir_fname("cached-microdesc-consensus"),
|
|
|
+ get_datadir_fname("cached-microdesc-consensus.tmp"),
|
|
|
+ get_datadir_fname("cached-microdescs"),
|
|
|
+ get_datadir_fname("cached-microdescs.tmp"),
|
|
|
+ get_datadir_fname("cached-microdescs.new"),
|
|
|
+ get_datadir_fname("cached-microdescs.new.tmp"),
|
|
|
+ get_datadir_fname("cached-descriptors"),
|
|
|
+ get_datadir_fname("cached-descriptors.new"),
|
|
|
+ get_datadir_fname("cached-descriptors.tmp"),
|
|
|
+ get_datadir_fname("cached-descriptors.new.tmp"),
|
|
|
+ get_datadir_fname("cached-descriptors.tmp.tmp"),
|
|
|
+ get_datadir_fname("cached-extrainfo"),
|
|
|
+ get_datadir_fname("cached-extrainfo.new"),
|
|
|
+ get_datadir_fname("cached-extrainfo.tmp"),
|
|
|
+ get_datadir_fname("cached-extrainfo.new.tmp"),
|
|
|
+ get_datadir_fname("cached-extrainfo.tmp.tmp"),
|
|
|
+ get_datadir_fname("state.tmp"),
|
|
|
+ get_datadir_fname("unparseable-desc.tmp"),
|
|
|
+ get_datadir_fname("unparseable-desc"),
|
|
|
+ get_datadir_fname("v3-status-votes"),
|
|
|
+ get_datadir_fname("v3-status-votes.tmp"),
|
|
|
+ tor_strdup("/dev/srandom"),
|
|
|
+ tor_strdup("/dev/urandom"),
|
|
|
+ tor_strdup("/dev/random"),
|
|
|
NULL, 0
|
|
|
);
|
|
|
|
|
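Review bot: The argument list still ends in `NULL, 0` (after the `/dev/random` entry), although this change drops the per-path integer from every other entry, so the trailing `0` looks like a leftover of the old path/flag pair convention. If the variadic reader now stops at the first NULL pointer, which is not visible in this hunk, the `0` is never read and the list should end in `(char *)NULL` alone. The cast matters because a bare `NULL` that expands to an integer 0 is not guaranteed to be read back correctly as a pointer through `va_arg`. The same terminator appears in the `sandbox_cfg_allow_stat_filename_array` and `sandbox_cfg_allow_open_filename_array` calls of the two later hunks. `sandbox_init_filter` begins and ends outside this hunk.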
@@ -2793,31 +2793,31 @@ sandbox_init_filter(void)
|
|
|
RENAME_SUFFIX("v3-status-votes", ".tmp");
|
|
|
|
|
|
sandbox_cfg_allow_stat_filename_array(&cfg,
|
|
|
- get_datadir_fname(NULL), 1,
|
|
|
- get_datadir_fname("lock"), 1,
|
|
|
- get_datadir_fname("state"), 1,
|
|
|
- get_datadir_fname("router-stability"), 1,
|
|
|
- get_datadir_fname("cached-extrainfo.new"), 1,
|
|
|
+ get_datadir_fname(NULL),
|
|
|
+ get_datadir_fname("lock"),
|
|
|
+ get_datadir_fname("state"),
|
|
|
+ get_datadir_fname("router-stability"),
|
|
|
+ get_datadir_fname("cached-extrainfo.new"),
|
|
|
NULL, 0
|
|
|
);
|
|
|
|
|
|
// orport
|
|
|
if (server_mode(get_options())) {
|
|
|
sandbox_cfg_allow_open_filename_array(&cfg,
|
|
|
- get_datadir_fname2("keys", "secret_id_key"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_onion_key"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_onion_key_ntor"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_id_key.old"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_onion_key.old"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_onion_key_ntor.old"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_onion_key.tmp"), 1,
|
|
|
- get_datadir_fname2("keys", "secret_id_key.tmp"), 1,
|
|
|
- get_datadir_fname("fingerprint"), 1,
|
|
|
- get_datadir_fname("fingerprint.tmp"), 1,
|
|
|
- get_datadir_fname("hashed-fingerprint"), 1,
|
|
|
- get_datadir_fname("hashed-fingerprint.tmp"), 1,
|
|
|
- "/etc/resolv.conf", 0,
|
|
|
+ get_datadir_fname2("keys", "secret_id_key"),
|
|
|
+ get_datadir_fname2("keys", "secret_onion_key"),
|
|
|
+ get_datadir_fname2("keys", "secret_onion_key_ntor"),
|
|
|
+ get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"),
|
|
|
+ get_datadir_fname2("keys", "secret_id_key.old"),
|
|
|
+ get_datadir_fname2("keys", "secret_onion_key.old"),
|
|
|
+ get_datadir_fname2("keys", "secret_onion_key_ntor.old"),
|
|
|
+ get_datadir_fname2("keys", "secret_onion_key.tmp"),
|
|
|
+ get_datadir_fname2("keys", "secret_id_key.tmp"),
|
|
|
+ get_datadir_fname("fingerprint"),
|
|
|
+ get_datadir_fname("fingerprint.tmp"),
|
|
|
+ get_datadir_fname("hashed-fingerprint"),
|
|
|
+ get_datadir_fname("hashed-fingerprint.tmp"),
|
|
|
+ tor_strdup("/etc/resolv.conf"),
|
|
|
NULL, 0
|
|
|
);
|
|
|
|
|
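Review bot: Nothing at these call sites documents that every path argument must now be heap-allocated, which is what wrapping `"/etc/resolv.conf"` in `tor_strdup()` implies once the per-entry flag is gone. Presumably the sandbox configuration takes ownership of each string and frees it later, though the callee is not visible here; a bare string literal added to one of these lists in future would then be handed to the allocator's free. I would add a comment above the server-mode call, e.g. `/* Each path must be heap-allocated: the sandbox cfg takes ownership (tor_strdup() literals). */`. The same applies to the `/dev/*` entries in the first hunk. The `if (server_mode(get_options()))` block opened here closes outside this hunk.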
@@ -2830,8 +2830,8 @@ sandbox_init_filter(void)
|
|
|
RENAME_SUFFIX("hashed-fingerprint", ".tmp");
|
|
|
|
|
|
sandbox_cfg_allow_stat_filename_array(&cfg,
|
|
|
- get_datadir_fname("keys"), 1,
|
|
|
- get_datadir_fname("stats/dirreq-stats"), 1,
|
|
|
+ get_datadir_fname("keys"),
|
|
|
+ get_datadir_fname("stats/dirreq-stats"),
|
|
|
NULL, 0
|
|
|
);
|
|
|
}
|