
added openat parameter filter

Cristian Toader 11 years ago
parent
commit
8022def6f0
4 changed files with 22 additions and 7 deletions
  1. 14 5
      src/common/sandbox.c
  2. 3 1
      src/common/sandbox.h
  3. 3 1
      src/common/util.c
  4. 2 0
      src/or/main.c

+ 14 - 5
src/common/sandbox.c

@@ -117,7 +117,6 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(mprotect),
     SCMP_SYS(mremap),
     SCMP_SYS(munmap),
-    SCMP_SYS(openat),
     SCMP_SYS(poll),
     SCMP_SYS(prctl),
     SCMP_SYS(read),
@@ -158,7 +157,7 @@ static int filter_nopar_gen[] = {
 };
 
 const char*
-sandbox_intern_string(char *param)
+sandbox_intern_string(const char *param)
 {
   int i, filter_size;
   sandbox_cfg_t *elem;
@@ -228,15 +227,25 @@ prot_strdup(char* str)
 int
 sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
 {
-  sandbox_cfg_t *elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
+  sandbox_cfg_t *elem = NULL;
+  intptr_t prot_str = (intptr_t) prot_strdup((char*) file);
 
+  elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
   elem->syscall = SCMP_SYS(open);
   elem->pindex = 0;
   elem->ptype = PARAM_PTR;
-  elem->param = (intptr_t) prot_strdup((char*) file);
+  elem->param = prot_str;
   elem->prot = 1;
+  elem->next = filter_dynamic;
+  filter_dynamic = elem;
 
-  // fifo
+  // also allow openat
+  elem = (sandbox_cfg_t*) malloc(sizeof(sandbox_cfg_t));
+  elem->syscall = SCMP_SYS(openat);
+  elem->pindex = 1;
+  elem->ptype = PARAM_PTR;
+  elem->param = prot_str;
+  elem->prot = 1;
   elem->next = filter_dynamic;
   filter_dynamic = elem;
 
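Review bot: Both `malloc` calls in the rewritten body of `sandbox_cfg_allow_open_filename` are written through without a NULL check, and the shared `prot_strdup` result is never checked either, so an allocation failure while the seccomp filter is being built becomes a null-pointer write rather than a reported error. A guard after each allocation, `if (!prot_str) return -1;` and `if (!elem) return -1;`, using whatever error value the function's return path (outside this hunk) already uses, keeps a failed allocation from crashing or silently weakening filter construction. The two near-identical element-filling blocks also invite a small static helper taking the syscall number and parameter index, which would make the `pindex = 1` for openat (the pathname is openat's second argument) visible as a deliberate choice instead of one field in a repeated assignment run. The function's tail, including its return statement, continues past the hunk.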

+ 3 - 1
src/common/sandbox.h

@@ -29,7 +29,9 @@
  */
 #ifdef __linux__
 
+#ifndef __USE_GNU
 #define __USE_GNU
+#endif
 #include <sys/ucontext.h>
 
 #define MAX_PARAM_LEN 64
@@ -80,7 +82,7 @@ typedef struct pfd_elem sandbox_cfg_t;
 
 void sandbox_set_debugging_fd(int fd);
 int tor_global_sandbox(void);
-const char* sandbox_intern_string(char *param);
+const char* sandbox_intern_string(const char *param);
 
 sandbox_cfg_t * sandbox_cfg_new();
 int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file);
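Review bot: Wrapping `#define __USE_GNU` in `#ifndef` silences the redefinition warning but keeps the underlying fragility in the first hunk: `__USE_GNU` is a glibc-internal macro in the reserved double-underscore namespace, derived by `features.h` from `_GNU_SOURCE`, and setting it by hand only has the intended effect if no glibc header has been included before `sandbox.h`. The portable request is `#define _GNU_SOURCE` before the first system include (or `-D_GNU_SOURCE` in the build flags), leaving `__USE_GNU` to the library. The `const char *` prototype change in the second hunk matches the definition in sandbox.c and is fine as is.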

+ 3 - 1
src/common/util.c

@@ -24,6 +24,7 @@
 #include "torint.h"
 #include "container.h"
 #include "address.h"
+#include "../common/sandbox.h"
 
 #ifdef _WIN32
 #include <io.h>
@@ -3042,6 +3043,7 @@ smartlist_t *
 tor_listdir(const char *dirname)
 {
   smartlist_t *result;
+  const char *prot_dname = sandbox_intern_string(dirname);
 #ifdef _WIN32
   char *pattern=NULL;
   TCHAR tpattern[MAX_PATH] = {0};
@@ -3085,7 +3087,7 @@ tor_listdir(const char *dirname)
 #else
   DIR *d;
   struct dirent *de;
-  if (!(d = opendir(dirname)))
+  if (!(d = opendir(prot_dname)))
     return NULL;
 
   result = smartlist_new();
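Review bot: `prot_dname` in the second hunk is declared and initialised unconditionally at the top of `tor_listdir`, yet the only use visible here is the `opendir` call in the `#else` branch of the third hunk; if the `_WIN32` branch (largely outside the hunks) does not read it, that build gets an unused-variable warning plus a call to `sandbox_intern_string` whose declaration in sandbox.h sits under `#ifdef __linux__`, which is an implicit declaration on other platforms unless the header supplies a stub not shown here. Moving the line into the `#else` branch directly before the `opendir`, `const char *prot_dname = sandbox_intern_string(dirname);`, keeps the interning next to its only use and out of the Windows path. The include in the first hunk would also read better as `#include "sandbox.h"`, since util.c already lives in src/common and the neighbouring includes use bare names. `tor_listdir` continues beyond the hunk.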

+ 2 - 0
src/or/main.c

@@ -2644,6 +2644,8 @@ sandbox_init_filter()
 {
   sandbox_cfg_t *cfg = sandbox_cfg_new();
 
+  sandbox_cfg_allow_open_filename(&cfg,
+      get_datadir_fname("cached-status"));
   sandbox_cfg_allow_open_filename(&cfg,
       get_datadir_fname("cached-certs"));
   sandbox_cfg_allow_open_filename(&cfg,
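Review bot: The new `sandbox_cfg_allow_open_filename` call for `cached-status` discards the function's `int` return, so a failure to register the rule (and the matching openat rule this commit adds alongside it) is not noticed until the filter later kills the process when the file is touched; the surrounding pre-existing calls share the pattern, but the new lines are the place to start checking the result against the success value defined in sandbox.c (outside this section). If `get_datadir_fname` returns a freshly allocated string, which this page does not show, that string is copied by `prot_strdup` inside the callee and never freed here; binding it to a local and freeing it after the call would close that leak. `sandbox_init_filter` continues beyond the hunk.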