|
|
@@ -142,12 +142,14 @@ static int filter_nopar_gen[] = {
|
|
|
static int
|
|
|
sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
- int i, rc;
|
|
|
+ unsigned i;
|
|
|
+ int rc;
|
|
|
int param[] = { SIGINT, SIGTERM, SIGPIPE, SIGUSR1, SIGUSR2, SIGHUP, SIGCHLD,
|
|
|
#ifdef SIGXFSZ
|
|
|
SIGXFSZ
|
|
|
#endif
|
|
|
};
|
|
|
+ (void) filter;
|
|
|
|
|
|
for (i = 0; i < ARRAY_LENGTH(param); i++) {
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 1,
|
|
|
@@ -195,6 +197,7 @@ sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
static int
|
|
|
sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
+ (void) filter;
|
|
|
return seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), 1,
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, 0));
|
|
|
}
|
|
|
@@ -207,6 +210,7 @@ static int
|
|
|
sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void)filter;
|
|
|
|
|
|
#ifdef __i386__
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 1,
|
|
|
@@ -365,6 +369,7 @@ static int
|
|
|
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
#ifdef __i386__
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
|
|
|
@@ -411,6 +416,7 @@ static int
|
|
|
sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
#ifdef __i386__
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0);
|
|
|
@@ -435,6 +441,7 @@ static int
|
|
|
sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
#ifdef __i386__
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
|
|
|
@@ -459,6 +466,7 @@ static int
|
|
|
sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
#ifdef __i386__
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0);
|
|
|
@@ -521,6 +529,7 @@ static int
|
|
|
sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
|
|
|
@@ -551,6 +560,7 @@ static int
|
|
|
sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1,
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
|
|
|
@@ -571,6 +581,7 @@ static int
|
|
|
sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
|
|
|
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
|
|
|
@@ -598,6 +609,7 @@ static int
|
|
|
sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
|
|
|
SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
|
|
|
@@ -622,6 +634,7 @@ static int
|
|
|
sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1,
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
|
|
|
@@ -644,6 +657,7 @@ static int
|
|
|
sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
// can remove
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
|
|
|
@@ -675,6 +689,7 @@ static int
|
|
|
sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), 1,
|
|
|
SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
|
|
|
@@ -692,6 +707,7 @@ static int
|
|
|
sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|
|
{
|
|
|
int rc = 0;
|
|
|
+ (void) filter;
|
|
|
|
|
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 2,
|
|
|
SCMP_CMP(1, SCMP_CMP_EQ, 1),
|
|
|
@@ -825,13 +841,13 @@ prot_strings(sandbox_cfg_t* cfg)
|
|
|
char *param_val = (char*)((smp_param_t *)el->param)->value;
|
|
|
size_t param_size = strlen(param_val) + 1;
|
|
|
|
|
|
- if (pr_mem_left - param_size >= 0) {
|
|
|
+ if (pr_mem_left >= param_size) {
|
|
|
// copy to protected
|
|
|
memcpy(pr_mem_next, param_val, param_size);
|
|
|
|
|
|
// re-point el parameter to protected
|
|
|
{
|
|
|
- void *old_val = ((smp_param_t*)el->param)->value;
|
|
|
+ void *old_val = (void *) ((smp_param_t*)el->param)->value;
|
|
|
tor_free(old_val);
|
|
|
}
|
|
|
((smp_param_t*)el->param)->value = (intptr_t) pr_mem_next;
|
|
|
@@ -900,7 +916,7 @@ sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, int fr)
|
|
|
{
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
|
- elem = new_element(SCMP_stat, 0, (intptr_t) tor_strdup(file));
|
|
|
+ elem = new_element(SCMP_stat, 0, (intptr_t)(void*) tor_strdup(file));
|
|
|
if (!elem) {
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
return -1;
|
|
|
@@ -942,7 +958,7 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr)
|
|
|
{
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
|
- elem = new_element(SCMP_SYS(open), 0, (intptr_t) tor_strdup(file));
|
|
|
+ elem = new_element(SCMP_SYS(open), 0, (intptr_t)(void *)tor_strdup(file));
|
|
|
if (!elem) {
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
return -1;
|
|
|
@@ -985,7 +1001,7 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, int fr)
|
|
|
{
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
|
- elem = new_element(SCMP_SYS(openat), 1, (intptr_t) tor_strdup(file));
|
|
|
+ elem = new_element(SCMP_SYS(openat), 1, (intptr_t)(void *)tor_strdup(file));
|
|
|
if (!elem) {
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
return -1;
|
|
|
@@ -1024,11 +1040,11 @@ sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...)
|
|
|
}
|
|
|
|
|
|
int
|
|
|
-sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, char *com)
|
|
|
+sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
|
|
|
{
|
|
|
sandbox_cfg_t *elem = NULL;
|
|
|
|
|
|
- elem = new_element(SCMP_SYS(execve), 1, (intptr_t) tor_strdup(com));
|
|
|
+ elem = new_element(SCMP_SYS(execve), 1, (intptr_t)(void *)tor_strdup(com));
|
|
|
if (!elem) {
|
|
|
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
|
|
|
return -1;
|
|
|
@@ -1141,7 +1157,8 @@ sandbox_add_addrinfo(const char* name)
|
|
|
static int
|
|
|
add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
|
|
|
{
|
|
|
- int i, rc = 0;
|
|
|
+ unsigned i;
|
|
|
+ int rc = 0;
|
|
|
|
|
|
// function pointer
|
|
|
for (i = 0; i < ARRAY_LENGTH(filter_func); i++) {
|
|
|
@@ -1162,7 +1179,8 @@ add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
|
|
|
static int
|
|
|
add_noparam_filter(scmp_filter_ctx ctx)
|
|
|
{
|
|
|
- int i, rc = 0;
|
|
|
+ unsigned i;
|
|
|
+ int rc = 0;
|
|
|
|
|
|
// add general filters
|
|
|
for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
|
Nick Mathewson