Преглед на файлове

Revert "Change the sandbox behavior on all failed opens() to EACCES"

This reverts commit 9a06282546418b2e9d21559d4853bcf124b953f4.

It appears that I misunderstood how the seccomp2 filter rules
interact.  It appears that `SCMP_ACT_ERRNO()` always takes
precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that
earlier rules would override later ones.  But this change caused bug
25115 (not in any released Tor).
Nick Mathewson преди 6 години
родител
ревизия
ea8e9f17f5
променени са 2 файла, в които са добавени 6 реда и са изтрити 8 реда
  1. 0 6
      changes/bug16106
  2. 6 2
      src/common/sandbox.c

+ 0 - 6
changes/bug16106

@@ -1,6 +0,0 @@
-  o Minor bugfixes (linux seccomp2 sandbox):
-    - Cause a wider variety of unpermitted open() calls to fail with the
-      EACCES error when the sandbox is running. This won't enable any
-      previously non-working functionality, but it should turn several cases
-      from crashes into sandbox warnings. Fixes bug 16106; bugfix on
-      0.2.5.1-alpha.

+ 6 - 2
src/common/sandbox.c

@@ -481,14 +481,18 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
     }
   }
 
-  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open));
+  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
+                SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+                                O_RDONLY));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
         "error %d", rc);
     return rc;
   }
 
-  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat));
+  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(openat),
+                SCMP_CMP_MASKED(2, O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
+                                O_RDONLY));
   if (rc != 0) {
     log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
             "libseccomp error %d", rc);