nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-09-20 13:06:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'public/sandbox_fixes_rebased_2'

Browse Source
This commit is contained in:
Nick Mathewson 2014-04-16 23:45:55 -04:00
commit 4367cbd71b
17 changed files with 1743 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
changes/sandbox_fixes_11351 Normal file
View File

@ -0,0 +1,13 @@
o Major features:
- Refinements and improvements to the Linux seccomp2 sandbox code:
the sandbox can now run a test network for multiple hours without
crashing. (Previous crash reasons included: reseeding the OpenSSL PRNG,
seeding the Libevent PRNG, using the wrong combination of CLOEXEC and
NONBLOCK at the same place and time, having server keys, being an
authority, receiving a HUP, or using IPv6.) The sandbox is still
experimental, and more bugs will probably turn up. To try it,
enable "Sandbox 1" on a Linux host.
- Strengthen the Linux seccomp2 sandbox code: the sandbox can now
test the arguments for rename(), and blocks _sysctl() entirely.

1
configure.ac
View File

@ -435,6 +435,7 @@ AC_CHECK_FUNCS([event_get_version \
event_set_log_callback \
evdns_set_outgoing_bind_address \
evutil_secure_rng_set_urandom_device_file \
evutil_secure_rng_init \
event_base_loopexit])
AC_CHECK_MEMBERS([struct event.min_heap_idx], , ,
[#include <event.h>

14
src/common/compat.c
View File

@ -144,6 +144,7 @@ tor_open_cloexec(const char *path, int flags, unsigned mode)
return -1;
#endif
log_debug(LD_FS, "Opening %s with flags %x", path, flags);
fd = open(path, flags, mode);
#ifdef FD_CLOEXEC
if (fd >= 0) {
@ -175,6 +176,15 @@ tor_fopen_cloexec(const char *path, const char *mode)
return result;
}
/** As rename(), but work correctly with the sandbox. */
int
tor_rename(const char *path_old, const char *path_new)
{
log_debug(LD_FS, "Renaming %s to %s", path_old, path_new);
return rename(sandbox_intern_string(path_old),
sandbox_intern_string(path_new));
}
#if defined(HAVE_SYS_MMAN_H) || defined(RUNNING_DOXYGEN)
/** Try to create a memory mapping for <b>filename</b> and return it. On
* failure, return NULL. Sets errno properly, using ERANGE to mean
@ -799,7 +809,7 @@ int
replace_file(const char *from, const char *to)
{
#ifndef _WIN32
return rename(from,to);
return tor_rename(from, to);
#else
switch (file_status(to))
{
@ -814,7 +824,7 @@ replace_file(const char *from, const char *to)
errno = EISDIR;
return -1;
}
return rename(from,to);
return tor_rename(from,to);
#endif
}

1
src/common/compat.h
View File

@ -410,6 +410,7 @@ struct tm *tor_gmtime_r(const time_t *timep, struct tm *result);
/* ===== File compatibility */
int tor_open_cloexec(const char *path, int flags, unsigned mode);
FILE *tor_fopen_cloexec(const char *path, const char *mode);
int tor_rename(const char *path_old, const char *path_new);
int replace_file(const char *from, const char *to);
int touch_file(const char *fname);

19
src/common/compat_libevent.c
View File

@ -13,6 +13,8 @@
#include "compat.h"
#include "compat_libevent.h"
#include "crypto.h"
#include "util.h"
#include "torlog.h"
@ -626,6 +628,23 @@ tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev,
}
#endif
int
tor_init_libevent_rng(void)
{
int rv = 0;
#ifdef HAVE_EVUTIL_SECURE_RNG_INIT
char buf[256];
if (evutil_secure_rng_init() < 0) {
rv = -1;
}
/* Older libevent -- manually initialize the RNG */
crypto_rand(buf, 32);
evutil_secure_rng_add_bytes(buf, 32);
evutil_secure_rng_get_bytes(buf, sizeof(buf));
#endif
return rv;
}
#if defined(LIBEVENT_VERSION_NUMBER) && LIBEVENT_VERSION_NUMBER >= V(2,1,1) \
&& !defined(TOR_UNIT_TESTS)
void

2
src/common/compat_libevent.h
View File

@ -89,6 +89,8 @@ int tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev,
struct bufferevent_rate_limit_group *g);
#endif
int tor_init_libevent_rng(void);
void tor_gettimeofday_cached(struct timeval *tv);
void tor_gettimeofday_cache_clear(void);
#ifdef TOR_UNIT_TESTS

1
src/common/crypto.c
View File

@ -2471,6 +2471,7 @@ crypto_strongest_rand(uint8_t *out, size_t out_len)
return 0;
#else
for (i = 0; filenames[i]; ++i) {
log_debug(LD_FS, "Opening %s for entropy", filenames[i]);
fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
if (fd<0) continue;
log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);

37
src/common/gen_linux_syscalls.pl Executable file
View File

@ -0,0 +1,37 @@
#!/usr/bin/perl -w
use strict;
my %syscalls = ();
while (<>) {
if (/^#define (__NR_\w+) /) {
$syscalls{$1} = 1;
}
}
print <<EOL;
/* Automatically generated with
gen_sandbox_syscalls.pl /usr/include/asm/unistd*.h
Do not edit.
*/
static const struct {
int syscall_num; const char *syscall_name;
} SYSCALLS_BY_NUMBER[] = {
EOL
for my $k (sort keys %syscalls) {
my $name = $k;
$name =~ s/^__NR_//;
print <<EOL;
#ifdef $k
{ $k, "$name" },
#endif
EOL
}
print <<EOL
{0, NULL}
};
EOL

1
src/common/include.am
View File

@ -103,6 +103,7 @@ COMMONHEADERS = \
src/common/di_ops.h \
src/common/memarea.h \
src/common/mempool.h \
src/common/linux_syscalls.inc \
src/common/procmon.h \
src/common/sandbox.h \
src/common/testsupport.h \

1153
src/common/linux_syscalls.inc Normal file
View File

File diff suppressed because it is too large Load Diff

436
src/common/sandbox.c
View File

@ -27,6 +27,7 @@
#include <stdlib.h>
#include "sandbox.h"
#include "container.h"
#include "torlog.h"
#include "torint.h"
#include "util.h"
@ -76,6 +77,13 @@ static sb_addr_info_t *sb_addr_info = NULL;
#undef SCMP_CMP
#define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
/* We use a wrapper here because these masked comparisons seem to be pretty
* verbose. Also, it's important to cast to scmp_datum_t before negating the
* mask, since otherwise the negation might get applied to a 32 bit value, and
* the high bits of the value might get masked out improperly. */
#define SCMP_CMP_MASKED(a,b,c) \
SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
/** Variable used for storing all syscall numbers that will be allowed with the
* stage 1 general Tor sandbox.
@ -121,7 +129,6 @@ static int filter_nopar_gen[] = {
SCMP_SYS(mmap),
SCMP_SYS(munmap),
SCMP_SYS(read),
SCMP_SYS(rename),
SCMP_SYS(rt_sigreturn),
SCMP_SYS(set_robust_list),
#ifdef __NR_sigreturn
@ -159,6 +166,19 @@ static int filter_nopar_gen[] = {
SCMP_SYS(unlink)
};
/* These macros help avoid the error where the number of filters we add on a
* single rule don't match the arg_cnt param. */
#define seccomp_rule_add_0(ctx,act,call) \
seccomp_rule_add((ctx),(act),(call),0)
#define seccomp_rule_add_1(ctx,act,call,f1) \
seccomp_rule_add((ctx),(act),(call),1,(f1))
#define seccomp_rule_add_2(ctx,act,call,f1,f2) \
seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
/**
* Function responsible for setting up the rt_sigaction syscall for
* the seccomp filter sandbox.
@ -176,7 +196,7 @@ sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
(void) filter;
for (i = 0; i < ARRAY_LENGTH(param); i++) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction),
SCMP_CMP(0, SCMP_CMP_EQ, param[i]));
if (rc)
break;
@ -197,11 +217,11 @@ sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
// for each dynamic parameter filters
for (elem = filter; elem != NULL; elem = elem->next) {
smp_param_t *param = (smp_param_t*) elem->param;
smp_param_t *param = elem->param;
if (param != NULL && param->prot == 1 && param->syscall
== SCMP_SYS(execve)) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve),
SCMP_CMP(0, SCMP_CMP_EQ, param->value));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received "
@ -222,7 +242,7 @@ static int
sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
(void) filter;
return seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), 1,
return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time),
SCMP_CMP(0, SCMP_CMP_EQ, 0));
}
@ -237,15 +257,15 @@ sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
(void)filter;
#ifdef __i386__
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall),
SCMP_CMP(0, SCMP_CMP_EQ, 18));
if (rc) {
return rc;
}
#endif
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 1,
SCMP_CMP(3, SCMP_CMP_EQ, SOCK_CLOEXEC));
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4),
SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0));
if (rc) {
return rc;
}
@ -264,49 +284,49 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void)filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE));
if (rc) {
return rc;
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE),
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE));
if (rc) {
return rc;
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS));
if (rc) {
return rc;
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
if (rc) {
return rc;
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
if (rc) {
return rc;
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
if (rc) {
return rc;
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
if (rc) {
@ -333,7 +353,7 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (param != NULL && param->prot == 1 && param->syscall
== SCMP_SYS(open)) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
SCMP_CMP(0, SCMP_CMP_EQ, param->value));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
@ -343,8 +363,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(-1), SCMP_SYS(open), 1,
SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC));
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
"error %d", rc);
@ -354,6 +374,54 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return 0;
}
static int
sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc;
(void) filter;
(void) ctx;
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, "
"received libseccomp error %d", rc);
return rc;
}
return 0;
}
/**
* Function responsible for setting up the rename syscall for
* the seccomp filter sandbox.
*/
static int
sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc;
sandbox_cfg_t *elem = NULL;
// for each dynamic parameter filters
for (elem = filter; elem != NULL; elem = elem->next) {
smp_param_t *param = elem->param;
if (param != NULL && param->prot == 1 &&
param->syscall == SCMP_SYS(rename)) {
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
SCMP_CMP(0, SCMP_CMP_EQ, param->value),
SCMP_CMP(1, SCMP_CMP_EQ, param->value2));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
"libseccomp error %d", rc);
return rc;
}
}
}
return 0;
}
/**
* Function responsible for setting up the openat syscall for
* the seccomp filter sandbox.
@ -370,7 +438,7 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (param != NULL && param->prot == 1 && param->syscall
== SCMP_SYS(openat)) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
@ -394,43 +462,40 @@ static int
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc = 0;
int i;
(void) filter;
#ifdef __i386__
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
if (rc)
return rc;
#endif
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC),
for (i = 0; i < 2; ++i) {
const int pf = i ? PF_INET : PF_INET6;
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, pf),
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
if (rc)
return rc;
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, pf),
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
if (rc)
return rc;
if (rc)
return rc;
}
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
SCMP_CMP(2, SCMP_CMP_EQ, 0));
@ -451,12 +516,12 @@ sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
(void) filter;
#ifdef __i386__
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0);
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair));
if (rc)
return rc;
#endif
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair),
SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC));
if (rc)
@ -476,19 +541,19 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
(void) filter;
#ifdef __i386__
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt));
if (rc)
return rc;
#endif
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
if (rc)
return rc;
#ifdef IP_TRANSPARENT
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt),
SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
if (rc)
@ -509,12 +574,12 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
(void) filter;
#ifdef __i386__
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0);
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt));
if (rc)
return rc;
#endif
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt),
SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR));
if (rc)
@ -534,23 +599,23 @@ sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
if (rc)
@ -572,17 +637,17 @@ sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl),
SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL));
if (rc)
return rc;
@ -603,7 +668,7 @@ sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl),
SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE));
if (rc)
return rc;
@ -624,12 +689,12 @@ sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
if (rc)
return rc;
@ -647,12 +712,12 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
if (rc)
return rc;
@ -672,12 +737,12 @@ sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN));
if (rc)
return rc;
@ -696,18 +761,18 @@ sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
(void) filter;
// can remove
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
SCMP_CMP(1, SCMP_CMP_EQ,
FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
if (rc)
return rc;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
if (rc)
return rc;
@ -727,7 +792,7 @@ sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap),
SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE));
if (rc)
return rc;
@ -745,7 +810,7 @@ sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 2,
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll),
SCMP_CMP(1, SCMP_CMP_EQ, 1),
SCMP_CMP(2, SCMP_CMP_EQ, 10));
if (rc)
@ -771,7 +836,7 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open)
|| param->syscall == SCMP_SYS(stat64))) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64), 1,
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64),
SCMP_CMP(0, SCMP_CMP_EQ, param->value));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
@ -800,6 +865,8 @@ static sandbox_filter_func_t filter_func[] = {
#endif
sb_open,
sb_openat,
sb__sysctl,
sb_rename,
#ifdef __NR_fcntl64
sb_fcntl64,
#endif
@ -820,7 +887,7 @@ static sandbox_filter_func_t filter_func[] = {
sb_socketpair
};
const char*
const char *
sandbox_intern_string(const char *str)
{
sandbox_cfg_t *elem;
@ -831,15 +898,65 @@ sandbox_intern_string(const char *str)
for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
smp_param_t *param = elem->param;
if (param->prot && !strcmp(str, (char*)(param->value))) {
return (char*)(param->value);
if (param->prot) {
if (!strcmp(str, (char*)(param->value))) {
return (char*)param->value;
}
if (param->value2 && !strcmp(str, (char*)param->value2)) {
return (char*)param->value2;
}
}
}
log_info(LD_GENERAL, "(Sandbox) Parameter %s not found", str);
if (sandbox_active)
log_warn(LD_BUG, "No interned sandbox parameter found for %s", str);
return str;
}
/** DOCDOC */
static int
prot_strings_helper(strmap_t *locations,
char **pr_mem_next_p,
size_t *pr_mem_left_p,
intptr_t *value_p)
{
char *param_val;
size_t param_size;
void *location;
if (*value_p == 0)
return 0;
param_val = (char*) *value_p;
param_size = strlen(param_val) + 1;
location = strmap_get(locations, param_val);
if (location) {
// We already interned this string.
tor_free(param_val);
*value_p = (intptr_t) location;
return 0;
} else if (*pr_mem_left_p >= param_size) {
// copy to protected
location = *pr_mem_next_p;
memcpy(location, param_val, param_size);
// re-point el parameter to protected
tor_free(param_val);
*value_p = (intptr_t) location;
strmap_set(locations, location, location); /* good real estate advice */
// move next available protected memory
*pr_mem_next_p += param_size;
*pr_mem_left_p -= param_size;
return 0;
} else {
log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
return -1;
}
}
/**
* Protects all the strings in the sandbox's parameter list configuration. It
* works by calculating the total amount of memory required by the parameter
@ -853,10 +970,13 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
size_t pr_mem_size = 0, pr_mem_left = 0;
char *pr_mem_next = NULL, *pr_mem_base;
sandbox_cfg_t *el = NULL;
strmap_t *locations = NULL;
// get total number of bytes required to mmap
// get total number of bytes required to mmap. (Overestimate.)
for (el = cfg; el != NULL; el = el->next) {
pr_mem_size += strlen((char*) ((smp_param_t*)el->param)->value) + 1;
pr_mem_size += strlen((char*) el->param->value) + 1;
if (el->param->value2)
pr_mem_size += strlen((char*) el->param->value2) + 1;
}
// allocate protected memory with MALLOC_MP_LIM canary
@ -872,31 +992,21 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
pr_mem_next = pr_mem_base + MALLOC_MP_LIM;
pr_mem_left = pr_mem_size;
locations = strmap_new();
// change el value pointer to protected
for (el = cfg; el != NULL; el = el->next) {
char *param_val = (char*)((smp_param_t *)el->param)->value;
size_t param_size = strlen(param_val) + 1;
if (pr_mem_left >= param_size) {
// copy to protected
memcpy(pr_mem_next, param_val, param_size);
// re-point el parameter to protected
{
void *old_val = (void *) ((smp_param_t*)el->param)->value;
tor_free(old_val);
}
((smp_param_t*)el->param)->value = (intptr_t) pr_mem_next;
((smp_param_t*)el->param)->prot = 1;
// move next available protected memory
pr_mem_next += param_size;
pr_mem_left -= param_size;
} else {
log_err(LD_BUG,"(Sandbox) insufficient protected memory!");
if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
&el->param->value) < 0) {
ret = -2;
goto out;
}
if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left,
&el->param->value2) < 0) {
ret = -2;
goto out;
}
el->param->prot = 1;
}
// protecting from writes
@ -911,7 +1021,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
* Setting sandbox restrictions so the string memory cannot be tampered with
*/
// no mremap of the protected base address
ret = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap), 1,
ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap),
SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
if (ret) {
log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!");
@ -919,7 +1029,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
}
// no munmap of the protected base address
ret = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap), 1,
ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap),
SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base));
if (ret) {
log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!");
@ -936,7 +1046,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
* There is a restriction on how much you can mprotect with R|W up to the
* size of the canary.
*/
ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 2,
ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
@ -945,7 +1055,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
return ret;
}
ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 2,
ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
MALLOC_MP_LIM),
SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
@ -956,7 +1066,8 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
}
out:
return ret;
strmap_free(locations, NULL);
return ret;
}
/**
@ -966,22 +1077,27 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
* point.
*/
static sandbox_cfg_t*
new_element(int syscall, int index, intptr_t value)
new_element2(int syscall, intptr_t value, intptr_t value2)
{
smp_param_t *param = NULL;
sandbox_cfg_t *elem = tor_malloc(sizeof(sandbox_cfg_t));
elem->param = tor_malloc(sizeof(smp_param_t));
sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t));
param = elem->param = tor_malloc_zero(sizeof(smp_param_t));
param = elem->param;
param->syscall = syscall;
param->pindex = index;
param->value = value;
param->value2 = value2;
param->prot = 0;
return elem;
}
static sandbox_cfg_t*
new_element(int syscall, intptr_t value)
{
return new_element2(syscall, value, 0);
}
#ifdef __NR_stat64
#define SCMP_stat SCMP_SYS(stat64)
#else
@ -989,11 +1105,11 @@ new_element(int syscall, int index, intptr_t value)
#endif
int
sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, int fr)
sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
{
sandbox_cfg_t *elem = NULL;
elem = new_element(SCMP_stat, 0, (intptr_t)(void*) tor_strdup(file));
elem = new_element(SCMP_stat, (intptr_t)(void*) file);
if (!elem) {
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
return -1;
@ -1002,7 +1118,6 @@ sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, int fr)
elem->next = *cfg;
*cfg = elem;
if (fr) tor_free(file);
return 0;
}
@ -1016,9 +1131,7 @@ sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...)
va_start(ap, cfg);
while ((fn = va_arg(ap, char*)) != NULL) {
int fr = va_arg(ap, int);
rc = sandbox_cfg_allow_stat_filename(cfg, fn, fr);
rc = sandbox_cfg_allow_stat_filename(cfg, fn);
if (rc) {
log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_stat_filename_array fail");
goto end;
@ -1031,11 +1144,11 @@ sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...)
}
int
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr)
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
{
sandbox_cfg_t *elem = NULL;
elem = new_element(SCMP_SYS(open), 0, (intptr_t)(void *)tor_strdup(file));
elem = new_element(SCMP_SYS(open), (intptr_t)(void *) file);
if (!elem) {
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
return -1;
@ -1044,7 +1157,25 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr)
elem->next = *cfg;
*cfg = elem;
if (fr) tor_free(file);
return 0;
}
int
sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
{
sandbox_cfg_t *elem = NULL;
elem = new_element2(SCMP_SYS(rename),
(intptr_t)(void *) file1,
(intptr_t)(void *) file2);
if (!elem) {
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
return -1;
}
elem->next = *cfg;
*cfg = elem;
return 0;
}
@ -1059,9 +1190,7 @@ sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...)
va_start(ap, cfg);
while ((fn = va_arg(ap, char*)) != NULL) {
int fr = va_arg(ap, int);
rc = sandbox_cfg_allow_open_filename(cfg, fn, fr);
rc = sandbox_cfg_allow_open_filename(cfg, fn);
if (rc) {
log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_open_filename_array fail");
goto end;
@ -1074,11 +1203,11 @@ sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...)
}
int
sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, int fr)
sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
{
sandbox_cfg_t *elem = NULL;
elem = new_element(SCMP_SYS(openat), 1, (intptr_t)(void *)tor_strdup(file));
elem = new_element(SCMP_SYS(openat), (intptr_t)(void *) file);
if (!elem) {
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
return -1;
@ -1087,8 +1216,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, int fr)
elem->next = *cfg;
*cfg = elem;
if (fr) tor_free(file);
return 0;
}
@ -1102,9 +1229,7 @@ sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...)
va_start(ap, cfg);
while ((fn = va_arg(ap, char*)) != NULL) {
int fr = va_arg(ap, int);
rc = sandbox_cfg_allow_openat_filename(cfg, fn, fr);
rc = sandbox_cfg_allow_openat_filename(cfg, fn);
if (rc) {
log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_openat_filename_array fail");
goto end;
@ -1121,7 +1246,7 @@ sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com)
{
sandbox_cfg_t *elem = NULL;
elem = new_element(SCMP_SYS(execve), 1, (intptr_t)(void *)tor_strdup(com));
elem = new_element(SCMP_SYS(execve), (intptr_t)(void *) com);
if (!elem) {
log_err(LD_BUG,"(Sandbox) failed to register parameter!");
return -1;
@ -1259,7 +1384,7 @@ add_noparam_filter(scmp_filter_ctx ctx)
// add general filters
for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i], 0);
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]);
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), "
"received libseccomp error %d", i, filter_nopar_gen[i], rc);
@ -1319,6 +1444,24 @@ install_syscall_filter(sandbox_cfg_t* cfg)
return (rc < 0 ? -rc : rc);
}
#include "linux_syscalls.inc"
static const char *
get_syscall_name(int syscall_num)
{
int i;
for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) {
if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num)
return SYSCALLS_BY_NUMBER[i].syscall_name;
}
{
static char syscall_name_buf[64];
format_dec_number_sigsafe(syscall_num,
syscall_name_buf, sizeof(syscall_name_buf));
return syscall_name_buf;
}
}
#ifdef USE_BACKTRACE
#define MAX_DEPTH 256
static void *syscall_cb_buf[MAX_DEPTH];
@ -1333,7 +1476,7 @@ static void
sigsys_debugging(int nr, siginfo_t *info, void *void_context)
{
ucontext_t *ctx = (ucontext_t *) (void_context);
char number[32];
const char *syscall_name;
int syscall;
#ifdef USE_BACKTRACE
int depth;
@ -1358,9 +1501,10 @@ sigsys_debugging(int nr, siginfo_t *info, void *void_context)
clean_backtrace(syscall_cb_buf, depth, ctx);
#endif
format_dec_number_sigsafe(syscall, number, sizeof(number));
syscall_name = get_syscall_name(syscall);
tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ",
number,
syscall_name,
")\n",
NULL);
@ -1421,7 +1565,8 @@ register_cfg(sandbox_cfg_t* cfg)
return 0;
}
for (elem = filter_dynamic; elem->next != NULL; elem = elem->next);
for (elem = filter_dynamic; elem->next != NULL; elem = elem->next)
;
elem->next = cfg;
@ -1450,6 +1595,11 @@ initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
return 0;
}
int
sandbox_is_active(void)
{
return sandbox_active != 0;
}
#endif // USE_LIBSECCOMP
sandbox_cfg_t*
@ -1485,10 +1635,9 @@ sandbox_init(sandbox_cfg_t *cfg)
#ifndef USE_LIBSECCOMP
int
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file,
int fr)
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
{
(void)cfg; (void)file; (void)fr;
(void)cfg; (void)file;
return 0;
}
@ -1500,10 +1649,9 @@ sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...)
}
int
sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file,
int fr)
sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
{
(void)cfg; (void)file; (void)fr;
(void)cfg; (void)file;
return 0;
}
@ -1529,10 +1677,9 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...)
}
int
sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file,
int fr)
sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
{
(void)cfg; (void)file; (void)fr;
(void)cfg; (void)file;
return 0;
}
@ -1542,5 +1689,18 @@ sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...)
(void)cfg;
return 0;
}
int
sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
{
(void)cfg; (void)file1; (void)file2;
return 0;
}
int
sandbox_is_active(void)
{
return 0;
}
#endif

65
src/common/sandbox.h
View File

@ -65,10 +65,10 @@ typedef struct smp_param {
/** syscall associated with parameter. */
int syscall;
/** parameter index. */
int pindex;
/** parameter value. */
intptr_t value;
/** parameter value, second argument. */
intptr_t value2;
/** parameter flag (0 = not protected, 1 = protected). */
int prot;
@ -85,7 +85,7 @@ struct sandbox_cfg_elem {
SB_IMPL implem;
/** Configuration parameter. */
void *param;
smp_param_t *param;
/** Next element of the configuration*/
struct sandbox_cfg_elem *next;
@ -167,81 +167,70 @@ sandbox_cfg_t * sandbox_cfg_new(void);
/**
* Function used to add a open allowed filename to a supplied configuration.
* The (char*) specifies the path to the allowed file, fr = 1 tells the
* function that the char* needs to be free-ed, 0 means the pointer does not
* need to be free-ed.
* The (char*) specifies the path to the allowed file; we take ownership
* of the pointer.
*/
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file,
int fr);
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file);
/**DOCDOC*/
int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2);
/** Function used to add a series of open allowed filenames to a supplied
* configuration.
* @param cfg sandbox configuration.
* @param ... all future parameters are specified as pairs of <(char*), 1 / 0>
* the char* specifies the path to the allowed file, 1 tells the function
* that the char* needs to be free-ed, 0 means the pointer does not need to
* be free-ed; the final parameter needs to be <NULL, 0>.
*/
* @param ... a list of stealable pointers to permitted files. The last
* one must be NULL.
*/
int sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...);
/**
* Function used to add a openat allowed filename to a supplied configuration.
* The (char*) specifies the path to the allowed file, fr = 1 tells the
* function that the char* needs to be free-ed, 0 means the pointer does not
* need to be free-ed.
* The (char*) specifies the path to the allowed file; we steal the pointer to
* that file.
*/
int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file,
int fr);
int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file);
/** Function used to add a series of openat allowed filenames to a supplied
* configuration.
* @param cfg sandbox configuration.
* @param ... all future parameters are specified as pairs of <(char*), 1 / 0>
* the char* specifies the path to the allowed file, 1 tells the function
* that the char* needs to be free-ed, 0 means the pointer does not need to
* be free-ed; the final parameter needs to be <NULL, 0>.
* @param ... a list of stealable pointers to permitted files. The last
* one must be NULL.
*/
int sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...);
/**
* Function used to add a execve allowed filename to a supplied configuration.
* The (char*) specifies the path to the allowed file, fr = 1 tells the
* function that the char* needs to be free-ed, 0 means the pointer does not
* need to be free-ed.
* The (char*) specifies the path to the allowed file; that pointer is stolen.
*/
int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com);
/** Function used to add a series of execve allowed filenames to a supplied
* configuration.
* @param cfg sandbox configuration.
* @param ... all future parameters are specified as pairs of <(char*), 1 / 0>
* the char* specifies the path to the allowed file, 1 tells the function
* that the char* needs to be free-ed, 0 means the pointer does not need to
* be free-ed; the final parameter needs to be <NULL, 0>.
* @param ... an array of stealable pointers to permitted files. The last
* one must be NULL.
*/
int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...);
/**
* Function used to add a stat/stat64 allowed filename to a configuration.
* The (char*) specifies the path to the allowed file, fr = 1 tells the
* function that the char* needs to be free-ed, 0 means the pointer does not
* need to be free-ed.
* The (char*) specifies the path to the allowed file; that pointer is stolen.
*/
int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file,
int fr);
int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file);
/** Function used to add a series of stat64 allowed filenames to a supplied
* configuration.
* @param cfg sandbox configuration.
* @param ... all future parameters are specified as pairs of <(char*), 1 / 0>
* the char* specifies the path to the allowed file, 1 tells the function
* that the char* needs to be free-ed, 0 means the pointer does not need to
* be free-ed; the final parameter needs to be <NULL, 0>.
* @param ... an array of stealable pointers to permitted files. The last
* one must be NULL.
*/
int sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...);
/** Function used to initialise a sandbox configuration.*/
int sandbox_init(sandbox_cfg_t* cfg);
/** Return true iff the sandbox is turned on. */
int sandbox_is_active(void);
#endif /* SANDBOX_H_ */

2
src/common/util.c
View File

@ -1830,6 +1830,7 @@ file_status(const char *fname)
int r;
f = tor_strdup(fname);
clean_name_for_stat(f);
log_debug(LD_FS, "stat()ing %s", f);
r = stat(sandbox_intern_string(f), &st);
tor_free(f);
if (r) {
@ -1880,6 +1881,7 @@ check_private_dir(const char *dirname, cpd_check_t check,
tor_assert(dirname);
f = tor_strdup(dirname);
clean_name_for_stat(f);
log_debug(LD_FS, "stat()ing %s", f);
r = stat(sandbox_intern_string(f), &st);
tor_free(f);
if (r) {

68
src/or/config.c
View File

@ -1,4 +1,4 @@
/* Copyright (c) 2001 Matej Pfajfar.
/* Copyright (c) 2001 Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2013, The Tor Project, Inc. */
@ -1043,12 +1043,18 @@ options_act_reversible(const or_options_t *old_options, char **msg)
if (running_tor) {
int n_ports=0;
/* We need to set the connection limit before we can open the listeners. */
if (set_max_file_descriptors((unsigned)options->ConnLimit,
&options->ConnLimit_) < 0) {
*msg = tor_strdup("Problem with ConnLimit value. See logs for details.");
goto rollback;
if (! sandbox_is_active()) {
if (set_max_file_descriptors((unsigned)options->ConnLimit,
&options->ConnLimit_) < 0) {
*msg = tor_strdup("Problem with ConnLimit value. "
"See logs for details.");
goto rollback;
}
set_conn_limit = 1;
} else {
tor_assert(old_options);
options->ConnLimit_ = old_options->ConnLimit_;
}
set_conn_limit = 1;
/* Set up libevent. (We need to do this before we can register the
* listeners as listeners.) */
@ -1132,11 +1138,13 @@ options_act_reversible(const or_options_t *old_options, char **msg)
if (!running_tor)
goto commit;
mark_logs_temp(); /* Close current logs once new logs are open. */
logs_marked = 1;
if (options_init_logs(options, 0)<0) { /* Configure the tor_log(s) */
*msg = tor_strdup("Failed to init Log options. See logs for details.");
goto rollback;
if (!sandbox_is_active()) {
mark_logs_temp(); /* Close current logs once new logs are open. */
logs_marked = 1;
if (options_init_logs(options, 0)<0) { /* Configure the tor_log(s) */
*msg = tor_strdup("Failed to init Log options. See logs for details.");
goto rollback;
}
}
commit:
@ -1486,8 +1494,9 @@ options_act(const or_options_t *old_options)
/* Write our PID to the PID file. If we do not have write permissions we
* will log a warning */
if (options->PidFile)
if (options->PidFile && !sandbox_is_active()) {
write_pidfile(options->PidFile);
}
/* Register addressmap directives */
config_register_addressmaps(options);
@ -3591,6 +3600,12 @@ options_transition_allowed(const or_options_t *old,
return -1;
}
if (old->Sandbox != new_val->Sandbox) {
*msg = tor_strdup("While Tor is running, changing Sandbox "
"is not allowed.");
return -1;
}
if (strcmp(old->DataDirectory,new_val->DataDirectory)!=0) {
tor_asprintf(msg,
"While Tor is running, changing DataDirectory "
@ -3643,6 +3658,32 @@ options_transition_allowed(const or_options_t *old,
return -1;
}
if (sandbox_is_active()) {
if (! opt_streq(old->PidFile, new_val->PidFile)) {
*msg = tor_strdup("Can't change PidFile while Sandbox is active");
return -1;
}
if (! config_lines_eq(old->Logs, new_val->Logs)) {
*msg = tor_strdup("Can't change Logs while Sandbox is active");
return -1;
}
if (old->ConnLimit != new_val->ConnLimit) {
*msg = tor_strdup("Can't change ConnLimit while Sandbox is active");
return -1;
}
if (! opt_streq(old->ServerDNSResolvConfFile,
new_val->ServerDNSResolvConfFile)) {
*msg = tor_strdup("Can't change ServerDNSResolvConfFile"
" while Sandbox is active");
return -1;
}
if (server_mode(old) != server_mode(new_val)) {
*msg = tor_strdup("Can't start/stop being a server while "
"Sandbox is active");
return -1;
}
}
return 0;
}
@ -6292,7 +6333,7 @@ write_configuration_file(const char *fname, const or_options_t *options)
++i;
}
log_notice(LD_CONFIG, "Renaming old configuration file to \"%s\"", fn_tmp);
if (rename(fname, fn_tmp) < 0) {
if (tor_rename(fname, fn_tmp) < 0) {//XXXX sandbox doesn't allow
log_warn(LD_FS,
"Couldn't rename configuration file \"%s\" to \"%s\": %s",
fname, fn_tmp, strerror(errno));
@ -6478,6 +6519,7 @@ remove_file_if_very_old(const char *fname, time_t now)
#define VERY_OLD_FILE_AGE (28*24*60*60)
struct stat st;
log_debug(LD_FS, "stat()ing %s", fname);
if (stat(sandbox_intern_string(fname), &st)==0 &&
st.st_mtime < now-VERY_OLD_FILE_AGE) {
char buf[ISO_TIME_LEN+1];

2
src/or/dns.c
View File

@ -1480,6 +1480,7 @@ configure_nameservers(int force)
evdns_set_log_fn(evdns_log_cb);
if (conf_fname) {
log_debug(LD_FS, "stat()ing %s", conf_fname);
if (stat(sandbox_intern_string(conf_fname), &st)) {
log_warn(LD_EXIT, "Unable to stat resolver configuration in '%s': %s",
conf_fname, strerror(errno));
@ -1497,6 +1498,7 @@ configure_nameservers(int force)
#if defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP)
if (flags & DNS_OPTION_HOSTSFILE) {
flags ^= DNS_OPTION_HOSTSFILE;
log_debug(LD_FS, "Loading /etc/hosts");
evdns_base_load_hosts(the_evdns_base,
sandbox_intern_string("/etc/hosts"));
}

167
src/or/main.c
View File

@ -2432,6 +2432,9 @@ tor_init(int argc, char *argv[])
return -1;
}
stream_choice_seed_weak_rng();
if (tor_init_libevent_rng() < 0) {
log_warn(LD_NET, "Problem initializing libevent RNG.");
}
return 0;
}
@ -2723,79 +2726,143 @@ init_addrinfo(void)
static sandbox_cfg_t*
sandbox_init_filter(void)
{
const or_options_t *options = get_options();
sandbox_cfg_t *cfg = sandbox_cfg_new();
int i;
sandbox_cfg_allow_openat_filename(&cfg,
get_datadir_fname("cached-status"), 1);
get_datadir_fname("cached-status"));
sandbox_cfg_allow_open_filename_array(&cfg,
get_datadir_fname("cached-certs"), 1,
get_datadir_fname("cached-certs.tmp"), 1,
get_datadir_fname("cached-consensus"), 1,
get_datadir_fname("unverified-consensus"), 1,
get_datadir_fname("unverified-consensus.tmp"), 1,
get_datadir_fname("cached-microdesc-consensus"), 1,
get_datadir_fname("cached-microdesc-consensus.tmp"), 1,
get_datadir_fname("cached-microdescs"), 1,
get_datadir_fname("cached-microdescs.tmp"), 1,
get_datadir_fname("cached-microdescs.new"), 1,
get_datadir_fname("cached-microdescs.new.tmp"), 1,
get_datadir_fname("unverified-microdesc-consensus"), 1,
get_datadir_fname("cached-descriptors"), 1,
get_datadir_fname("cached-descriptors.new"), 1,
get_datadir_fname("cached-descriptors.tmp"), 1,
get_datadir_fname("cached-descriptors.new.tmp"), 1,
get_datadir_fname("cached-descriptors.tmp.tmp"), 1,
get_datadir_fname("cached-extrainfo"), 1,
get_datadir_fname("state.tmp"), 1,
get_datadir_fname("unparseable-desc.tmp"), 1,
get_datadir_fname("unparseable-desc"), 1,
"/dev/srandom", 0,
"/dev/urandom", 0,
"/dev/random", 0,
get_datadir_fname("cached-certs"),
get_datadir_fname("cached-certs.tmp"),
get_datadir_fname("cached-consensus"),
get_datadir_fname("cached-consensus.tmp"),
get_datadir_fname("unverified-consensus"),
get_datadir_fname("unverified-consensus.tmp"),
get_datadir_fname("unverified-microdesc-consensus"),
get_datadir_fname("unverified-microdesc-consensus.tmp"),
get_datadir_fname("cached-microdesc-consensus"),
get_datadir_fname("cached-microdesc-consensus.tmp"),
get_datadir_fname("cached-microdescs"),
get_datadir_fname("cached-microdescs.tmp"),
get_datadir_fname("cached-microdescs.new"),
get_datadir_fname("cached-microdescs.new.tmp"),
get_datadir_fname("cached-descriptors"),
get_datadir_fname("cached-descriptors.new"),
get_datadir_fname("cached-descriptors.tmp"),
get_datadir_fname("cached-descriptors.new.tmp"),
get_datadir_fname("cached-descriptors.tmp.tmp"),
get_datadir_fname("cached-extrainfo"),
get_datadir_fname("cached-extrainfo.new"),
get_datadir_fname("cached-extrainfo.tmp"),
get_datadir_fname("cached-extrainfo.new.tmp"),
get_datadir_fname("cached-extrainfo.tmp.tmp"),
get_datadir_fname("state.tmp"),
get_datadir_fname("unparseable-desc.tmp"),
get_datadir_fname("unparseable-desc"),
get_datadir_fname("v3-status-votes"),
get_datadir_fname("v3-status-votes.tmp"),
tor_strdup("/dev/srandom"),
tor_strdup("/dev/urandom"),
tor_strdup("/dev/random"),
tor_strdup("/etc/hosts"),
NULL, 0
);
if (options->ServerDNSResolvConfFile)
sandbox_cfg_allow_open_filename(&cfg,
tor_strdup(options->ServerDNSResolvConfFile));
else
sandbox_cfg_allow_open_filename(&cfg, tor_strdup("/etc/resolv.conf"));
for (i = 0; i < 2; ++i) {
if (get_torrc_fname(i)) {
sandbox_cfg_allow_open_filename(&cfg, tor_strdup(get_torrc_fname(i)));
}
}
#define RENAME_SUFFIX(name, suffix) \
sandbox_cfg_allow_rename(&cfg, \
get_datadir_fname(name suffix), \
get_datadir_fname(name))
#define RENAME_SUFFIX2(prefix, name, suffix) \
sandbox_cfg_allow_rename(&cfg, \
get_datadir_fname2(prefix, name suffix), \
get_datadir_fname2(prefix, name))
RENAME_SUFFIX("cached-certs", ".tmp");
RENAME_SUFFIX("cached-consensus", ".tmp");
RENAME_SUFFIX("unverified-consensus", ".tmp");
RENAME_SUFFIX("unverified-microdesc-consensus", ".tmp");
RENAME_SUFFIX("cached-microdesc-consensus", ".tmp");
RENAME_SUFFIX("cached-microdescs", ".tmp");
RENAME_SUFFIX("cached-microdescs", ".new");
RENAME_SUFFIX("cached-microdescs.new", ".tmp");
RENAME_SUFFIX("cached-descriptors", ".tmp");
RENAME_SUFFIX("cached-descriptors", ".new");
RENAME_SUFFIX("cached-descriptors.new", ".tmp");
RENAME_SUFFIX("cached-extrainfo", ".tmp");
RENAME_SUFFIX("cached-extrainfo", ".new");
RENAME_SUFFIX("cached-extrainfo.new", ".tmp");
RENAME_SUFFIX("state", ".tmp");
RENAME_SUFFIX("unparseable-desc", ".tmp");
RENAME_SUFFIX("v3-status-votes", ".tmp");
sandbox_cfg_allow_stat_filename_array(&cfg,
get_datadir_fname(NULL), 1,
get_datadir_fname("lock"), 1,
get_datadir_fname("state"), 1,
get_datadir_fname("router-stability"), 1,
get_datadir_fname("cached-extrainfo.new"), 1,
get_datadir_fname(NULL),
get_datadir_fname("lock"),
get_datadir_fname("state"),
get_datadir_fname("router-stability"),
get_datadir_fname("cached-extrainfo.new"),
NULL, 0
);
// orport
if (server_mode(get_options())) {
sandbox_cfg_allow_open_filename_array(&cfg,
get_datadir_fname2("keys", "secret_id_key"), 1,
get_datadir_fname2("keys", "secret_onion_key"), 1,
get_datadir_fname2("keys", "secret_onion_key_ntor"), 1,
get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"), 1,
get_datadir_fname2("keys", "secret_id_key.old"), 1,
get_datadir_fname2("keys", "secret_onion_key.old"), 1,
get_datadir_fname2("keys", "secret_onion_key_ntor.old"), 1,
get_datadir_fname2("keys", "secret_onion_key.tmp"), 1,
get_datadir_fname2("keys", "secret_id_key.tmp"), 1,
get_datadir_fname("fingerprint"), 1,
get_datadir_fname("fingerprint.tmp"), 1,
get_datadir_fname("hashed-fingerprint"), 1,
get_datadir_fname("hashed-fingerprint.tmp"), 1,
get_datadir_fname("cached-consensus"), 1,
get_datadir_fname("cached-consensus.tmp"), 1,
"/etc/resolv.conf", 0,
get_datadir_fname2("keys", "secret_id_key"),
get_datadir_fname2("keys", "secret_onion_key"),
get_datadir_fname2("keys", "secret_onion_key_ntor"),
get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"),
get_datadir_fname2("keys", "secret_id_key.old"),
get_datadir_fname2("keys", "secret_onion_key.old"),
get_datadir_fname2("keys", "secret_onion_key_ntor.old"),
get_datadir_fname2("keys", "secret_onion_key.tmp"),
get_datadir_fname2("keys", "secret_id_key.tmp"),
get_datadir_fname("fingerprint"),
get_datadir_fname("fingerprint.tmp"),
get_datadir_fname("hashed-fingerprint"),
get_datadir_fname("hashed-fingerprint.tmp"),
get_datadir_fname("router-stability"),
get_datadir_fname("router-stability.tmp"),
tor_strdup("/etc/resolv.conf"),
NULL, 0
);
RENAME_SUFFIX("fingerprint", ".tmp");
RENAME_SUFFIX2("keys", "secret_onion_key_ntor", ".tmp");
RENAME_SUFFIX2("keys", "secret_id_key", ".tmp");
RENAME_SUFFIX2("keys", "secret_id_key.old", ".tmp");
RENAME_SUFFIX2("keys", "secret_onion_key", ".tmp");
RENAME_SUFFIX2("keys", "secret_onion_key.old", ".tmp");
RENAME_SUFFIX("hashed-fingerprint", ".tmp");
RENAME_SUFFIX("router-stability", ".tmp");
sandbox_cfg_allow_rename(&cfg,
get_datadir_fname2("keys", "secret_onion_key"),
get_datadir_fname2("keys", "secret_onion_key.old"));
sandbox_cfg_allow_rename(&cfg,
get_datadir_fname2("keys", "secret_onion_key_ntor"),
get_datadir_fname2("keys", "secret_onion_key_ntor.old"));
sandbox_cfg_allow_stat_filename_array(&cfg,
get_datadir_fname("keys"), 1,
get_datadir_fname("stats/dirreq-stats"), 1,
get_datadir_fname("keys"),
get_datadir_fname("stats/dirreq-stats"),
NULL, 0
);
}
sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");
init_addrinfo();
return cfg;

3
src/or/statefile.c
View File

@ -13,6 +13,7 @@
#include "hibernate.h"
#include "rephist.h"
#include "router.h"
#include "sandbox.h"
#include "statefile.h"
/** A list of state-file "abbreviations," for compatibility. */
@ -285,7 +286,7 @@ or_state_save_broken(char *fname)
log_warn(LD_BUG, "Unable to parse state in \"%s\". Moving it aside "
"to \"%s\". This could be a bug in Tor; please tell "
"the developers.", fname, fname2);
if (rename(fname, fname2) < 0) {
if (tor_rename(fname, fname2) < 0) {//XXXX sandbox prohibits
log_warn(LD_BUG, "Weirdly, I couldn't even move the state aside. The "
"OS gave an error of %s", strerror(errno));
}