mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 20:33:31 +01:00
prop224: Sandbox support for service
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
parent
848e701f55
commit
5d2506d70c
@ -124,8 +124,10 @@ cache_store_v3_as_dir(hs_cache_dir_descriptor_t *desc)
|
|||||||
if (cache_entry->plaintext_data->revision_counter >=
|
if (cache_entry->plaintext_data->revision_counter >=
|
||||||
desc->plaintext_data->revision_counter) {
|
desc->plaintext_data->revision_counter) {
|
||||||
log_info(LD_REND, "Descriptor revision counter in our cache is "
|
log_info(LD_REND, "Descriptor revision counter in our cache is "
|
||||||
"greater or equal than the one we received. "
|
"greater or equal than the one we received (%d/%d). "
|
||||||
"Rejecting!");
|
"Rejecting!",
|
||||||
|
(int)cache_entry->plaintext_data->revision_counter,
|
||||||
|
(int)desc->plaintext_data->revision_counter);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
/* We now know that the descriptor we just received is a new one so
|
/* We now know that the descriptor we just received is a new one so
|
||||||
|
@ -2360,10 +2360,56 @@ consider_hsdir_retry(const hs_service_t *service,
|
|||||||
smartlist_free(responsible_dirs);
|
smartlist_free(responsible_dirs);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Add to list every filename used by service. This is used by the sandbox
|
||||||
|
* subsystem. */
|
||||||
|
static void
|
||||||
|
service_add_fnames_to_list(const hs_service_t *service, smartlist_t *list)
|
||||||
|
{
|
||||||
|
const char *s_dir;
|
||||||
|
char fname[128] = {0};
|
||||||
|
|
||||||
|
tor_assert(service);
|
||||||
|
tor_assert(list);
|
||||||
|
|
||||||
|
/* Ease our life. */
|
||||||
|
s_dir = service->config.directory_path;
|
||||||
|
/* The hostname file. */
|
||||||
|
smartlist_add(list, hs_path_from_filename(s_dir, fname_hostname));
|
||||||
|
/* The key files splitted in two. */
|
||||||
|
tor_snprintf(fname, sizeof(fname), "%s_secret_key", fname_keyfile_prefix);
|
||||||
|
smartlist_add(list, hs_path_from_filename(s_dir, fname));
|
||||||
|
tor_snprintf(fname, sizeof(fname), "%s_public_key", fname_keyfile_prefix);
|
||||||
|
smartlist_add(list, hs_path_from_filename(s_dir, fname));
|
||||||
|
}
|
||||||
|
|
||||||
/* ========== */
|
/* ========== */
|
||||||
/* Public API */
|
/* Public API */
|
||||||
/* ========== */
|
/* ========== */
|
||||||
|
|
||||||
|
/* Add to file_list every filename used by a configured hidden service, and to
|
||||||
|
* dir_list every directory path used by a configured hidden service. This is
|
||||||
|
* used by the sandbox subsystem to whitelist those. */
|
||||||
|
void
|
||||||
|
hs_service_lists_fnames_for_sandbox(smartlist_t *file_list,
|
||||||
|
smartlist_t *dir_list)
|
||||||
|
{
|
||||||
|
tor_assert(file_list);
|
||||||
|
tor_assert(dir_list);
|
||||||
|
|
||||||
|
/* Add files and dirs for legacy services. */
|
||||||
|
rend_services_add_filenames_to_lists(file_list, dir_list);
|
||||||
|
|
||||||
|
/* Add files and dirs for v3+. */
|
||||||
|
FOR_EACH_SERVICE_BEGIN(service) {
|
||||||
|
/* Skip ephemeral service, they don't touch the disk. */
|
||||||
|
if (service->config.is_ephemeral) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
service_add_fnames_to_list(service, file_list);
|
||||||
|
smartlist_add_strdup(dir_list, service->config.directory_path);
|
||||||
|
} FOR_EACH_DESCRIPTOR_END;
|
||||||
|
}
|
||||||
|
|
||||||
/* Called when our internal view of the directory has changed. We might have
|
/* Called when our internal view of the directory has changed. We might have
|
||||||
* new descriptors for hidden service directories that we didn't have before
|
* new descriptors for hidden service directories that we didn't have before
|
||||||
* so try them if it's the case. */
|
* so try them if it's the case. */
|
||||||
|
@ -254,6 +254,8 @@ void hs_service_free(hs_service_t *service);
|
|||||||
|
|
||||||
void hs_service_stage_services(const smartlist_t *service_list);
|
void hs_service_stage_services(const smartlist_t *service_list);
|
||||||
int hs_service_load_all_keys(void);
|
int hs_service_load_all_keys(void);
|
||||||
|
void hs_service_lists_fnames_for_sandbox(smartlist_t *file_list,
|
||||||
|
smartlist_t *dir_list);
|
||||||
|
|
||||||
void hs_service_dir_info_changed(void);
|
void hs_service_dir_info_changed(void);
|
||||||
void hs_service_run_scheduled_events(time_t now);
|
void hs_service_run_scheduled_events(time_t now);
|
||||||
|
@ -3572,7 +3572,7 @@ sandbox_init_filter(void)
|
|||||||
{
|
{
|
||||||
smartlist_t *files = smartlist_new();
|
smartlist_t *files = smartlist_new();
|
||||||
smartlist_t *dirs = smartlist_new();
|
smartlist_t *dirs = smartlist_new();
|
||||||
rend_services_add_filenames_to_lists(files, dirs);
|
hs_service_lists_fnames_for_sandbox(files, dirs);
|
||||||
SMARTLIST_FOREACH(files, char *, file_name, {
|
SMARTLIST_FOREACH(files, char *, file_name, {
|
||||||
char *tmp_name = NULL;
|
char *tmp_name = NULL;
|
||||||
tor_asprintf(&tmp_name, "%s.tmp", file_name);
|
tor_asprintf(&tmp_name, "%s.tmp", file_name);
|
||||||
@ -3581,6 +3581,7 @@ sandbox_init_filter(void)
|
|||||||
/* steals references */
|
/* steals references */
|
||||||
sandbox_cfg_allow_open_filename(&cfg, file_name);
|
sandbox_cfg_allow_open_filename(&cfg, file_name);
|
||||||
sandbox_cfg_allow_open_filename(&cfg, tmp_name);
|
sandbox_cfg_allow_open_filename(&cfg, tmp_name);
|
||||||
|
tor_free(file_name);
|
||||||
});
|
});
|
||||||
SMARTLIST_FOREACH(dirs, char *, dir, {
|
SMARTLIST_FOREACH(dirs, char *, dir, {
|
||||||
/* steals reference */
|
/* steals reference */
|
||||||
|
Loading…
Reference in New Issue
Block a user