diff --git a/src/common/sandbox.c b/src/common/sandbox.c index a4afc36fb5..ce6b63c175 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -228,12 +228,6 @@ prot_strdup(char* str) return res; } -sandbox_cfg_t* -sandbox_cfg_new() -{ - return NULL; -} - int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file) { @@ -253,7 +247,7 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file) } static int -add_param_filter(scmp_filter_ctx ctx) +add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) { int i, filter_size, rc = 0; sandbox_cfg_t *elem; @@ -265,7 +259,8 @@ add_param_filter(scmp_filter_ctx ctx) } // for each dynamic parameter filters - for (elem = filter_dynamic; elem != NULL; elem = elem->next) { + elem = (cfg == NULL) ? filter_dynamic : cfg; + for (; elem != NULL; elem = elem->next) { rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, elem->syscall, 1, SCMP_CMP(elem->pindex, SCMP_CMP_EQ, elem->param)); if (rc != 0) { @@ -327,7 +322,7 @@ add_noparam_filter(scmp_filter_ctx ctx) * Returns 0 on success. */ static int -install_glob_syscall_filter(void) +install_syscall_filter(sandbox_cfg_t* cfg) { int rc = 0; scmp_filter_ctx ctx; @@ -340,7 +335,7 @@ install_glob_syscall_filter(void) } // add parameter filters - if ((rc = add_param_filter(ctx))) { + if ((rc = add_param_filter(ctx, cfg))) { log_err(LD_BUG, "(Sandbox) failed to add param filters!"); goto end; } @@ -450,12 +445,12 @@ install_sigsys_debugging(void) * into account various available features for different linux flavours. */ static int -initialise_libseccomp_sandbox(void) +initialise_libseccomp_sandbox(sandbox_cfg_t* cfg) { if (install_sigsys_debugging()) return -1; - if (install_glob_syscall_filter()) + if (install_syscall_filter(cfg)) return -2; return 0; 
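Review bot: The new `elem = (cfg == NULL) ? filter_dynamic : cfg;` in add_param_filter makes the two rule lists mutually exclusive: a non-NULL cfg causes every entry of the static filter_dynamic list to be skipped, and nothing diagnoses that. If any caller still registers rules through sandbox_cfg_allow_open_filename with a NULL cfg (the way the old main.c did) before sandbox_init(cfg) runs, those open() rules are silently absent from the installed filter; that function's NULL branch is not visible here, so this needs confirming. If cfg is meant to supersede the global list, say so above the line, `/* A caller-supplied cfg replaces, rather than extends, filter_dynamic. */`; if both are meant to apply, walk filter_dynamic first and then cfg. add_param_filter's body continues past the hunk.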
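Review bot: The doc comment above install_syscall_filter still ends at `Returns 0 on success.` and says nothing about the cfg parameter this hunk adds, whose NULL case changes which rule list is installed (see the add_param_filter hunk above). A line such as `cfg is the list of parameter filters to install; NULL selects the static filter_dynamic list.` would make the two call sites (sandbox_init and tor_global_sandbox) understandable without reading add_param_filter. install_syscall_filter's body continues past the hunk.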
@@ -463,6 +458,33 @@ initialise_libseccomp_sandbox(void) #endif // USE_LIBSECCOMP +sandbox_cfg_t* +sandbox_cfg_new() { + return NULL; +} + +int +sandbox_init(sandbox_cfg_t* cfg) +{ +#if defined(USE_LIBSECCOMP) + return initialise_libseccomp_sandbox(cfg); + +#elif defined(_WIN32) + log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is " + "currently disabled."); + return 0; + +#elif defined(TARGET_OS_MAC) + log_warn(LD_BUG,"Mac OSX sandboxing is not implemented. The feature is " + "currently disabled"); + return 0; +#else + log_warn(LD_BUG,"Sandboxing is not implemented for your platform. The " + "feature is currently disabled"); + return 0; +#endif +} + /** * Enables the stage 1 general sandbox. It applies a syscall filter which does * not restrict any Tor features. The filter is representative for the whole @@ -473,7 +495,7 @@ tor_global_sandbox(void) { #if defined(USE_LIBSECCOMP) - return initialise_libseccomp_sandbox(); + return initialise_libseccomp_sandbox(NULL); #elif defined(_WIN32) log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is " diff --git a/src/common/sandbox.h b/src/common/sandbox.h index 2cb8ab8806..c6d80659e3 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -81,7 +81,10 @@ typedef struct pfd_elem sandbox_cfg_t; void sandbox_set_debugging_fd(int fd); int tor_global_sandbox(void); char* get_prot_param(char *param); + +sandbox_cfg_t * sandbox_cfg_new(); int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file); +int sandbox_init(sandbox_cfg_t* cfg); #endif /* SANDBOX_H_ */ diff --git a/src/or/main.c b/src/or/main.c index 8bcf9277e7..978c17127c 100644 --- a/src/or/main.c +++ b/src/or/main.c 
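Review bot: On the `_WIN32`, `TARGET_OS_MAC` and fallback branches sandbox_init returns 0 after logging that sandboxing is disabled, so an operator who set `Sandbox 1` gets a process that reports success and runs with no sandbox at all; tor_main's `if (sandbox_init(cfg))` check cannot tell this apart from a working filter. That mirrors the existing tor_global_sandbox behaviour visible in the next hunk, but since this is now the entry point for an explicitly requested feature, consider failing closed (`return -1;` on those branches) or at least stating the fail-open in a doc comment on sandbox_init so callers know. Separately, `sandbox_cfg_new()` is defined with empty parentheses, which in C is a non-prototype declaration rather than a zero-argument one; it should be `sandbox_cfg_new(void)` here and in the header. A short comment on sandbox_init saying that cfg may be NULL (the libseccomp path then uses the global filter_dynamic list) would also help.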
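Review bot: tor_global_sandbox now differs from sandbox_init only in passing NULL, yet keeps its own copy of the platform `log_warn` branches, which will drift the next time a message or platform is touched. Replacing its body with `return sandbox_init(NULL);` leaves one set of platform branches to maintain. tor_global_sandbox's body continues past the hunk.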
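Review bot: The two new public declarations carry no documentation, and the header is where callers will look for the contract: whether sandbox_init accepts NULL (the .c side treats NULL as "use the global filter list"), whether it consumes or retains cfg, and that it must run after all sandbox_cfg_allow_open_filename calls. Suggested comments: `/** Create an empty sandbox configuration; add rules with sandbox_cfg_allow_open_filename(). */` above sandbox_cfg_new, and `/** Install the syscall filter described by cfg (NULL selects the global filter list). Returns 0 on success, non-zero on failure. */` above sandbox_init. `sandbox_cfg_t * sandbox_cfg_new();` should also be prototyped as `sandbox_cfg_new(void)` so the compiler checks calls.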
@@ -2639,41 +2639,43 @@ find_flashcard_path(PWCHAR path, size_t size) } #endif -static int -sandbox_cfg_init_open() +static sandbox_cfg_t* +sandbox_init_filter() { - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_t *cfg = sandbox_cfg_new(); + + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-consensus")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unverified-consensus")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdesc-consensus")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdesc-consensus.tmp")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs.tmp")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs.new")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unverified-microdesc-consensus")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors.new")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-extrainfo")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("state.tmp")); - sandbox_cfg_allow_open_filename(NULL, + sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc.tmp")); - sandbox_cfg_allow_open_filename(NULL, + 
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc")); - return 0; + return cfg; } /** Main entry point for the Tor process. Called from main(). */ @@ -2744,10 +2746,9 @@ tor_main(int argc, char *argv[]) return -1; if (get_options()->Sandbox) { - if (sandbox_cfg_init_open() < 0) - return -1; + sandbox_cfg_t* cfg = sandbox_init_filter(); - if (tor_global_sandbox()) { + if (sandbox_init(cfg)) { log_err(LD_BUG,"Failed to create syscall sandbox filter"); return -1; }
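Review bot: sandbox_init_filter discards the int result of all fifteen sandbox_cfg_allow_open_filename calls, so a registration that fails leaves cfg without that open() rule and the filter is still installed; the old `sandbox_cfg_init_open() < 0` check in tor_main is removed by this diff with nothing replacing it. The failure also cannot be reported back, because the function now returns only the cfg pointer, and a NULL cfg is treated by add_param_filter (earlier in this diff) as "use the global list" rather than as an error. I would table the file names and check each call (assuming the usual 0-on-success convention), returning NULL on failure, with the caller then treating NULL as fatal instead of passing it on; the empty parameter list should also become `sandbox_init_filter(void)`. Whether sandbox_cfg_allow_open_filename takes ownership of the get_datadir_fname() string is not visible here; if it does not, each of these allocations is leaked.
```c
static sandbox_cfg_t*
sandbox_init_filter(void)
{
  static const char *const datadir_files[] = {
    "cached-certs", "cached-consensus", "unverified-consensus",
    /* … unchanged: the remaining twelve data-directory file names … */
  };
  sandbox_cfg_t *cfg = sandbox_cfg_new();
  size_t i;

  for (i = 0; i < sizeof(datadir_files) / sizeof(datadir_files[0]); ++i) {
    if (sandbox_cfg_allow_open_filename(&cfg,
                                        get_datadir_fname(datadir_files[i]))) {
      log_err(LD_BUG, "Failed to add %s to the sandbox filter",
              datadir_files[i]);
      return NULL;
    }
  }
  return cfg;
}
```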
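Review bot: The cfg returned by sandbox_init_filter() is handed to sandbox_init without being examined, and on the libseccomp path a NULL cfg is not an error but the signal to fall back to the static filter_dynamic list (the add_param_filter hunk earlier in this diff). Should the builder ever return NULL, the process installs a filter that lacks the data-directory open() rules and the `Failed to create syscall sandbox filter` error never fires. A guard such as `if (!cfg) { log_err(LD_BUG, "Failed to build sandbox filter"); return -1; }` before the sandbox_init call closes that gap once sandbox_init_filter reports failure by returning NULL. Whether the cfg list needs freeing after sandbox_init, or must stay alive for the lifetime of the filter, is not visible here and is worth a comment at this call site.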