integrated context for dynamic filters
This commit is contained in:
parent
3dfe1c0639
commit
626a2b23de
@ -228,12 +228,6 @@ prot_strdup(char* str)
|
|||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
sandbox_cfg_t*
|
|
||||||
sandbox_cfg_new()
|
|
||||||
{
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
int
|
||||||
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
|
sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
|
||||||
{
|
{
|
||||||
@ -253,7 +247,7 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
add_param_filter(scmp_filter_ctx ctx)
|
add_param_filter(scmp_filter_ctx ctx, sandbox_cfg_t* cfg)
|
||||||
{
|
{
|
||||||
int i, filter_size, rc = 0;
|
int i, filter_size, rc = 0;
|
||||||
sandbox_cfg_t *elem;
|
sandbox_cfg_t *elem;
|
||||||
@ -265,7 +259,8 @@ add_param_filter(scmp_filter_ctx ctx)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// for each dynamic parameter filters
|
// for each dynamic parameter filters
|
||||||
for (elem = filter_dynamic; elem != NULL; elem = elem->next) {
|
elem = (cfg == NULL) ? filter_dynamic : cfg;
|
||||||
|
for (; elem != NULL; elem = elem->next) {
|
||||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, elem->syscall, 1,
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, elem->syscall, 1,
|
||||||
SCMP_CMP(elem->pindex, SCMP_CMP_EQ, elem->param));
|
SCMP_CMP(elem->pindex, SCMP_CMP_EQ, elem->param));
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
@ -327,7 +322,7 @@ add_noparam_filter(scmp_filter_ctx ctx)
|
|||||||
* Returns 0 on success.
|
* Returns 0 on success.
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
install_glob_syscall_filter(void)
|
install_syscall_filter(sandbox_cfg_t* cfg)
|
||||||
{
|
{
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
scmp_filter_ctx ctx;
|
scmp_filter_ctx ctx;
|
||||||
@ -340,7 +335,7 @@ install_glob_syscall_filter(void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// add parameter filters
|
// add parameter filters
|
||||||
if ((rc = add_param_filter(ctx))) {
|
if ((rc = add_param_filter(ctx, cfg))) {
|
||||||
log_err(LD_BUG, "(Sandbox) failed to add param filters!");
|
log_err(LD_BUG, "(Sandbox) failed to add param filters!");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
@ -450,12 +445,12 @@ install_sigsys_debugging(void)
|
|||||||
* into account various available features for different linux flavours.
|
* into account various available features for different linux flavours.
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
initialise_libseccomp_sandbox(void)
|
initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
|
||||||
{
|
{
|
||||||
if (install_sigsys_debugging())
|
if (install_sigsys_debugging())
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (install_glob_syscall_filter())
|
if (install_syscall_filter(cfg))
|
||||||
return -2;
|
return -2;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
@ -463,6 +458,33 @@ initialise_libseccomp_sandbox(void)
|
|||||||
|
|
||||||
#endif // USE_LIBSECCOMP
|
#endif // USE_LIBSECCOMP
|
||||||
|
|
||||||
|
sandbox_cfg_t*
|
||||||
|
sandbox_cfg_new() {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
sandbox_init(sandbox_cfg_t* cfg)
|
||||||
|
{
|
||||||
|
#if defined(USE_LIBSECCOMP)
|
||||||
|
return initialise_libseccomp_sandbox(cfg);
|
||||||
|
|
||||||
|
#elif defined(_WIN32)
|
||||||
|
log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is "
|
||||||
|
"currently disabled.");
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
#elif defined(TARGET_OS_MAC)
|
||||||
|
log_warn(LD_BUG,"Mac OSX sandboxing is not implemented. The feature is "
|
||||||
|
"currently disabled");
|
||||||
|
return 0;
|
||||||
|
#else
|
||||||
|
log_warn(LD_BUG,"Sandboxing is not implemented for your platform. The "
|
||||||
|
"feature is currently disabled");
|
||||||
|
return 0;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Enables the stage 1 general sandbox. It applies a syscall filter which does
|
* Enables the stage 1 general sandbox. It applies a syscall filter which does
|
||||||
* not restrict any Tor features. The filter is representative for the whole
|
* not restrict any Tor features. The filter is representative for the whole
|
||||||
@ -473,7 +495,7 @@ tor_global_sandbox(void)
|
|||||||
{
|
{
|
||||||
|
|
||||||
#if defined(USE_LIBSECCOMP)
|
#if defined(USE_LIBSECCOMP)
|
||||||
return initialise_libseccomp_sandbox();
|
return initialise_libseccomp_sandbox(NULL);
|
||||||
|
|
||||||
#elif defined(_WIN32)
|
#elif defined(_WIN32)
|
||||||
log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is "
|
log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is "
|
||||||
|
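Review bot: In add_param_filter, `elem = (cfg == NULL) ? filter_dynamic : cfg;` makes a NULL cfg mean "use the global filter_dynamic list", yet sandbox_cfg_new() in this same commit also returns NULL for a freshly created, empty config, so a caller that passes an untouched config into sandbox_init() would get whatever rules are in filter_dynamic rather than none. Whether filter_dynamic still receives entries after this change cannot be seen here (the body of sandbox_cfg_allow_open_filename is outside the hunk), so this may be harmless today, but the overloaded sentinel should at least be spelled out: a comment on add_param_filter such as `/* cfg == NULL selects the process-wide filter_dynamic list; note that an empty config from sandbox_cfg_new() is also NULL. */`, and in tor_global_sandbox `return initialise_libseccomp_sandbox(NULL); /* NULL: use filter_dynamic */`. add_param_filter starts and ends outside this hunk. Separately, the relocated `sandbox_cfg_new() {` puts the brace on the signature line and uses an empty `()` where every other definition in the file writes `(void)` with the brace on its own line.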
@ -81,7 +81,10 @@ typedef struct pfd_elem sandbox_cfg_t;
|
|||||||
void sandbox_set_debugging_fd(int fd);
|
void sandbox_set_debugging_fd(int fd);
|
||||||
int tor_global_sandbox(void);
|
int tor_global_sandbox(void);
|
||||||
char* get_prot_param(char *param);
|
char* get_prot_param(char *param);
|
||||||
|
|
||||||
|
sandbox_cfg_t * sandbox_cfg_new();
|
||||||
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file);
|
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file);
|
||||||
|
int sandbox_init(sandbox_cfg_t* cfg);
|
||||||
|
|
||||||
#endif /* SANDBOX_H_ */
|
#endif /* SANDBOX_H_ */
|
||||||
|
|
||||||
|
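Review bot: The new prototype `sandbox_cfg_t * sandbox_cfg_new();` has an empty parameter list, which in C declares a function with unspecified arguments rather than one taking none, so a call with stray arguments would still compile; the existing style in this header (`int tor_global_sandbox(void);`) is the one to follow: `sandbox_cfg_t *sandbox_cfg_new(void);`. Both added declarations also lack the comment a caller needs. Something like `/** Returns a new, empty sandbox configuration (currently NULL); add rules with sandbox_cfg_allow_open_filename() and pass it to sandbox_init(). */` on the first, and `/** Installs the sandbox described by cfg. Returns 0 on success or when sandboxing is unsupported on this platform, non-zero on failure. */` on the second, matches what this commit's sandbox_init() visibly does.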
@ -2639,41 +2639,43 @@ find_flashcard_path(PWCHAR path, size_t size)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int
|
static sandbox_cfg_t*
|
||||||
sandbox_cfg_init_open()
|
sandbox_init_filter()
|
||||||
{
|
{
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_t *cfg = sandbox_cfg_new();
|
||||||
|
|
||||||
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-certs"));
|
get_datadir_fname("cached-certs"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-consensus"));
|
get_datadir_fname("cached-consensus"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("unverified-consensus"));
|
get_datadir_fname("unverified-consensus"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-microdesc-consensus"));
|
get_datadir_fname("cached-microdesc-consensus"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-microdesc-consensus.tmp"));
|
get_datadir_fname("cached-microdesc-consensus.tmp"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-microdescs"));
|
get_datadir_fname("cached-microdescs"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-microdescs.tmp"));
|
get_datadir_fname("cached-microdescs.tmp"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-microdescs.new"));
|
get_datadir_fname("cached-microdescs.new"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("unverified-microdesc-consensus"));
|
get_datadir_fname("unverified-microdesc-consensus"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-descriptors"));
|
get_datadir_fname("cached-descriptors"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-descriptors.new"));
|
get_datadir_fname("cached-descriptors.new"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("cached-extrainfo"));
|
get_datadir_fname("cached-extrainfo"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("state.tmp"));
|
get_datadir_fname("state.tmp"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("unparseable-desc.tmp"));
|
get_datadir_fname("unparseable-desc.tmp"));
|
||||||
sandbox_cfg_allow_open_filename(NULL,
|
sandbox_cfg_allow_open_filename(&cfg,
|
||||||
get_datadir_fname("unparseable-desc"));
|
get_datadir_fname("unparseable-desc"));
|
||||||
|
|
||||||
return 0;
|
return cfg;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Main entry point for the Tor process. Called from main(). */
|
/** Main entry point for the Tor process. Called from main(). */
|
||||||
@ -2744,10 +2746,9 @@ tor_main(int argc, char *argv[])
|
|||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (get_options()->Sandbox) {
|
if (get_options()->Sandbox) {
|
||||||
if (sandbox_cfg_init_open() < 0)
|
sandbox_cfg_t* cfg = sandbox_init_filter();
|
||||||
return -1;
|
|
||||||
|
|
||||||
if (tor_global_sandbox()) {
|
if (sandbox_init(cfg)) {
|
||||||
log_err(LD_BUG,"Failed to create syscall sandbox filter");
|
log_err(LD_BUG,"Failed to create syscall sandbox filter");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
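Review bot: sandbox_init_filter() discards the int result of every sandbox_cfg_allow_open_filename() call, and because it now returns the config pointer instead of a status, the old `if (sandbox_cfg_init_open() < 0) return -1;` guard in tor_main has no replacement — a rule that failed to be added is silently absent from the filter that is then installed. Returning NULL on failure is not an option either, since sandbox_cfg_new() returns NULL for an empty config, so the status needs its own channel. The version below keeps the file names in a table, checks each call (assuming the 0-on-success convention the other sandbox functions document), and hands the config back through an out-parameter; the caller becomes `sandbox_cfg_t *cfg = NULL; if (sandbox_init_filter(&cfg) < 0) return -1;` followed by the existing `sandbox_init(cfg)` check. Whether the string from get_datadir_fname() is owned by the config afterwards is not visible here and deserves a comment on sandbox_cfg_allow_open_filename.

```c
/* Builds the sandbox config for the datadir files Tor opens at runtime.
 * Returns 0 and stores the config in *cfg_out on success, -1 otherwise. */
static int
sandbox_init_filter(sandbox_cfg_t **cfg_out)
{
  static const char *const datadir_files[] = {
    "cached-certs", "cached-consensus", "unverified-consensus",
    /* … unchanged: the remaining file names from the original list … */
    "unparseable-desc",
  };
  sandbox_cfg_t *cfg = sandbox_cfg_new();
  size_t i;

  for (i = 0; i < sizeof(datadir_files) / sizeof(datadir_files[0]); ++i) {
    if (sandbox_cfg_allow_open_filename(&cfg,
                                        get_datadir_fname(datadir_files[i]))) {
      log_err(LD_BUG, "(Sandbox) failed to add an open() rule for %s",
              datadir_files[i]);
      return -1;
    }
  }

  *cfg_out = cfg;
  return 0;
}
```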