nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-12-03 17:13:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

sandbox: Filter "fchownat" on systems using generic syscalls

Browse Source 
On architectures that use Linux's generic syscall interface the legacy "chown"
call is not available; on these systems glibc uses "fchownat" instead.  Modify
the sandbox implementation to match.
This commit is contained in:
Simon South 2021-09-06 09:22:46 -04:00
parent da6b55b6f4
commit 6a004380c9
1 changed files with 34 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
src/lib/sandbox/sandbox.c
View File

@ -654,7 +654,33 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
} }
#endif /* defined(ARCH_USES_GENERIC_SYSCALLS) */ #endif /* defined(ARCH_USES_GENERIC_SYSCALLS) */
#ifdef __i386__ #if defined(ARCH_USES_GENERIC_SYSCALLS)
static int
sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc;
sandbox_cfg_t *elem = NULL;
// for each dynamic parameter filters
for (elem = filter; elem != NULL; elem = elem->next) {
smp_param_t *param = elem->param;
if (param != NULL && param->prot == 1 && param->syscall
== SCMP_SYS(fchownat)) {
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
"libseccomp error %d", rc);
return rc;
}
}
}
return 0;
}
#elif defined(__i386__)
static int static int
sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter) sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{ {
@ -704,33 +730,7 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return 0; return 0;
} }
#endif /* defined(__i386__) */ #endif /* defined(ARCH_USES_GENERIC_SYSCALLS) || defined(__i386__) */
static int
sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
int rc;
sandbox_cfg_t *elem = NULL;
// for each dynamic parameter filters
for (elem = filter; elem != NULL; elem = elem->next) {
smp_param_t *param = elem->param;
if (param != NULL && param->prot == 1 && param->syscall
== SCMP_SYS(fchownat)) {
rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
"libseccomp error %d", rc);
return rc;
}
}
}
return 0;
}
#if defined(__NR_rename) #if defined(__NR_rename)
/** /**
@ -1481,12 +1481,13 @@ static sandbox_filter_func_t filter_func[] = {
#ifdef __NR_mmap2 #ifdef __NR_mmap2
sb_mmap2, sb_mmap2,
#endif #endif
#ifdef __i386__ #if defined(ARCH_USES_GENERIC_SYSCALLS)
sb_fchownat,
#elif defined(__i386__)
sb_chown32, sb_chown32,
#else #else
sb_chown, sb_chown,
#endif #endif
sb_fchownat,
#if defined(ARCH_USES_GENERIC_SYSCALLS) #if defined(ARCH_USES_GENERIC_SYSCALLS)
sb_fchmodat, sb_fchmodat,
#else #else
@ -1772,10 +1773,10 @@ new_element(int syscall, char *value)
return new_element2(syscall, value, NULL); return new_element2(syscall, value, NULL);
} }
#ifdef __i386__ #if defined(ARCH_USES_GENERIC_SYSCALLS)
#define SCMP_chown SCMP_SYS(chown32)
#elif defined(__aarch64__) && defined(__LP64__)
#define SCMP_chown SCMP_SYS(fchownat) #define SCMP_chown SCMP_SYS(fchownat)
#elif defined(__i386__)
#define SCMP_chown SCMP_SYS(chown32)
#else #else
#define SCMP_chown SCMP_SYS(chown) #define SCMP_chown SCMP_SYS(chown)
#endif #endif