diff --git a/src/common/compat.c b/src/common/compat.c
index 5b153674ef..47b65d3560 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -125,7 +125,7 @@ tor_open_cloexec(const char *path, int flags, unsigned mode)
 {
 int fd;
 #ifdef O_CLOEXEC
- path = get_prot_param(path);
+ path = sandbox_intern_string(path);
 fd = open(path, flags|O_CLOEXEC, mode);
 if (fd >= 0)
 return fd;
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 4a3faa47cd..2e8467d7c1 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -49,6 +49,10 @@ static sandbox_static_cfg_t filter_static[] = {
 #endif
 {SCMP_SYS(rt_sigaction), PARAM_NUM, 0, (intptr_t)(SIGCHLD), 0},
 {SCMP_SYS(time), PARAM_NUM, 0, 0, 0},
+
+#ifdef __NR_socketcall
+ {SCMP_SYS(socketcall), PARAM_NUM, 0, 18, 0}, // accept4 workaround
+#endif
 };
 /** Variable used for storing all syscall numbers that will be allowed with the
@@ -136,7 +140,7 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(exit),
 // socket syscalls
- SCMP_SYS(accept4),
+// SCMP_SYS(accept4),
 SCMP_SYS(bind),
 SCMP_SYS(connect),
 SCMP_SYS(getsockname),
@@ -149,17 +153,12 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(setsockopt),
 SCMP_SYS(socket),
 SCMP_SYS(socketpair),
-
-#ifdef __NR_socketcall
-// SCMP_SYS(socketcall),
-#endif
-
 SCMP_SYS(recvfrom),
 SCMP_SYS(unlink),
 };
-char*
-get_prot_param(char *param)
+const char*
+sandbox_intern_string(char *param)
 {
 int i, filter_size;
 sandbox_cfg_t *elem;
diff --git a/src/common/sandbox.h b/src/common/sandbox.h
index c6d80659e3..9acf8c4a97 100644
--- a/src/common/sandbox.h
+++ b/src/common/sandbox.h
@@ -80,7 +80,7 @@ typedef struct pfd_elem sandbox_cfg_t;
 void sandbox_set_debugging_fd(int fd);
 int tor_global_sandbox(void);
-char* get_prot_param(char *param);
+const char* sandbox_intern_string(char *param);
 sandbox_cfg_t * sandbox_cfg_new();
 int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file);
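Review bot: The literal `18` in the new `socketcall` entry of `filter_static` (sandbox.c, hunk at -49,6) is a magic number. It is the socketcall sub-call code for accept4, which `<linux/net.h>` names `SYS_ACCEPT4`, so the entry reads better as `{SCMP_SYS(socketcall), PARAM_NUM, 0, SYS_ACCEPT4, 0},`; whether that header is already included is not visible here. Assuming the third and fourth fields are the argument index and the required value, the rule pins only the multiplexer's call number. The actual accept4 arguments sit behind a user-space pointer that a seccomp filter cannot inspect, and the comment could say that instead of `// accept4 workaround`. The array starts outside the hunk.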
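Review bot: `SCMP_SYS(accept4)` is taken out of `filter_nopar_gen` unconditionally (sandbox.c, hunk at -136,7), while the rule that replaces it in `filter_static` is compiled only under `#ifdef __NR_socketcall`. On a target where that macro is undefined, or where accept4 is a direct syscall rather than a socketcall sub-call, neither list would permit it, and accepting a connection would presumably be refused by the filter. Consider keeping the entry for those targets, for instance `#ifndef __NR_socketcall` / `SCMP_SYS(accept4),` / `#endif`; the right guard depends on whether an included header defines `__NR_socketcall` everywhere, which is not visible here. The line should also be deleted rather than left commented out as `// SCMP_SYS(accept4),`.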
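Review bot: `sandbox_intern_string` now returns `const char*` but still takes `char *param` (sandbox.c, hunk at -149,17, and the prototype in sandbox.h), while the caller in compat.c passes `tor_open_cloexec`'s `const char *path`, so the call discards a qualifier. Unless the body, which continues outside this hunk, writes through `param`, declare it as `const char *sandbox_intern_string(const char *param)` in both places. The renamed definition also has no doc comment; one stating which pointer is returned for a registered string and which for an unregistered one would help, since the open() filter apparently relies on callers passing the returned pointer.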