orport progress (not functional), nickm suggested fixes
parent
a960e56c68
commit
b3a8c08a92
@ -50,6 +50,7 @@ static sandbox_cfg_t *filter_dynamic = NULL;
|
||||
* stage 1 general Tor sandbox.
|
||||
*/
|
||||
static int filter_nopar_gen[] = {
|
||||
SCMP_SYS(access),
|
||||
SCMP_SYS(brk),
|
||||
SCMP_SYS(close),
|
||||
SCMP_SYS(clone),
|
||||
@ -90,23 +91,22 @@ static int filter_nopar_gen[] = {
|
||||
SCMP_SYS(read),
|
||||
SCMP_SYS(rename),
|
||||
SCMP_SYS(rt_sigreturn),
|
||||
SCMP_SYS(set_robust_list),
|
||||
#ifdef __NR_sigreturn
|
||||
SCMP_SYS(sigreturn),
|
||||
#endif
|
||||
SCMP_SYS(stat),
|
||||
#ifdef __NR_stat64
|
||||
SCMP_SYS(stat64),
|
||||
SCMP_SYS(stat64), // TODO
|
||||
#endif
|
||||
SCMP_SYS(uname),
|
||||
SCMP_SYS(write),
|
||||
SCMP_SYS(exit_group),
|
||||
SCMP_SYS(exit),
|
||||
|
||||
// Not needed..
|
||||
// SCMP_SYS(access),
|
||||
// SCMP_SYS(set_robust_list),
|
||||
// SCMP_SYS(set_thread_area),
|
||||
// SCMP_SYS(set_tid_address),
|
||||
// SCMP_SYS(uname),
|
||||
|
||||
// socket syscalls
|
||||
SCMP_SYS(bind),
|
||||
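Review bot: The `// Not needed..` block lists `access`, `set_robust_list` and `uname` as unnecessary while the live `filter_nopar_gen` array in the same hunk still allows all three unconditionally, so one of the two statements is wrong and a later maintainer cannot tell which. Whichever side of the diff each lands on (the rendering does not show it), either drop the commented-out entries as dead code or drop the live entries and leave a comment naming the caller that needs each one. `SCMP_SYS(stat64), // TODO` says nothing about what is left to do; replace it with the actual question, e.g. `SCMP_SYS(stat64), // TODO: confirm needed on this arch, or move to a parameterised filter`. The array starts in the previous hunk and continues past this one.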
@ -201,6 +201,34 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
return rc;
|
||||
}
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
|
||||
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
|
||||
SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK));
|
||||
if (rc) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
|
||||
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
|
||||
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE));
|
||||
if (rc) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
|
||||
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE),
|
||||
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS));
|
||||
if (rc) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
|
||||
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC),
|
||||
SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE));
|
||||
if (rc) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
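Review bot: None of the four new mmap2 allow-rules says which caller needs that exact prot/flags combination, and since the rules use SCMP_CMP_EQ on both arguments the list is only auditable if each entry records its reason; the PROT_READ|PROT_EXEC with MAP_PRIVATE|MAP_DENYWRITE one in particular deserves a line such as `/* read+exec file mapping: needed by <caller, TODO confirm> */` because it is the rule that permits executable mappings. The bare `if (rc) { return rc; }` after each rule drops the libseccomp error code silently, whereas sb_open in this same commit logs it with log_err(LD_BUG, ...); pick one convention. Style: `SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK` is missing the space after the comma that the other three rules have. sb_mmap2's signature and the start of its body are before this hunk.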
@ -225,6 +253,24 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
}
|
||||
}
|
||||
|
||||
// todo remove when libevent fix
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
|
||||
SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY));
|
||||
if (rc != 0) {
|
||||
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
|
||||
"error %d", rc);
|
||||
return rc;
|
||||
}
|
||||
|
||||
// problem: required by getaddrinfo
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
|
||||
SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC));
|
||||
if (rc != 0) {
|
||||
log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
|
||||
"error %d", rc);
|
||||
return rc;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
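Review bot: The two new rules allow open() of any path as long as the flags are exactly `O_RDONLY` or `O_RDONLY|O_CLOEXEC`, which bypasses the per-filename allowlist the rest of sb_open builds, so every file readable by the process becomes openable inside the sandbox. The comments mark them as workarounds for libevent and getaddrinfo; they should cite the tracking issue and be made hard to ship by accident, e.g. `// XXX temporary: unrestricted read-only open() for libevent/getaddrinfo; remove when fixed (ticket #<PLACEHOLDER>)`. The two blocks differ only in the flag value and could be one loop over a two-element array of allowed flags sharing a single log_err, and if the `/etc/resolv.conf` allowlist entry added later in this commit is what getaddrinfo actually needs, that would let the second rule go now. sb_open's body begins before this hunk.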
@ -315,6 +361,17 @@ sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
|
||||
SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2,
|
||||
SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
|
||||
SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
@ -373,12 +430,14 @@ sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1,
|
||||
SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* does not NEED tobe here.. only occurs before filter
|
||||
*/
|
||||
static int
|
||||
sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
{
|
||||
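Review bot: The comment `does not NEED tobe here.. only occurs before filter` above sb_rt_sigprocmask (repeated verbatim above sb_futex in a later hunk) contradicts the rules the function installs: if the syscall really is only issued before the filter is activated, the rules are dead and should go; if it can occur afterwards, the comment is wrong and invites someone to delete a needed rule. State which holds, e.g. `/** Allow rt_sigprocmask(SIG_SETMASK, ...); observed after sandbox activation -- TODO confirm */`, and fix the typo `tobe`. The rendering does not show whether these comment lines are new or context, so this applies only if they are part of the change. The new PROT_NONE mprotect rule is fine but would benefit from a one-line reason, e.g. `// PROT_NONE: TODO name the caller (guard pages?)`.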
@ -389,6 +448,11 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1,
|
||||
SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -408,20 +472,28 @@ sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* does not NEED tobe here.. only occurs before filter
|
||||
*/
|
||||
static int
|
||||
sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
||||
{
|
||||
int rc = 0;
|
||||
|
||||
// can remove
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
|
||||
SCMP_CMP(1, SCMP_CMP_EQ,
|
||||
FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
|
||||
SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1,
|
||||
SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
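Review bot: `// can remove` sits directly above a futex rule the function installs, so a reader cannot tell whether `FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME` is required or a leftover to be deleted; either remove the rule or replace the comment with the reason it is kept, e.g. `// FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME: presumably timed waits -- TODO confirm caller`. The same applies to the two rules that follow, which have no comment at all. `int rc = 0;` is overwritten by the first assignment and could be `int rc;` or the initialisation folded into the first call, matching sb_mprotect above.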
@ -605,14 +677,8 @@ add_noparam_filter(scmp_filter_ctx ctx)
|
||||
{
|
||||
int i, filter_size, rc = 0;
|
||||
|
||||
if (filter_nopar_gen != NULL) {
|
||||
filter_size = sizeof(filter_nopar_gen) / sizeof(filter_nopar_gen[0]);
|
||||
} else {
|
||||
filter_size = 0;
|
||||
}
|
||||
|
||||
// add general filters
|
||||
for (i = 0; i < filter_size; i++) {
|
||||
for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) {
|
||||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i], 0);
|
||||
if (rc != 0) {
|
||||
log_err(LD_BUG,"(Sandbox) failed to add syscall index %d, "
|
||||
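Review bot: With the `if (filter_nopar_gen != NULL)` block gone, `filter_size` in `int i, filter_size, rc = 0;` is declared but never used, and `i` (an `int`) is now compared against `ARRAY_LENGTH(filter_nopar_gen)`, which is `size_t`-valued, so -Wsign-compare will warn. Change the declaration to `int rc = 0;` and `unsigned i;` (the `%d` in the log_err below, which continues past the hunk, would then want a cast or `%u`). The removed NULL check was dead anyway, since a static array's address is never NULL, so the simplification itself is right. add_noparam_filter's signature is before this hunk and its body continues after it.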
|
@ -571,6 +571,8 @@ spawn_enough_cpuworkers(void)
|
||||
if (num_cpuworkers_needed > MAX_CPUWORKERS)
|
||||
num_cpuworkers_needed = MAX_CPUWORKERS;
|
||||
|
||||
getchar();
|
||||
|
||||
while (num_cpuworkers < num_cpuworkers_needed) {
|
||||
if (spawn_cpuworker() < 0) {
|
||||
log_warn(LD_GENERAL,"Cpuworker spawn failed. Will try again later.");
|
||||
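Review bot: `getchar();` in spawn_enough_cpuworkers is a debugging pause: it blocks the daemon on stdin before any cpuworker is spawned, and when stdin is closed or redirected to /dev/null it just returns EOF, so in neither case does it belong in the patch. Remove the line and the blank added with it. If the pause was used to hold the process while attaching a debugger, say so in the commit message instead of leaving it in code; the title already flags the change as not functional.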
|
@ -2645,23 +2645,18 @@ sandbox_init_filter()
|
||||
sandbox_cfg_t *cfg = sandbox_cfg_new();
|
||||
|
||||
// TODO: mem leak
|
||||
sandbox_cfg_allow_openat_filename(&cfg,
|
||||
get_datadir_fname("cached-status"));
|
||||
sandbox_cfg_allow_openat_filename(&cfg, get_datadir_fname("cached-status"));
|
||||
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-certs"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-certs.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-consensus"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-certs.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-consensus"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("unverified-consensus"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-microdesc-consensus"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-microdesc-consensus.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-microdescs"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-microdescs"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-microdescs.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
@ -2670,18 +2665,36 @@ sandbox_init_filter()
|
||||
get_datadir_fname("cached-microdescs.new.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("unverified-microdesc-consensus"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-descriptors"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-descriptors.new"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("cached-extrainfo"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("state.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-extrainfo"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("state.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("unparseable-desc.tmp"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname("unparseable-desc"));
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("unparseable-desc"));
|
||||
|
||||
// orport
|
||||
if (server_mode(get_options())) {
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname2("keys", "secret_id_key"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname2("keys", "secret_onion_key"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname2("keys", "secret_onion_key_ntor"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname2("keys", "secret_id_key.old"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname2("keys", "secret_onion_key.old"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname2("keys", "secret_onion_key_ntor.old"));
|
||||
sandbox_cfg_allow_open_filename(&cfg,
|
||||
get_datadir_fname2("keys", "secret_onion_key.tmp"));
|
||||
|
||||
sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("fingerprint"));
|
||||
|
||||
sandbox_cfg_allow_open_filename(&cfg, "/etc/resolv.conf");
|
||||
}
|
||||
|
||||
sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor");
|
||||
|
||||
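Review bot: `sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor")` hard-codes an installation path, so on any build with a different prefix or a distribution-packaged binary the execve rule matches nothing and sandbox behaviour silently differs between installs; derive the path from the build prefix or the running executable rather than a literal, and since execve is the most consequential syscall to open up, add a comment naming the code path that execs the tor binary. The server-mode block adds open rules for the secret key files, which is expected, but `/etc/resolv.conf` is only allowed under `server_mode()` while the sb_open hunk earlier adds an unrestricted read-only open rule for getaddrinfo; if this entry is what makes that workaround unnecessary, say so here so the two can be reconciled. The joined line `sandbox_cfg_allow_open_filename(&cfg, get_datadir_fname("cached-descriptors"));` (and `cached-microdescs` in the previous hunk) appears to reach 80 columns with the usual two-space indent, over Tor's 79-column limit; keep the two-line form for those.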
|