From c15d09293bdfc90e94ef34369205cc6db9882607 Mon Sep 17 00:00:00 2001
From: Cristian Toader
Date: Tue, 23 Jul 2013 14:01:53 +0300
Subject: [PATCH] added experimental support for open syscall path param
---
 src/common/compat.c | 1 +
 src/common/sandbox.c | 39 +++++++++++++++++++++++++++++++++------
 src/common/sandbox.h | 2 +-
 src/or/routerlist.c | 2 +-
 4 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/src/common/compat.c b/src/common/compat.c
index 69eb0643d0..5b153674ef 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -125,6 +125,7 @@ tor_open_cloexec(const char *path, int flags, unsigned mode)
 {
 int fd;
 #ifdef O_CLOEXEC
+ path = get_prot_param(path);
 fd = open(path, flags|O_CLOEXEC, mode);
 if (fd >= 0)
 return fd;
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 7c732157c1..143995d294 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
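Review bot: In the tor_open_cloexec hunk the substitution `path = get_prot_param(path);` sits inside `#ifdef O_CLOEXEC`, so a build without O_CLOEXEC would hand the caller's unprotected pointer to open(), which the pointer-based rule for `open` added in sandbox.c would presumably not match; placing the line above the `#ifdef` covers both paths. The call also passes a `const char *` to a function this patch shows as `get_prot_param(char *param)`, discarding the qualifier; the parameter and return type could be `const char *`. The function body continues outside the hunk, so the fallback open() call is not visible here.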
@@ -46,7 +46,34 @@ static ParFilter param_filter[] = {
 {SCMP_SYS(rt_sigaction), PARAM_NUM, (intptr_t)(SIGXFSZ), 0},
 #endif
 {SCMP_SYS(rt_sigaction), PARAM_NUM, (intptr_t)(SIGCHLD), 0},
-
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-certs"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-consensus"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/unverified-consensus"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-microdesc-consensus"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-microdesc-consensus.tmp"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-microdescs"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-microdescs.new"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/unverified-microdesc-consensus"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-descriptors"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-descriptors.new"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/cached-extrainfo"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/state.tmp"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/unparseable-desc.tmp"), 0},
+ {SCMP_SYS(open), PARAM_PTR,
+ (intptr_t)("/home/cristi/.tor/unparseable-desc"), 0},
 };
 /** Variable used for storing all syscall numbers that will be allowed with the
@@ -106,7 +133,6 @@ static int general_filter[] = {
 SCMP_SYS(mprotect),
 SCMP_SYS(mremap),
 SCMP_SYS(munmap),
- SCMP_SYS(open),
 SCMP_SYS(openat),
 SCMP_SYS(poll),
 SCMP_SYS(prctl),
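Review bot: Every new `open` entry in `param_filter` is an absolute path under `/home/cristi/.tor/`, so the allow-list only matches on the author's machine, and a process with any other data directory will find none of its opens covered. The entries should be built at startup from the configured data directory rather than compiled in. Until that exists, a comment above the first entry such as `/* FIXME: paths must come from the configured data directory, not a fixed home */` would keep the placeholder from going unnoticed. The table starts outside the hunk.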
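Review bot: Dropping `SCMP_SYS(open)` from `general_filter` while `SCMP_SYS(openat)` stays on the next line leaves the path restriction incomplete, since the same files remain reachable through `openat` with no argument check, and some libc versions implement `open()` through `openat`. Either give `openat` the same `PARAM_PTR` treatment or record the gap in place, for example `SCMP_SYS(openat), /* XXX unrestricted; the path filter covers open only */`. The array continues outside the hunk.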
@@ -175,13 +201,14 @@ get_prot_param(char *param)
 }
 for (i = 0; i < filter_size; i++) {
- if (param_filter[i].prot && !strncmp(param, (char*) param_filter[i].param,
- MAX_PARAM_LEN) && param_filter[i].ptype == PARAM_PTR) {
+ if (param_filter[i].prot && param_filter[i].ptype == PARAM_PTR
+ && !strncmp(param, (char*)(param_filter[i].param), MAX_PARAM_LEN)) {
 return (char*)(param_filter[i].param);
 }
 }
- return NULL;
+ log_warn(LD_BUG, "(Sandbox) Parameter %s not found", param);
+ return param;
 }
 static int
@@ -213,7 +240,7 @@ add_param_filter(scmp_filter_ctx ctx)
 }
 // copying from non protected to protected + pointer reassign
- memcpy(map, (char*) param_filter[i].param, param_size);
+ memcpy(map, (char*) (param_filter[i].param), param_size);
 param_filter[i].param = (intptr_t) map;
 // protecting from writes
diff --git a/src/common/sandbox.h b/src/common/sandbox.h
index de5699e342..b973d9716e 100644
--- a/src/common/sandbox.h
+++ b/src/common/sandbox.h
@@ -32,7 +32,7 @@
 #define __USE_GNU
 #include
-#define MAX_PARAM_LEN 32
+#define MAX_PARAM_LEN 64
 #define PARAM_PTR 0
 #define PARAM_NUM 1
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index a145ba716e..465aaedb13 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -37,7 +37,7 @@
 #include "routerlist.h"
 #include "routerparse.h"
 #include "routerset.h"
-
+#include "../common/sandbox.h"
 // #define DEBUG_ROUTERLIST
 /****************************************************************************/
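Review bot: The lookup in `get_prot_param` compares with `strncmp(..., MAX_PARAM_LEN)`, so a path longer than the limit that shares its first `MAX_PARAM_LEN` bytes with a table entry is treated as that entry and silently replaced by it; raising the limit to 64 in sandbox.h moves the threshold but keeps the prefix match. As far as the hunk shows, both sides are NUL-terminated strings (table literals and a path on its way to open), so `&& !strcmp(param, (char*)(param_filter[i].param))) {` would make the match exact. The new fallback `return param;` hands back the unprotected pointer after only a warning, so a miss is left for the seccomp filter to stop at the `open` call; a comment stating that this is intended, for example `/* not in the table: the open filter is expected to deny this pointer */`, would make the contract explicit. The function starts outside the hunk.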