sandbox: allow reading of hidden service configuration files.

fixes part of 12064
2024-11-10 21:23:58 +01:00 · 2014-05-22 20:39:10 -04:00 · 2014-05-22 20:39:10 -04:00 · cfd0ee514c
commit cfd0ee514c
parent 85f49abfbe
4 changed files with 37 additions and 5 deletions
--- a/changes/bug12064_part2
+++ b/changes/bug12064_part2
@ -0,0 +1,5 @@
+  o Minor bugfixes (seccomp sandbox):
+    - Avoid warnings when running with sandboxing enabled at the same
+      time as cookie authentication, hidden services or directory
+      authority voting.  Fixes part of 12064; bugfix on 0.2.5.1-alpha.
+
--- a/src/or/main.c
+++ b/src/or/main.c
@ -2829,13 +2829,14 @@ sandbox_init_filter(void)
  );

  {
-    smartlist_t *logfiles = smartlist_new();
-    tor_log_get_logfile_names(logfiles);
-    SMARTLIST_FOREACH(logfiles, char *, logfile_name, {
+    smartlist_t *files = smartlist_new();
+    tor_log_get_logfile_names(files);
+    rend_services_add_filenames_to_list(files);
+    SMARTLIST_FOREACH(files, char *, file_name, {
      /* steals reference */
-      sandbox_cfg_allow_open_filename(&cfg, logfile_name);
+      sandbox_cfg_allow_open_filename(&cfg, file_name);
    });
-    smartlist_free(logfiles);
+    smartlist_free(files);
  }

  {
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@ -656,6 +656,31 @@ rend_service_load_all_keys(void)
  return 0;
 }

+/** Add to <b>lst</b> every filename used by <b>s</b>. */
+static void
+rend_service_add_filenames_to_list(smartlist_t *lst, const rend_service_t *s)
+{
+  tor_assert(lst);
+  tor_assert(s);
+  smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"private_key",
+                         s->directory);
+  smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"hostname",
+                         s->directory);
+  smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"client_keys",
+                         s->directory);
+}
+
+/** Add to <b>lst</b> every filename used by a configured hidden service */
+void
+rend_services_add_filenames_to_list(smartlist_t *lst)
+{
+  if (!rend_service_list)
+    return;
+  SMARTLIST_FOREACH_BEGIN(rend_service_list, rend_service_t *, s) {
+    rend_service_add_filenames_to_list(lst, s);
+  } SMARTLIST_FOREACH_END(s);
+}
+
 /** Load and/or generate private keys for the hidden service <b>s</b>,
 * possibly including keys for client authorization.  Return 0 on success, -1
 * on failure. */
--- a/src/or/rendservice.h
+++ b/src/or/rendservice.h
@ -71,6 +71,7 @@ struct rend_intro_cell_s {
 int num_rend_services(void);
 int rend_config_services(const or_options_t *options, int validate_only);
 int rend_service_load_all_keys(void);
+void rend_services_add_filenames_to_list(smartlist_t *lst);
 void rend_services_introduce(void);
 void rend_consider_services_upload(time_t now);
 void rend_hsdir_routers_changed(void);