Commit Graph

101 Commits

Author SHA1 Message Date
Nick Mathewson
f70cf9982a Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse
OpenSSL needs this, or RAND_poll() will kill the process.

Also, refuse with EACCESS, not errno==-1 (!).
2014-04-16 22:03:18 -04:00
Nick Mathewson
6194970765 Don't allow change to ConnLimit while sandbox is active 2014-04-16 22:03:18 -04:00
Nick Mathewson
69eb278830 Use SCMP_CMP_MASKED_EQ to allow flags, not force them
Older versions of Libevent are happy to open SOCK_DGRAM sockets
non-cloexec and non-nonblocking, and then set those flags
afterwards. It's nice to be able to allow a flag to be on or off in
the sandbox without having to enumerate all its values.

Also, permit PF_INET6 sockets. (D'oh!)
2014-04-16 22:03:10 -04:00
Nick Mathewson
e6785ee16d Get Libevent's PRNG functioning under the linux sandbox
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization.  But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}).  To make _that_ work, we
were permitting sysctl unconditionally.  That's not such a great
idea.

Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
2014-04-16 22:03:09 -04:00
Nick Mathewson
8dc6755f6d Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
           SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
           SCMP_CMP(1, SCMP_CMP_EQ, param->value),
           SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1.  This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!

This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 22:03:09 -04:00
Nick Mathewson
12028c29e6 Fix sandbox protection for rename
(We were only checking the first parameter of each rename call.)
2014-04-16 22:03:09 -04:00
Nick Mathewson
739a52592b Upgrade warning about missing interned string for sandbox 2014-04-16 22:03:09 -04:00
Nick Mathewson
5aaac938a9 Have sandbox string protection include multi-valued parmeters. 2014-04-16 22:03:09 -04:00
Nick Mathewson
f268101a61 Clean up sandbox structures a bit
Drop pindex,pindex2 as unused.

Admit a type to avoid using a void*
2014-04-16 22:03:08 -04:00
Nick Mathewson
6807b76a5e Add missing rename function for non-linux platforms 2014-04-16 22:03:08 -04:00
Nick Mathewson
71eaebd971 Drop 'fr' parameter from sandbox code.
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.

(Maybe buggy; revise when I can test.)
2014-04-16 22:03:08 -04:00
Nick Mathewson
cbfb8e703e Add 'rename' to the sandboxed syscalls
(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
2014-04-16 22:03:08 -04:00
Nick Mathewson
3802e32c7d Only intern one copy of each magic string for the sandbox
If we intern two copies of a string, later calls to
sandbox_intern_string will give the wrong one sometimes.
2014-04-16 22:03:08 -04:00
Nick Mathewson
ae9d6d73f5 Fix some initial sandbox issues.
Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
2014-04-16 22:03:07 -04:00
Nick Mathewson
cc9e86db61 Log a backtrace when the sandbox finds a failure
This involves some duplicate code between backtrace.c and sandbox.c,
but I don't see a way around it: calling more functions would mean
adding more steps to our call stack, and running clean_backtrace()
against the wrong point on the stack.
2014-04-10 15:44:52 -04:00
Nick Mathewson
196895ed7e Make the sandbox code allow the writev() syscall.
Tor doesn't use it directly, but the glibc backtrace-to-fd code does
2014-04-10 15:08:28 -04:00
Nick Mathewson
119896cd43 Fix some leaks/missed checks in the unit tests
Coverity spotted these.
2014-03-13 10:07:10 -04:00
Nick Mathewson
25f0eb4512 Add a sandbox rule to allow IP_TRANSPARENT 2014-02-02 15:47:48 -05:00
Nick Mathewson
9be105f94b whitespace fixes 2014-01-17 12:41:56 -05:00
Nick Mathewson
682c2252a5 Fix some seccomp2 issues
Fix for #10563.  This is a compatibility issue with libseccomp-2.1.
I guess you could call it a bugfix on 0.2.5.1?
2014-01-06 04:27:58 -05:00
Nick Mathewson
fbc20294aa Merge branch 'backtrace_squashed'
Conflicts:
	src/common/sandbox.c
	src/common/sandbox.h
	src/common/util.c
	src/or/main.c
	src/test/include.am
	src/test/test.c
2013-11-18 11:00:16 -05:00
Nick Mathewson
bd8ad674b9 Add a sighandler-safe logging mechanism
We had accidentially grown two fake ones: one for backtrace.c, and one
for sandbox.c.  Let's do this properly instead.

Now, when we configure logs, we keep track of fds that should get told
about bad stuff happening from signal handlers.  There's another entry
point for these that avoids using non-signal-handler-safe functions.
2013-11-18 10:43:15 -05:00
Nick Mathewson
1825674bd3 Fix a memory leak on getaddrinfo in sandbox. Found by coverity 2013-09-16 22:38:02 -04:00
Nick Mathewson
4ea9fbcdb1 Clean up malloc issues in sandbox.c
tor_malloc returns void *; in C, it is not necessary to cast a
void* to another pointer type before assigning it.

tor_malloc fails with an error rather than returning NULL; it's not
necessary to check its output. (In one case, doing so annoyed Coverity.)
2013-09-16 22:34:42 -04:00
Nick Mathewson
e0b2cd061b Merge remote-tracking branch 'ctoader/gsoc-cap-stage2'
Conflicts:
	src/common/sandbox.c
2013-09-13 12:31:41 -04:00
Cristian Toader
7cf1b9cc33 fixed compilation bug on i386 due to previous fix 2013-09-12 15:38:14 +03:00
Cristian Toader
d2836c8780 bug fix: syscalls send and recv not supported for x86_64 with libseccomp 1.0.1 2013-09-12 15:30:28 +03:00
Cristian Toader
0a3d1685ae remove debugging code 2013-09-12 14:12:56 +03:00
Cristian Toader
4702cdc99d added extra buffer and limit to mprotect not to exceed the length of that buffer 2013-09-12 13:43:06 +03:00
Cristian Toader
79f94e236b added filter protection for string parameter memory 2013-09-10 14:35:11 +03:00
Cristian Toader
8e003b1c69 fixed socket syscall bug 2013-09-10 00:42:36 +03:00
Nick Mathewson
d91c776f61 Fix check-spaces 2013-09-09 16:00:40 -04:00
Nick Mathewson
49f9c4924e Fix compilation on OSX 2013-09-09 15:59:41 -04:00
Nick Mathewson
e9ec0cb550 Do not try to add non-existent syscalls. 2013-09-09 15:37:45 -04:00
Nick Mathewson
a6ada1a50c Fix a warning related to SCMP_CMP definition in header.
SCMP_CMP(a,b,c) leaves the fourth field of the structure undefined,
giving a missing-initializer error.  All of our uses are
three-argument, so I'm overriding the default.
2013-09-09 15:16:30 -04:00
Nick Mathewson
cc35d8be84 Fix most of the --enable-gcc-warnings warnings in the sandbox code 2013-09-09 15:14:50 -04:00
Nick Mathewson
42e6ab0e14 Remove a usage of free() 2013-09-09 14:58:15 -04:00
Nick Mathewson
00fd0cc5f9 Basic compilation fixes. 2013-09-09 14:55:47 -04:00
Cristian Toader
340cca524f added missing documentation for sandbox functions 2013-09-06 21:41:45 +03:00
Cristian Toader
6a22b29641 passing hints as a const pointer to sandbox_getaddrinfo(), also one tor_free macro fails to compile.. 2013-09-06 12:39:56 +03:00
Cristian Toader
839ff0063d replaced strdup with tor_strdup 2013-09-06 12:30:01 +03:00
Cristian Toader
2a6c34750d replaced malloc/free with tor_malloc/tor_free 2013-09-06 12:29:15 +03:00
Cristian Toader
42f5737c81 switched string lengths from int to size_t in prot_strings() 2013-09-06 12:26:50 +03:00
Cristian Toader
55d8b8e578 fixed bug where sandbox_getaddrinfo() would fail when -Sandbox is 0 2013-09-03 16:37:12 +03:00
Cristian Toader
b4b0eddd29 switched to a more generic way of handling the sandbox configuration 2013-09-02 13:54:43 +03:00
Cristian Toader
fe6e2733ab added contingency message to test for sandbox_getaddrinfo 2013-09-02 12:16:02 +03:00
Cristian Toader
c584537a03 make check-spaces fix 2013-09-02 11:45:09 +03:00
Cristian Toader
1ef0b2e1a3 changed how sb getaddrinfo works such that it supports storing multiple results 2013-09-02 11:44:04 +03:00
Cristian Toader
3e803a1f18 make check-spaces fix 2013-08-29 16:53:12 +03:00
Cristian Toader
1118bd9910 switched from multiple mmap to one 2013-08-29 16:51:05 +03:00