Nick Mathewson
fcdcb377a4
Add another year to our copyright dates.
...
Because in 95 years, we or our successors will surely care about
enforcing the BSD license terms on this code. Right?
2014-10-28 15:30:16 -04:00
Nick Mathewson
2e607ff519
Merge remote-tracking branch 'origin/maint-0.2.5'
2014-09-29 13:02:50 -04:00
Nick Mathewson
09951bea7f
Don't use the getaddrinfo sandbox cache from tor-resolve
...
Fixes bug 13295; bugfix on 0.2.5.3-alpha.
The alternative here is to call crypto_global_init() from tor-resolve,
but let's avoid linking openssl into tor-resolve for as long as we
can.
2014-09-29 12:57:07 -04:00
Nick Mathewson
7c1143e11f
Terser ways to sandbox-allow related filenames
...
Using the *_array() functions here confused coverity, and was actually
a bit longer than we needed. Now we just use macros for the repeated
bits, so that we can mention a file and a suffix-appended version in
one line.
2014-08-24 13:30:55 -04:00
Nick Mathewson
35b2e11755
Store sandbox params as char *, since that's what they are.
...
This allows coverity to infer that we aren't leaking them.
[Fixes a lot of CIDs]
2014-08-21 11:22:42 -04:00
Nick Mathewson
6f20dd7bfc
Merge remote-tracking branch 'public/bug11970'
2014-06-11 11:01:52 -04:00
Nick Mathewson
b0c1c70011
Make sandbox.c compile on arm
...
This is a minimal set of changes for compilation; I need a more
recent kernel to test this stuff.
2014-05-27 17:34:52 -04:00
Nick Mathewson
e425fc7804
sandbox: revamp sandbox_getaddrinfo cacheing
...
The old cache had problems:
* It needed to be manually preloaded. (It didn't remember any
address you didn't tell it to remember)
* It was AF_INET only.
* It looked at its cache even if the sandbox wasn't turned on.
* It couldn't remember errors.
* It had some memory management problems. (You can't use memcpy
to copy an addrinfo safely; it has pointers in.)
This patch fixes those issues, and moves to a hash table.
Fixes bug 11970; bugfix on 0.2.5.1-alpha.
2014-05-22 17:39:36 -04:00
Nick Mathewson
465982012c
sandbox: Disallow options which would make us call exec()
...
None of the things we might exec() can possibly run under the
sanbox, so rather than crash later, we have to refuse to accept the
configuration nice and early.
The longer-term solution is to have an exec() helper, but wow is
that risky.
fixes 12043; bugfix on 0.2.5.1-alpha
2014-05-20 12:21:31 -04:00
Nick Mathewson
6194970765
Don't allow change to ConnLimit while sandbox is active
2014-04-16 22:03:18 -04:00
Nick Mathewson
f268101a61
Clean up sandbox structures a bit
...
Drop pindex,pindex2 as unused.
Admit a type to avoid using a void*
2014-04-16 22:03:08 -04:00
Nick Mathewson
71eaebd971
Drop 'fr' parameter from sandbox code.
...
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.
(Maybe buggy; revise when I can test.)
2014-04-16 22:03:08 -04:00
Nick Mathewson
cbfb8e703e
Add 'rename' to the sandboxed syscalls
...
(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
2014-04-16 22:03:08 -04:00
Nick Mathewson
fbc20294aa
Merge branch 'backtrace_squashed'
...
Conflicts:
src/common/sandbox.c
src/common/sandbox.h
src/common/util.c
src/or/main.c
src/test/include.am
src/test/test.c
2013-11-18 11:00:16 -05:00
Nick Mathewson
bd8ad674b9
Add a sighandler-safe logging mechanism
...
We had accidentially grown two fake ones: one for backtrace.c, and one
for sandbox.c. Let's do this properly instead.
Now, when we configure logs, we keep track of fds that should get told
about bad stuff happening from signal handlers. There's another entry
point for these that avoids using non-signal-handler-safe functions.
2013-11-18 10:43:15 -05:00
Nick Mathewson
6a11b6f97d
Fix osx compilation again, hopefully better this time.
2013-09-11 13:53:33 -04:00
Cristian Toader
3802cae959
fixed compilation error on i386 linux by moving sandbox_cfg_t definition
2013-09-10 00:04:43 +03:00
Nick Mathewson
d91c776f61
Fix check-spaces
2013-09-09 16:00:40 -04:00
Nick Mathewson
49f9c4924e
Fix compilation on OSX
2013-09-09 15:59:41 -04:00
Nick Mathewson
cc35d8be84
Fix most of the --enable-gcc-warnings warnings in the sandbox code
2013-09-09 15:14:50 -04:00
Nick Mathewson
00fd0cc5f9
Basic compilation fixes.
2013-09-09 14:55:47 -04:00
Cristian Toader
6a22b29641
passing hints as a const pointer to sandbox_getaddrinfo(), also one tor_free macro fails to compile..
2013-09-06 12:39:56 +03:00
Cristian Toader
55d8b8e578
fixed bug where sandbox_getaddrinfo() would fail when -Sandbox is 0
2013-09-03 16:37:12 +03:00
Cristian Toader
b4b0eddd29
switched to a more generic way of handling the sandbox configuration
2013-09-02 13:54:43 +03:00
Cristian Toader
1ef0b2e1a3
changed how sb getaddrinfo works such that it supports storing multiple results
2013-09-02 11:44:04 +03:00
Cristian Toader
f93ba9a2ef
documentation update for _array functions
2013-08-29 15:44:01 +03:00
Cristian Toader
d5f43b5254
_array filter functions now rely on final NULL parameter
2013-08-29 15:42:30 +03:00
Cristian Toader
ce04d2a622
replaced boolean char with int
2013-08-29 15:19:49 +03:00
Cristian Toader
8e2b9d2844
small fixes in documentation and sandbox_getaddrinfo()
2013-08-29 12:41:17 +03:00
Cristian Toader
6cae5d706c
Added doxygen struct doc and replaced func() with funct(void)
2013-08-28 20:01:52 +03:00
Cristian Toader
8b8f87a06a
removed PARAM_LEN
2013-08-28 19:56:42 +03:00
Cristian Toader
36aeca0ecf
fix for getaddrinfo open syscall
2013-08-19 13:56:50 +03:00
Cristian Toader
372e0f91fd
added comments for sandbox.h
2013-08-15 00:09:07 +03:00
Cristian Toader
8a85a48b9d
attempt to add stat64 filename filters; failed due to getaddrinfo..
2013-08-12 21:14:43 +03:00
Cristian Toader
44a4464cf6
fixed memory leak, added array filter support
2013-08-10 18:04:48 +03:00
Cristian Toader
a960e56c68
multi-configuration support using sandbox_t struct
2013-08-05 16:01:31 +03:00
Cristian Toader
356b646976
added execve and multi-configuration support
2013-08-05 15:40:23 +03:00
Cristian Toader
442f256f25
switched to a design using filters as function pointer arrays
2013-07-30 21:23:30 +03:00
Cristian Toader
871e5b35a8
small filter changes; openat as separate function
2013-07-30 19:25:56 +03:00
Cristian Toader
8022def6f0
added openat parameter filter
2013-07-29 16:30:39 +03:00
Cristian Toader
6d5b0367f6
Changes as suggested by nickm
...
- char* to const char* and name refactoring
- workaround for accept4 syscall
2013-07-29 14:46:47 +03:00
Cristian Toader
626a2b23de
integrated context for dynamic filters
2013-07-25 14:08:02 +03:00
Cristian Toader
3dfe1c0639
initia stages of runtime dynamic filters
2013-07-25 13:25:20 +03:00
Cristian Toader
abe082e7d0
dynamic parameter filter bug fixes
2013-07-24 17:15:57 +03:00
Cristian Toader
962d814e52
dynamic parameter filter (prototype, not tested)
2013-07-24 17:06:06 +03:00
Cristian Toader
e1410f20d7
added support for multiple parameters
2013-07-23 14:22:31 +03:00
Cristian Toader
c15d09293b
added experimental support for open syscall path param
2013-07-23 14:01:53 +03:00
Cristian Toader
8b12170f23
added support for numeric parameters, tested with rt_sigaction
2013-07-23 10:49:56 +03:00
Cristian Toader
7cf1dbfd51
changed paramfilter type to intptr_t
2013-07-23 10:14:25 +03:00
Cristian Toader
e7e2efb717
Added getter for protected parameter
2013-07-18 18:21:37 +03:00