Commit Graph

185 Commits

Author SHA1 Message Date
Nick Mathewson
ab18e5e5fc Better error on failure to load seccomp2 sandbox
There are two reasons this is likeliest to happen -- no kernel
support, and some bug in Tor.  We'll ask people to check the former
before they report. Closes 23090.
2017-09-06 14:23:47 -04:00
Nick Mathewson
94352368db Remove the #if 0ed code that was supposed to let the sandbox allow exec 2017-08-09 10:36:45 -04:00
Nick Mathewson
b387dd364f Merge branch 'maint-0.3.1' 2017-07-27 08:23:37 -04:00
Nick Mathewson
ced2dd5f92 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-27 08:23:37 -04:00
Nick Mathewson
ad35e595e5 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-27 08:23:36 -04:00
Roger Dingledine
ec5b30ca0b fix whitespace issue 2017-07-23 00:57:10 -04:00
Nick Mathewson
16d2bce893 Allow setsockopt(IPV6_V6ONLY) in sandbox.
Fixes bug 20247.  We started setting V6ONLY in 0.2.3.13-alpha and
added the sandbox on 0.2.5.1-alpha.
2017-07-05 13:09:21 -04:00
cypherpunks
c79e286386 Use the proper syscall in sandbox error messages
Fixes #22750.
2017-07-05 09:56:28 -04:00
Alexander Færøy
c239b2fc9c Fix crash in LZMA module when the Sandbox is enabled.
This patch fixes a crash in our LZMA module where liblzma will allocate
slightly more data than it is allowed to by its limit, which leads to a
crash.

See: https://bugs.torproject.org/22751
2017-06-28 10:00:24 -04:00
Nick Mathewson
eff5e29404 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-06-19 13:52:19 -04:00
Nick Mathewson
71c701927a Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-19 13:52:19 -04:00
Nick Mathewson
59f29970fa Permit the fchmod system call.
Fixes bug 22516; bugfix on 0.2.5.4-alpha.
2017-06-16 14:03:02 -04:00
Nick Mathewson
35025ee51f Merge branch 'maint-0.3.0' 2017-05-08 13:40:41 -04:00
Nick Mathewson
d792d2a14d Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-08 13:40:26 -04:00
Nick Mathewson
531835f561 Increase MALLOC_MP_LIM to 16MB
Increase the maximum allowed size passed to mprotect(PROT_WRITE)
from 1MB to 16MB. This was necessary with the glibc allocator
in order to allow worker threads to allocate more memory --
which in turn is necessary because of our new use of worker
threads for compression.

Closes ticket #22096. Found while working on #21648.
2017-04-28 10:55:10 -04:00
Nick Mathewson
99e943998d Add getpid() to the seccomp2 sandbox.
We hadn't needed this before, because most getpid() callers on Linux
were looking at the vDSO version of getpid().  I don't know why at
least one version of OpenSSL seems to be ignoring the vDSO, but this
change should fix it.

Fixes bug 21943; bugfix on 0.2.5.1-alpha when the sandbox was
introduced.
2017-04-26 12:56:06 -04:00
Nick Mathewson
7505f452c8 Run the copyright update script. 2017-03-15 16:13:17 -04:00
Roger Dingledine
51ee549a90 fix typos and trivial syntax problems 2016-12-18 04:06:02 -05:00
Nick Mathewson
d6ca36defa Merge branch 'bug20710_025' into maint-0.2.9 2016-12-07 10:52:12 -05:00
Nick Mathewson
6a069959c6 Fix major errors in freeing getaddrinfo sandbox cache
Patch from cypherpunks. Fixes bug 20710; bugfix on 0.2.5.5-alpha.
2016-12-01 10:36:02 -05:00
Nick Mathewson
b9a43c8f43 For me, asan/ubsan require more syscalls.
Permit sched_yield() and sigaltstack() in the sandbox.

Closes ticket 20063
2016-09-05 14:25:58 -04:00
Nick Mathewson
40d05983c4 Fix some comments in sandbox.c
Closes ticket 19942; patch from "cypherpunks"
2016-08-23 10:02:11 -04:00
Nick Mathewson
9c87869dde Merge branch 'maint-0.2.8' 2016-07-21 14:15:19 +02:00
Nick Mathewson
f1973e70a4 Coverity hates it when we do "E1 ? E2 : E2".
It says, 'Incorrect expression (IDENTICAL_BRANCHES)'

Fix for CID 1364127. Not in any released Tor.
2016-07-21 14:14:33 +02:00
Nick Mathewson
c138c9a2be Merge branch 'maint-0.2.8' 2016-07-17 13:55:04 -04:00
Nick Mathewson
fbae15a856 Merge remote-tracking branch 'weasel/bug19660' into maint-0.2.8 2016-07-17 13:54:40 -04:00
Nick Mathewson
9932544297 Merge branch 'maint-0.2.8' 2016-07-13 09:19:35 -04:00
Nick Mathewson
bb731ca665 Merge remote-tracking branch 'Jigsaw52/seccomp-fix-18397' into maint-0.2.8 2016-07-13 09:16:59 -04:00
Peter Palfrader
36b06be738 Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist
If we did not find a non-private IPaddress by iterating over interfaces,
we would try to get one via
get_interface_address6_via_udp_socket_hack().  This opens a datagram
socket with IPPROTO_UDP.  Previously all our datagram sockets (via
libevent) used IPPROTO_IP, so we did not have that in the sandboxing
whitelist.  Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing
whitelist.  Fixes bug 19660.
2016-07-11 09:37:01 +02:00
Daniel Pinto
20e89453fd Adds missing syscalls to seccomp filter.
Fixes #18397 which prevented tor starting with Sandbox 1.
2016-07-09 00:36:37 +01:00
Nick Mathewson
8ba4ba0a74 Grammar.
I grepped and hand-inspected the "it's" instances, to see if any
were supposed to be possessive.  While doing that, I found a
"the the", so I grepped to see if there were any more.
2016-07-05 12:10:12 -04:00
cypherpunks
94762e37b9 Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS
The Autoconf macro AC_USE_SYSTEM_EXTENSIONS defines preprocessor macros
which turn on extensions to C and POSIX. The macro also makes it easier
for developers to use the extensions without needing (or forgetting) to
define them manually.

The macro can be safely used because it was introduced in Autoconf 2.60
and Tor requires Autoconf 2.63 and above.
2016-06-17 10:17:44 -04:00
Nick Mathewson
80f1a2cbbd Add the -Wextra-semi warning from clang, and fix the cases where it triggers 2016-06-11 10:11:54 -04:00
Nick Mathewson
4895d8288c Do not treat "DOCDOC" as doxygen. 2016-03-26 10:11:45 -04:00
Nick Mathewson
c0568a89d9 Whitespace fixes 2016-03-26 09:54:31 -04:00
Nick Mathewson
7123e9706e Repair build when no sandbox support is enabled. 2016-03-22 13:18:18 -04:00
Nick Mathewson
ca8423a703 Merge remote-tracking branch 'public/bug18253' 2016-03-22 10:08:50 -04:00
Nick Mathewson
4b02af452d Merge branch 'bug15221_027' 2016-03-14 14:10:47 -04:00
Nick Mathewson
dd7c999617 Make unix sockets work with the linux seccomp2 sandbox again
I didn't want to grant blanket permissions for chmod() and chown(),
so here's what I had to do:
   * Grant open() on all parent directories of a unix socket
   * Write code to allow chmod() and chown() on a given file only.
   * Grant chmod() and chown() on the unix socket.
2016-03-14 14:07:02 -04:00
Nick Mathewson
725e0c76e3 Permit setrlimit, prlimit, prlimit64 calls.
We call setrlimit under some circumstances, and it can call prlimit
and prlimit64 under the hood.

Fixes bug 15221.
2016-03-14 13:21:16 -04:00
Nick Mathewson
57699de005 Update the copyright year. 2016-02-27 18:48:19 +01:00
Nick Mathewson
7a782820e9 Make the sandbox work again with chutney.
Previously, we had a problem due to the check_private_dir() rewrite.

Bug not in any released Tor.
2016-02-24 16:01:24 -05:00
Nick Mathewson
a5da27cb35 Merge branch 'maint-0.2.7' 2015-12-16 09:07:11 -05:00
Nick Mathewson
784e9fff9b ... and fix another backtrace_symbols_fd call in sandbox.c 2015-12-16 09:05:49 -05:00
Nick Mathewson
fec5aa75f4 Merge branch 'maint-0.2.7' 2015-12-15 11:55:46 -05:00
cypherpunks
07cca627ea Fix backtrace compilation on FreeBSD
On FreeBSD backtrace(3) uses size_t instead of int (as glibc does). This
causes integer precision loss errors when we used int to store its
results.

The issue is fixed by using size_t to store the results of backtrace(3).

The manual page of glibc does not mention that backtrace(3) returns
negative values. Therefore, no unsigned integer wrapping occurs when its
result is stored in an unsigned data type.
2015-12-15 11:52:00 -05:00
Yawning Angel
353c71516e Add support for getrandom() and getentropy() when available
Implements feature #13696.
2015-12-08 12:34:53 -05:00
Nick Mathewson
a5ed8b1667 Fix compilation of sandbox.[ch] under musl-libc
Patch from jamestk; fix on 0.2.5.1-alpha. Fixes 17347.
2015-10-15 10:37:41 -04:00
Nick Mathewson
50148dc45d Fix compilation of sandbox.[ch] under musl-libc
Patch from jamestk; fix on 0.2.5.1-alpha. Fixes 17347.
2015-10-15 10:35:45 -04:00
Nick Mathewson
59fa0c2d99 Fix another seccomp2 issue
Allow pipe() and pipe2() syscalls; we need these when eventfd2()
support is missing. Fixes bug 16363; bugfix on 0.2.6.3-alpha.  Patch
from "teor".
2015-06-15 10:13:11 -04:00