Nick Mathewson
5aaac938a9
Have sandbox string protection include multi-valued parmeters.
2014-04-16 22:03:09 -04:00
Nick Mathewson
f268101a61
Clean up sandbox structures a bit
...
Drop pindex,pindex2 as unused.
Admit a type to avoid using a void*
2014-04-16 22:03:08 -04:00
Nick Mathewson
6807b76a5e
Add missing rename function for non-linux platforms
2014-04-16 22:03:08 -04:00
Nick Mathewson
71eaebd971
Drop 'fr' parameter from sandbox code.
...
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.
(Maybe buggy; revise when I can test.)
2014-04-16 22:03:08 -04:00
Nick Mathewson
cbfb8e703e
Add 'rename' to the sandboxed syscalls
...
(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
2014-04-16 22:03:08 -04:00
Nick Mathewson
3802e32c7d
Only intern one copy of each magic string for the sandbox
...
If we intern two copies of a string, later calls to
sandbox_intern_string will give the wrong one sometimes.
2014-04-16 22:03:08 -04:00
Nick Mathewson
ae9d6d73f5
Fix some initial sandbox issues.
...
Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
2014-04-16 22:03:07 -04:00
Nick Mathewson
cc9e86db61
Log a backtrace when the sandbox finds a failure
...
This involves some duplicate code between backtrace.c and sandbox.c,
but I don't see a way around it: calling more functions would mean
adding more steps to our call stack, and running clean_backtrace()
against the wrong point on the stack.
2014-04-10 15:44:52 -04:00
Nick Mathewson
196895ed7e
Make the sandbox code allow the writev() syscall.
...
Tor doesn't use it directly, but the glibc backtrace-to-fd code does
2014-04-10 15:08:28 -04:00
Nick Mathewson
119896cd43
Fix some leaks/missed checks in the unit tests
...
Coverity spotted these.
2014-03-13 10:07:10 -04:00
Nick Mathewson
25f0eb4512
Add a sandbox rule to allow IP_TRANSPARENT
2014-02-02 15:47:48 -05:00
Nick Mathewson
9be105f94b
whitespace fixes
2014-01-17 12:41:56 -05:00
Nick Mathewson
682c2252a5
Fix some seccomp2 issues
...
Fix for #10563 . This is a compatibility issue with libseccomp-2.1.
I guess you could call it a bugfix on 0.2.5.1?
2014-01-06 04:27:58 -05:00
Nick Mathewson
fbc20294aa
Merge branch 'backtrace_squashed'
...
Conflicts:
src/common/sandbox.c
src/common/sandbox.h
src/common/util.c
src/or/main.c
src/test/include.am
src/test/test.c
2013-11-18 11:00:16 -05:00
Nick Mathewson
bd8ad674b9
Add a sighandler-safe logging mechanism
...
We had accidentially grown two fake ones: one for backtrace.c, and one
for sandbox.c. Let's do this properly instead.
Now, when we configure logs, we keep track of fds that should get told
about bad stuff happening from signal handlers. There's another entry
point for these that avoids using non-signal-handler-safe functions.
2013-11-18 10:43:15 -05:00
Nick Mathewson
1825674bd3
Fix a memory leak on getaddrinfo in sandbox. Found by coverity
2013-09-16 22:38:02 -04:00
Nick Mathewson
4ea9fbcdb1
Clean up malloc issues in sandbox.c
...
tor_malloc returns void *; in C, it is not necessary to cast a
void* to another pointer type before assigning it.
tor_malloc fails with an error rather than returning NULL; it's not
necessary to check its output. (In one case, doing so annoyed Coverity.)
2013-09-16 22:34:42 -04:00
Nick Mathewson
e0b2cd061b
Merge remote-tracking branch 'ctoader/gsoc-cap-stage2'
...
Conflicts:
src/common/sandbox.c
2013-09-13 12:31:41 -04:00
Cristian Toader
7cf1b9cc33
fixed compilation bug on i386 due to previous fix
2013-09-12 15:38:14 +03:00
Cristian Toader
d2836c8780
bug fix: syscalls send and recv not supported for x86_64 with libseccomp 1.0.1
2013-09-12 15:30:28 +03:00
Cristian Toader
0a3d1685ae
remove debugging code
2013-09-12 14:12:56 +03:00
Cristian Toader
4702cdc99d
added extra buffer and limit to mprotect not to exceed the length of that buffer
2013-09-12 13:43:06 +03:00
Cristian Toader
79f94e236b
added filter protection for string parameter memory
2013-09-10 14:35:11 +03:00
Cristian Toader
8e003b1c69
fixed socket syscall bug
2013-09-10 00:42:36 +03:00
Nick Mathewson
d91c776f61
Fix check-spaces
2013-09-09 16:00:40 -04:00
Nick Mathewson
49f9c4924e
Fix compilation on OSX
2013-09-09 15:59:41 -04:00
Nick Mathewson
e9ec0cb550
Do not try to add non-existent syscalls.
2013-09-09 15:37:45 -04:00
Nick Mathewson
a6ada1a50c
Fix a warning related to SCMP_CMP definition in header.
...
SCMP_CMP(a,b,c) leaves the fourth field of the structure undefined,
giving a missing-initializer error. All of our uses are
three-argument, so I'm overriding the default.
2013-09-09 15:16:30 -04:00
Nick Mathewson
cc35d8be84
Fix most of the --enable-gcc-warnings warnings in the sandbox code
2013-09-09 15:14:50 -04:00
Nick Mathewson
42e6ab0e14
Remove a usage of free()
2013-09-09 14:58:15 -04:00
Nick Mathewson
00fd0cc5f9
Basic compilation fixes.
2013-09-09 14:55:47 -04:00
Cristian Toader
340cca524f
added missing documentation for sandbox functions
2013-09-06 21:41:45 +03:00
Cristian Toader
6a22b29641
passing hints as a const pointer to sandbox_getaddrinfo(), also one tor_free macro fails to compile..
2013-09-06 12:39:56 +03:00
Cristian Toader
839ff0063d
replaced strdup with tor_strdup
2013-09-06 12:30:01 +03:00
Cristian Toader
2a6c34750d
replaced malloc/free with tor_malloc/tor_free
2013-09-06 12:29:15 +03:00
Cristian Toader
42f5737c81
switched string lengths from int to size_t in prot_strings()
2013-09-06 12:26:50 +03:00
Cristian Toader
55d8b8e578
fixed bug where sandbox_getaddrinfo() would fail when -Sandbox is 0
2013-09-03 16:37:12 +03:00
Cristian Toader
b4b0eddd29
switched to a more generic way of handling the sandbox configuration
2013-09-02 13:54:43 +03:00
Cristian Toader
fe6e2733ab
added contingency message to test for sandbox_getaddrinfo
2013-09-02 12:16:02 +03:00
Cristian Toader
c584537a03
make check-spaces fix
2013-09-02 11:45:09 +03:00
Cristian Toader
1ef0b2e1a3
changed how sb getaddrinfo works such that it supports storing multiple results
2013-09-02 11:44:04 +03:00
Cristian Toader
3e803a1f18
make check-spaces fix
2013-08-29 16:53:12 +03:00
Cristian Toader
1118bd9910
switched from multiple mmap to one
2013-08-29 16:51:05 +03:00
Cristian Toader
d5f43b5254
_array filter functions now rely on final NULL parameter
2013-08-29 15:42:30 +03:00
Cristian Toader
ce04d2a622
replaced boolean char with int
2013-08-29 15:19:49 +03:00
Cristian Toader
8e2b9d2844
small fixes in documentation and sandbox_getaddrinfo()
2013-08-29 12:41:17 +03:00
Cristian Toader
6cae5d706c
Added doxygen struct doc and replaced func() with funct(void)
2013-08-28 20:01:52 +03:00
Cristian Toader
8b8f87a06a
removed PARAM_LEN
2013-08-28 19:56:42 +03:00
Cristian Toader
b121ca581d
make check-spaces fix
2013-08-26 21:28:30 +03:00
Cristian Toader
15d420b564
fix: accept4 for 64 bit
2013-08-26 20:06:46 +03:00
Cristian Toader
b10472f92b
small open syscall modification (just in case)
2013-08-21 19:01:01 +03:00
Cristian Toader
bc19ea100c
make check-spaces fixes
2013-08-21 17:57:15 +03:00
Cristian Toader
ed4968315e
fix: sandbox_intern_string log clean up
2013-08-21 13:43:44 +03:00
Cristian Toader
8aa5517ff6
fix: flock filter update
2013-08-21 13:38:00 +03:00
Cristian Toader
71612f00ae
fixed openssl open syscall, fixed sandbox_getaddrinfo
2013-08-20 13:10:07 +03:00
Cristian Toader
36aeca0ecf
fix for getaddrinfo open syscall
2013-08-19 13:56:50 +03:00
Cristian Toader
a9910d89f1
finalised fix on libevent open string issue
2013-08-19 11:41:46 +03:00
Cristian Toader
c09b11b6d8
updated filters
2013-08-16 01:43:09 +03:00
Cristian Toader
863dd4d4b3
received feedback and fixed (partly) the socket filters
2013-08-15 00:23:51 +03:00
Cristian Toader
372e0f91fd
added comments for sandbox.h
2013-08-15 00:09:07 +03:00
Cristian Toader
e2a7b484f4
partial libevent open fix
2013-08-14 23:03:38 +03:00
Cristian Toader
8a85a48b9d
attempt to add stat64 filename filters; failed due to getaddrinfo..
2013-08-12 21:14:43 +03:00
Cristian Toader
44a4464cf6
fixed memory leak, added array filter support
2013-08-10 18:04:48 +03:00
Cristian Toader
89b39db003
updated filters to work with orport
2013-08-09 19:07:20 +03:00
Cristian Toader
b3a8c08a92
orport progress (not functional), nickm suggested fixes
2013-08-07 13:13:12 +03:00
Cristian Toader
356b646976
added execve and multi-configuration support
2013-08-05 15:40:23 +03:00
Cristian Toader
d897690fc7
fixes suggested by nickm
2013-08-05 14:17:46 +03:00
Cristian Toader
dde3ed385b
removed access, set_robust_list, set_thread_area, set_tid_address, uname; added sb_poll
2013-07-31 12:05:10 +03:00
Cristian Toader
313cbe6e24
sigprocmask, epoll_ctl, prctl, mprotect, flock, futex, mremap
2013-07-31 11:35:25 +03:00
Cristian Toader
f0840ed4c9
epoll_ctl
2013-07-31 00:27:14 +03:00
Cristian Toader
5fc0e13db8
fcntl64
2013-07-30 23:52:54 +03:00
Cristian Toader
686cf4c0ff
clean stable version
2013-07-30 23:43:42 +03:00
Cristian Toader
c1f5f1842e
fully switched to function pointers; problems with socketcall parameters
2013-07-30 23:20:08 +03:00
Cristian Toader
442f256f25
switched to a design using filters as function pointer arrays
2013-07-30 21:23:30 +03:00
Cristian Toader
5baea85189
removed open flags (postponed), added mmap2 flags
2013-07-30 19:37:28 +03:00
Cristian Toader
871e5b35a8
small filter changes; openat as separate function
2013-07-30 19:25:56 +03:00
Cristian Toader
8022def6f0
added openat parameter filter
2013-07-29 16:30:39 +03:00
Cristian Toader
6d5b0367f6
Changes as suggested by nickm
...
- char* to const char* and name refactoring
- workaround for accept4 syscall
2013-07-29 14:46:47 +03:00
Cristian Toader
8f9d3da194
Investigated access4 syscall problem, small changes to filter.
2013-07-26 19:53:05 +03:00
Cristian Toader
626a2b23de
integrated context for dynamic filters
2013-07-25 14:08:02 +03:00
Cristian Toader
3dfe1c0639
initia stages of runtime dynamic filters
2013-07-25 13:25:20 +03:00
Cristian Toader
abe082e7d0
dynamic parameter filter bug fixes
2013-07-24 17:15:57 +03:00
Cristian Toader
962d814e52
dynamic parameter filter (prototype, not tested)
2013-07-24 17:06:06 +03:00
Cristian Toader
e1410f20d7
added support for multiple parameters
2013-07-23 14:22:31 +03:00
Cristian Toader
c15d09293b
added experimental support for open syscall path param
2013-07-23 14:01:53 +03:00
Cristian Toader
8b12170f23
added support for numeric parameters, tested with rt_sigaction
2013-07-23 10:49:56 +03:00
Cristian Toader
7cf1dbfd51
changed paramfilter type to intptr_t
2013-07-23 10:14:25 +03:00
Cristian Toader
8dfa5772e7
(undo) git test..
2013-07-18 18:28:55 +03:00
Cristian Toader
b0725c964b
git test..
2013-07-18 18:28:10 +03:00
Cristian Toader
e7e2efb717
Added getter for protected parameter
2013-07-18 18:21:37 +03:00
Cristian Toader
673349c42e
Repair of some of the lost parameter filters history
2013-07-18 18:03:10 +03:00
Nick Mathewson
85178e2e93
Use format_hex_number_sigsafe to format syscalls in sandbox.c
...
This way, we don't have to use snprintf, which is not guaranteed to
be signal-safe.
(Technically speaking, strlen() and strlcpy() are not guaranteed to
be signal-safe by the POSIX standard. But I claim that they are on
every platform that supports libseccomp2, which is what matters
here.)
2013-07-15 13:07:09 -04:00
Roger Dingledine
6848e29307
cosmetic cleanups
2013-07-14 02:49:34 -04:00
Cristian Toader
f9c1ba6493
Add a basic seccomp2 syscall filter on Linux
...
It's controlled by the new Sandbox argument. Right now, it's rather
coarse-grained, it's Linux-only, and it may break some features.
2013-07-11 09:13:13 -04:00