- 28 Jul, 2020 1 commit
-
-
Jigsaw52 authored
Fix crash introduced in #40020. On startup, tor calls check_private_dir on the data and key directories. This function uses open instead of opendir on the received directory. Data and key directories are only opened here, so the seccomp rule added should be for open instead of opendir, despite the fact that they are directories.
-
- 20 Jul, 2020 3 commits
-
-
Jigsaw52 authored
The need for casting negative syscall arguments depends on the glibc version. This affects the rules for the openat syscall which uses the constant AT_FDCWD that is defined as a negative number. This commit adds logic to only apply the cast when necessary, on glibc versions from 2.27 onwards.
-
Jigsaw52 authored
Different versions of glibc use either open or openat for the opendir function. This commit adds logic to use the correct rule for each glibc version, namely:
    - Until 2.14 open is used
    - From 2.15 to 2.21 openat is used
    - From 2.22 to 2.26 open is used
    - From 2.27 onwards openat is used
-
Jigsaw52 authored
The need for casting negative syscall arguments depends on the glibc version. This affects the rules for the openat syscall which uses the constant AT_FDCWD that is defined as a negative number. This commit adds logic to only apply the cast when necessary, on glibc versions from 2.27 onwards.
-
- 04 Jun, 2020 1 commit
-
-
Nick Mathewson authored
M_SYSCALL is used to report information about a sandbox violation, but when we don't have a definition for it, it still makes sense to compile. Closes ticket 34382.
-
- 12 May, 2020 1 commit
-
-
Adds seccomp rules for socket and getpeername used by NSS
-
- 09 Apr, 2020 1 commit
-
-
Nick Mathewson authored
(Our fix for 33087 requires this, I believe.)
-
- 26 Feb, 2020 1 commit
-
-
Nick Mathewson authored
Closes ticket 33346.
-
- 08 Jan, 2020 1 commit
-
-
Nick Mathewson authored
-
- 05 Jan, 2020 1 commit
-
-
Allow calls to dup() which was introduced in commit a22fbab9. From a security perspective, I don't think this should impact the security of the sandbox significantly. As far as I can tell, there is nothing an adversary can do with a duplicated FD that can't be done with the original.
-
- 20 Dec, 2019 1 commit
-
-
teor authored
This is an automated commit, generated by this command:
    ./scripts/maint/rename_c_identifier.py \
        EXPOSE_CLEAN_BACKTRACE BACKTRACE_PRIVATE \
        TOR_CHANNEL_INTERNAL_ CHANNEL_OBJECT_PRIVATE \
        CHANNEL_PRIVATE_ CHANNEL_FILE_PRIVATE \
        EXPOSE_ROUTERDESC_TOKEN_TABLE ROUTERDESC_TOKEN_TABLE_PRIVATE \
        SCHEDULER_PRIVATE_ SCHEDULER_PRIVATE
-
- 17 Dec, 2019 1 commit
-
-
This fixes a startup crash with libseccomp v2.4.0 if Sandbox is set to 1.
-
- 30 Sep, 2019 1 commit
-
-
Nick Mathewson authored
-
- 26 Sep, 2019 1 commit
-
-
teor authored
Part of 31614.
-
- 22 Jan, 2019 1 commit
-
-
Peter Gerber authored
SO_ACCEPTCONN checks whether socket listening is enabled and has been used ever since 9369152a was merged. Closes ticket #29150.
-
- 16 Jan, 2019 2 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
-
- 14 Nov, 2018 3 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
-
Nick Mathewson authored
This was trivial, and the easiest way to remove the remaining .may_include circularities.
-
- 10 Jul, 2018 2 commits
-
-
Nick Mathewson authored
Fun fact: these files used to be called log.[ch] until we ran into conflicts with systems having a log.h file. But now that we always include "lib/log/log.h", we should be fine.
-
Nick Mathewson authored
-
- 03 Jul, 2018 1 commit
-
-
rl1987 authored
-
- 27 Jun, 2018 4 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
-
Nick Mathewson authored
-
Nick Mathewson authored
There are some additional changes to come: those points are marked by XXXX.
-
- 22 Jun, 2018 3 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
-
Nick Mathewson authored
-
- 21 Jun, 2018 2 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
-
- 20 Jun, 2018 3 commits
-
-
Nick Mathewson authored
Previously we had code like this for bad things happening from signal handlers, but it makes sense to use the same logic to handle cases when something is happening at a level too low for log.c to be involved. My raw_assert*() stuff now uses this code.
-
Nick Mathewson authored
-
Nick Mathewson authored
-
- 23 Apr, 2018 1 commit
-
-
Nick Mathewson authored
Fixes bug 24969; bugfix on 0.2.5.1-alpha when the sandbox was introduced.
-
- 20 Mar, 2018 2 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
Apparently, sometimes getpwnam will call this. Fixes bug 25513.
-
- 01 Feb, 2018 1 commit
-
-
Nick Mathewson authored
This reverts commit 9a062825. It appears that I misunderstood how the seccomp2 filter rules interact. It appears that `SCMP_ACT_ERRNO()` always takes precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that earlier rules would override later ones. But this change caused bug 25115 (not in any released Tor).
-
- 26 Jan, 2018 1 commit
-
-
Nick Mathewson authored
Previously, most disallowed open(O_RDONLY) attempts would EACCES, but others would fail with a crash.
-