Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
Nick Mathewson
Tor
Commits
6b392c33
Unverified
Commit
6b392c33
authored
Jan 30, 2020
by
teor
Browse files
Merge branch 'maint-0.4.0' into maint-0.4.1
parents
9b0b2aef
65825018
Changes
2
Hide whitespace changes
Inline
Side-by-side
changes/bug29819
0 → 100644
View file @
6b392c33
o Minor bugfixes (linux seccomp sandbox):
- Correct how we use libseccomp. Particularly, stop assuming that
rules are applied in a particular order or that more rules are
processed after the first match. Neither is the case! In libseccomp
<2.4.0 this lead to some rules having no effect. Libseccomp 2.4.0
changed how rules are generated leading to a different ordering
which in turn lead to a fatal crash during startup. Fixes bug
29819; bugfix on 0.2.5.1-alpha. Patch by Peter Gerber.
src/lib/sandbox/sandbox.c
View file @
6b392c33
...
...
@@ -492,24 +492,6 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
}
rc
=
seccomp_rule_add_1
(
ctx
,
SCMP_ACT_ERRNO
(
EACCES
),
SCMP_SYS
(
open
),
SCMP_CMP_MASKED
(
1
,
O_CLOEXEC
|
O_NONBLOCK
|
O_NOCTTY
|
O_NOFOLLOW
,
O_RDONLY
));
if
(
rc
!=
0
)
{
log_err
(
LD_BUG
,
"(Sandbox) failed to add open syscall, received libseccomp "
"error %d"
,
rc
);
return
rc
;
}
rc
=
seccomp_rule_add_1
(
ctx
,
SCMP_ACT_ERRNO
(
EACCES
),
SCMP_SYS
(
openat
),
SCMP_CMP_MASKED
(
2
,
O_CLOEXEC
|
O_NONBLOCK
|
O_NOCTTY
|
O_NOFOLLOW
,
O_RDONLY
));
if
(
rc
!=
0
)
{
log_err
(
LD_BUG
,
"(Sandbox) failed to add openat syscall, received "
"libseccomp error %d"
,
rc
);
return
rc
;
}
return
0
;
}
...
...
@@ -563,23 +545,6 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
return
0
;
}
static
int
sb__sysctl
(
scmp_filter_ctx
ctx
,
sandbox_cfg_t
*
filter
)
{
int
rc
;
(
void
)
filter
;
(
void
)
ctx
;
rc
=
seccomp_rule_add_0
(
ctx
,
SCMP_ACT_ERRNO
(
EPERM
),
SCMP_SYS
(
_sysctl
));
if
(
rc
!=
0
)
{
log_err
(
LD_BUG
,
"(Sandbox) failed to add _sysctl syscall, "
"received libseccomp error %d"
,
rc
);
return
rc
;
}
return
0
;
}
/**
* Function responsible for setting up the rename syscall for
* the seccomp filter sandbox.
...
...
@@ -1148,7 +1113,6 @@ static sandbox_filter_func_t filter_func[] = {
sb_chmod
,
sb_open
,
sb_openat
,
sb__sysctl
,
sb_rename
,
#ifdef __NR_fcntl64
sb_fcntl64
,
...
...
@@ -1525,14 +1489,14 @@ install_syscall_filter(sandbox_cfg_t* cfg)
int
rc
=
0
;
scmp_filter_ctx
ctx
;
ctx
=
seccomp_init
(
SCMP_ACT_
TRAP
);
ctx
=
seccomp_init
(
SCMP_ACT_
ERRNO
(
EPERM
)
);
if
(
ctx
==
NULL
)
{
log_err
(
LD_BUG
,
"(Sandbox) failed to initialise libseccomp context"
);
rc
=
-
1
;
goto
end
;
}
// protecti
g
n sandbox parameter strings
// protectin
g
sandbox parameter strings
if
((
rc
=
prot_strings
(
ctx
,
cfg
)))
{
goto
end
;
}
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment