Loading changes/bug19660 0 → 100644 +8 −0 Original line number Diff line number Diff line o Minor bugfixes (sandboxing): - If we did not find a non-private IPaddress by iterating over interfaces, we would try to get one via get_interface_address6_via_udp_socket_hack(). This opens a datagram socket with IPPROTO_UDP. Previously all our datagram sockets (via libevent) used IPPROTO_IP, so we did not have that in the sandboxing whitelist. Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist. Fixes bug 19660. src/common/sandbox.c +15 −15 Original line number Diff line number Diff line Loading @@ -589,7 +589,7 @@ static int sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc = 0; int i; int i, j; (void) filter; #ifdef __i386__ Loading @@ -606,21 +606,21 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) for (i = 0; i < 2; ++i) { const int pf = i ? PF_INET : PF_INET6; rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, pf), SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM), SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP)); if (rc) return rc; for (j=0; j < 3; ++j) { const int type = (j == 0) ? SOCK_STREAM : (j == 1) ? SOCK_DGRAM : SOCK_DGRAM; const int protocol = (j == 0) ? IPPROTO_TCP : (j == 1) ? IPPROTO_IP : IPPROTO_UDP; rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, pf), SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM), SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP)); SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type), SCMP_CMP(2, SCMP_CMP_EQ, protocol)); if (rc) return rc; } } rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), Loading Loading
changes/bug19660 0 → 100644 +8 −0 Original line number Diff line number Diff line o Minor bugfixes (sandboxing): - If we did not find a non-private IPaddress by iterating over interfaces, we would try to get one via get_interface_address6_via_udp_socket_hack(). This opens a datagram socket with IPPROTO_UDP. Previously all our datagram sockets (via libevent) used IPPROTO_IP, so we did not have that in the sandboxing whitelist. Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist. Fixes bug 19660.
src/common/sandbox.c +15 −15 Original line number Diff line number Diff line Loading @@ -589,7 +589,7 @@ static int sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc = 0; int i; int i, j; (void) filter; #ifdef __i386__ Loading @@ -606,21 +606,21 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) for (i = 0; i < 2; ++i) { const int pf = i ? PF_INET : PF_INET6; rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, pf), SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM), SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP)); if (rc) return rc; for (j=0; j < 3; ++j) { const int type = (j == 0) ? SOCK_STREAM : (j == 1) ? SOCK_DGRAM : SOCK_DGRAM; const int protocol = (j == 0) ? IPPROTO_TCP : (j == 1) ? IPPROTO_IP : IPPROTO_UDP; rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, pf), SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM), SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP)); SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type), SCMP_CMP(2, SCMP_CMP_EQ, protocol)); if (rc) return rc; } } rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), Loading
