Loading changes/sandbox_fixes_11351 0 → 100644 +13 −0 Original line number Diff line number Diff line o Major features: - Refinements and improvements to the Linux seccomp2 sandbox code: the sandbox can now run a test network for multiple hours without crashing. (Previous crash reasons included: reseeding the OpenSSL PRNG, seeding the Libevent PRNG, using the wrong combination of CLOEXEC and NONBLOCK at the same place and time, having server keys, being an authority, receiving a HUP, or using IPv6.) The sandbox is still experimental, and more bugs will probably turn up. To try it, enable "Sandbox 1" on a Linux host. - Strengthen the Linux seccomp2 sandbox code: the sandbox can now test the arguments for rename(), and blocks _sysctl() entirely. configure.ac +1 −0 Original line number Diff line number Diff line Loading @@ -435,6 +435,7 @@ AC_CHECK_FUNCS([event_get_version \ event_set_log_callback \ evdns_set_outgoing_bind_address \ evutil_secure_rng_set_urandom_device_file \ evutil_secure_rng_init \ event_base_loopexit]) AC_CHECK_MEMBERS([struct event.min_heap_idx], , , [#include <event.h> Loading src/common/compat.c +12 −2 Original line number Diff line number Diff line Loading @@ -144,6 +144,7 @@ tor_open_cloexec(const char *path, int flags, unsigned mode) return -1; #endif log_debug(LD_FS, "Opening %s with flags %x", path, flags); fd = open(path, flags, mode); #ifdef FD_CLOEXEC if (fd >= 0) { Loading Loading @@ -175,6 +176,15 @@ tor_fopen_cloexec(const char *path, const char *mode) return result; } /** As rename(), but work correctly with the sandbox. */ int tor_rename(const char *path_old, const char *path_new) { log_debug(LD_FS, "Renaming %s to %s", path_old, path_new); return rename(sandbox_intern_string(path_old), sandbox_intern_string(path_new)); } #if defined(HAVE_SYS_MMAN_H) || defined(RUNNING_DOXYGEN) /** Try to create a memory mapping for <b>filename</b> and return it. On * failure, return NULL. Sets errno properly, using ERANGE to mean Loading Loading 
@@ -799,7 +809,7 @@ int replace_file(const char *from, const char *to) { #ifndef _WIN32 return rename(from,to); return tor_rename(from, to); #else switch (file_status(to)) { Loading @@ -814,7 +824,7 @@ replace_file(const char *from, const char *to) errno = EISDIR; return -1; } return rename(from,to); return tor_rename(from,to); #endif } Loading src/common/compat.h +1 −0 Original line number Diff line number Diff line Loading @@ -410,6 +410,7 @@ struct tm *tor_gmtime_r(const time_t *timep, struct tm *result); /* ===== File compatibility */ int tor_open_cloexec(const char *path, int flags, unsigned mode); FILE *tor_fopen_cloexec(const char *path, const char *mode); int tor_rename(const char *path_old, const char *path_new); int replace_file(const char *from, const char *to); int touch_file(const char *fname); Loading src/common/compat_libevent.c +19 −0 Original line number Diff line number Diff line Loading @@ -13,6 +13,8 @@ #include "compat.h" #include "compat_libevent.h" #include "crypto.h" #include "util.h" #include "torlog.h" Loading Loading @@ -626,6 +628,23 @@ tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev, } #endif int tor_init_libevent_rng(void) { int rv = 0; #ifdef HAVE_EVUTIL_SECURE_RNG_INIT char buf[256]; if (evutil_secure_rng_init() < 0) { rv = -1; } /* Older libevent -- manually initialize the RNG */ crypto_rand(buf, 32); evutil_secure_rng_add_bytes(buf, 32); evutil_secure_rng_get_bytes(buf, sizeof(buf)); #endif return rv; } #if defined(LIBEVENT_VERSION_NUMBER) && LIBEVENT_VERSION_NUMBER >= V(2,1,1) \ && !defined(TOR_UNIT_TESTS) void Loading Loading
changes/sandbox_fixes_11351 0 → 100644 +13 −0 Original line number Diff line number Diff line o Major features: - Refinements and improvements to the Linux seccomp2 sandbox code: the sandbox can now run a test network for multiple hours without crashing. (Previous crash reasons included: reseeding the OpenSSL PRNG, seeding the Libevent PRNG, using the wrong combination of CLOEXEC and NONBLOCK at the same place and time, having server keys, being an authority, receiving a HUP, or using IPv6.) The sandbox is still experimental, and more bugs will probably turn up. To try it, enable "Sandbox 1" on a Linux host. - Strengthen the Linux seccomp2 sandbox code: the sandbox can now test the arguments for rename(), and blocks _sysctl() entirely.
configure.ac +1 −0 Original line number Diff line number Diff line Loading @@ -435,6 +435,7 @@ AC_CHECK_FUNCS([event_get_version \ event_set_log_callback \ evdns_set_outgoing_bind_address \ evutil_secure_rng_set_urandom_device_file \ evutil_secure_rng_init \ event_base_loopexit]) AC_CHECK_MEMBERS([struct event.min_heap_idx], , , [#include <event.h> Loading
src/common/compat.c +12 −2 Original line number Diff line number Diff line Loading @@ -144,6 +144,7 @@ tor_open_cloexec(const char *path, int flags, unsigned mode) return -1; #endif log_debug(LD_FS, "Opening %s with flags %x", path, flags); fd = open(path, flags, mode); #ifdef FD_CLOEXEC if (fd >= 0) { Loading Loading @@ -175,6 +176,15 @@ tor_fopen_cloexec(const char *path, const char *mode) return result; } /** As rename(), but work correctly with the sandbox. */ int tor_rename(const char *path_old, const char *path_new) { log_debug(LD_FS, "Renaming %s to %s", path_old, path_new); return rename(sandbox_intern_string(path_old), sandbox_intern_string(path_new)); } #if defined(HAVE_SYS_MMAN_H) || defined(RUNNING_DOXYGEN) /** Try to create a memory mapping for <b>filename</b> and return it. On * failure, return NULL. Sets errno properly, using ERANGE to mean Loading Loading @@ -799,7 +809,7 @@ int replace_file(const char *from, const char *to) { #ifndef _WIN32 return rename(from,to); return tor_rename(from, to); #else switch (file_status(to)) { Loading @@ -814,7 +824,7 @@ replace_file(const char *from, const char *to) errno = EISDIR; return -1; } return rename(from,to); return tor_rename(from,to); #endif } Loading
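Review bot: The one-line comment on tor_rename does not say why both paths go through sandbox_intern_string() before reaching rename(), which is the only reason the wrapper exists; a maintainer who later passes a freshly built string will not learn from it that the interned copy is required. Suggest `/** As rename(), but pass both paths through sandbox_intern_string() so the seccomp argument filter (which presumably matches the registered string pointers rather than their contents) accepts the call; both paths must have been allowed when the sandbox was configured. */`. The same wrapper is what replace_file() now calls in both its POSIX and _WIN32 branches, so any path that reaches replace_file() inherits that requirement. replace_file starts and ends outside these hunks, and tor_open_cloexec's body continues outside the first hunk.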
src/common/compat.h +1 −0 Original line number Diff line number Diff line Loading @@ -410,6 +410,7 @@ struct tm *tor_gmtime_r(const time_t *timep, struct tm *result); /* ===== File compatibility */ int tor_open_cloexec(const char *path, int flags, unsigned mode); FILE *tor_fopen_cloexec(const char *path, const char *mode); int tor_rename(const char *path_old, const char *path_new); int replace_file(const char *from, const char *to); int touch_file(const char *fname); Loading
src/common/compat_libevent.c +19 −0 Original line number Diff line number Diff line Loading @@ -13,6 +13,8 @@ #include "compat.h" #include "compat_libevent.h" #include "crypto.h" #include "util.h" #include "torlog.h" Loading Loading @@ -626,6 +628,23 @@ tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev, } #endif int tor_init_libevent_rng(void) { int rv = 0; #ifdef HAVE_EVUTIL_SECURE_RNG_INIT char buf[256]; if (evutil_secure_rng_init() < 0) { rv = -1; } /* Older libevent -- manually initialize the RNG */ crypto_rand(buf, 32); evutil_secure_rng_add_bytes(buf, 32); evutil_secure_rng_get_bytes(buf, sizeof(buf)); #endif return rv; } #if defined(LIBEVENT_VERSION_NUMBER) && LIBEVENT_VERSION_NUMBER >= V(2,1,1) \ && !defined(TOR_UNIT_TESTS) void Loading
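Review bot: The 32 bytes that crypto_rand() writes into `buf` in tor_init_libevent_rng are the seed material handed to libevent's RNG and are left on the stack when the function returns; clear them before the end of the #ifdef block with `memwipe(buf, 0, sizeof(buf));` (crypto.h is already included by this change). The comment `/* Older libevent -- manually initialize the RNG */` is also misleading, because it sits inside `#ifdef HAVE_EVUTIL_SECURE_RNG_INIT` and therefore only runs on builds whose libevent already has evutil_secure_rng_init(); something like `/* Mix Tor's CSPRNG output into libevent's RNG as well, in case its own init found no usable entropy source */` states the apparent intent, hedged since that intent is inferred from the code. Note that the configure.ac hunk only probes for evutil_secure_rng_init, so whether evutil_secure_rng_add_bytes() exists in every build that defines HAVE_EVUTIL_SECURE_RNG_INIT is not established on this page.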