src/common/address.c +1 −1 @@ -235,7 +235,7 @@ tor_addr_lookup(const char *name, uint16_t family, tor_addr_t *addr) memset(&hints, 0, sizeof(hints)); hints.ai_family = family; hints.ai_socktype = SOCK_STREAM; err = sandbox_getaddrinfo(name, &hints, &res); err = sandbox_getaddrinfo(name, NULL, &hints, &res); if (!err) { best = NULL; for (res_p = res; res_p; res_p = res_p->ai_next) {
src/common/sandbox.c +70 −7 @@ -26,10 +26,6 @@ #include "util.h" #include "tor_queue.h" #if defined(HAVE_SECCOMP_H) && defined(__linux__) #define USE_LIBSECCOMP #endif #define DEBUGGING_CLOSE #if defined(USE_LIBSECCOMP) @@ -1083,11 +1079,15 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...) } int sandbox_getaddrinfo(const char *name, const struct addrinfo *hints, sandbox_getaddrinfo(const char *name, const char *servname, const struct addrinfo *hints, struct addrinfo **res) { sb_addr_info_t *el; if (servname != NULL) return -1; *res = NULL; for (el = sb_addr_info; el; el = el->next) { @@ -1392,15 +1392,18 @@ sandbox_init(sandbox_cfg_t* cfg) return initialise_libseccomp_sandbox(cfg); #elif defined(_WIN32) (void)cfg; log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is " "currently disabled."); return 0; #elif defined(TARGET_OS_MAC) (void)cfg; log_warn(LD_BUG,"Mac OSX sandboxing is not implemented. The feature is " "currently disabled"); return 0; #else (void)cfg; log_warn(LD_BUG,"Sandboxing is not implemented for your platform. The " "feature is currently disabled"); return 0;
@@ -1417,3 +1420,63 @@ sandbox_set_debugging_fd(int fd) #endif } #ifndef USE_LIBSECCOMP int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr) { (void)cfg; (void)file; (void)fr; return 0; } int sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...) { (void)cfg; return 0; } int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, int fr) { (void)cfg; (void)file; (void)fr; return 0; } int sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...) { (void)cfg; return 0; } int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { (void)cfg; (void)com; return 0; } int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...) { (void)cfg; return 0; } int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, int fr) { (void)cfg; (void)file; (void)fr; return 0; } int sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...) { (void)cfg; return 0; } #endif
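Review bot: In the `sandbox_getaddrinfo` hunk (@@ -1083) the new `servname` check returns before `*res = NULL;` runs, so on that path the caller's `res` keeps whatever value it had, and a caller that frees or walks `res` after a failure would act on a stale pointer. Move the assignment above the check, i.e. `*res = NULL;` followed by `if (servname != NULL) return -1;`. The bare `-1` is also not picked from the `EAI_*` set; on glibc it happens to equal `EAI_BADFLAGS`, so a `gai_strerror()` log line would blame the flags, and `EAI_SERVICE` may describe the rejection better if callers only test for non-zero. The function body continues outside the hunk.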
src/common/sandbox.h +27 −7 @@ -12,6 +12,9 @@ #ifndef SANDBOX_H_ #define SANDBOX_H_ #include "orconfig.h" #include "torint.h" #ifndef SYS_SECCOMP /** @@ -22,12 +25,15 @@ #endif #include "torint.h" #if defined(HAVE_SECCOMP_H) && defined(__linux__) #define USE_LIBSECCOMP #endif /** * Linux definitions */ #ifdef __linux__ #ifdef USE_LIBSECCOMP #ifndef __USE_GNU #define __USE_GNU @@ -80,8 +86,6 @@ struct sandbox_cfg_elem { /** Next element of the configuration*/ struct sandbox_cfg_elem *next; }; /** Typedef to structure used to manage a sandbox configuration. */ typedef struct sandbox_cfg_elem sandbox_cfg_t; /** * Structure used for keeping a linked list of getaddrinfo pre-recorded @@ -127,22 +131,38 @@ typedef struct { #endif #endif // __linux__ #endif // USE_LIBSECCOMP /** Typedef to structure used to manage a sandbox configuration. */ typedef struct sandbox_cfg_elem sandbox_cfg_t; #ifdef USE_LIBSECCOMP /** Pre-calls getaddrinfo in order to pre-record result. */ int sandbox_add_addrinfo(const char *addr); struct addrinfo; /** Replacement for getaddrinfo(), using pre-recorded results. */ int sandbox_getaddrinfo(const char *name, const struct addrinfo *hints, int sandbox_getaddrinfo(const char *name, const char *servname, const struct addrinfo *hints, struct addrinfo **res); #else #define sandbox_getaddrinfo(name, servname, hints, res) \ getaddrinfo((name),(servname), (hints),(res)) #define sandbox_add_addrinfo(name) \ ((void)(name)) #endif /** Use <b>fd</b> to log non-survivable sandbox violations. */ void sandbox_set_debugging_fd(int fd); #ifdef USE_LIBSECCOMP /** Returns a registered protected string used with the sandbox, given that * it matches the parameter. */ const char* sandbox_intern_string(const char *param); #else #define sandbox_intern_string(s) (s) #endif /** Creates an empty sandbox configuration file.*/ sandbox_cfg_t * sandbox_cfg_new(void);
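Review bot: The non-seccomp fallback `#define sandbox_add_addrinfo(name) ((void)(name))` in the last hunk has type void while the real function returns `int`, so a caller that checks the result compiles only with USE_LIBSECCOMP, which pushes callers toward ignoring a failed pre-record. Give the macro a value, `#define sandbox_add_addrinfo(name) ((void)(name), 0)`. The `sandbox_getaddrinfo` doc comment should also state that under the sandbox `servname` must be NULL and any other value fails with -1 (as the sandbox.c section shows), because the fallback macro passes `servname` straight to getaddrinfo() and the two builds therefore behave differently.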