Loading changes/feature22976 0 → 100644 +8 −0 Original line number Diff line number Diff line o Minor features (integration, hardening): - Added a new NoExec option, to prevent Tor from running other programs. When this option is set to 1, Tor will never try to run another program, regardless of the settings of PortForwardingHelper, ClientTransportPlugin, or ServerTransportPlugin. Once NoExec is set, it cannot be disabled without restarting Tor. Closes ticket 22976. doc/tor.1.txt +7 −0 Original line number Diff line number Diff line Loading @@ -775,6 +775,13 @@ GENERAL OPTIONS circuits. If the option is set to "default", we obey a parameter in the consensus document. (Default: auto) [[NoExec]] **NoExec** **0**|**1**:: If this option is set to 1, then Tor will never launch another executable, regardless of the settings of PortForwardingHelper, ClientTransportPlugin, or ServerTransportPlugin. Once this option has been set to 1, it cannot be set back to 0 without restarting Tor. (Default: 0) CLIENT OPTIONS -------------- Loading src/common/sandbox.c +0 −63 Original line number Diff line number Diff line Loading @@ -289,37 +289,6 @@ sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; } #if 0 /** * Function responsible for setting up the execve syscall for * the seccomp filter sandbox. */ static int sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc; sandbox_cfg_t *elem = NULL; // for each dynamic parameter filters for (elem = filter; elem != NULL; elem = elem->next) { smp_param_t *param = elem->param; if (param != NULL && param->prot == 1 && param->syscall == SCMP_SYS(execve)) { rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received " "libseccomp error %d", rc); return rc; } } } return 0; } #endif /** * Function responsible for setting up the time syscall for * the seccomp filter sandbox. Loading Loading 
@@ -1063,9 +1032,6 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) static sandbox_filter_func_t filter_func[] = { sb_rt_sigaction, sb_rt_sigprocmask, #if 0 sb_execve, #endif sb_time, sb_accept4, #ifdef __NR_mmap2 Loading Loading @@ -1417,26 +1383,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) return 0; } #if 0 int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { sandbox_cfg_t *elem = NULL; elem = new_element(SCMP_SYS(execve), com); if (!elem) { log_err(LD_BUG,"(Sandbox) failed to register parameter!"); return -1; } elem->next = *cfg; *cfg = elem; return 0; } #endif /** Cache entry for getaddrinfo results; used when sandboxing is implemented * so that we can consult the cache when the sandbox prevents us from doing * getaddrinfo. Loading Loading @@ -1910,15 +1856,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) return 0; } #if 0 int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { (void)cfg; (void)com; return 0; } #endif int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file) { Loading src/common/sandbox.h +0 −8 Original line number Diff line number Diff line Loading @@ -156,14 +156,6 @@ int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2); */ int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file); #if 0 /** * Function used to add a execve allowed filename to a supplied configuration. * The (char*) specifies the path to the allowed file; that pointer is stolen. */ int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com); #endif /** * Function used to add a stat/stat64 allowed filename to a configuration. * The (char*) specifies the path to the allowed file; that pointer is stolen. Loading src/common/util.c +20 −0 Original line number Diff line number Diff line Loading 
@@ -4142,6 +4142,20 @@ process_handle_waitpid_cb(int status, void *arg) #define CHILD_STATE_EXEC 8 #define CHILD_STATE_FAILEXEC 9 /** @} */ /** * Boolean. If true, then Tor may call execve or CreateProcess via * tor_spawn_background. **/ static int may_spawn_background_process = 1; /** * Turn off may_spawn_background_process, so that all future calls to * tor_spawn_background are guaranteed to fail. **/ void tor_disable_spawning_background_processes(void) { may_spawn_background_process = 0; } /** Start a program in the background. If <b>filename</b> contains a '/', then * it will be treated as an absolute or relative path. Otherwise, on * non-Windows systems, the system path will be searched for <b>filename</b>. Loading @@ -4166,6 +4180,12 @@ tor_spawn_background(const char *const filename, const char **argv, process_environment_t *env, process_handle_t **process_handle_out) { if (BUG(may_spawn_background_process == 0)) { /* We should never reach this point if we're forbidden to spawn * processes. Instead we should have caught the attempt earlier. */ return PROCESS_STATUS_ERROR; } #ifdef _WIN32 HANDLE stdout_pipe_read = NULL; HANDLE stdout_pipe_write = NULL; Loading Loading
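Review bot: The new guard at the top of tor_spawn_background treats a spawn attempt under NoExec as a BUG() — a logged bug warning, not a normal error path — and its comment says callers should have "caught the attempt earlier", yet the hunk above adds only a setter (tor_disable_spawning_background_processes) and no way for a caller to query the flag, so nothing in the shown files can perform that earlier check; unless a getter is added elsewhere in this commit, add one next to the setter, e.g. `int tor_may_spawn_background_processes(void) { return may_spawn_background_process; }`, and have the PortForwardingHelper/transport-plugin launch paths consult it before calling tor_spawn_background. The doc comment on the setter should also state its limits, since the changes file promises NoExec "cannot be disabled without restarting": suggest appending `This is one-way for the lifetime of the process; it does not terminate child processes that are already running.` The config-side half of that promise (rejecting a later NoExec 1→0 transition) is not among the files shown here, so it should be verified in whatever options-transition code wires this setter up. tor_spawn_background's body continues past the end of the second hunk.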
changes/feature22976 0 → 100644 +8 −0 Original line number Diff line number Diff line o Minor features (integration, hardening): - Added a new NoExec option, to prevent Tor from running other programs. When this option is set to 1, Tor will never try to run another program, regardless of the settings of PortForwardingHelper, ClientTransportPlugin, or ServerTransportPlugin. Once NoExec is set, it cannot be disabled without restarting Tor. Closes ticket 22976.
doc/tor.1.txt +7 −0 Original line number Diff line number Diff line Loading @@ -775,6 +775,13 @@ GENERAL OPTIONS circuits. If the option is set to "default", we obey a parameter in the consensus document. (Default: auto) [[NoExec]] **NoExec** **0**|**1**:: If this option is set to 1, then Tor will never launch another executable, regardless of the settings of PortForwardingHelper, ClientTransportPlugin, or ServerTransportPlugin. Once this option has been set to 1, it cannot be set back to 0 without restarting Tor. (Default: 0) CLIENT OPTIONS -------------- Loading
src/common/sandbox.c +0 −63 Original line number Diff line number Diff line Loading @@ -289,37 +289,6 @@ sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; } #if 0 /** * Function responsible for setting up the execve syscall for * the seccomp filter sandbox. */ static int sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc; sandbox_cfg_t *elem = NULL; // for each dynamic parameter filters for (elem = filter; elem != NULL; elem = elem->next) { smp_param_t *param = elem->param; if (param != NULL && param->prot == 1 && param->syscall == SCMP_SYS(execve)) { rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received " "libseccomp error %d", rc); return rc; } } } return 0; } #endif /** * Function responsible for setting up the time syscall for * the seccomp filter sandbox. Loading Loading @@ -1063,9 +1032,6 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) static sandbox_filter_func_t filter_func[] = { sb_rt_sigaction, sb_rt_sigprocmask, #if 0 sb_execve, #endif sb_time, sb_accept4, #ifdef __NR_mmap2 Loading Loading @@ -1417,26 +1383,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) return 0; } #if 0 int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { sandbox_cfg_t *elem = NULL; elem = new_element(SCMP_SYS(execve), com); if (!elem) { log_err(LD_BUG,"(Sandbox) failed to register parameter!"); return -1; } elem->next = *cfg; *cfg = elem; return 0; } #endif /** Cache entry for getaddrinfo results; used when sandboxing is implemented * so that we can consult the cache when the sandbox prevents us from doing * getaddrinfo. Loading Loading 
@@ -1910,15 +1856,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) return 0; } #if 0 int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { (void)cfg; (void)com; return 0; } #endif int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file) { Loading
src/common/sandbox.h +0 −8 Original line number Diff line number Diff line Loading @@ -156,14 +156,6 @@ int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2); */ int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file); #if 0 /** * Function used to add a execve allowed filename to a supplied configuration. * The (char*) specifies the path to the allowed file; that pointer is stolen. */ int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com); #endif /** * Function used to add a stat/stat64 allowed filename to a configuration. * The (char*) specifies the path to the allowed file; that pointer is stolen. Loading
src/common/util.c +20 −0 Original line number Diff line number Diff line Loading @@ -4142,6 +4142,20 @@ process_handle_waitpid_cb(int status, void *arg) #define CHILD_STATE_EXEC 8 #define CHILD_STATE_FAILEXEC 9 /** @} */ /** * Boolean. If true, then Tor may call execve or CreateProcess via * tor_spawn_background. **/ static int may_spawn_background_process = 1; /** * Turn off may_spawn_background_process, so that all future calls to * tor_spawn_background are guaranteed to fail. **/ void tor_disable_spawning_background_processes(void) { may_spawn_background_process = 0; } /** Start a program in the background. If <b>filename</b> contains a '/', then * it will be treated as an absolute or relative path. Otherwise, on * non-Windows systems, the system path will be searched for <b>filename</b>. Loading @@ -4166,6 +4180,12 @@ tor_spawn_background(const char *const filename, const char **argv, process_environment_t *env, process_handle_t **process_handle_out) { if (BUG(may_spawn_background_process == 0)) { /* We should never reach this point if we're forbidden to spawn * processes. Instead we should have caught the attempt earlier. */ return PROCESS_STATUS_ERROR; } #ifdef _WIN32 HANDLE stdout_pipe_read = NULL; HANDLE stdout_pipe_write = NULL; Loading