Code to enable sandboxing.
#include "orconfig.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "sandbox.h"
#include "container.h"
#include "torlog.h"
#include "torint.h"
#include "util.h"
#include "tor_queue.h"
#include "ht.h"
Macros | |
#define | _LARGEFILE64_SOURCE |
#define | MALLOC_MP_LIM (20*1024*1024) |
#define | DEBUGGING_CLOSE |
Functions | |
sandbox_cfg_t * | sandbox_cfg_new (void) |
int | sandbox_init (sandbox_cfg_t *cfg) |
int | sandbox_cfg_allow_open_filename (sandbox_cfg_t **cfg, char *file) |
int | sandbox_cfg_allow_openat_filename (sandbox_cfg_t **cfg, char *file) |
int | sandbox_cfg_allow_stat_filename (sandbox_cfg_t **cfg, char *file) |
int | sandbox_cfg_allow_chown_filename (sandbox_cfg_t **cfg, char *file) |
int | sandbox_cfg_allow_chmod_filename (sandbox_cfg_t **cfg, char *file) |
int | sandbox_cfg_allow_rename (sandbox_cfg_t **cfg, char *file1, char *file2) |
int | sandbox_is_active (void) |
void | sandbox_disable_getaddrinfo_cache (void) |
Code to enable sandboxing.
#define _LARGEFILE64_SOURCE
Temporarily required for O_LARGEFILE flag. Needs to be removed with the libevent fix.
#define MALLOC_MP_LIM (20*1024*1024)
Malloc mprotect limit in bytes.
28/06/2017: This value was increased from 16 MB to 20 MB after we introduced LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but liblzma has a small overhead that we need to compensate for; otherwise the process would be killed by the sandbox.
int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file)
Adds a filename for which open is allowed to the supplied configuration. The file argument (char *) specifies the path to the allowed file; the configuration takes ownership of the pointer, so the caller must not free it afterwards.
int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file)
Adds a filename for which openat is allowed to the supplied configuration. The file argument (char *) specifies the path to the allowed file; the configuration takes ownership of ("steals") the pointer, so the caller must not free it afterwards.
int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file)
Adds a filename for which stat/stat64 is allowed to the supplied configuration. The file argument (char *) specifies the path to the allowed file; the configuration takes ownership of ("steals") the pointer, so the caller must not free it afterwards.
sandbox_cfg_t *sandbox_cfg_new(void)
Creates a new, empty sandbox configuration.
int sandbox_init(sandbox_cfg_t *cfg)
Function used to initialise a sandbox configuration.
int sandbox_is_active(void)
Return true iff the sandbox is turned on.