| blob | 7c024d7e37ef16d1076b85a531a3022242b23a2f |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file sandbox.c
9 * \brief Code to enable sandboxing.
10 **/
14 #ifndef _LARGEFILE64_SOURCE
15 /**
16 * Temporarily required for O_LARGEFILE flag. Needs to be removed
17 * with the libevent fix.
18 */
19 #define _LARGEFILE64_SOURCE
22 /** Malloc mprotect limit in bytes.
23 *
24 * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced
25 * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but
26 * liblzma have a small overhead that we need to compensate for to avoid being
27 * killed by the sandbox.
28 */
29 #define MALLOC_MP_LIM (20*1024*1024)
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34 #include <errno.h>
48 #define DEBUGGING_CLOSE
50 #if defined(USE_LIBSECCOMP)
52 #include <sys/mman.h>
53 #include <sys/syscall.h>
54 #include <sys/types.h>
55 #include <sys/stat.h>
56 #include <sys/epoll.h>
57 #include <sys/prctl.h>
58 #include <linux/futex.h>
59 #include <sys/file.h>
61 #ifdef ENABLE_FRAGILE_HARDENING
62 #include <sys/ptrace.h>
63 #endif
65 #include <stdarg.h>
66 #include <seccomp.h>
67 #include <signal.h>
68 #include <unistd.h>
69 #include <fcntl.h>
70 #include <time.h>
71 #include <poll.h>
73 #ifdef HAVE_GNU_LIBC_VERSION_H
74 #include <gnu/libc-version.h>
75 #endif
76 #ifdef HAVE_LINUX_NETFILTER_IPV4_H
77 #include <linux/netfilter_ipv4.h>
78 #endif
79 #ifdef HAVE_LINUX_IF_H
80 #include <linux/if.h>
81 #endif
82 #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
83 #include <linux/netfilter_ipv6/ip6_tables.h>
84 #endif
86 #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \
87 defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION)
88 #define USE_BACKTRACE
89 #define BACKTRACE_PRIVATE
93 #ifdef USE_BACKTRACE
94 #include <execinfo.h>
95 #endif
97 /**
98 * Linux 32 bit definitions
99 */
100 #if defined(__i386__)
102 #define REG_SYSCALL REG_EAX
103 #define M_SYSCALL gregs[REG_SYSCALL]
105 /**
106 * Linux 64 bit definitions
107 */
108 #elif defined(__x86_64__)
110 #define REG_SYSCALL REG_RAX
111 #define M_SYSCALL gregs[REG_SYSCALL]
113 #elif defined(__arm__)
115 #define M_SYSCALL arm_r7
117 #elif defined(__aarch64__) && defined(__LP64__)
119 #define REG_SYSCALL 8
120 #define M_SYSCALL regs[REG_SYSCALL]
124 #ifdef M_SYSCALL
125 #define SYSCALL_NAME_DEBUGGING
126 #endif
128 /**Determines if at least one sandbox is active.*/
130 /** Holds the parameter list configuration for the sandbox.*/
133 #undef SCMP_CMP
134 #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
135 #define SCMP_CMP_STR(a,b,c) \
136 ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
137 #define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
138 /* We use a wrapper here because these masked comparisons seem to be pretty
139 * verbose. Also, it's important to cast to scmp_datum_t before negating the
140 * mask, since otherwise the negation might get applied to a 32 bit value, and
141 * the high bits of the value might get masked out improperly. */
142 #define SCMP_CMP_MASKED(a,b,c) \
143 SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
144 /* Negative constants aren't consistently sign extended or zero extended.
145 * Different compilers, libc, and architectures behave differently. For cases
146 * where the kernel ABI uses a 32 bit integer, this macro can be used to
147 * mask-compare only the lower 32 bits of the value. */
148 #define SCMP_CMP_LOWER32_EQ(a,b) \
149 SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, (unsigned int)(b))
151 /** Variable used for storing all syscall numbers that will be allowed with the
152 * stage 1 general Tor sandbox.
153 */
157 #ifdef __NR_clock_gettime64
159 #else
161 #endif
165 #ifdef __NR_clone3
167 #endif
170 #ifdef __NR_epoll_pwait
172 #endif
173 #ifdef HAVE_EVENTFD
175 #endif
176 #ifdef HAVE_PIPE2
178 #endif
179 #ifdef HAVE_PIPE
181 #endif
182 #ifdef __NR_fchmod
184 #endif
187 #ifdef __NR_fstat64
189 #endif
195 #ifdef __NR_getegid32
197 #endif
199 #ifdef __NR_geteuid32
201 #endif
203 #ifdef __NR_getgid32
205 #endif
207 #ifdef ENABLE_FRAGILE_HARDENING
209 #endif
210 #ifdef __NR_getrlimit
212 #endif
216 #ifdef __NR_getuid32
218 #endif
220 #ifdef __NR__llseek
222 #endif
223 // glob uses this..
227 #ifdef __NR_mmap
228 /* XXXX restrict this in the same ways as mmap2 */
230 #endif
232 #ifdef __NR_nanosleep
234 #endif
235 #ifdef __NR_prlimit
237 #endif
238 #ifdef __NR_prlimit64
240 #endif
243 #ifdef __NR_rseq
245 #endif
247 #ifdef __NR_sched_yield
249 #endif
252 #ifdef __NR_setrlimit
254 #endif
256 #ifdef __NR_sigaltstack
258 #endif
259 #ifdef __NR_sigreturn
261 #endif
263 #if defined(__i386__) && defined(__NR_statx)
265 #endif
274 #ifdef __NR_stat64
275 // getaddrinfo uses this..
277 #endif
279 #ifdef __NR_getrandom
281 #endif
283 #ifdef __NR_sysinfo
284 // qsort uses this..
286 #endif
287 /*
288 * These socket syscalls are not required on x86_64 and not supported with
289 * some libseccomp versions (eg: 1.0.1)
290 */
291 #if defined(__i386)
294 #endif
296 // socket syscalls
301 #ifdef ENABLE_NSS
302 #ifdef __NR_getpeername
304 #endif
305 #endif
310 #ifdef __NR_unlinkat
312 #endif
314 };
316 /* opendir is not a syscall but it will use either open or openat. We do not
317 * want the decision to allow open/openat to be the callers reponsability, so
318 * we create a phony syscall number for opendir and sb_opendir will choose the
319 * correct syscall. */
320 #define PHONY_OPENDIR_SYSCALL -2
322 /* These macros help avoid the error where the number of filters we add on a
323 * single rule don't match the arg_cnt param. */
324 #define seccomp_rule_add_0(ctx,act,call) \
325 seccomp_rule_add((ctx),(act),(call),0)
326 #define seccomp_rule_add_1(ctx,act,call,f1) \
327 seccomp_rule_add((ctx),(act),(call),1,(f1))
328 #define seccomp_rule_add_2(ctx,act,call,f1,f2) \
329 seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
330 #define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
331 seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
332 #define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
333 seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
337 /**
338 * Function responsible for setting up the rt_sigaction syscall for
339 * the seccomp filter sandbox.
340 */
341 static int
343 {
348 #ifdef SIGXFSZ
349 SIGXFSZ
350 #endif
351 };
359 }
362 }
364 #ifdef __NR_time
365 /**
366 * Function responsible for setting up the time syscall for
367 * the seccomp filter sandbox.
368 */
369 static int
371 {
376 }
379 /**
380 * Function responsible for setting up the accept4 syscall for
381 * the seccomp filter sandbox.
382 */
383 static int
385 {
389 #ifdef __i386__
394 }
401 }
404 }
406 #ifdef __NR_mmap2
407 /**
408 * Function responsible for setting up the mmap2 syscall for
409 * the seccomp filter sandbox.
410 */
411 static int
413 {
422 }
429 }
436 }
443 }
450 }
457 }
464 }
467 }
470 #ifdef HAVE_GNU_LIBC_VERSION_H
471 #ifdef HAVE_GNU_GET_LIBC_VERSION
472 #define CHECK_LIBC_VERSION
473 #endif
474 #endif
476 /* Return true the libc version is greater or equal than
477 * <b>major</b>.<b>minor</b>. Returns false otherwise. */
478 static int
480 {
481 #ifdef CHECK_LIBC_VERSION
494 else
501 }
503 /* Return true if we think we're running with a libc that uses openat for the
504 * open function on linux. */
505 static int
507 {
509 }
511 /* Return true if we think we're running with a libc that uses openat for the
512 * opendir function on linux. */
513 static int
515 {
516 // libc 2.27 and above or between 2.15 (inclusive) and 2.22 (exclusive)
519 }
521 /** Allow a single file to be opened. If <b>use_openat</b> is true,
522 * we're using a libc that remaps all the opens into openats. */
523 static int
525 {
533 }
534 }
536 /**
537 * Function responsible for setting up the open syscall for
538 * the seccomp filter sandbox.
539 */
540 static int
542 {
548 #ifdef ENABLE_FRAGILE_HARDENING
549 /* AddressSanitizer uses the "open" syscall to access information about the
550 * running process via the filesystem, so that call must be allowed without
551 * restriction or the sanitizer will be unable to execute normally when the
552 * process terminates. */
558 }
560 /* If glibc also uses only the "open" syscall to open files on this system
561 * there is no need to consider any additional rules. */
564 #endif
566 // for each dynamic parameter filters
577 }
578 }
579 }
582 }
584 static int
586 {
590 // for each dynamic parameter filters
602 }
603 }
604 }
607 }
609 static int
611 {
615 // for each dynamic parameter filters
628 }
629 }
630 }
633 }
635 #ifdef __i386__
636 static int
638 {
642 // for each dynamic parameter filters
654 }
655 }
656 }
659 }
660 #else
661 static int
663 {
667 // for each dynamic parameter filters
679 }
680 }
681 }
684 }
687 static int
689 {
693 // for each dynamic parameter filters
706 }
707 }
708 }
711 }
713 /**
714 * Function responsible for setting up the rename syscall for
715 * the seccomp filter sandbox.
716 */
717 static int
719 {
723 // for each dynamic parameter filters
737 }
738 }
739 }
742 }
744 /**
745 * Function responsible for setting up the renameat syscall for
746 * the seccomp filter sandbox.
747 */
748 static int
750 {
754 // for each dynamic parameter filters
770 }
771 }
772 }
775 }
777 /**
778 * Function responsible for setting up the openat syscall for
779 * the seccomp filter sandbox.
780 */
781 static int
783 {
787 // for each dynamic parameter filters
797 O_CLOEXEC));
802 }
803 }
804 }
807 }
809 static int
811 {
815 // for each dynamic parameter filters
826 }
827 }
828 }
831 }
833 #ifdef ENABLE_FRAGILE_HARDENING
834 /**
835 * Function responsible for setting up the ptrace syscall for
836 * the seccomp filter sandbox.
837 */
838 static int
840 {
858 }
859 #endif
861 /**
862 * Function responsible for setting up the socket syscall for
863 * the seccomp filter sandbox.
864 */
865 static int
867 {
872 #ifdef __i386__
876 #endif
888 SOCK_DGRAM;
891 IPPROTO_UDP;
898 }
899 }
901 #ifdef ENABLE_NSS
932 }
934 /**
935 * Function responsible for setting up the socketpair syscall for
936 * the seccomp filter sandbox.
937 */
938 static int
940 {
944 #ifdef __i386__
948 #endif
957 }
959 #ifdef HAVE_KIST_SUPPORT
961 #include <linux/sockios.h>
963 static int
965 {
974 }
978 /**
979 * Function responsible for setting up the setsockopt syscall for
980 * the seccomp filter sandbox.
981 */
982 static int
984 {
988 #ifdef __i386__
992 #endif
1012 #ifdef HAVE_SYSTEMD
1020 #ifdef IP_TRANSPARENT
1028 #ifdef IPV6_V6ONLY
1037 }
1039 /**
1040 * Function responsible for setting up the getsockopt syscall for
1041 * the seccomp filter sandbox.
1042 */
1043 static int
1045 {
1049 #ifdef __i386__
1053 #endif
1067 #ifdef HAVE_SYSTEMD
1075 #ifdef HAVE_LINUX_NETFILTER_IPV4_H
1083 #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
1091 #ifdef HAVE_KIST_SUPPORT
1092 #include <netinet/tcp.h>
1101 }
1103 #ifdef __NR_fcntl64
1104 /**
1105 * Function responsible for setting up the fcntl64 syscall for
1106 * the seccomp filter sandbox.
1107 */
1108 static int
1110 {
1137 }
1140 /**
1141 * Function responsible for setting up the epoll_ctl syscall for
1142 * the seccomp filter sandbox.
1143 *
1144 * Note: basically allows everything but will keep for now..
1145 */
1146 static int
1148 {
1168 }
1170 /**
1171 * Function responsible for setting up the prctl syscall for
1172 * the seccomp filter sandbox.
1173 *
1174 * NOTE: if multiple filters need to be added, the PR_SECCOMP parameter needs
1175 * to be allowlisted in this function.
1176 */
1177 static int
1179 {
1183 #ifdef ENABLE_FRAGILE_HARDENING
1193 #endif
1201 }
1203 /**
1204 * Function responsible for setting up the mprotect syscall for
1205 * the seccomp filter sandbox.
1206 *
1207 * NOTE: does not NEED to be here.. currently only occurs before filter; will
1208 * keep just in case for the future.
1209 */
1210 static int
1212 {
1227 }
1229 /**
1230 * Function responsible for setting up the rt_sigprocmask syscall for
1231 * the seccomp filter sandbox.
1232 */
1233 static int
1235 {
1239 #ifdef ENABLE_FRAGILE_HARDENING
1244 #endif
1257 }
1259 /**
1260 * Function responsible for setting up the flock syscall for
1261 * the seccomp filter sandbox.
1262 *
1263 * NOTE: does not need to be here, occurs before filter is applied.
1264 */
1265 static int
1267 {
1282 }
1284 /**
1285 * Function responsible for setting up the futex syscall for
1286 * the seccomp filter sandbox.
1287 */
1288 static int
1290 {
1294 // can remove
1312 }
1314 /**
1315 * Function responsible for setting up the mremap syscall for
1316 * the seccomp filter sandbox.
1317 *
1318 * NOTE: so far only occurs before filter is applied.
1319 */
1320 static int
1322 {
1332 }
1334 #ifdef __NR_stat64
1335 /**
1336 * Function responsible for setting up the stat64 syscall for
1337 * the seccomp filter sandbox.
1338 */
1339 static int
1341 {
1345 // for each dynamic parameter filters
1357 }
1358 }
1359 }
1362 }
1365 static int
1367 {
1369 #ifdef __NR_kill
1370 /* Allow killing anything with signal 0 -- it isn't really a kill. */
1373 #else
1376 }
1378 /**
1379 * Array of function pointers responsible for filtering different syscalls at
1380 * a parameter level.
1381 */
1383 sb_rt_sigaction,
1384 sb_rt_sigprocmask,
1385 #ifdef __NR_time
1386 sb_time,
1387 #endif
1388 sb_accept4,
1389 #ifdef __NR_mmap2
1390 sb_mmap2,
1391 #endif
1392 #ifdef __i386__
1393 sb_chown32,
1394 #else
1395 sb_chown,
1396 #endif
1397 sb_fchownat,
1398 sb_chmod,
1399 sb_fchmodat,
1400 sb_open,
1401 sb_openat,
1402 sb_opendir,
1403 #ifdef ENABLE_FRAGILE_HARDENING
1404 sb_ptrace,
1405 #endif
1406 sb_rename,
1407 sb_renameat,
1408 #ifdef __NR_fcntl64
1409 sb_fcntl64,
1410 #endif
1411 sb_epoll_ctl,
1412 sb_prctl,
1413 sb_mprotect,
1414 sb_flock,
1415 sb_futex,
1416 sb_mremap,
1417 #ifdef __NR_stat64
1418 sb_stat64,
1419 #endif
1421 sb_socket,
1422 sb_setsockopt,
1423 sb_getsockopt,
1424 sb_socketpair,
1425 #ifdef HAVE_KIST_SUPPORT
1426 sb_ioctl,
1427 #endif
1428 sb_kill
1429 };
1431 /**
1432 * Return the interned (and hopefully sandbox-permitted) string equal
1433 * to @a str.
1434 *
1435 * Return NULL if `str` is NULL, or `str` is not an interned string.
1436 **/
1439 {
1444 }
1447 }
1449 /**
1450 * Return true if the sandbox is running and we are missing an interned string
1451 * equal to @a str.
1452 */
1453 bool
1455 {
1457 }
1459 /**
1460 * Try to find and return the interned string equal to @a str.
1461 *
1462 * If there is no such string, return NULL.
1463 **/
1466 {
1478 }
1481 }
1482 }
1483 }
1486 }
1488 /* DOCDOC */
1489 static int
1494 {
1507 // We already interned this string.
1512 // copy to protected
1516 // re-point el parameter to protected
1522 // move next available protected memory
1529 }
1530 }
1532 /**
1533 * Protects all the strings in the sandbox's parameter list configuration. It
1534 * works by calculating the total amount of memory required by the parameter
1535 * list, allocating the memory using mmap, and protecting it from writes with
1536 * mprotect().
1537 */
1538 static int
1540 {
1547 // get total number of bytes required to mmap. (Overestimate.)
1552 }
1554 // allocate protected memory with MALLOC_MP_LIM canary
1562 }
1569 // change el value pointer to protected
1575 }
1580 }
1582 }
1584 // protecting from writes
1590 }
1592 /*
1593 * Setting sandbox restrictions so the string memory cannot be tampered with
1594 */
1595 // no mremap of the protected base address
1601 }
1603 // no munmap of the protected base address
1609 }
1611 /*
1612 * Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
1613 * never over the memory region used by the protected strings.
1614 *
1615 * PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
1616 * had to be removed due to limitation of libseccomp regarding intervals.
1617 *
1618 * There is a restriction on how much you can mprotect with R|W up to the
1619 * size of the canary.
1620 */
1628 }
1632 MALLOC_MP_LIM),
1638 }
1640 out:
1643 }
1645 /**
1646 * Auxiliary function used in order to allocate a sandbox_cfg_t element and set
1647 * its values according the parameter list. All elements are initialised
1648 * with the 'prot' field set to false, as the pointer is not protected at this
1649 * point.
1650 */
1653 {
1665 }
1669 {
1671 }
1673 #ifdef __i386__
1674 #define SCMP_chown SCMP_SYS(chown32)
1675 #elif defined(__aarch64__) && defined(__LP64__)
1676 #define SCMP_chown SCMP_SYS(fchownat)
1677 #else
1678 #define SCMP_chown SCMP_SYS(chown)
1679 #endif
1681 #if defined(__aarch64__) && defined(__LP64__)
1682 #define SCMP_chmod SCMP_SYS(fchmodat)
1683 #else
1684 #define SCMP_chmod SCMP_SYS(chmod)
1685 #endif
1687 #if defined(__aarch64__) && defined(__LP64__)
1688 #define SCMP_rename SCMP_SYS(renameat)
1689 #else
1690 #define SCMP_rename SCMP_SYS(rename)
1691 #endif
1693 #ifdef __NR_stat64
1694 #define SCMP_stat SCMP_SYS(stat64)
1695 #else
1696 #define SCMP_stat SCMP_SYS(stat)
1697 #endif
1699 int
1701 {
1710 }
1712 int
1714 {
1723 }
1725 int
1727 {
1736 }
1738 int
1740 {
1749 }
1751 int
1753 {
1762 }
1764 int
1766 {
1775 }
1777 int
1779 {
1788 }
1790 /**
1791 * Function responsible for going through the parameter syscall filters and
1792 * call each function pointer in the list.
1793 */
1794 static int
1796 {
1800 // function pointer
1807 }
1808 }
1811 }
1813 /**
1814 * Function responsible of loading the libseccomp syscall filters which do not
1815 * have parameter filtering.
1816 */
1817 static int
1819 {
1823 // add general filters
1830 }
1831 }
1834 #ifdef __NR_newfstatat
1835 // Libc 2.33 uses this syscall to implement both fstat() and stat().
1836 //
1837 // The trouble is that to implement fstat(fd, &st), it calls:
1838 // newfstatat(fs, "", &st, AT_EMPTY_PATH)
1839 // We can't detect this usage in particular, because "" is a pointer
1840 // we don't control. And we can't just look for AT_EMPTY_PATH, since
1841 // AT_EMPTY_PATH only has effect when the path string is empty.
1842 //
1843 // So our only solution seems to be allowing all fstatat calls, which
1844 // means that an attacker can stat() anything on the filesystem. That's
1845 // not a great solution, but I can't find a better one.
1851 }
1852 #endif
1853 }
1856 }
1858 /**
1859 * Function responsible for setting up and enabling a global syscall filter.
1860 * The function is a prototype developed for stage 1 of sandboxing Tor.
1861 * Returns 0 on success.
1862 */
1863 static int
1865 {
1867 scmp_filter_ctx ctx;
1874 }
1876 // protecting sandbox parameter strings
1879 }
1881 // add parameter filters
1885 }
1887 // adding filters with no parameters
1891 }
1893 // loading the seccomp2 filter
1896 "Are you sure that your kernel has seccomp2 support? The "
1900 }
1902 // marking the sandbox as active
1905 end:
1908 }
1910 #ifdef SYSCALL_NAME_DEBUGGING
1913 /** Return a string containing the name of a given syscall (if we know it) */
1916 {
1921 }
1923 {
1928 }
1929 }
1931 /** Return the syscall number from a ucontext_t that we got in a signal
1932 * handler (if we know how to do that). */
1933 static int
1935 {
1937 }
1941 {
1944 }
1945 static int
1947 {
1950 }
1953 #ifdef USE_BACKTRACE
1954 #define MAX_DEPTH 256
1956 #endif
1958 /**
1959 * Function called when a SIGSYS is caught by the application. It notifies the
1960 * user that an error has occurred and either terminates or allows the
1961 * application to continue execution, based on the DEBUGGING_CLOSE symbol.
1962 */
1963 static void
1965 {
1968 #ifdef USE_BACKTRACE
1972 #endif
1984 #ifdef USE_BACKTRACE
1986 /* Clean up the top stack frame so we get the real function
1987 * name for the most recently failing function. */
1994 syscall_name,
1996 NULL);
1998 #ifdef USE_BACKTRACE
2002 #endif
2004 #if defined(DEBUGGING_CLOSE)
2007 }
2009 /**
2010 * Function that adds a handler for SIGSYS, which is the signal thrown
2011 * when the application is issuing a syscall which is not allowed. The
2012 * main purpose of this function is to help with debugging by identifying
2013 * filtered syscalls.
2014 */
2015 static int
2017 {
2019 sigset_t mask;
2030 }
2035 }
2038 }
2040 /**
2041 * Function responsible of registering the sandbox_cfg_t list of parameter
2042 * syscall filters to the existing parameter list. This is used for incipient
2043 * multiple-sandbox support.
2044 */
2045 static int
2047 {
2053 }
2056 ;
2061 }
2065 #ifdef USE_LIBSECCOMP
2066 /**
2067 * Initialises the syscall sandbox filter for any linux architecture, taking
2068 * into account various available features for different linux flavours.
2069 */
2070 static int
2072 {
2073 /* Prevent glibc from trying to open /dev/tty on fatal error */
2086 }
2088 int
2090 {
2092 }
2095 sandbox_cfg_t*
2097 {
2099 }
2101 int
2103 {
2104 #if defined(USE_LIBSECCOMP)
2107 #elif defined(__linux__)
2110 "This version of Tor was built without support for sandboxing. To "
2111 "build with support for sandboxing on Linux, you must have "
2115 #else
2118 "Currently, sandboxing is only implemented on Linux. The feature "
2122 }
2124 #ifndef USE_LIBSECCOMP
2125 int
2127 {
2130 }
2132 int
2134 {
2137 }
2139 int
2141 {
2144 }
2146 int
2148 {
2151 }
2153 int
2155 {
2158 }
2160 int
2162 {
2165 }
2167 int
2169 {
2172 }
2174 int
2176 {
2178 }