From 910e25358a148268815a23ff2040599291100a97 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 2 Sep 2015 09:59:22 -0400
Subject: [PATCH] Let bridge authorities run under the sandbox

(found thanks to teor's chutney haxx)
---
 changes/bug16964 | 4 ++++
 src/or/main.c    | 9 +++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 changes/bug16964

diff --git a/changes/bug16964 b/changes/bug16964
new file mode 100644
index 0000000000..46ff565fc6
--- /dev/null
+++ b/changes/bug16964
@@ -0,0 +1,4 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Allow bridge authorities to run correctly under the seccomp2
+      sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
+
diff --git a/src/or/main.c b/src/or/main.c
index 0b0207b975..915b3e23ca 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -3040,6 +3040,12 @@ sandbox_init_filter(void)
   OPEN("/etc/hosts");
   OPEN("/proc/meminfo");
 
+  if (options->BridgeAuthoritativeDir)
+    OPEN_DATADIR_SUFFIX("networkstatus-bridges", ".tmp");
+
+  if (authdir_mode_handles_descs(options, -1))
+    OPEN_DATADIR("approved-routers");
+
   if (options->ServerDNSResolvConfFile)
     sandbox_cfg_allow_open_filename(&cfg,
                                 tor_strdup(options->ServerDNSResolvConfFile));
@@ -3080,6 +3086,9 @@ sandbox_init_filter(void)
   RENAME_SUFFIX("unparseable-desc", ".tmp");
   RENAME_SUFFIX("v3-status-votes", ".tmp");
 
+  if (options->BridgeAuthoritativeDir)
+    RENAME_SUFFIX("networkstatus-bridges", ".tmp");
+
 #define STAT_DATADIR(name)                      \
   sandbox_cfg_allow_stat_filename(&cfg, get_datadir_fname(name))
 
-- 
2.11.4.GIT