#18397: `Sandbox 1` in Tor 0.2.7.6 should not filter `getsockopt` syscall
-------------------------------------------------+-------------------------
 Reporter:  fowlslegs                            |          Owner:  nickm
     Type:  defect                               |         Status:  needs_review
 Priority:  High                                 |      Milestone:  Tor: 0.2.???
Component:  Core Tor/Tor                         |        Version:  Tor: 0.2.7.6
 Severity:  Major                                |     Resolution:
 Keywords:  seccomp, sandbox, getsockopt,        |  Actual Points:
            027-backport                         |        Sponsor:
Parent ID:                                       |
 Reviewer:                                       |
   Points:                                       |
-------------------------------------------------+-------------------------
Changes (by Jigsaw52):

 * status:  needs_information => needs_review

Comment:

 I've written the patch. It is available on github:
 https://github.com/Jigsaw52/tor/tree/seccomp-fix-18397

 The patch changes the sandbox filter to allow the following when built
 with systemd:
 - getsockopt with SOL_SOCKET and SO_SNDBUF as arguments
 - setsockopt with SOL_SOCKET and SO_SNDBUFFORCE

 These calls are used by the systemd sd_notify function.

 It also allows the sysinfo syscall as the libc qsort function uses it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18397#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
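
The argument-level rule described in the comment above (getsockopt permitted only with SOL_SOCKET and SO_SNDBUF), shown as an added example that is neither the patch nor Tor's sandbox code. It is a raw seccomp-BPF filter exercised in a forked child; the helper names `install_filter` and `probe_getsockopt` are hypothetical, and it assumes Linux on a little-endian architecture where getsockopt is a direct syscall.

```c
/* Added example, not Tor's sandbox code. Default-allow demo that restricts
 * only getsockopt (a real sandbox is default-deny and checks the arch).
 * Assumes Linux, little-endian, getsockopt as a direct syscall (x86_64). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define ARG_LO(n) ((unsigned)(offsetof(struct seccomp_data, args) + 8 * (n))) /* low 32 bits of arg n */

/* Install the filter in the calling process; returns 0 on success. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getsockopt, 0, 5), /* else allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),              /* level */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOL_SOCKET, 0, 2),      /* else deny */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),              /* optname */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SO_SNDBUF, 1, 0),       /* match: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child, sandbox it, call getsockopt(SOL_SOCKET, optname) on an AF_UNIX
 * datagram socket. Returns 0 on success, the child's errno on failure, -1 on probe error. */
int probe_getsockopt(int optname) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int val = 0;
        socklen_t len = sizeof(val);
        int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
        if (fd < 0 || install_filter() != 0) _exit(255);
        _exit(getsockopt(fd, SOL_SOCKET, optname, &val, &len) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

`probe_getsockopt(SO_SNDBUF)` returns 0, while any other option such as `SO_RCVBUF` returns `EPERM`, which is how an over-narrow filter shows up when a library starts calling an option the rule does not list.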