sarah
/
tor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add a 'NoExec' option that causes tor_spawn_background() to fail 

Core of an implementation for 22976.
This commit is contained in:
Nick Mathewson 2017-08-09 10:42:37 -04:00
parent 94352368db
commit eb43401bfb
6 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
changes/feature22976 Normal file
View File

@ -0,0 +1,7 @@
o Minor features (integration, hardening):
- Added a new NoExec option to . When this option is set to 1,
Tor will never try to run another program, regardless of
the settings of PortForwardingHelper, ClientTransportPlugin,
or ServerTransportPlugin. Once NoExec is set, it cannot be
disabled without restarting Tor.
Closes ticket 22976.

7
doc/tor.1.txt
View File

@ -773,6 +773,13 @@ GENERAL OPTIONS
circuits. If the option is set to "default", we obey a
parameter in the consensus document. (Default: auto)
[[NoExec]] **NoExec** **0**|**1**::
If this option is set to 1, then Tor will never launch another
executable, regardless of the settings of PortForwardingHelper,
ClientTransportPlugin, or ServerTransportPlugin. Once this
option has been set to 1, it cannot be set back to 0 without
restarting Tor. (Default: 0)
CLIENT OPTIONS
--------------

17
src/common/util.c
View File

@ -4142,6 +4142,20 @@ process_handle_waitpid_cb(int status, void *arg)
#define CHILD_STATE_EXEC 8
#define CHILD_STATE_FAILEXEC 9
/** @} */
/**
* Boolean. If true, then Tor may call execve or CreateProcess via
* tor_spawn_background.
**/
static int may_spawn_background_process = 1;
/**
* Turn off may_spawn_background_process, so that all future calls to
* tor_spawn_background are guaranteed to fail.
**/
void
tor_disable_spawning_background_processes(void)
{
may_spawn_background_process = 0;
}
/** Start a program in the background. If <b>filename</b> contains a '/', then
* it will be treated as an absolute or relative path. Otherwise, on
* non-Windows systems, the system path will be searched for <b>filename</b>.
@ -4166,6 +4180,9 @@ tor_spawn_background(const char *const filename, const char **argv,
process_environment_t *env,
process_handle_t **process_handle_out)
{
if (may_spawn_background_process == 0)
return PROCESS_STATUS_ERROR;
#ifdef _WIN32
HANDLE stdout_pipe_read = NULL;
HANDLE stdout_pipe_write = NULL;

2
src/common/util.h
View File

@ -396,6 +396,8 @@ void tor_check_port_forwarding(const char *filename,
struct smartlist_t *ports_to_forward,
time_t now);
void tor_disable_spawning_background_processes(void);
typedef struct process_handle_t process_handle_t;
typedef struct process_environment_t process_environment_t;
int tor_spawn_background(const char *const filename, const char **argv,

11
src/or/config.c
View File

@ -409,6 +409,7 @@ static config_var_t option_vars_[] = {
OBSOLETE("PredictedPortsRelevanceTime"),
OBSOLETE("WarnUnsafeSocks"),
VAR("NodeFamily", LINELIST, NodeFamilies, NULL),
V(NoExec, BOOL, "0"),
V(NumCPUs, UINT, "0"),
V(NumDirectoryGuards, UINT, "0"),
V(NumEntryGuards, UINT, "0"),
@ -1595,6 +1596,10 @@ options_act(const or_options_t *old_options)
const int transition_affects_guards =
old_options && options_transition_affects_guards(old_options, options);
if (options->NoExec) {
tor_disable_spawning_background_processes();
}
/* disable ptrace and later, other basic debugging techniques */
{
/* Remember if we already disabled debugger attachment */
@ -4447,6 +4452,12 @@ options_transition_allowed(const or_options_t *old,
return -1;
}
if (old->NoExec && !new_val->NoExec) {
*msg = tor_strdup("While Tor is running, disabling "
"NoExec is not allowed.");
return -1;
}
if (sandbox_is_active()) {
#define SB_NOCHANGE_STR(opt) \
do { \

4
src/or/or.h
View File

@ -4596,6 +4596,10 @@ typedef struct {
* consensuses around so that we can generate diffs from them. If 0,
* use the default. */
int MaxConsensusAgeForDiffs;
/** Bool (default: 0). Tells Tor to never try to exec another program.
*/
int NoExec;
} or_options_t;
/** Persistent state for an onion router, as saved to disk. */