Merge branch 'maint-0.2.8' into release-0.2.8

2016-07-17 13:54:58 -04:00 · 2016-07-17 13:54:58 -04:00 · fe53f9c17d
parent 449c61f452 fbae15a856
commit fe53f9c17d
4 changed files with 30 additions and 19 deletions
--- a/changes/bug19660
+++ b/changes/bug19660
@ -0,0 +1,8 @@
+  o Minor bugfixes (sandboxing):
+    - If we did not find a non-private IPaddress by iterating over
+      interfaces, we would try to get one via
+      get_interface_address6_via_udp_socket_hack().  This opens a
+      datagram socket with IPPROTO_UDP.  Previously all our datagram
+      sockets (via libevent) used IPPROTO_IP, so we did not have that
+      in the sandboxing whitelist.  Add (SOCK_DGRAM, IPPROTO_UDP)
+      sockets to the sandboxing whitelist.  Fixes bug 19660.
--- a/changes/bug19682
+++ b/changes/bug19682
@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Fix compilation warning in the unit tests on systems where
+      char is signed. Fixes bug 19682; bugfix on 0.2.8.1-alpha.
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@ -589,7 +589,7 @@ static int
 sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
  int rc = 0;
-  int i;
+  int i, j;
  (void) filter;

 #ifdef __i386__
@ -606,20 +606,20 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)

  for (i = 0; i < 2; ++i) {
    const int pf = i ? PF_INET : PF_INET6;
-
-    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
-      SCMP_CMP(0, SCMP_CMP_EQ, pf),
-      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
-      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
-    if (rc)
-      return rc;
-
-    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
-      SCMP_CMP(0, SCMP_CMP_EQ, pf),
-      SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
-      SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
-    if (rc)
-      return rc;
+    for (j=0; j < 3; ++j) {
+      const int type     = (j == 0) ? SOCK_STREAM :
+                           (j == 1) ? SOCK_DGRAM :
+                                      SOCK_DGRAM;
+      const int protocol = (j == 0) ? IPPROTO_TCP :
+                           (j == 1) ? IPPROTO_IP :
+                                      IPPROTO_UDP;
+      rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+        SCMP_CMP(0, SCMP_CMP_EQ, pf),
+        SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, type),
+        SCMP_CMP(2, SCMP_CMP_EQ, protocol));
+      if (rc)
+        return rc;
+    }
  }

  rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
--- a/src/test/test_util_format.c
+++ b/src/test/test_util_format.c
@ -106,10 +106,10 @@ test_util_format_base64_encode(void *ignored)
  for (i = 0;i<50;i++) {
    src[i] = 0;
  }
-  src[50] = 255;
-  src[51] = 255;
-  src[52] = 255;
-  src[53] = 255;
+  src[50] = (char)255;
+  src[51] = (char)255;
+  src[52] = (char)255;
+  src[53] = (char)255;

  res = base64_encode(dst, 1000, src, 54, BASE64_ENCODE_MULTILINE);
  tt_int_op(res, OP_EQ, 74);