-rw-r--r-- | src/init.cpp | 5 | ||||
-rw-r--r-- | src/init.h | 2 | ||||
-rw-r--r-- | src/node/interfaces.cpp | 2 | ||||
-rw-r--r-- | src/util/syscall_sandbox.cpp | 3 | ||||
-rw-r--r-- | src/util/syscall_sandbox.h | 3 |
5 files changed, 6 insertions, 9 deletions
diff --git a/src/init.cpp b/src/init.cpp
index 83937c6925..86e6ec4451 100644
--- a/src/init.cpp
+++ b/src/init.cpp
@@ -792,7 +792,7 @@ bool AppInitBasicSetup(const ArgsManager& args)
 return true;
 }
-bool AppInitParameterInteraction(const ArgsManager& args)
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox)
 {
 const CChainParams& chainparams = Params();
 // ********************************************************* Step 2: parameter interactions
@@ -1058,6 +1058,9 @@ bool AppInitParameterInteraction(const ArgsManager& args)
 if (!SetupSyscallSandbox(log_syscall_violation_before_terminating)) {
 return InitError(Untranslated("Installation of the syscall sandbox failed."));
 }
+ if (use_syscall_sandbox) {
+ SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
+ }
 LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): bitcoind will terminate if an unexpected (not allowlisted) syscall is invoked.\n", sandbox_arg);
 }
 #endif // USE_SYSCALL_SANDBOX
diff --git a/src/init.h b/src/init.h
index ddd439f619..2250ae20a0 100644
--- a/src/init.h
+++ b/src/init.h
@@ -41,7 +41,7 @@ bool AppInitBasicSetup(const ArgsManager& args);
 * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
 * @pre Parameters should be parsed and config file should be read, AppInitBasicSetup should have been called.
 */
-bool AppInitParameterInteraction(const ArgsManager& args);
+bool AppInitParameterInteraction(const ArgsManager& args, bool use_syscall_sandbox = true);
 /**
 * Initialization sanity checks: ecc init, sanity checks, dir lock.
 * @note This can be done before daemonization. Do not call Shutdown() if this function fails.
diff --git a/src/node/interfaces.cpp b/src/node/interfaces.cpp
index d71455bc37..73d15652b1 100644
--- a/src/node/interfaces.cpp
+++ b/src/node/interfaces.cpp
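Review bot: The `LogPrintf("Experimental syscall sandbox enabled (-sandbox=%s): ...")` context line directly after the added block still runs when `use_syscall_sandbox` is false, so a process that skipped `SetSyscallSandboxPolicy` logs that it is sandboxed. If applying the policy is what actually installs the seccomp filter (the note removed from syscall_sandbox.h in this commit implies the policy call used to live inside `SetupSyscallSandbox`), that log line is now wrong for the `false` path and an operator reading the debug log would believe a filter is active when none was applied. Move the `LogPrintf` inside the new `if (use_syscall_sandbox)` block and add `else { LogPrintf("Syscall sandbox set up but no policy applied (use_syscall_sandbox=false).\n"); }` so the log reflects what was done. The enclosing `if` on `sandbox_arg` and the rest of `AppInitParameterInteraction` are outside the hunk.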
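Review bot: The new `use_syscall_sandbox` parameter on `AppInitParameterInteraction` is not described in the Doxygen block above the declaration, and because it defaults to `true` a reader cannot tell from the header which callers are expected to pass `false` or what they give up by doing so. Add a parameter line to the existing comment, e.g. `* @param use_syscall_sandbox If true, SyscallSandboxPolicy::INITIALIZATION is applied after SetupSyscallSandbox succeeds; if false, this function applies no sandbox policy.` The Doxygen block begins above the hunk.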
@@ -90,7 +90,7 @@ public:
 uint32_t getLogCategories() override { return LogInstance().GetCategoryMask(); }
 bool baseInitialize() override
 {
- return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs) && AppInitSanityChecks() &&
+ return AppInitBasicSetup(gArgs) && AppInitParameterInteraction(gArgs, /*use_syscall_sandbox=*/false) && AppInitSanityChecks() &&
 AppInitLockDataDirectory() && AppInitInterfaces(*m_context);
 }
 bool appInitMain(interfaces::BlockAndHeaderTipInfo* tip_info) override
diff --git a/src/util/syscall_sandbox.cpp b/src/util/syscall_sandbox.cpp
index a05efac602..a69f815ce4 100644
--- a/src/util/syscall_sandbox.cpp
+++ b/src/util/syscall_sandbox.cpp
@@ -592,8 +592,6 @@ public:
 allowed_syscalls.insert(__NR_getcwd); // get current working directory
 allowed_syscalls.insert(__NR_getdents); // get directory entries
 allowed_syscalls.insert(__NR_getdents64); // get directory entries
- allowed_syscalls.insert(__NR_inotify_rm_watch);// remove an existing watch from an inotify instance
- allowed_syscalls.insert(__NR_linkat); // create relative to a directory file descriptor
 allowed_syscalls.insert(__NR_lstat); // get file status
 allowed_syscalls.insert(__NR_mkdir); // create a directory
 allowed_syscalls.insert(__NR_newfstatat); // get file status
@@ -823,7 +821,6 @@ bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating)
 return false;
 }
 }
- SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION);
 return true;
 }
diff --git a/src/util/syscall_sandbox.h b/src/util/syscall_sandbox.h
index f7a1cbdb55..dc02ce29e9 100644
--- a/src/util/syscall_sandbox.h
+++ b/src/util/syscall_sandbox.h
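Review bot: `baseInitialize` now passes `/*use_syscall_sandbox=*/false` without a comment explaining why this caller opts out of the INITIALIZATION policy, and nothing in the hunk applies a policy afterwards, so as far as these lines show a process started through this interface with `-sandbox` is prepared for sandboxing but runs with no policy applied. A reader of this call site would otherwise assume the sandbox is active here as it is for bitcoind. Add a why-comment on the call, e.g. `// use_syscall_sandbox=false: this process does not apply SyscallSandboxPolicy::INITIALIZATION here; <reason, e.g. which syscalls the GUI needs that the policy disallows>`, and document where (if anywhere) a policy is applied for this path. The enclosing class and `appInitMain` continue outside the hunk.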
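Review bot: With the `SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION)` call removed from the end of `SetupSyscallSandbox`, the function returns `true` without applying any policy (no other policy call is visible in the hunk), so a caller that checks only its return value, as `AppInitParameterInteraction` did before this commit, can conclude the sandbox is active when no filter was applied. This contract change needs to be stated at the declaration: the syscall_sandbox.h hunk on the next line deletes the old note about the policy call but keeps `//! Setup and enable the experimental syscall sandbox for the running process.`, which now overstates what the function does. Replace that line with `//! Prepare the experimental syscall sandbox for the running process. This does not apply a policy; call SetSyscallSandboxPolicy(...) afterwards to install one.` The body of `SetupSyscallSandbox` begins outside the hunk.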
@@ -45,9 +45,6 @@ void SetSyscallSandboxPolicy(SyscallSandboxPolicy syscall_policy);
 #if defined(USE_SYSCALL_SANDBOX)
 //! Setup and enable the experimental syscall sandbox for the running process.
-//!
-//! SetSyscallSandboxPolicy(SyscallSandboxPolicy::INITIALIZATION) is called as part of
-//! SetupSyscallSandbox(...).
 [[nodiscard]] bool SetupSyscallSandbox(bool log_syscall_violation_before_terminating);
 //! Invoke a disallowed syscall. Use for testing purposes. |