commit c84e1bad1658a43f8e9d3525e594b69b3bcce3b3 Author: Yawning Angel yawning@schwanenlied.me Date: Wed Dec 7 01:18:09 2016 +0000
Re-add socket call to the 386 whitelist.
It helps to test code involving ancient bullshit that needs to die, on systems that actually exercise said ancient bullshit. In this case, Debian stable x86 conveniently provides a kernel that actually exercises `socketcall`.
libseccomp2 is supposed to "automagically do the right thing" when generating 386 rules since I'm not adding exact, but both tor and firefox showed problems with this. --- src/cmd/gen-seccomp/seccomp_firefox.go | 2 ++ src/cmd/gen-seccomp/seccomp_tor.go | 2 ++ 2 files changed, 4 insertions(+)
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go
index a1a9f0a..22e4bb5 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -210,6 +210,8 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
 "newselect",
 "socket", // Filtered on amd64.
+
+ "socketcall", // Fuck Debian stable.... :(
 }
 allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
 }
diff --git a/src/cmd/gen-seccomp/seccomp_tor.go b/src/cmd/gen-seccomp/seccomp_tor.go
index 6144548..0a1b8cc 100644
--- a/src/cmd/gen-seccomp/seccomp_tor.go
+++ b/src/cmd/gen-seccomp/seccomp_tor.go
@@ -118,6 +118,8 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
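Review bot: Adding `"socketcall"` to the no-argument 386 list lets every socket operation through unconditionally, because on i386 kernels socketcall is the single multiplexed entry point for the whole socket API (socket, bind, connect, listen, send/recv and the rest); the context line directly above says `socket` is filtered on amd64, so whatever argument restriction that filter imposes is not enforced on 386 kernels that route through socketcall. The same widening is made by the matching `"socketcall"` entry in seccomp_tor.go. If the intent is to accept that bypass on old kernels, the comment should say so rather than curse, e.g. `"socketcall", // i386 multiplexer for the socket API; the amd64 socket argument filter does not apply here.`; otherwise consider a rule that constrains socketcall's first argument (the subcall number) to the operations the profile already permits, which libseccomp can express. Both additions appear to sit in an `is386` block whose enclosing function starts and ends outside the hunk.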
 "ugetrlimit",
 "set_thread_area",
+
+ "socketcall", // I *SHOULDN"T* need this, but Debian stable freaks out.
 }
 allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
 }
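Review bot: The new comment on the `"socketcall"` line has a typo, `SHOULDN"T`, where an apostrophe is meant, and it records a complaint rather than the reason the entry exists; a maintainer deciding whether it can be removed later needs the latter, e.g. `"socketcall", // Needed on i386 kernels that multiplex the socket API through socketcall (seen on Debian stable).`. The enclosing function compileTorSeccompProfile starts and ends outside the hunk.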