commit b8534e56ad75c4b66783c8b14fcc8cf38687a6c5 Author: Yawning Angel yawning@schwanenlied.me Date: Sat Dec 3 23:28:48 2016 +0000
Allow ugetrlimit, and remove the getrlimit hook.
I still have no idea, but at this point I'm going to write it off to:
"My system call whitelist didn't have enough things on it for i386". --- data/tor-whitelist-extras-i386.seccomp | 2 ++ ...rbrowser-launcher-whitelist-extras-i386.seccomp | 1 + src/tbb_stub/tbb_stub.c | 28 ++-------------------- 3 files changed, 5 insertions(+), 26 deletions(-)
diff --git a/data/tor-whitelist-extras-i386.seccomp b/data/tor-whitelist-extras-i386.seccomp index 03204c3..b3a13f7 100644 --- a/data/tor-whitelist-extras-i386.seccomp +++ b/data/tor-whitelist-extras-i386.seccomp @@ -13,6 +13,8 @@ mmap2: 1 fcntl64: 1 stat64: 1
+ugetrlimit: 1 + # tor's sandbox code claims that these calls are required on x86 but not on # x86_64. tor's sandbox attempts to filter socketcall's arguments as well # when it adds a rule, but seccomp on x86 does not support argument filtering, diff --git a/data/torbrowser-launcher-whitelist-extras-i386.seccomp b/data/torbrowser-launcher-whitelist-extras-i386.seccomp index 4d685b6..b859f69 100644 --- a/data/torbrowser-launcher-whitelist-extras-i386.seccomp +++ b/data/torbrowser-launcher-whitelist-extras-i386.seccomp @@ -19,6 +19,7 @@ getresgid32: 1 time: 1 getuid32: 1 getgid32: 1 +ugetrlimit: 1
recv: 1 send: 1 diff --git a/src/tbb_stub/tbb_stub.c b/src/tbb_stub/tbb_stub.c index e431222..0f714b7 100644 --- a/src/tbb_stub/tbb_stub.c +++ b/src/tbb_stub/tbb_stub.c @@ -48,10 +48,7 @@ #include <stdlib.h> #include <X11/Xlib.h>
-#ifdef __i386__ -#include <sys/time.h> -#include <sys/resource.h> -#else +#ifndef __i386__ #include <glob.h> #include <stdbool.h> #endif @@ -179,28 +176,7 @@ XQueryExtension(Display *display, _Xconst char *name, int *major, int *event, in return real_XQueryExtension(display, name, major, event, error); }
-#ifdef __i386__ - -static int (*real_getrlimit)(__rlimit_resource_t, struct rlimit *); - -int -getrlimit(__rlimit_resource_t resource, struct rlimit *rlim) -{ - /* I have no fucking idea why, on i386 systems rlimit starts failing - * randomly deep inside firefox, even with the appropriate system calls - * whitelisted. Hooking it, makes the problem go away for extra fun. - */ - if (real_getrlimit == NULL) { - if ((real_getrlimit = dlsym(RTLD_NEXT, "getrlimit")) == NULL) { - fprintf(stderr, "ERROR: Failed to find `getrlimit() symbol: %s\n", dlerror()); - abort(); - } - } - - return real_getrlimit(resource, rlim); -} - -#else +#ifndef __i386__
typedef struct pa_mutex pm; static pm* (*real_pa_mutex_new)(bool, bool);