commit 6e8ba8170dc0580c2da2f3e779ea652c2a58ff3c Author: Yawning Angel yawning@schwanenlied.me Date: Tue Dec 6 19:14:27 2016 +0000
Remove the SysV SHM calls from the seccomp whtielist. --- src/cmd/gen-seccomp/seccomp_firefox.go | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go
index 1606d76..33a3048 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -121,11 +121,14 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
 "mremap",
 "munmap",
- // XXX: Remove these?
- "shmdt",
- "shmat",
- "shmctl",
- "shmget",
+ // `MIT-SHM` doesn't work, and there's workarounds to try
+ // to prevent firefox from making such calls. It doesn't appear
+ // to always ask (noticed on Ubuntu), so fail the calls entirely.
+ //
+ // "shmdt",
+ // "shmat",
+ // "shmctl",
+ // "shmget",
 "alarm",
 "execve",
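Review bot: The new comment says the SHM calls now "fail entirely", but nothing in the hunk shows what the filter does with a syscall that is missing from this list; if the default action terminates the process rather than returning an errno, a Firefox that still attempts `shmget` would be killed instead of falling back to the non-SHM path. I would state the outcome in the comment itself, e.g. `// Not whitelisted: handled by the filter's default action (<default action>).`, with the placeholder filled in from the rest of compileTorBrowserSeccompProfile, whose body starts and ends outside the hunk. Because the function takes `is386`, it is also worth confirming that the 386 profile does not permit the multiplexed `ipc` syscall, since 32-bit x86 has historically routed the SysV SHM operations through it and they would then remain reachable despite this removal. Keeping the four names as commented-out strings is reasonable as a record of what is denied, provided the comment says they are retained deliberately.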