commit a9a3ab621ed72fb1c836d9e224be7b42f4445b90 Author: Yawning Angel yawning@schwanenlied.me Date: Wed Apr 12 22:19:26 2017 +0000
Fix e10s Web Content crash on systems with grsec kernels.
The `plugin-container` binary needs to be able to make RWX mappings, or Web Content workers get killed by the kernel. --- ChangeLog | 1 + .../internal/sandbox/application.go | 18 +++++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3e55844..1007ae3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 Changes in version 0.0.5 - UNRELEASED:
+ * Fix e10s Web Content crash on systems with grsec kernels.
Changes in version 0.0.4 - 2017-04-12:
 * Bug 21928: Force a reinstall if an existing hardened bundle is present.
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 427c3b1..bf2914a 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -190,8 +190,15 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (pr
 // Tor Browser currently is incompatible with PaX MPROTECT, apply the
 // override if needed.
 realFirefoxPath := filepath.Join(realBrowserHome, "firefox")
- if err = applyPaXAttributes(manif, realFirefoxPath); err != nil {
- return nil, err
+ needsPaXPaths := []string{
+ realFirefoxPath,
+ filepath.Join(realBrowserHome, "plugin-container"),
+ }
+ for _, p := range needsPaXPaths {
+ err := applyPaXAttributes(manif, p)
+ if err != nil {
+ log.Printf("sandbox: Failed to apply PaX attributes to `%v`: %v", p, err)
+ }
 }
extraLdLibraryPath := ""
@@ -329,11 +336,12 @@ func applyPaXAttributes(manif *config.Manifest, f string) error {
 const paxAttr = "user.pax.flags"
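Review bot: The `needsPaXPaths` loop in RunTorBrowser now logs and discards every `applyPaXAttributes` error, including the one for `realFirefoxPath` that the removed code returned to the caller. On a grsec kernel a failed override on the main binary would then presumably show up only as a log line followed by the kernel killing the process, so consider keeping that case fatal by adding `if p == realFirefoxPath { return nil, err }` after the `log.Printf`, leaving only `plugin-container` best-effort. The comment above the loop should also record that the override now covers `plugin-container`, e.g. `// plugin-container (e10s Web Content) also needs RWX mappings; this exempts the content process from MPROTECT.`, since per the commit message that is the process running Web Content workers. RunTorBrowser begins and ends outside this hunk.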
sz, _ := syscall.Getxattr(f, paxAttr, nil)
+ _, n := filepath.Split(f)
// Strip off the attribute if this is a non-grsec kernel.
 if !IsGrsecKernel() {
 if sz > 0 {
- log.Printf("sandbox: Removing Tor Browser PaX attributes.")
+ log.Printf("sandbox: Removing PaX attributes: %v", n)
 syscall.Removexattr(f, paxAttr)
 }
 return nil
@@ -346,12 +354,12 @@ func applyPaXAttributes(manif *config.Manifest, f string) error {
 return err
 }
 if bytes.Contains(dest, paxOverride) {
- log.Printf("sandbox: Tor Browser PaX attributes already set.")
+ log.Printf("sandbox: PaX attributes already set: %v", n)
 return nil
 }
 }
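Review bot: `_, n := filepath.Split(f)` in applyPaXAttributes only needs the last path element, so for the paths passed here `n := filepath.Base(f)` says the same thing without the discarded directory result. The value feeds the `log.Printf` call in this hunk and the two in the following hunk; printing it with `%q` instead of `%v` would make an empty or unusual name visible in the log. applyPaXAttributes starts before this hunk and continues past it.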
- log.Printf("sandbox: Applying Tor Browser PaX attributes.")
+ log.Printf("sandbox: Applying PaX attributes: %v", n)
 return syscall.Setxattr(f, paxAttr, paxOverride, 0)
 }