commit 4802e086043a2d3fab77a77425c607b43f20fe5b Author: Yawning Angel yawning@schwanenlied.me Date: Sun Dec 4 00:12:55 2016 +0000
Add `newselect` to the 386 whitelist.
obfs4proxy needs this, or it sits there looping on select() for a while before giving up. --- data/tor-whitelist-extras-i386.seccomp | 1 + .../internal/sandbox/seccomp_386.go | 17 +++++++++++------ 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/data/tor-whitelist-extras-i386.seccomp b/data/tor-whitelist-extras-i386.seccomp
index b3a13f7..2c33759 100644
--- a/data/tor-whitelist-extras-i386.seccomp
+++ b/data/tor-whitelist-extras-i386.seccomp
@@ -14,6 +14,7 @@ fcntl64: 1 stat64: 1
ugetrlimit: 1
+newselect: 1
# tor's sandbox code claims that these calls are required on x86 but not on
# x86_64. tor's sandbox attempts to filter socketcall's arguments as well
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
index 0d3a069..1e6e18c 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
@@ -95,12 +95,17 @@ func installSeccomp(fd *os.File, assets []string, isBlacklist bool) error {
scallName := string(bytes.TrimSpace(sp[0]))
scall, err := seccomp.GetSyscallFromName(scallName)
if err != nil {
- // Continue instead of failing on ENOSYS. gosecco will fail
- // here, but this allows whitelists to be more futureproof,
- // and handles thing like Debian prehistoric^wstable missing
- // system calls that we would like to allow like `getrandom`.
- log.Printf("seccomp: unknown system call: %v", scallName)
- continue
+ if scallName == "newselect" {
+ // The library doesn't have "NR_newselect" yet.
+ scall = seccomp.ScmpSyscall(142)
+ } else {
+ // Continue instead of failing on ENOSYS. gosecco will fail
+ // here, but this allows whitelists to be more futureproof,
+ // and handles thing like Debian prehistoric^wstable missing
+ // system calls that we would like to allow like `getrandom`.
+ log.Printf("seccomp: unknown system call: %v", scallName)
+ continue
+ }
}
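Review bot: The new `newselect: 1` entry is the one name in this whitelist that is not resolved through the library's name lookup but by the hard-coded number in seccomp_386.go, and nothing in the file records that, so a reader has no way to tell why this entry differs from its neighbours or that dropping the Go special case would silently turn it into a logged-and-skipped unknown syscall. A comment above it along the lines of `# needed by obfs4proxy; resolved by number (142, i386 only) in seccomp_386.go` would keep the rationale from the commit message next to the entry, the way the `# tor's sandbox code claims…` comment does for the entries below it. The same applies to the `seccomp.ScmpSyscall(142)` line in the seccomp_386.go hunk, where the comment names the missing library constant but not the architecture the number is valid for; that hunk continues past the end of this chunk.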
// If the system call is present, just add it. This is x86,