commit 6a43d8fd4765f0e795d281c9ac328b853f0cef4c Author: Yawning Angel yawning@schwanenlied.me Date: Fri Oct 20 08:09:19 2017 +0000
Bug 23915: 7.0.7 and later fails to work without `SECCOMP_FILTER_FLAG_TSYNC`.
This is more fallout from #20773, that only manifests on systems running kernels that pre-date 3.17 (Debian oldstable). The "better" fix might be to only engage the workaround if `SECCOMP_FILTER_FLAG_TSYNC` isn't supported. --- ChangeLog | 1 + src/cmd/sandboxed-tor-browser/internal/sandbox/application.go | 1 + src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go | 9 +++++++++ 3 files changed, 11 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 36d8f22..23afbf8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 Changes in version 0.0.15 - UNRELEASED:
+ * Bug 23915: 7.0.7 and later fails to work without `SECCOMP_FILTER_FLAG_TSYNC`.
 Changes in version 0.0.14 - 2017-09-29:
 * Bug 8706: Fully disable the .recently-used.xbel.
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index bb44e39..d29df34 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -70,6 +70,7 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (pr
 h.seccompFn = installTorBrowserSeccompProfile
 h.fakeDbus = true
 h.mountProc = false
+ h.fakeProc = true
 if manif.Channel == "alpha" && !manif.BundleVersionAtLeast("7.5a4") {
 // SelfRando prior to c619441e1ceec3599bc81bf9bbaf4d17c68b54b7 has a
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index d477eb6..18fa69b 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -80,6 +80,7 @@ type hugbox struct {
 homeDir string
 chdir string
 mountProc bool
+ fakeProc bool
 unshare unshareOpts
 stdin io.Reader
 stdout io.Writer
@@ -297,6 +298,14 @@ func (h *hugbox) run() (*Process, error) {
 }
 if h.mountProc {
 fdArgs = append(fdArgs, "--proc", "/proc")
+ } else if h.fakeProc {
+ // Firefox attempts to figure out if a given process is multithreaded
+ // or not by stat(2)ing `/proc/self/task` and examining `st_nlink`.
+ //
+ // This error is harmless on most systems, but as of 7.0.7, will
+ // totally break everything if `SECCOMP_FILTER_FLAG_TSYNC` is not
+ // supported (Linux < 3.17).
+ fdArgs = append(fdArgs, "--dir", "/proc/self/task/fakeProc")
 }
 if h.chdir != "" {
 fdArgs = append(fdArgs, "--chdir", h.chdir)
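Review bot: The new `h.fakeProc = true` carries no comment saying why a browser profile needs a stub /proc entry, and the explanation lives only in a comment in hugbox.run() in another file. A one-line why-comment at this site saves the next reader the hunt: `h.fakeProc = true // Bug 23915: stub /proc/self/task for Firefox's thread check; see hugbox.run()`. The flag is only honoured when `h.mountProc` is false, which the line directly above guarantees, so the two assignments belong together and their ordering is worth keeping. RunTorBrowser's body continues on both sides of the hunk.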
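Review bot: In the new `else if h.fakeProc` branch the comment says "This error is harmless" without naming the error, so a reader has to reconstruct that it is Firefox's stat(2) of `/proc/self/task` failing when /proc is not mounted; starting the second paragraph with `// The failed stat(2) is harmless on most systems, but as of 7.0.7, will` makes it self-contained. The comment should also say what the workaround does: `--dir /proc/self/task/fakeProc` presumably gives Firefox a stat-able `/proc/self/task` inside the sandbox without mounting /proc and, as far as this diff shows, without relaxing the seccomp profile, which is the property worth recording. The `fakeProc` field added to the hugbox struct in the hunk above has no comment either; `fakeProc bool // stub /proc/self/task when mountProc is false (Bug 23915)` would do. Whether the helper creates the intermediate `/proc/self/task` directories for `--dir` is not visible here and is worth confirming on a kernel without TSYNC support. run() begins and ends outside the hunk.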