commit 45e252e604150054a483bde5fc43303b8dc14339 Author: Yawning Angel yawning@schwanenlied.me Date: Mon Dec 5 23:32:48 2016 +0000
More seccomp improvements.
* Fail with an error on ENOSYS. * Remove socketcall from the 286 whitelists, libseccomp should handle that for us. --- src/cmd/gen-seccomp/seccomp.go | 8 +++----- src/cmd/gen-seccomp/seccomp_firefox.go | 1 - src/cmd/gen-seccomp/seccomp_tor.go | 4 ++-- 3 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/cmd/gen-seccomp/seccomp.go b/src/cmd/gen-seccomp/seccomp.go
index 62b286d..9ec17e8 100644
--- a/src/cmd/gen-seccomp/seccomp.go
+++ b/src/cmd/gen-seccomp/seccomp.go
@@ -17,7 +17,7 @@ package main
 import (
-	"log"
+	"fmt"
seccomp "github.com/seccomp/libseccomp-golang" ) @@ -98,8 +98,7 @@ func allowSyscalls(f *seccomp.ScmpFilter, calls []string, is386 bool) error { if is386 && scallName == "newselect" { scall = seccomp.ScmpSyscall(142) } else { - log.Printf("seccomp: unknown system call: %v", scallName) - continue + return fmt.Errorf("seccomp: unknown system call: %v", scallName) } } if err = f.AddRule(scall, seccomp.ActAllow); err != nil { @@ -112,8 +111,7 @@ func allowSyscalls(f *seccomp.ScmpFilter, calls []string, is386 bool) error { func allowCmpEq(f *seccomp.ScmpFilter, scallName string, arg uint, values ...uint64) error { scall, err := seccomp.GetSyscallFromName(scallName) if err != nil { - log.Printf("seccomp: unknown system call: %v", scallName) - return nil + return fmt.Errorf("seccomp: unknown system call: %v", scallName) }
 	// Allow if the arg matches any of the values. Implemented as multiple
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go
index 75a7dd3..1606d76 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -209,7 +209,6 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
 		"recv",
 		"send",
 		"newselect",
-		"socketcall",
"socket", // Filtered on amd64. } diff --git a/src/cmd/gen-seccomp/seccomp_tor.go b/src/cmd/gen-seccomp/seccomp_tor.go index 2b01656..6144548 100644 --- a/src/cmd/gen-seccomp/seccomp_tor.go +++ b/src/cmd/gen-seccomp/seccomp_tor.go @@ -115,7 +115,6 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error { "recv", "send", "stat64", - "socketcall", // Sigh...
"ugetrlimit", "set_thread_area", @@ -254,7 +253,8 @@ func torFilterAccept4(f *seccomp.ScmpFilter, is386 bool) error { } if is386 { // XXX: The tor common/sandbox.c file, explcitly allows socketcall() - // by arg for this call, and only this call. ?????? + // by arg for this call, and only this call, when libseccomp should + // do the right thing. return f.AddRule(scall, seccomp.ActAllow) }