commit 1c528cc4610f4609b3df4244e9ddacb2ef2cfda0 Author: Yawning Angel yawning@schwanenlied.me Date: Sun Jun 25 05:01:58 2017 +0000
Remove the undocumented command line options that enable unsafe behavior.
"We are not believers in buttons. Knobs are for knobs." -- Theo --- ChangeLog | 1 + .../internal/sandbox/application.go | 13 +++---------- .../sandboxed-tor-browser/internal/sandbox/x11/x11.go | 19 ++++--------------- 3 files changed, 8 insertions(+), 25 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 742153f..69b4a5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 Changes in version 0.0.9 - UNRELEASED:
 * Fix the build being broken on Debian Jessie due to #22648.
+ * Remove the undocumented command line options that enable unsafe behavior.
Changes in version 0.0.8 - 2017-06-19:
 * Bug 20776: Remove the X11 `MIT-SHM` workaround from the stub.
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 61722c1..f66c1ba 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -20,7 +20,6 @@ package sandbox
import (
 "bytes"
- "flag"
 "fmt"
 "io/ioutil"
 "log"
@@ -41,10 +40,7 @@ import (
const restrictedLibDir = "/usr/lib"
-var (
- distributionDependentLibSearchPath []string
- allowGstreamer bool
-)
+var distributionDependentLibSearchPath []string
// RunTorBrowser launches sandboxed Tor Browser.
func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (process *Process, err error) {
@@ -322,10 +318,9 @@ func filterCodecs(fn string, allowFfmpeg bool) error {
 "libgstapp",
 "libgstvideo",
 }
- if allowGstreamer && allowFfmpeg {
+ if allowFfmpeg {
 codecPrefixes = []string{}
- }
- if !allowFfmpeg {
+ } else if !allowFfmpeg {
 codecPrefixes = append(codecPrefixes, "libavcodec")
 }
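Review bot: With the new `if allowFfmpeg {` branch, `codecPrefixes` is emptied whenever ffmpeg is allowed, which is exactly what the removed `allow-gstreamer` flag used to gate, so the gstreamer entries visible in the context above (`libgstapp`, `libgstvideo`) appear to stop being filtered for every ffmpeg-enabled configuration. If the intent is to remove the unsafe path rather than make it the default, drop the first branch and keep only `if !allowFfmpeg { codecPrefixes = append(codecPrefixes, "libavcodec") }`. As written, the `else if !allowFfmpeg` condition is also redundant after `if allowFfmpeg`. The rest of filterCodecs lies outside the hunk, so how the list is consumed is inferred from its name and contents.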
@@ -874,6 +869,4 @@ func init() {
 }
distributionDependentLibSearchPath = searchPaths
-
- flag.BoolVar(&allowGstreamer, "allow-gstreamer", false, "Don't blacklist gstreamer libraries.")
 }
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go
index 908bedd..15960fb 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go
@@ -20,7 +20,6 @@ package x11
import (
 "encoding/binary"
- "flag"
 "fmt"
 "io/ioutil"
 "os"
@@ -31,8 +30,6 @@ import (
 . "cmd/sandboxed-tor-browser/internal/utils"
 )
-var disableX11Filter bool
-
 const SockDir = "/tmp/.X11-unix"
func craftAuthority(hugboxHostname, realDisplay string) ([]byte, error) {
@@ -186,15 +183,11 @@ func (x *SandboxedX11) Socket() string {
func (x *SandboxedX11) LaunchSurrogate() error {
 // Launch the surrogate unless disabled.
- if !disableX11Filter {
- Debugf("sandbox: X11: Launching surrogate")
+ Debugf("sandbox: X11: Launching surrogate")
- var err error
- if x.Surrogate, err = launchSurrogate(x.hSock, x.pSock, x.hDisplay); err != nil {
- return err
- }
- } else {
- Debugf("sandbox: X11: Direct bind-mounting X11 (UNSAFE)")
+ var err error
+ if x.Surrogate, err = launchSurrogate(x.hSock, x.pSock, x.hDisplay); err != nil {
+ return err
 }
 x.launched = true
 return nil
@@ -243,7 +236,3 @@ func New(display, hostname, pSock string) (*SandboxedX11, error) {
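Review bot: The context comment `// Launch the surrogate unless disabled.` at the top of LaunchSurrogate is stale now that the `disableX11Filter` branch is gone, since nothing can disable the surrogate any more. I would reword it to state what the method now guarantees, e.g. `// Launch the X11 surrogate; there is no longer a direct (unfiltered) X11 path.`, and add a doc comment on the method saying that it returns the launchSurrogate error and sets `x.launched` only on success. The function's closing brace is outside the hunk.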
return x, nil
 }
-
-func init() {
- flag.BoolVar(&disableX11Filter, "disable-X11-filter", false, "Use X11 directly (Unsafe)")
-}