commit 8f671b6f5261063085fe4eccc99a03ebe0f4be26 Author: Yawning Angel yawning@schwanenlied.me Date: Thu Dec 8 20:37:08 2016 +0000
When running the hardened bundle, load libasan.so before the stub.
Sort of silly, but it demands this of us or it dumps alarming looking warnings to the log. While I'm here, the stub living in /tmp is silly, so move/rename it and jam it in the user's home directory.
---
 .../internal/sandbox/application.go | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 4cd4ca0..6de8a5e 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -45,7 +45,7 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (cm
 const (
 profileSubDir = "TorBrowser/Data/Browser/profile.default"
 cachesSubDir = "TorBrowser/Data/Browser/Caches"
- stubPath = "/tmp/tbb_stub.so"
+ stubPath = "/home/amnesia/.tbb_stub.so"
 controlSocket = "control"
 socksSocket = "socks"
 )
@@ -165,13 +165,28 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (cm
 // supply the relevant args required for functionality.
 ctrlPath := filepath.Join(h.runtimeDir, controlSocket)
 socksPath := filepath.Join(h.runtimeDir, socksSocket)
- h.setenv("LD_PRELOAD", stubPath)
 h.setenv("TOR_STUB_CONTROL_SOCKET", ctrlPath)
 h.setenv("TOR_STUB_SOCKS_SOCKET", socksPath)
 h.bind(tor.CtrlSurrogatePath(), ctrlPath, false)
 h.bind(tor.SocksSurrogatePath(), socksPath, false)
 h.assetFile(stubPath, "tbb_stub.so")
+ ldPreload := stubPath
+ if manif.Channel == "hardened" {
+ // ASAN wants to be the first entry on LD_PRELOAD, so placate it.
+ matches, err := filepath.Glob(filepath.Join(realBrowserHome, "TorBrowser", "Tor") + "/libasan.so*")
+ if err != nil {
+ return nil, err
+ }
+ if len(matches) < 1 {
+ log.Printf("sandbox: Failed to find 'libasan.so.*'")
+ } else {
+ _, f := filepath.Split(matches[0])
+ ldPreload = f + ":" + ldPreload
+ }
+ }
+ h.setenv("LD_PRELOAD", ldPreload)
+
 // Hardware accelerated OpenGL will not work, and never will.
 h.setenv("LIBGL_ALWAYS_SOFTWARE", "1")
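Review bot: In the hardened branch only the base name of `matches[0]` is put on `LD_PRELOAD`, so the dynamic loader picks the library through its search path inside the sandbox rather than loading the file the glob actually found; if a different `libasan.so.N` is reachable first, that one is preloaded into the browser. The pattern `libasan.so*` is also wider than the `libasan.so.*` named in the log message and takes the first match unchecked, and any glob metacharacter in `realBrowserHome` is interpreted as part of the pattern. I would tighten the match to `filepath.Glob(filepath.Join(realBrowserHome, "TorBrowser", "Tor", "libasan.so.*"))` and, if the bundle's in-sandbox directory is known at this point, preload the full in-sandbox path instead of `f`. `RunTorBrowser` begins and ends outside the hunk, so where `realBrowserHome` comes from and how the library path is set are not visible here.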