commit ca358583844a1689b21a5cc2b419cd7172431756 Author: Yawning Angel yawning@schwanenlied.me Date: Tue Dec 6 19:31:32 2016 +0000
On second thought, SysV shm needs to be allowed.
Firefox works without this, but it's probably unhappy under the hood. If Firefox on Ubuntu uses MIT-SHM without querying the X server to see if the extension is supported, it's Firefox/Ubuntu's problem, not mine.
---
 src/cmd/gen-seccomp/seccomp_firefox.go | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go
index 33a3048..a1a9f0a 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -121,14 +121,10 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
 "mremap",
 "munmap",
- // `MIT-SHM` doesn't work, and there's workarounds to try
- // to prevent firefox from making such calls. It doesn't appear
- // to always ask (noticed on Ubuntu), so fail the calls entirely.
- //
- // "shmdt",
- // "shmat",
- // "shmctl",
- // "shmget",
+ "shmdt",
+ "shmat",
+ "shmctl",
+ "shmget",
 "alarm",
 "execve",
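Review bot: The four SysV shm names added after `"munmap",` enter the allow-list with no comment, and the block this commit deletes was the only in-file record of why they had been denied. Since each entry widens what the sandboxed browser can ask of the kernel, I would keep a short rationale above them, for example `// SysV shm: firefox runs without these but is probably unhappy under the hood; MIT-SHM itself is still not expected to work.` SysV segments live in the IPC namespace, so the comment should also say whether the sandbox unshares it; that is not visible here and needs confirming. The function also takes `is386`, and on 32-bit x86 these calls have historically been multiplexed through `ipc`, so it is worth checking that the names have the intended effect on that build. The body of compileTorBrowserSeccompProfile starts and ends outside the hunk.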