[sandboxed-tor-browser/master] Bug 20940: Deprecate x86 support.
commit 194d51e8cedd1d8f4846f24c69d7da5f6d1c0018 Author: Yawning Angel <yawning@schwanenlied.me> Date: Wed Dec 28 07:15:02 2016 +0000 Bug 20940: Deprecate x86 support. This removes support for 32 bit Intel systems, but leaves the awkward two stage build process in place for now. Going back to gosecco will follow next. --- ChangeLog | 1 + README.md | 2 +- data/ui/channels.json | 3 +- src/cmd/gen-seccomp/main.go | 33 +--- src/cmd/gen-seccomp/seccomp.go | 33 +--- src/cmd/gen-seccomp/seccomp_firefox.go | 97 +----------- src/cmd/gen-seccomp/seccomp_tor.go | 166 +++++---------------- .../sandboxed-tor-browser/internal/dynlib/cache.go | 35 +---- .../sandboxed-tor-browser/internal/dynlib/hwcap.go | 31 ---- .../sandboxed-tor-browser/internal/dynlib/ldso.go | 7 +- .../internal/sandbox/application.go | 12 +- .../internal/ui/config/config.go | 2 - 12 files changed, 53 insertions(+), 369 deletions(-) diff --git a/ChangeLog b/ChangeLog index dbde25a..8bcc45b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,5 @@ Changes in version 0.0.3 - UNRELEASED: + * Bug 20940: Deprecate x86 support. * Bug 20778: Check for updates in the background. * Bug 20851: If the incremental update fails, fall back to the complete update. diff --git a/README.md b/README.md index 4b70efd..badb125 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ Qubes, Subgraph or Tails. Runtime dependencies: - * A modern Linux system on x86/x86_64 architecture. + * A modern Linux system on x86_64 architecture. * bubblewrap >= 0.1.3 (https://github.com/projectatomic/bubblewrap). * Gtk+ >= 3.14.0 * (Optional) PulseAudio diff --git a/data/ui/channels.json b/data/ui/channels.json index 75c237f..8e78f46 100644 --- a/data/ui/channels.json +++ b/data/ui/channels.json @@ -1,4 +1,3 @@ { - "linux64": [ "release", "alpha", "hardened" ], - "linux32": [ "release", "alpha" ] + "linux64": [ "release", "alpha", "hardened" ] } diff --git a/src/cmd/gen-seccomp/main.go b/src/cmd/gen-seccomp/main.go index 5dcbbf2..8216166 100644 --- a/src/cmd/gen-seccomp/main.go +++ b/src/cmd/gen-seccomp/main.go @@ -37,7 +37,7 @@ func main() { if err != nil { log.Fatalf("failed to create output: %v", err) } - if err = compileTorSeccompProfile(f, false, false); err != nil { + if err = compileTorSeccompProfile(f, false); err != nil { log.Fatalf("failed to create tor amd64 profile: %v", err) } @@ -46,7 +46,7 @@ func main() { if err != nil { log.Fatalf("failed to create output: %v", err) } - if err = compileTorSeccompProfile(f, true, false); err != nil { + if err = compileTorSeccompProfile(f, true); err != nil { log.Fatalf("failed to create tor-obfs4 amd64 profile: %v", err) } @@ -55,34 +55,7 @@ func main() { if err != nil { log.Fatalf("failed to create output: %v", err) } - if err = compileTorBrowserSeccompProfile(f, false); err != nil { + if err = compileTorBrowserSeccompProfile(f); err != nil { log.Fatalf("failed to create firefox amd64 profile: %v", err) } - - // Tor Browser (386) - f, err = os.Create(filepath.Join(outDir, "tor-386.bpf")) - if err != nil { - log.Fatalf("failed to create output: %v", err) - } - if err = compileTorSeccompProfile(f, false, true); err != nil { - log.Fatalf("failed to create tor 386 profile: %v", err) - } - - // Tor Browser + obfs4proxy (386) - f, err = os.Create(filepath.Join(outDir, "tor-obfs4-386.bpf")) - if err != nil { - log.Fatalf("failed to create output: %v", err) - } - if err = compileTorSeccompProfile(f, true, true); err != nil { - log.Fatalf("failed to create tor-obfs4 386 profile: %v", err) - } - - // Firefox (386) - f, err = os.Create(filepath.Join(outDir, "torbrowser-386.bpf")) - if err != nil { - log.Fatalf("failed to create output: %v", err) - } - if err = compileTorBrowserSeccompProfile(f, true); err != nil { - log.Fatalf("failed to create firefox 386 profile: %v", err) - } } diff --git a/src/cmd/gen-seccomp/seccomp.go b/src/cmd/gen-seccomp/seccomp.go index ece1e7e..b016f4c 100644 --- a/src/cmd/gen-seccomp/seccomp.go +++ b/src/cmd/gen-seccomp/seccomp.go @@ -66,43 +66,16 @@ const ( fionread = 0x541b tcgets = 0x5401 tiocgpgrp = 0x540f - - // socketcall() call numbers (linux/net.h) - sysSocket = 1 // sys_socket() - sysBind = 2 // sys_bind() - sysConnect = 3 // sys_connect() - sysListen = 4 // sys_listen() - sysAccept = 5 // sys_accept() - sysGetsockname = 6 // sys_getsockname() - sysGetpeername = 7 // sys_getpeername() - sysSocketpair = 8 // sys_socketpair() - sysSend = 9 // sys_send() - sysRecv = 10 // sys_recv() - sysSendto = 11 // sys_sendto() - sysRecvfrom = 12 // sys_recvfrom() - sysShutdown = 13 // sys_shutdown() - sysSetsockopt = 14 // sys_setsockopt() - sysGetsockopt = 15 // sys_getsockopt() - sysSendmsg = 16 // sys_sendmsg() - sysRecvmsg = 17 // sys_recvmsg() - sysAccept4 = 18 // sys_accept4() - sysRecvmmsg = 19 // sys_recvmmsg - sysSendmmsg = 20 // sys_sendmmsg ) -func newWhitelist(is386 bool) (*seccomp.ScmpFilter, error) { - arch := seccomp.ArchAMD64 - if is386 { - arch = seccomp.ArchX86 - } - +func newWhitelist() (*seccomp.ScmpFilter, error) { actENOSYS := seccomp.ActErrno.SetReturnCode(38) f, err := seccomp.NewFilter(actENOSYS) if err != nil { return nil, err } - if err = f.AddArch(arch); err != nil { + if err = f.AddArch(seccomp.ArchAMD64); err != nil { f.Release() return nil, err } @@ -113,7 +86,7 @@ func newWhitelist(is386 bool) (*seccomp.ScmpFilter, error) { return f, nil } -func allowSyscalls(f *seccomp.ScmpFilter, calls []string, is386 bool) error { +func allowSyscalls(f *seccomp.ScmpFilter, calls []string) error { for _, scallName := range calls { scall, err := seccomp.GetSyscallFromName(scallName) if err != nil { diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go index b47e35b..427c5f9 100644 --- a/src/cmd/gen-seccomp/seccomp_firefox.go +++ b/src/cmd/gen-seccomp/seccomp_firefox.go @@ -19,14 +19,12 @@ package main import ( "os" "syscall" - - seccomp "github.com/seccomp/libseccomp-golang" ) -func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error { +func compileTorBrowserSeccompProfile(fd *os.File) error { defer fd.Close() - f, err := newWhitelist(is386) + f, err := newWhitelist() if err != nil { return err } @@ -190,54 +188,10 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error { // "personality", // "mlock", } - if is386 { - allowedNoArgs386 := []string{ - "fadvise64_64", - "fcntl64", - "fstat64", - "fstatfs64", - "ftruncate64", - "lstat64", - "stat64", - "statfs64", - "_llseek", - - "mmap2", - "ugetrlimit", - "set_thread_area", - "waitpid", - - "getgid32", - "getuid32", - "getresgid32", - "getresuid32", - - "recv", - "send", - "_newselect", - } - allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...) - } - if err = allowSyscalls(f, allowedNoArgs, is386); err != nil { + if err = allowSyscalls(f, allowedNoArgs); err != nil { return err } - // Like with how I do the tor rules, handle socketcall() before everything - // else. - if is386 { - if err = ffFilterSocketcall(f); err != nil { - return err - } - - // Unrelated to sockets, only i386 needs these, and it can be filtered. - if err = allowCmpEq(f, "time", 0, 0); err != nil { - return err - } - if err = ffFilterPrlimit64(f); err != nil { - return err - } - } - // Because we patch PulseAudio's mutex creation, we can omit all PI futex // calls. if err = allowCmpEq(f, "futex", 1, futexWait, futexWaitPrivate, futexWakePrivate, futexCmpRequeuePrivate, futexWakeOpPrivate, futexWaitBitsetPrivate|futexClockRealtime, futexWake, futexWaitBitsetPrivate); err != nil { @@ -259,48 +213,3 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error { return f.ExportBPF(fd) } - -func ffFilterSocketcall(f *seccomp.ScmpFilter) error { - // This is kind of pointless because it allows basically all the things. - allowedCalls := []uint64{ - sysSocket, - sysBind, - sysConnect, - sysListen, - sysGetsockname, - sysGetpeername, - sysSocketpair, - sysSend, - sysRecv, - sysSendto, - sysRecvfrom, - sysShutdown, - sysSetsockopt, - sysGetsockopt, - sysSendmsg, - sysRecvmsg, - sysAccept4, - } - return allowCmpEq(f, "socketcall", 0, allowedCalls...) -} - -func ffFilterPrlimit64(f *seccomp.ScmpFilter) error { - scall, err := seccomp.GetSyscallFromName("prlimit64") - if err != nil { - return err - } - - // Per Mozilla's sandbox: only prlimit64(0, resource, NULL, old_limit) - // which is functionally equivalent to getrlimit(). 0 instead of the - // pid() is a glibc-ism. - - isPid0, err := seccomp.MakeCondition(0, seccomp.CompareEqual, 0) - if err != nil { - return err - } - isNoNewLimit, err := seccomp.MakeCondition(2, seccomp.CompareEqual, 9) - if err != nil { - return err - } - return f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isPid0, isNoNewLimit}) -} diff --git a/src/cmd/gen-seccomp/seccomp_tor.go b/src/cmd/gen-seccomp/seccomp_tor.go index 26b4b14..e6501e3 100644 --- a/src/cmd/gen-seccomp/seccomp_tor.go +++ b/src/cmd/gen-seccomp/seccomp_tor.go @@ -25,10 +25,10 @@ import ( var maskedCloexecNonblock = ^(uint64(syscall.SOCK_CLOEXEC | syscall.SOCK_NONBLOCK)) -func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error { +func compileTorSeccompProfile(fd *os.File, useBridges bool) error { defer fd.Close() - f, err := newWhitelist(is386) + f, err := newWhitelist() if err != nil { return err } @@ -106,34 +106,9 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error { "readlink", // ASAN needs this. } - if is386 { - allowedNoArgs386 := []string{ - "fstat64", - "getegid32", - "geteuid32", - "getgid32", - "getuid32", - "_llseek", - "sigreturn", - - "recv", - "send", - "stat64", - - "ugetrlimit", - "set_thread_area", - } - allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...) - } - if err = allowSyscalls(f, allowedNoArgs, is386); err != nil { + if err = allowSyscalls(f, allowedNoArgs); err != nil { return err } - if is386 { - // Handle socketcall() before filtering other things. - if err = torFilterSocketcall(f, useBridges); err != nil { - return err - } - } if err = allowCmpEq(f, "time", 0, 0); err != nil { return err @@ -183,10 +158,10 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error { if err = torFilterSocketpair(f); err != nil { return err } - if err = torFilterMmap(f, is386); err != nil { + if err = torFilterMmap(f); err != nil { return err } - if err = torFilterFcntl(f, is386); err != nil { + if err = torFilterFcntl(f); err != nil { return err } @@ -203,10 +178,7 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error { "getpeername", "getppid", } - if is386 { - obfsCalls = append(obfsCalls, "_newselect") - } - if err = allowSyscalls(f, obfsCalls, is386); err != nil { + if err = allowSyscalls(f, obfsCalls); err != nil { return err } @@ -223,7 +195,7 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error { if err = obfsFilterSetsockopt(f); err != nil { return err } - if err = obfsFilterMmap(f, is386); err != nil { + if err = obfsFilterMmap(f); err != nil { return err } } @@ -231,40 +203,6 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error { return f.ExportBPF(fd) } -func torFilterSocketcall(f *seccomp.ScmpFilter, useBridges bool) error { - // This interface needs to die in a fire, because it's leaving - // gaping attack surface. It kind of will assuming that things - // move on to 4.3 or later. - // - // Emperically on Fedora 25 getsockopt and setsockopt still are - // multiplexed, though that may just be my rules or libseccomp2. - // - // Re-test after Debian stable moves to a modern kernel. - - allowedCalls := []uint64{ - sysSocket, - sysBind, - sysConnect, - sysListen, - sysGetsockname, - sysSocketpair, - sysSend, - sysRecv, - sysSendto, - sysRecvfrom, - sysSetsockopt, - sysGetsockopt, - sysSendmsg, - sysRecvmsg, - sysAccept4, - } - if useBridges { - allowedCalls = append(allowedCalls, sysGetpeername) - } - - return allowCmpEq(f, "socketcall", 0, allowedCalls...) -} - func torFilterPrctl(f *seccomp.ScmpFilter) error { scall, err := seccomp.GetSyscallFromName("prctl") if err != nil { @@ -463,19 +401,11 @@ func torFilterSocketpair(f *seccomp.ScmpFilter) error { return nil } -func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error { - scallMmap, err := seccomp.GetSyscallFromName("mmap") +func torFilterMmap(f *seccomp.ScmpFilter) error { + scall, err := seccomp.GetSyscallFromName("mmap") if err != nil { return err } - scalls := []seccomp.ScmpSyscall{scallMmap} - if is386 { - scallMmap2, err := seccomp.GetSyscallFromName("mmap2") - if err != nil { - return err - } - scalls = append(scalls, scallMmap2) - } // (arg2 == PROT_READ && arg3 == MAP_PRIVATE) isProtRead, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_READ) @@ -486,10 +416,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error { if err != nil { return err } - for _, scall := range scalls { - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtRead, isPrivate}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtRead, isPrivate}); err != nil { + return err } // (arg2 == PROT_NONE && arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE) @@ -501,10 +429,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error { if err != nil { return err } - for _, scall := range scalls { - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isProtNoneFlags}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isProtNoneFlags}); err != nil { + return err } isProtReadWrite, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_READ|syscall.PROT_WRITE) @@ -523,10 +449,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error { if err != nil { return err } - for _, scall := range scalls { - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadWrite, isFlag}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadWrite, isFlag}); err != nil { + return err } } @@ -540,28 +464,18 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error { if err != nil { return err } - for _, scall := range scalls { - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadExec, isProtReadExecFlags}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadExec, isProtReadExecFlags}); err != nil { + return err } return nil } -func torFilterFcntl(f *seccomp.ScmpFilter, is386 bool) error { - scallFcntl, err := seccomp.GetSyscallFromName("fcntl") +func torFilterFcntl(f *seccomp.ScmpFilter) error { + scall, err := seccomp.GetSyscallFromName("fcntl") if err != nil { return err } - scalls := []seccomp.ScmpSyscall{scallFcntl} - if is386 { - scallFcntl64, err := seccomp.GetSyscallFromName("fcntl64") - if err != nil { - return err - } - scalls = append(scalls, scallFcntl64) - } isFGetfl, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.F_GETFL) if err != nil { @@ -590,21 +504,19 @@ func torFilterFcntl(f *seccomp.ScmpFilter, is386 bool) error { return err } - for _, scall := range scalls { - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfl}); err != nil { - return err - } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfd}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfl}); err != nil { + return err + } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfd}); err != nil { + return err + } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfl, isFSetflFlags}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfl, isFSetflFlags}); err != nil { + return err + } - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfd, isFdCloexec}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfd, isFdCloexec}); err != nil { + return err } return nil @@ -656,19 +568,11 @@ func obfsFilterSetsockopt(f *seccomp.ScmpFilter) error { } // `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)` -func obfsFilterMmap(f *seccomp.ScmpFilter, is386 bool) error { - scallMmap, err := seccomp.GetSyscallFromName("mmap") +func obfsFilterMmap(f *seccomp.ScmpFilter) error { + scall, err := seccomp.GetSyscallFromName("mmap") if err != nil { return err } - scalls := []seccomp.ScmpSyscall{scallMmap} - if is386 { - scallMmap2, err := seccomp.GetSyscallFromName("mmap2") - if err != nil { - return err - } - scalls = append(scalls, scallMmap2) - } isProtNone, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_NONE) if err != nil { @@ -683,10 +587,8 @@ func obfsFilterMmap(f *seccomp.ScmpFilter, is386 bool) error { if err != nil { return err } - for _, scall := range scalls { - if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isFlag}); err != nil { - return err - } + if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isFlag}); err != nil { + return err } } return nil diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go b/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go index ecac7b8..24dcf47 100644 --- a/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go +++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go @@ -262,9 +262,6 @@ func LoadCache() (*Cache, error) { return nil, errUnsupported } - auxvHwcap := getHwcap() - Debugf("dynlib: ELF AUXV AT_HWCAP: %016x", auxvHwcap) - ourOsVersion := getOsVersion() Debugf("dynlib: osVersion: %08x", ourOsVersion) @@ -321,41 +318,13 @@ func LoadCache() (*Cache, error) { // libs[] var flagCheckFn func(uint32) bool - var capCheckFn func(uint64) bool switch runtime.GOARCH { case "amd64": flagCheckFn = func(flags uint32) bool { const wantFlags = flagX8664Lib64 | flagElfLibc6 return flags&wantFlags == wantFlags } - capCheckFn = func(hwcap uint64) bool { - // Not used on this arch AFAIK. - return true - } - case "386": - flagCheckFn = func(flags uint32) bool { - // Reject 64 bit libraries. - if flags&flagX8664Lib64 == flagX8664Lib64 { - return false - } - return flags&flagElfLibc6 == flags - } - capCheckFn = func(hwcap uint64) bool { - // Filter out libraries we have no hope of using. - ourHwcap := auxvHwcap & hwcapMask - libHwcap := hwcap & hwcapMask - if libHwcap&ourHwcap != libHwcap { - return false - } - - ourPlatform := auxvHwcap >> x86HwcapFirstPlatform - libPlatform := hwcap >> x86HwcapFirstPlatform - if ourPlatform < libPlatform { - return false - } - - return true - } + // HWCAP is unused on amd64. default: panic(errUnsupported) } @@ -385,7 +354,7 @@ func LoadCache() (*Cache, error) { Debugf("dynlib: ignoring library: %v (osVersion: %x)", e.key, e.osVersion) } else if err = ValidateLibraryClass(e.value); err != nil { Debugf("dynlib: ignoring library %v (%v)", e.key, err) - } else if flagCheckFn(e.flags) && capCheckFn(e.hwcap) { + } else if flagCheckFn(e.flags) { vec := c.store[e.key] vec = append(vec, e) c.store[e.key] = vec diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go b/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go index 8474b0c..7c2998c 100644 --- a/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go +++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go @@ -26,40 +26,9 @@ import "C" import ( "bytes" - "runtime" "syscall" ) -const ( - x86HwcapFirstPlatform = 48 - hwcapMask = 0xffffffff -) - -func getHwcap() uint64 { - if runtime.GOARCH != "386" { - return 0 - } - - // HWCAP_I386_XMM2 = 1 << 26 - // HWCAP_I386_CMOV = 1 << 15 (Debian-ism) - important := uint32((1 << 26) | (1 << 15)) - hwcap := uint64(uint32(C.getauxval(C.AT_HWCAP)) & important) - - // On x86, glibc stores the x86 architecture family in hwcap as well. - x86Platforms := []string{"i386", "i486", "i586", "i686"} - - platform := C.GoString(C.getPlatform()) - for i, v := range x86Platforms { - if v == platform { - i += x86HwcapFirstPlatform - hwcap = hwcap | (uint64(i) << x86HwcapFirstPlatform) - break - } - } - - return hwcap -} - func getOsVersion() uint32 { var buf syscall.Utsname err := syscall.Uname(&buf) diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go b/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go index 438fb3a..874f693 100644 --- a/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go +++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go @@ -50,8 +50,6 @@ func ValidateLibraryClass(fn string) error { switch runtime.GOARCH { case "amd64": expectedClass = elf.ELFCLASS64 - case "386": - expectedClass = elf.ELFCLASS32 default: return errUnsupported } @@ -75,9 +73,6 @@ func FindLdSo(cache *Cache) (string, string, error) { case "amd64": searchPaths = append(searchPaths, "/lib64") name = "ld-linux-x86-64.so.2" - case "386": - searchPaths = append(searchPaths, "/lib32") - name = "ld-linux.so.2" default: panic("dynlib: unsupported architecture: " + runtime.GOARCH) } @@ -105,5 +100,5 @@ func FindLdSo(cache *Cache) (string, string, error) { // IsSupported returns true if the architecture/os combination has dynlib // sypport. func IsSupported() bool { - return runtime.GOOS == "linux" && (runtime.GOARCH == "amd64" || runtime.GOARCH == "386") + return runtime.GOOS == "linux" && runtime.GOARCH == "amd64" } diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go index 2d016bb..29fea85 100644 --- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go +++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go @@ -819,9 +819,8 @@ func (h *hugbox) appendLibraries(cache *dynlib.Cache, binaries []string, extraLi case "amd64": h.symlink("/lib", "/lib64") h.symlink(restrictedLibDir, "/usr/lib64") - case "386": - h.symlink("/lib", "/lib32") - h.symlink(restrictedLibDir, "/usr/lib32") + default: + panic("sandbox: unsupported architecture: " + runtime.GOARCH) } h.standardLibs = false @@ -839,11 +838,8 @@ func init() { "/usr/lib64", // Fedora 25 "/usr/lib/x86_64-linux-gnu", // Debian }, searchPaths...) - case "386": - searchPaths = append([]string{ - "/usr/lib32", - "/usr/lib/i386-linux-gnu", // Debian - }, searchPaths...) + default: + panic("sandbox: unsupported architecture: " + runtime.GOARCH) } distributionDependentLibSearchPath = searchPaths diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go index bddc073..44b6633 100644 --- a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go +++ b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go @@ -462,8 +462,6 @@ func New(version string) (*Config, error) { return nil, fmt.Errorf("unsupported OS: %v", runtime.GOOS) } switch runtime.GOARCH { - case "386": - cfg.Architecture = archLinux32 case "amd64": cfg.Architecture = archLinux64 default:
participants (1)
-
yawning@torproject.org