[sandboxed-tor-browser/master] Bug 20940: Deprecate x86 support. - tor-commits

29 Dec 2016

commit 194d51e8cedd1d8f4846f24c69d7da5f6d1c0018
Author: Yawning Angel yawning@schwanenlied.me
Date:   Wed Dec 28 07:15:02 2016 +0000
Bug 20940: Deprecate x86 support.
This removes support for 32 bit Intel systems, but leaves the awkward
    two stage build process in place for now.  Going back to gosecco will
    follow next.
---
 ChangeLog                                          |   1 +
 README.md                                          |   2 +-
 data/ui/channels.json                              |   3 +-
 src/cmd/gen-seccomp/main.go                        |  33 +---
 src/cmd/gen-seccomp/seccomp.go                     |  33 +---
 src/cmd/gen-seccomp/seccomp_firefox.go             |  97 +-----------
 src/cmd/gen-seccomp/seccomp_tor.go                 | 166 +++++----------------
 .../sandboxed-tor-browser/internal/dynlib/cache.go |  35 +----
 .../sandboxed-tor-browser/internal/dynlib/hwcap.go |  31 ----
 .../sandboxed-tor-browser/internal/dynlib/ldso.go  |   7 +-
 .../internal/sandbox/application.go                |  12 +-
 .../internal/ui/config/config.go                   |   2 -
 12 files changed, 53 insertions(+), 369 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dbde25a..8bcc45b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 Changes in version 0.0.3 - UNRELEASED:
+ * Bug 20940: Deprecate x86 support.
  * Bug 20778: Check for updates in the background.
  * Bug 20851: If the incremental update fails, fall back to the complete
    update.
diff --git a/README.md b/README.md
index 4b70efd..badb125 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Qubes, Subgraph or Tails.
Runtime dependencies:
- * A modern Linux system on x86/x86_64 architecture.
+ * A modern Linux system on x86_64 architecture.
  * bubblewrap >= 0.1.3 (https://github.com/projectatomic/bubblewrap).
  * Gtk+ >= 3.14.0
  * (Optional) PulseAudio
diff --git a/data/ui/channels.json b/data/ui/channels.json
index 75c237f..8e78f46 100644
--- a/data/ui/channels.json
+++ b/data/ui/channels.json
@@ -1,4 +1,3 @@
 {
-  "linux64": [ "release", "alpha", "hardened" ],
-  "linux32": [ "release", "alpha" ]
+  "linux64": [ "release", "alpha", "hardened" ]
 }
diff --git a/src/cmd/gen-seccomp/main.go b/src/cmd/gen-seccomp/main.go
index 5dcbbf2..8216166 100644
--- a/src/cmd/gen-seccomp/main.go
+++ b/src/cmd/gen-seccomp/main.go
@@ -37,7 +37,7 @@ func main() {
    if err != nil {
    	log.Fatalf("failed to create output: %v", err)
    }
-	if err = compileTorSeccompProfile(f, false, false); err != nil {
+	if err = compileTorSeccompProfile(f, false); err != nil {
    	log.Fatalf("failed to create tor amd64 profile: %v", err)
    }
@@ -46,7 +46,7 @@ func main() {
    if err != nil {
    	log.Fatalf("failed to create output: %v", err)
    }
-	if err = compileTorSeccompProfile(f, true, false); err != nil {
+	if err = compileTorSeccompProfile(f, true); err != nil {
    	log.Fatalf("failed to create tor-obfs4 amd64 profile: %v", err)
    }
@@ -55,34 +55,7 @@ func main() {
    if err != nil {
    	log.Fatalf("failed to create output: %v", err)
    }
-	if err = compileTorBrowserSeccompProfile(f, false); err != nil {
+	if err = compileTorBrowserSeccompProfile(f); err != nil {
    	log.Fatalf("failed to create firefox amd64 profile: %v", err)
    }
-
-	// Tor Browser (386)
-	f, err = os.Create(filepath.Join(outDir, "tor-386.bpf"))
-	if err != nil {
-		log.Fatalf("failed to create output: %v", err)
-	}
-	if err = compileTorSeccompProfile(f, false, true); err != nil {
-		log.Fatalf("failed to create tor 386 profile: %v", err)
-	}
-
-	// Tor Browser + obfs4proxy (386)
-	f, err = os.Create(filepath.Join(outDir, "tor-obfs4-386.bpf"))
-	if err != nil {
-		log.Fatalf("failed to create output: %v", err)
-	}
-	if err = compileTorSeccompProfile(f, true, true); err != nil {
-		log.Fatalf("failed to create tor-obfs4 386 profile: %v", err)
-	}
-
-	// Firefox (386)
-	f, err = os.Create(filepath.Join(outDir, "torbrowser-386.bpf"))
-	if err != nil {
-		log.Fatalf("failed to create output: %v", err)
-	}
-	if err = compileTorBrowserSeccompProfile(f, true); err != nil {
-		log.Fatalf("failed to create firefox 386 profile: %v", err)
-	}
 }
diff --git a/src/cmd/gen-seccomp/seccomp.go b/src/cmd/gen-seccomp/seccomp.go
index ece1e7e..b016f4c 100644
--- a/src/cmd/gen-seccomp/seccomp.go
+++ b/src/cmd/gen-seccomp/seccomp.go
@@ -66,43 +66,16 @@ const (
    fionread  = 0x541b
    tcgets    = 0x5401
    tiocgpgrp = 0x540f
-
-	// socketcall() call numbers (linux/net.h)
-	sysSocket      = 1  // sys_socket()
-	sysBind        = 2  // sys_bind()
-	sysConnect     = 3  // sys_connect()
-	sysListen      = 4  // sys_listen()
-	sysAccept      = 5  // sys_accept()
-	sysGetsockname = 6  // sys_getsockname()
-	sysGetpeername = 7  // sys_getpeername()
-	sysSocketpair  = 8  // sys_socketpair()
-	sysSend        = 9  // sys_send()
-	sysRecv        = 10 // sys_recv()
-	sysSendto      = 11 // sys_sendto()
-	sysRecvfrom    = 12 // sys_recvfrom()
-	sysShutdown    = 13 // sys_shutdown()
-	sysSetsockopt  = 14 // sys_setsockopt()
-	sysGetsockopt  = 15 // sys_getsockopt()
-	sysSendmsg     = 16 // sys_sendmsg()
-	sysRecvmsg     = 17 // sys_recvmsg()
-	sysAccept4     = 18 // sys_accept4()
-	sysRecvmmsg    = 19 // sys_recvmmsg
-	sysSendmmsg    = 20 // sys_sendmmsg
 )
-func newWhitelist(is386 bool) (*seccomp.ScmpFilter, error) {
-	arch := seccomp.ArchAMD64
-	if is386 {
-		arch = seccomp.ArchX86
-	}
-
+func newWhitelist() (*seccomp.ScmpFilter, error) {
    actENOSYS := seccomp.ActErrno.SetReturnCode(38)
    f, err := seccomp.NewFilter(actENOSYS)
    if err != nil {
    	return nil, err
    }
-	if err = f.AddArch(arch); err != nil {
+	if err = f.AddArch(seccomp.ArchAMD64); err != nil {
    	f.Release()
    	return nil, err
    }
@@ -113,7 +86,7 @@ func newWhitelist(is386 bool) (*seccomp.ScmpFilter, error) {
    return f, nil
 }
-func allowSyscalls(f *seccomp.ScmpFilter, calls []string, is386 bool) error {
+func allowSyscalls(f *seccomp.ScmpFilter, calls []string) error {
    for _, scallName := range calls {
    	scall, err := seccomp.GetSyscallFromName(scallName)
    	if err != nil {
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go
index b47e35b..427c5f9 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -19,14 +19,12 @@ package main
 import (
    "os"
    "syscall"
-
-	seccomp "github.com/seccomp/libseccomp-golang"
 )
-func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
+func compileTorBrowserSeccompProfile(fd *os.File) error {
    defer fd.Close()
-	f, err := newWhitelist(is386)
+	f, err := newWhitelist()
    if err != nil {
    	return err
    }
@@ -190,54 +188,10 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
    	// "personality",
    	// "mlock",
    }
-	if is386 {
-		allowedNoArgs386 := []string{
-			"fadvise64_64",
-			"fcntl64",
-			"fstat64",
-			"fstatfs64",
-			"ftruncate64",
-			"lstat64",
-			"stat64",
-			"statfs64",
-			"_llseek",
-
-			"mmap2",
-			"ugetrlimit",
-			"set_thread_area",
-			"waitpid",
-
-			"getgid32",
-			"getuid32",
-			"getresgid32",
-			"getresuid32",
-
-			"recv",
-			"send",
-			"_newselect",
-		}
-		allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
-	}
-	if err = allowSyscalls(f, allowedNoArgs, is386); err != nil {
+	if err = allowSyscalls(f, allowedNoArgs); err != nil {
    	return err
    }
-	// Like with how I do the tor rules, handle socketcall() before everything
-	// else.
-	if is386 {
-		if err = ffFilterSocketcall(f); err != nil {
-			return err
-		}
-
-		// Unrelated to sockets, only i386 needs these, and it can be filtered.
-		if err = allowCmpEq(f, "time", 0, 0); err != nil {
-			return err
-		}
-		if err = ffFilterPrlimit64(f); err != nil {
-			return err
-		}
-	}
-
    // Because we patch PulseAudio's mutex creation, we can omit all PI futex
    // calls.
    if err = allowCmpEq(f, "futex", 1, futexWait, futexWaitPrivate, futexWakePrivate, futexCmpRequeuePrivate, futexWakeOpPrivate, futexWaitBitsetPrivate|futexClockRealtime, futexWake, futexWaitBitsetPrivate); err != nil {
@@ -259,48 +213,3 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
return f.ExportBPF(fd)
 }
-
-func ffFilterSocketcall(f *seccomp.ScmpFilter) error {
-	// This is kind of pointless because it allows basically all the things.
-	allowedCalls := []uint64{
-		sysSocket,
-		sysBind,
-		sysConnect,
-		sysListen,
-		sysGetsockname,
-		sysGetpeername,
-		sysSocketpair,
-		sysSend,
-		sysRecv,
-		sysSendto,
-		sysRecvfrom,
-		sysShutdown,
-		sysSetsockopt,
-		sysGetsockopt,
-		sysSendmsg,
-		sysRecvmsg,
-		sysAccept4,
-	}
-	return allowCmpEq(f, "socketcall", 0, allowedCalls...)
-}
-
-func ffFilterPrlimit64(f *seccomp.ScmpFilter) error {
-	scall, err := seccomp.GetSyscallFromName("prlimit64")
-	if err != nil {
-		return err
-	}
-
-	// Per Mozilla's sandbox: only prlimit64(0, resource,  NULL, old_limit)
-	// which is functionally equivalent to getrlimit().  0 instead of the
-	// pid() is a glibc-ism.
-
-	isPid0, err := seccomp.MakeCondition(0, seccomp.CompareEqual, 0)
-	if err != nil {
-		return err
-	}
-	isNoNewLimit, err := seccomp.MakeCondition(2, seccomp.CompareEqual, 9)
-	if err != nil {
-		return err
-	}
-	return f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isPid0, isNoNewLimit})
-}
diff --git a/src/cmd/gen-seccomp/seccomp_tor.go b/src/cmd/gen-seccomp/seccomp_tor.go
index 26b4b14..e6501e3 100644
--- a/src/cmd/gen-seccomp/seccomp_tor.go
+++ b/src/cmd/gen-seccomp/seccomp_tor.go
@@ -25,10 +25,10 @@ import (
var maskedCloexecNonblock = ^(uint64(syscall.SOCK_CLOEXEC | syscall.SOCK_NONBLOCK))
-func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
+func compileTorSeccompProfile(fd *os.File, useBridges bool) error {
    defer fd.Close()
-	f, err := newWhitelist(is386)
+	f, err := newWhitelist()
    if err != nil {
    	return err
    }
@@ -106,34 +106,9 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
"readlink", // ASAN needs this.
    }
-	if is386 {
-		allowedNoArgs386 := []string{
-			"fstat64",
-			"getegid32",
-			"geteuid32",
-			"getgid32",
-			"getuid32",
-			"_llseek",
-			"sigreturn",
-
-			"recv",
-			"send",
-			"stat64",
-
-			"ugetrlimit",
-			"set_thread_area",
-		}
-		allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
-	}
-	if err = allowSyscalls(f, allowedNoArgs, is386); err != nil {
+	if err = allowSyscalls(f, allowedNoArgs); err != nil {
    	return err
    }
-	if is386 {
-		// Handle socketcall() before filtering other things.
-		if err = torFilterSocketcall(f, useBridges); err != nil {
-			return err
-		}
-	}
if err = allowCmpEq(f, "time", 0, 0); err != nil {
    	return err
@@ -183,10 +158,10 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
    if err = torFilterSocketpair(f); err != nil {
    	return err
    }
-	if err = torFilterMmap(f, is386); err != nil {
+	if err = torFilterMmap(f); err != nil {
    	return err
    }
-	if err = torFilterFcntl(f, is386); err != nil {
+	if err = torFilterFcntl(f); err != nil {
    	return err
    }
@@ -203,10 +178,7 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
    		"getpeername",
    		"getppid",
    	}
-		if is386 {
-			obfsCalls = append(obfsCalls, "_newselect")
-		}
-		if err = allowSyscalls(f, obfsCalls, is386); err != nil {
+		if err = allowSyscalls(f, obfsCalls); err != nil {
    		return err
    	}
@@ -223,7 +195,7 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
    	if err = obfsFilterSetsockopt(f); err != nil {
    		return err
    	}
-		if err = obfsFilterMmap(f, is386); err != nil {
+		if err = obfsFilterMmap(f); err != nil {
    		return err
    	}
    }
@@ -231,40 +203,6 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
    return f.ExportBPF(fd)
 }
-func torFilterSocketcall(f *seccomp.ScmpFilter, useBridges bool) error {
-	// This interface needs to die in a fire, because it's leaving
-	// gaping attack surface.  It kind of will assuming that things
-	// move on to 4.3 or later.
-	//
-	// Emperically on Fedora 25 getsockopt and setsockopt still are
-	// multiplexed, though that may just be my rules or libseccomp2.
-	//
-	// Re-test after Debian stable moves to a modern kernel.
-
-	allowedCalls := []uint64{
-		sysSocket,
-		sysBind,
-		sysConnect,
-		sysListen,
-		sysGetsockname,
-		sysSocketpair,
-		sysSend,
-		sysRecv,
-		sysSendto,
-		sysRecvfrom,
-		sysSetsockopt,
-		sysGetsockopt,
-		sysSendmsg,
-		sysRecvmsg,
-		sysAccept4,
-	}
-	if useBridges {
-		allowedCalls = append(allowedCalls, sysGetpeername)
-	}
-
-	return allowCmpEq(f, "socketcall", 0, allowedCalls...)
-}
-
 func torFilterPrctl(f *seccomp.ScmpFilter) error {
    scall, err := seccomp.GetSyscallFromName("prctl")
    if err != nil {
@@ -463,19 +401,11 @@ func torFilterSocketpair(f *seccomp.ScmpFilter) error {
    return nil
 }
-func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
-	scallMmap, err := seccomp.GetSyscallFromName("mmap")
+func torFilterMmap(f *seccomp.ScmpFilter) error {
+	scall, err := seccomp.GetSyscallFromName("mmap")
    if err != nil {
    	return err
    }
-	scalls := []seccomp.ScmpSyscall{scallMmap}
-	if is386 {
-		scallMmap2, err := seccomp.GetSyscallFromName("mmap2")
-		if err != nil {
-			return err
-		}
-		scalls = append(scalls, scallMmap2)
-	}
// (arg2 == PROT_READ && arg3 == MAP_PRIVATE)
    isProtRead, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_READ)
@@ -486,10 +416,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
    if err != nil {
    	return err
    }
-	for _, scall := range scalls {
-		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtRead, isPrivate}); err != nil {
-			return err
-		}
+	if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtRead, isPrivate}); err != nil {
+		return err
    }
// (arg2 == PROT_NONE && arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE)
@@ -501,10 +429,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
    if err != nil {
    	return err
    }
-	for _, scall := range scalls {
-		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isProtNoneFlags}); err != nil {
-			return err
-		}
+	if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isProtNoneFlags}); err != nil {
+		return err
    }
isProtReadWrite, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_READ|syscall.PROT_WRITE)
@@ -523,10 +449,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
    	if err != nil {
    		return err
    	}
-		for _, scall := range scalls {
-			if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadWrite, isFlag}); err != nil {
-				return err
-			}
+		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadWrite, isFlag}); err != nil {
+			return err
    	}
    }
@@ -540,28 +464,18 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
    if err != nil {
    	return err
    }
-	for _, scall := range scalls {
-		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadExec, isProtReadExecFlags}); err != nil {
-			return err
-		}
+	if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtReadExec, isProtReadExecFlags}); err != nil {
+		return err
    }
return nil
 }
-func torFilterFcntl(f *seccomp.ScmpFilter, is386 bool) error {
-	scallFcntl, err := seccomp.GetSyscallFromName("fcntl")
+func torFilterFcntl(f *seccomp.ScmpFilter) error {
+	scall, err := seccomp.GetSyscallFromName("fcntl")
    if err != nil {
    	return err
    }
-	scalls := []seccomp.ScmpSyscall{scallFcntl}
-	if is386 {
-		scallFcntl64, err := seccomp.GetSyscallFromName("fcntl64")
-		if err != nil {
-			return err
-		}
-		scalls = append(scalls, scallFcntl64)
-	}
isFGetfl, err := seccomp.MakeCondition(1, seccomp.CompareEqual, syscall.F_GETFL)
    if err != nil {
@@ -590,21 +504,19 @@ func torFilterFcntl(f *seccomp.ScmpFilter, is386 bool) error {
    	return err
    }
-	for _, scall := range scalls {
-		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfl}); err != nil {
-			return err
-		}
-		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfd}); err != nil {
-			return err
-		}
+	if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfl}); err != nil {
+		return err
+	}
+	if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFGetfd}); err != nil {
+		return err
+	}
-		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfl, isFSetflFlags}); err != nil {
-			return err
-		}
+	if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfl, isFSetflFlags}); err != nil {
+		return err
+	}
-		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfd, isFdCloexec}); err != nil {
-			return err
-		}
+	if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isFSetfd, isFdCloexec}); err != nil {
+		return err
    }
return nil
@@ -656,19 +568,11 @@ func obfsFilterSetsockopt(f *seccomp.ScmpFilter) error {
 }
// `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)`
-func obfsFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
-	scallMmap, err := seccomp.GetSyscallFromName("mmap")
+func obfsFilterMmap(f *seccomp.ScmpFilter) error {
+	scall, err := seccomp.GetSyscallFromName("mmap")
    if err != nil {
    	return err
    }
-	scalls := []seccomp.ScmpSyscall{scallMmap}
-	if is386 {
-		scallMmap2, err := seccomp.GetSyscallFromName("mmap2")
-		if err != nil {
-			return err
-		}
-		scalls = append(scalls, scallMmap2)
-	}
isProtNone, err := seccomp.MakeCondition(2, seccomp.CompareEqual, syscall.PROT_NONE)
    if err != nil {
@@ -683,10 +587,8 @@ func obfsFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
    	if err != nil {
    		return err
    	}
-		for _, scall := range scalls {
-			if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isFlag}); err != nil {
-				return err
-			}
+		if err = f.AddRuleConditional(scall, seccomp.ActAllow, []seccomp.ScmpCondition{isProtNone, isFlag}); err != nil {
+			return err
    	}
    }
    return nil
diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go b/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go
index ecac7b8..24dcf47 100644
--- a/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go
+++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go
@@ -262,9 +262,6 @@ func LoadCache() (*Cache, error) {
    	return nil, errUnsupported
    }
-	auxvHwcap := getHwcap()
-	Debugf("dynlib: ELF AUXV AT_HWCAP: %016x", auxvHwcap)
-
    ourOsVersion := getOsVersion()
    Debugf("dynlib: osVersion: %08x", ourOsVersion)
@@ -321,41 +318,13 @@ func LoadCache() (*Cache, error) {
// libs[]
    var flagCheckFn func(uint32) bool
-	var capCheckFn func(uint64) bool
    switch runtime.GOARCH {
    case "amd64":
    	flagCheckFn = func(flags uint32) bool {
    		const wantFlags = flagX8664Lib64 | flagElfLibc6
    		return flags&wantFlags == wantFlags
    	}
-		capCheckFn = func(hwcap uint64) bool {
-			// Not used on this arch AFAIK.
-			return true
-		}
-	case "386":
-		flagCheckFn = func(flags uint32) bool {
-			// Reject 64 bit libraries.
-			if flags&flagX8664Lib64 == flagX8664Lib64 {
-				return false
-			}
-			return flags&flagElfLibc6 == flags
-		}
-		capCheckFn = func(hwcap uint64) bool {
-			// Filter out libraries we have no hope of using.
-			ourHwcap := auxvHwcap & hwcapMask
-			libHwcap := hwcap & hwcapMask
-			if libHwcap&ourHwcap != libHwcap {
-				return false
-			}
-
-			ourPlatform := auxvHwcap >> x86HwcapFirstPlatform
-			libPlatform := hwcap >> x86HwcapFirstPlatform
-			if ourPlatform < libPlatform {
-				return false
-			}
-
-			return true
-		}
+		// HWCAP is unused on amd64.
    default:
    	panic(errUnsupported)
    }
@@ -385,7 +354,7 @@ func LoadCache() (*Cache, error) {
    		Debugf("dynlib: ignoring library: %v (osVersion: %x)", e.key, e.osVersion)
    	} else if err = ValidateLibraryClass(e.value); err != nil {
    		Debugf("dynlib: ignoring library %v (%v)", e.key, err)
-		} else if flagCheckFn(e.flags) && capCheckFn(e.hwcap) {
+		} else if flagCheckFn(e.flags) {
    		vec := c.store[e.key]
    		vec = append(vec, e)
    		c.store[e.key] = vec
diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go b/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go
index 8474b0c..7c2998c 100644
--- a/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go
+++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go
@@ -26,40 +26,9 @@ import "C"
import (
    "bytes"
-	"runtime"
    "syscall"
 )
-const (
-	x86HwcapFirstPlatform = 48
-	hwcapMask             = 0xffffffff
-)
-
-func getHwcap() uint64 {
-	if runtime.GOARCH != "386" {
-		return 0
-	}
-
-	// HWCAP_I386_XMM2  = 1 << 26
-	// HWCAP_I386_CMOV  = 1 << 15 (Debian-ism)
-	important := uint32((1 << 26) | (1 << 15))
-	hwcap := uint64(uint32(C.getauxval(C.AT_HWCAP)) & important)
-
-	// On x86, glibc stores the x86 architecture family in hwcap as well.
-	x86Platforms := []string{"i386", "i486", "i586", "i686"}
-
-	platform := C.GoString(C.getPlatform())
-	for i, v := range x86Platforms {
-		if v == platform {
-			i += x86HwcapFirstPlatform
-			hwcap = hwcap | (uint64(i) << x86HwcapFirstPlatform)
-			break
-		}
-	}
-
-	return hwcap
-}
-
 func getOsVersion() uint32 {
    var buf syscall.Utsname
    err := syscall.Uname(&buf)
diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go b/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go
index 438fb3a..874f693 100644
--- a/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go
+++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go
@@ -50,8 +50,6 @@ func ValidateLibraryClass(fn string) error {
    switch runtime.GOARCH {
    case "amd64":
    	expectedClass = elf.ELFCLASS64
-	case "386":
-		expectedClass = elf.ELFCLASS32
    default:
    	return errUnsupported
    }
@@ -75,9 +73,6 @@ func FindLdSo(cache *Cache) (string, string, error) {
    case "amd64":
    	searchPaths = append(searchPaths, "/lib64")
    	name = "ld-linux-x86-64.so.2"
-	case "386":
-		searchPaths = append(searchPaths, "/lib32")
-		name = "ld-linux.so.2"
    default:
    	panic("dynlib: unsupported architecture: " + runtime.GOARCH)
    }
@@ -105,5 +100,5 @@ func FindLdSo(cache *Cache) (string, string, error) {
 // IsSupported returns true if the architecture/os combination has dynlib
 // sypport.
 func IsSupported() bool {
-	return runtime.GOOS == "linux" && (runtime.GOARCH == "amd64" || runtime.GOARCH == "386")
+	return runtime.GOOS == "linux" && runtime.GOARCH == "amd64"
 }
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 2d016bb..29fea85 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -819,9 +819,8 @@ func (h *hugbox) appendLibraries(cache *dynlib.Cache, binaries []string, extraLi
    case "amd64":
    	h.symlink("/lib", "/lib64")
    	h.symlink(restrictedLibDir, "/usr/lib64")
-	case "386":
-		h.symlink("/lib", "/lib32")
-		h.symlink(restrictedLibDir, "/usr/lib32")
+	default:
+		panic("sandbox: unsupported architecture: " + runtime.GOARCH)
    }
h.standardLibs = false
@@ -839,11 +838,8 @@ func init() {
    		"/usr/lib64",                // Fedora 25
    		"/usr/lib/x86_64-linux-gnu", // Debian
    	}, searchPaths...)
-	case "386":
-		searchPaths = append([]string{
-			"/usr/lib32",
-			"/usr/lib/i386-linux-gnu", // Debian
-		}, searchPaths...)
+	default:
+		panic("sandbox: unsupported architecture: " + runtime.GOARCH)
    }
distributionDependentLibSearchPath = searchPaths
diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
index bddc073..44b6633 100644
--- a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
+++ b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
@@ -462,8 +462,6 @@ func New(version string) (*Config, error) {
    	return nil, fmt.Errorf("unsupported OS: %v", runtime.GOOS)
    }
    switch runtime.GOARCH {
-	case "386":
-		cfg.Architecture = archLinux32
    case "amd64":
    	cfg.Architecture = archLinux64
    default:

    