[tor-commits] [sandboxed-tor-browser/master] Remove the old gosecco glue code.

yawning at torproject.org yawning at torproject.org
Sun Dec 4 23:26:45 UTC 2016


commit 8aa40ffd5ce26b58d4c47d1b625ca1451c22acb8
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Sun Dec 4 23:18:29 2016 +0000

    Remove the old gosecco glue code.
---
 data/blacklist-extras-i386.seccomp                 |   5 -
 data/blacklist.seccomp                             |  95 -----------
 data/tor-obfs4-whitelist.seccomp                   | 147 -----------------
 data/tor-whitelist-extras-i386.seccomp             |  29 ----
 data/tor-whitelist.seccomp                         | 122 ---------------
 ...rbrowser-launcher-whitelist-extras-i386.seccomp |  28 ----
 data/torbrowser-launcher-whitelist.seccomp         | 173 ---------------------
 .../internal/sandbox/seccomp.go                    |  12 --
 .../internal/sandbox/seccomp_386.go                | 125 ---------------
 .../internal/sandbox/seccomp_amd64.go              | 103 ------------
 10 files changed, 839 deletions(-)

diff --git a/data/blacklist-extras-i386.seccomp b/data/blacklist-extras-i386.seccomp
deleted file mode 100644
index dc74400..0000000
--- a/data/blacklist-extras-i386.seccomp
+++ /dev/null
@@ -1,5 +0,0 @@
-# Seccomp blacklist i386 specific rules  that will be installed in adition to
-# blacklist.seccomp.
-
-vm86: 1 
-vm86old: 1
diff --git a/data/blacklist.seccomp b/data/blacklist.seccomp
deleted file mode 100644
index ccc508b..0000000
--- a/data/blacklist.seccomp
+++ /dev/null
@@ -1,95 +0,0 @@
-# Basic standard seccomp blacklist rules, based off a few sources.
-
-#
-# linux-user-chroot (v0 profile)
-#
-
-# Block dmesg
-syslog: 1
-# Useless old syscall
-uselib: 1
-# Don't allow you to switch to bsd emulation or whatnot
-personality: 1
-# Don't allow disabling accounting
-acct: 1
-# 16-bit code is unnecessary in the sandbox, and modify_ldt is a historic source of interesting information leaks.
-modify_ldt: 1
-# Don't allow reading current quota use
-quotactl: 1
-
-# Scary VM/NUMA ops:
-move_pages: 1
-mbind: 1
-get_mempolicy: 1
-set_mempolicy: 1
-migrate_pages: 1
-
-# Don't allow subnamespace setups:
-# XXX/yawning: The clone restriction breaks bwrap.  c'est la vie.  It
-# looks like Mozilla is considering using user namespaces for the
-# content process sandboxing efforts, so this may need to be enabled.
-unshare: 1
-mount: 1
-pivot_root: 1
-# {SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, // Breaks bwrap.
-
-# Profiling operations; we expect these to be done by tools from
-# outside the sandbox.  In particular perf has been the source of many
-# CVEs.
-perf_event_open: 1
-ptrace: 1
-
-#
-# firejail seccomp_filter_64()
-#
-
-# mount
-umount2: 1
-kexec_load: 1
-# ptrace
-open_by_handle_at: 1
-name_to_handle_at: 1
-create_module: 1
-init_module: 1
-finit_module: 1
-delete_module: 1
-iopl: 1
-ioperm: 1
-ioprio_set: 1
-swapon: 1
-swapoff: 1
-# syslog
-process_vm_readv: 1
-process_vm_writev: 1
-sysfs: 1
-_sysctl: 1
-adjtimex: 1
-clock_adjtime: 1
-lookup_dcookie: 1
-# perf_event_open
-fanotify_init: 1
-kcmp: 1
-add_key: 1
-request_key: 1
-keyctl: 1
-# uselib
-# acct
-# modify_ldt
-# pivot_root
-io_setup: 1
-io_destroy: 1
-io_getevents: 1
-io_submit: 1
-io_cancel: 1
-remap_file_pages: 1
-# mbind
-# get_mempolicy
-# set_mempolicy
-# migrate_pages
-# move_pages
-vmsplice: 1
-chroot: 1
-tuxcall: 1
-reboot: 1
-nfsservctl: 1
-get_kernel_syms: 1
diff --git a/data/tor-obfs4-whitelist.seccomp b/data/tor-obfs4-whitelist.seccomp
deleted file mode 100644
index 773c5b7..0000000
--- a/data/tor-obfs4-whitelist.seccomp
+++ /dev/null
@@ -1,147 +0,0 @@
-# tor +obfs4proxy binary seccomp rules based off the tor sandbox and the
-# subgraph tor-browser-launcher rules, along with some quality time with
-# strace.
-
-#
-# WARNING: This is a stopgap.  In an ideal world, tor and obfs4proxy will
-# have separate containers, with their own seccomp rules.
-#
-
-# Constants used for argument comparisons.
-SIG_BLOCK=1
-SIG_SETMASK=2
-MREMAP_MAYMOVE=1
-PF_LOCAL=AF_LOCAL
-POLLIN=1
-
-# The tor stage 1 set.
-access: 1
-brk: 1
-clock_gettime: 1
-close: 1
-clone: 1
-epoll_create: 1
-epoll_wait: 1
-eventfd2: 1
-pipe2: 1
-pipe: 1
-fcntl: 1
-fstat: 1
-# fstat64: 1
-getdents: 1
-getdents64: 1
-getegid: 1
-# getegid32: 1
-geteuid: 1
-# geteuid32: 1
-getgid: 1
-# getgid32: 1
-getrlimit: 1
-gettimeofday: 1
-gettid: 1
-getuid: 1
-# getuid32: 1
-lseek: 1
-#_llseek: 1
-mkdir: 1
-munmap: 1
-prlimit64: 1
-read: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-set_robust_list: 1
-setrlimit: 1
-sigaltstack: 1
-# sigreturn: 1
-stat: 1
-uname: 1
-wait4: 1
-write: 1
-writev: 1
-exit_group: 1
-exit: 1
-madvise: arg2 == 8
-getrandom: 1
-sysinfo: 1
-bind: 1
-listen: 1
-connect: 1
-getsockname: 1
-recvmsg: 1
-recvfrom: 1
-sendto: 1
-unlink: 1
-
-# System calls that tor restricts by argument.
-rt_sigprocmask: arg0 == SIG_BLOCK || arg0 == SIG_SETMASK
-time: arg0 == 0
-epoll_ctl: arg1 == EPOLL_CTL_ADD || arg1 == EPOLL_CTL_MOD || arg1 == EPOLL_CTL_DEL
-prctl: (arg0 == PR_SET_DUMPABLE && arg1 == 0) || arg0 == PR_SET_PDEATHSIG
-mprotect: arg2 == PROT_READ || arg2 == PROT_NONE || arg2 == PROT_READ | PROT_WRITE
-flock: arg1 == (LOCK_EX | LOCK_NB) || arg1 == LOCK_UN
-# FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_PRIVATE
-futex: arg1 == 393 || arg1 == 128 || arg1 == 129 || arg1 == 1 || arg1 == 0
-mremap: arg3 == MREMAP_MAYMOVE
-poll: arg1 == POLLIN && arg2 == 10
-socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || arg0 == AF_NETLINK
-setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF || arg2 == SO_BROADCAST)) || (arg1 == SOL_TCP && arg2 == TCP_NODELAY) || (arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY)
-getsockopt: arg1 == SOL_SOCKET && arg2 == SO_ERROR
-# XXX: src/common/compat.c:tor_socketpair looks like it uses SOCK_CLOEXEC,
-# but according to strace, fcntl is used to actually set the flag (6.0.6).
-socketpair: arg0 == PF_LOCAL && (arg1 == SOCK_STREAM || arg1 == SOCK_STREAM | SOCK_CLOEXEC)
-# XXX/yawning: Tor doesn't have filters for this, but does for mmap2, but mmap2
-# is an x86-ism, so can't filter args.
-#
-# (PROT_READ|PROT_EXEC, MAP_PRIVATE | MAP_DENYWRITE) is needed for ld-linux.so
-mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE || arg3 == MAP_PRIVATE | MAP_ANONYMOUS || arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS)) || (arg2 == PROT_READ | PROT_WRITE && ((arg3 == MAP_PRIVATE | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_DENYWRITE) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_DENYWRITE))) || (arg2 == PROT_READ | PROT_EXEC && arg3 == MAP_PRIVATE | MAP_DENYWRITE)
-
-# System calls that tor has filters for, that we do not due to:
-#  * Yawning being too dumb/lazy to convert the rules (accept4, mmap2,
-#    rt_sigaction).
-rt_sigaction: 1
-accept4: 1
-# mmap2: 1
-# fcntl64: 1
-
-# System calls that tor restricts by argument, but that need to be done by the
-# tor binary, because the restriction is by pointer.
-chown: 1
-chmod: 1
-open: 1
-openat: 1
-rename: 1
-# stat64: 1
-
-# System calls that tor needs, but doesn't know it needs, because they are made
-# prior to Tor's sandbox enforcement, either by tor, it's dependencies, or even
-# by bubblewrap.
-arch_prctl: 1
-unshare: 1
-getpid: 1
-kill: 1
-execve: 1
-restart_syscall: 1
-set_tid_address: 1
-chdir: 1
-umask: arg0 == 022
-
-# obfs4proxy requires the following:
-#
-# Note that it also requires additional things to be allowed in the various
-# arg filters, which are made at the pre-existing locations.
-# `mprotect` -> `arg2 == PROT_READ | PROT_WRITE`
-# `futex` -> `arg1 == 1 || arg1 == 0` (FUTEX_WAKE, FUTEX_WAIT)
-# `setsockopt` -> `arg1 == SOL_TCP && arg2 == TCP_NODELAY`
-#                 `arg1 == SOL_SOCKET && arg2 == SO_BROADCAST`
-#                 `arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY`
-# `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)`
-mincore: 1
-dup2: 1
-select: 1
-mkdirat: 1
-fsync: 1
-epoll_create1: arg0 == EPOLL_CLOEXEC
-getpeername: 1
-getppid: 1
diff --git a/data/tor-whitelist-extras-i386.seccomp b/data/tor-whitelist-extras-i386.seccomp
deleted file mode 100644
index 2c33759..0000000
--- a/data/tor-whitelist-extras-i386.seccomp
+++ /dev/null
@@ -1,29 +0,0 @@
-# tor binary i386 specific seccomp rules that will be installed in addition to
-# tor-whitelist-seccomp.
-
-# 32 bit system specific system calls relocated from tor-whitelist.seccomp
-fstat64: 1
-getegid32: 1
-geteuid32: 1
-getgid32: 1
-getuid32: 1
-_llseek: 1
-sigreturn: 1
-mmap2: 1
-fcntl64: 1
-stat64: 1
-
-ugetrlimit: 1
-newselect: 1
-
-# tor's sandbox code claims that these calls are required on x86 but not on
-# x86_64.  tor's sandbox attempts to filter socketcall's arguments as well
-# when it adds a rule, but seccomp on x86 does not support argument filtering,
-# and I suspect that the arg filter is incorrect.
-recv: 1
-send: 1
-socketcall: 1
-prlimit: 1
-
-# This appears to be required on x86 to initialize TLS.
-set_thread_area: 1
diff --git a/data/tor-whitelist.seccomp b/data/tor-whitelist.seccomp
deleted file mode 100644
index 8433e3f..0000000
--- a/data/tor-whitelist.seccomp
+++ /dev/null
@@ -1,122 +0,0 @@
-# tor binary seccomp rules based off the tor sandbox and the subgraph
-# tor-browser-launcher rules.
-
-# Constants used for argument comparisons.
-SIG_BLOCK=1
-SIG_SETMASK=2
-MREMAP_MAYMOVE=1
-PF_LOCAL=AF_LOCAL
-POLLIN=1
-
-# The tor stage 1 set.
-access: 1
-brk: 1
-clock_gettime: 1
-close: 1
-clone: 1
-epoll_create: 1
-epoll_wait: 1
-eventfd2: 1
-pipe2: 1
-pipe: 1
-fcntl: 1
-fstat: 1
-# fstat64: 1
-getdents: 1
-getdents64: 1
-getegid: 1
-# getegid32: 1
-geteuid: 1
-# geteuid32: 1
-getgid: 1
-# getgid32: 1
-getrlimit: 1
-gettimeofday: 1
-gettid: 1
-getuid: 1
-# getuid32: 1
-lseek: 1
-#_llseek: 1
-mkdir: 1
-munmap: 1
-prlimit64: 1
-read: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-set_robust_list: 1
-setrlimit: 1
-sigaltstack: 1
-# sigreturn: 1
-stat: 1
-uname: 1
-wait4: 1
-write: 1
-writev: 1
-exit_group: 1
-exit: 1
-madvise: arg2 == 8
-getrandom: 1
-sysinfo: 1
-bind: 1
-listen: 1
-connect: 1
-getsockname: 1
-recvmsg: 1
-recvfrom: 1
-sendto: 1
-unlink: 1
-
-# System calls that tor restricts by argument.
-rt_sigprocmask: arg0 == SIG_BLOCK || arg0 == SIG_SETMASK
-time: arg0 == 0
-epoll_ctl: arg1 == EPOLL_CTL_ADD || arg1 == EPOLL_CTL_MOD || arg1 == EPOLL_CTL_DEL
-prctl: (arg0 == PR_SET_DUMPABLE && arg1 == 0) || arg0 == PR_SET_PDEATHSIG
-mprotect: arg2 == PROT_READ || arg2 == PROT_NONE
-flock: arg1 == (LOCK_EX | LOCK_NB) || arg1 == LOCK_UN
-# FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_PRIVATE
-futex: arg1 == 393 || arg1 == 128 || arg1 == 129
-mremap: arg3 == MREMAP_MAYMOVE
-poll: arg1 == POLLIN && arg2 == 10
-socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || arg0 == AF_NETLINK
-setsockopt: arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF)
-getsockopt: arg1 == SOL_SOCKET && arg2 == SO_ERROR
-# XXX: src/common/compat.c:tor_socketpair looks like it uses SOCK_CLOEXEC,
-# but according to strace, fcntl is used to actually set the flag (6.0.6).
-socketpair: arg0 == PF_LOCAL && (arg1 == SOCK_STREAM || arg1 == SOCK_STREAM | SOCK_CLOEXEC)
-# XXX/yawning: Tor doesn't have filters for this, but does for mmap2, but mmap2
-# is an x86-ism, so can't filter args.
-#
-# (PROT_READ|PROT_EXEC, MAP_PRIVATE | MAP_DENYWRITE) is needed for ld-linux.so
-mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE) || (arg2 == PROT_READ | PROT_WRITE && ((arg3 == MAP_PRIVATE | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_DENYWRITE) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_DENYWRITE))) || (arg2 == PROT_READ | PROT_EXEC && arg3 == MAP_PRIVATE | MAP_DENYWRITE)
-
-# System calls that tor has filters for, that we do not due to:
-#  * Yawning being too dumb/lazy to convert the rules (accept4, mmap2,
-#    rt_sigaction).
-rt_sigaction: 1
-accept4: 1
-# mmap2: 1
-# fcntl64: 1
-
-# System calls that tor restricts by argument, but that need to be done by the
-# tor binary, because the restriction is by pointer.
-chown: 1
-chmod: 1
-open: 1
-openat: 1
-rename: 1
-# stat64: 1
-
-# System calls that tor needs, but doesn't know it needs, because they are made
-# prior to Tor's sandbox enforcement, either by tor, it's dependencies, or even
-# by bubblewrap.
-arch_prctl: 1
-unshare: 1
-getpid: 1
-kill: 1
-execve: 1
-restart_syscall: 1
-set_tid_address: 1
-chdir: 1
-umask: arg0 == 022
diff --git a/data/torbrowser-launcher-whitelist-extras-i386.seccomp b/data/torbrowser-launcher-whitelist-extras-i386.seccomp
deleted file mode 100644
index b859f69..0000000
--- a/data/torbrowser-launcher-whitelist-extras-i386.seccomp
+++ /dev/null
@@ -1,28 +0,0 @@
-# Tor Browser  i386 specific seccomp rules that will be installed in addition to
-# torbrowser-launcher-whitelist-seccomp.
-
-fcntl64:1
-fstat64: 1
-lstat64: 1
-statfs64: 1
-stat64: 1
-prlimit64: 1
-_llseek: 1
-fstatfs64: 1
-ftruncate64: 1
-fadvise64_64: 1
-
-mmap2: 1
-set_thread_area: 1
-getresuid32: 1
-getresgid32: 1
-time: 1
-getuid32: 1
-getgid32: 1
-ugetrlimit: 1
-
-recv: 1
-send: 1
-socketcall: 1
-
-waitpid: 1
diff --git a/data/torbrowser-launcher-whitelist.seccomp b/data/torbrowser-launcher-whitelist.seccomp
deleted file mode 100644
index 7e47052..0000000
--- a/data/torbrowser-launcher-whitelist.seccomp
+++ /dev/null
@@ -1,173 +0,0 @@
-TIOCGPGRP=21519
-
-FUTEX_WAIT=0
-FUTEX_WAKE=1
-FUTEX_FD=2
-FUTEX_REQUEUE=3
-FUTEX_CMP_REQUEUE=3
-FUTEX_WAKE_OP=5
-#FUTEX_LOCK_PI=6
-#FUTEX_UNLOCK_PI=7
-FUTEX_WAIT_BITSET=9
-FUTEX_PRIVATE_FLAG=128
-FUTEX_CLOCK_REALTIME=256
-
-FUTEX_WAIT_PRIVATE=FUTEX_WAIT | FUTEX_PRIVATE_FLAG
-FUTEX_WAKE_PRIVATE=FUTEX_WAKE | FUTEX_PRIVATE_FLAG
-FUTEX_CMP_REQUEUE_PRIVATE=FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG
-FUTEX_WAKE_OP_PRIVATE=FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG
-#FUTEX_LOCK_PI_PRIVATE=FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG
-#FUTEX_UNLOCK_PI_PRIVATE=FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG
-FUTEX_WAIT_BITSET_PRIVATE=FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG
-
-# XXX/yawning: Because we patch PulseAudio's mutex creation, we can omit
-# FUTEX_LOCK_PI_PRIVATE, FUTEX_UNLOCK_PI_PRIVATE, FUTEX_UNLOCK_PI.
-#
-# This is deliberate and aims to avoid rumored scary race conditions in the
-# PI futex code.
-futex: arg1 == FUTEX_CMP_REQUEUE_PRIVATE || arg1 == FUTEX_WAIT || arg1 == FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || arg1 == FUTEX_WAIT_PRIVATE || arg1 == FUTEX_WAKE || arg1 == FUTEX_WAKE_OP_PRIVATE || arg1 == FUTEX_WAKE_PRIVATE || arg1 == FUTEX_WAIT_BITSET_PRIVATE
-
-lseek: 1
-open: 1
-read: 1
-stat: 1
-close: 1
-mmap: 1
-write: 1
-access: 1
-recvmsg: 1
-poll: 1
-madvise: arg2 == 4
-munmap: 1
-mprotect: 1
-lstat: 1
-getdents: 1
-writev: 1
-rt_sigaction: 1
-fcntl: 1
-brk: 1
-# ioctl: FIONREAD || TCGETS
-ioctl: arg1 == 0x541b || arg1 == 21505 || arg1 == TIOCGPGRP
-rt_sigprocmask: 1
-pread64: 1
-seccomp:1
-unshare:1
-gettimeofday:1
-creat:1
-fchdir:1
-utimes:1
-sigaltstack:1
-sched_yield:1
-mincore: 1
-alarm: 1
-nanosleep: 1
-vfork: 1
-mlock: 1
-clock_gettime: 1
-getpgrp: 1
-getppid: 1
-getpid: 1
-fchown: 1
-prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME || arg0 == PR_GET_TIMERSLACK || arg0 == PR_SET_SECCOMP
-epoll_create1: 1
-readlinkat: 1
-getrandom: 1
-accept4: 1
-newfstatat: 1
-select: 1
-memfd_create:1
-execve: 1
-fstat: 1
-set_tid_address: 1
-set_robust_list: 1
-getrusage: 1
-readlink: 1
-readahead: 1
-arch_prctl: 1
-pwrite64: 1
-fdatasync: 1
-getpriority: 1
-gettid: 1
-exit_group: 1
-fstatfs: 1
-unlink: 1
-exit: 1
-dup2: 1
-dup: 1
-uname: 1
-getuid: 1
-geteuid: 1
-getgid: 1
-getegid: 1
-fsync: 1
-getrlimit: 1
-mkdir: 1
-connect: 1
-statfs: 1
-getsockname: 1
-getpeername: 1
-pipe: 1
-chmod: 1
-chdir: 1
-setsid: 1
-rmdir: 1
-splice: 1
-restart_syscall: 1
-recvfrom: 1
-sendto: 1
-setsockopt: 1
-quotactl: 1
-ppoll: 1
-openat: 1
-epoll_wait: 1
-clone: 1
-wait4: 1
-link: 1
-rename: 1
-setpriority: 1
-tgkill: 1
-fadvise64: 1
-fallocate: 1
-getsockopt: 1
-sysinfo: 1
-sched_getaffinity: 1
-inotify_add_watch: 1
-eventfd2: 1
-inotify_init1: 1
-shmdt: 1
-shmat: 1
-shmctl: 1
-shmget: 1
-rt_sigreturn: 1
-getcwd: 1
-sendmsg: 1
-getresuid: 1
-ftruncate: 1
-umask: 1
-getresgid: 1
-epoll_ctl: 1
-epoll_create: 1
-socketpair: 1
-symlink: 1
-utime: 1
-shutdown: 1
-mremap: 1
-bind: 1
-name_to_handle_at: 1
-pipe2: 1
-fchmod: 1
-kill: 1
-listen: 1
-setrlimit: 1
-clock_getres: 1
-sched_setscheduler: 1
-capset: 1
-# XXX/yawning: Why is this needed?
-#personality: 1
-setresuid: 1
-setresgid: 1
-capget: 1
-getdents64: 1
-inotify_rm_watch: 1
-# XXX/yawning: Only allow AF_UNIX.
-socket: arg0 == AF_UNIX
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
index fed647e..967d5b8 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
@@ -18,20 +18,12 @@ package sandbox
 
 import (
 	"log"
-	"os"
 	"runtime"
 
 	seccomp "github.com/seccomp/libseccomp-golang"
 )
 
 const (
-	torBrowserWhitelist = "torbrowser-launcher-whitelist.seccomp"
-	torWhitelist        = "tor-whitelist.seccomp"
-	torObfs4Whitelist   = "tor-obfs4-whitelist.seccomp"
-	basicBlacklist      = "blacklist.seccomp"
-)
-
-const (
 	madvNormal    = 0 // MADV_NORMAL
 	madvDontneed  = 4 // MADV_DONTNEED
 	madvFree      = 8 // MADV_FREE
@@ -77,10 +69,6 @@ const (
 	tiocgpgrp = 0x540f
 )
 
-func installBasicSeccompBlacklist(fd *os.File) error {
-	return installSeccomp(fd, blacklistSeccompAssets, true)
-}
-
 func newWhitelist() (*seccomp.ScmpFilter, error) {
 	arch, err := seccomp.GetNativeArch()
 	if err != nil {
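Review bot: With `installBasicSeccompBlacklist` gone, this file no longer has a visible blacklist-mode installer, and the removed amd64 glue also carried `ActionOnX32: actKill` and `ActionOnAuditFailure: actKill`; the surviving `newWhitelist` (body continues outside the hunk) should be confirmed to enforce an equivalent architecture restriction, since a filter that accepts the x32 ABI undermines a syscall whitelist. I would add a comment above `newWhitelist` stating that fact, e.g. `// newWhitelist builds the native-arch filter; callers must fail closed (no fallback blacklist exists) and the filter must reject non-native ABIs.` Any caller that previously fell back to the basic blacklist when whitelist construction failed should now return the error rather than run unconfined; that call site is not in this diff, so this is a point to verify.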
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
deleted file mode 100644
index 1e6e18c..0000000
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
+++ /dev/null
@@ -1,125 +0,0 @@
-// secomp_386.go - Sandbox seccomp rules (i386).
-// Copyright (C) 2016  Yawning Angel.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-// +build 386
-
-package sandbox
-
-import (
-	"bytes"
-	"fmt"
-	"log"
-	"os"
-
-	seccomp "github.com/seccomp/libseccomp-golang"
-
-	"cmd/sandboxed-tor-browser/internal/data"
-)
-
-const (
-	torBrowserExtraWhitelist = "torbrowser-launcher-whitelist-extras-i386.seccomp"
-	torExtraWhitelist        = "tor-whitelist-extras-i386.seccomp"
-	basicExtraBlacklist      = "blacklist-extras-i386.seccomp"
-)
-
-var torBrowserSeccompAssets = []string{torBrowserWhitelist, torBrowserExtraWhitelist}
-var torSeccompAssets = []string{torWhitelist, torExtraWhitelist}
-var torObfs4SeccompAssets = []string{torObfs4Whitelist, torExtraWhitelist}
-var blacklistSeccompAssets = []string{basicBlacklist, basicExtraBlacklist}
-
-// installSeccomp on i386 implements a minimal subset of the gosecco
-// description launguage sufficient to enumerate system calls listed in
-// rule files.
-//
-// When i386 gains support for filtering system call arguments via seccomp,
-// this will need to be beefed up, but hopefully gosecco will be updated
-// by then.
-func installSeccomp(fd *os.File, assets []string, isBlacklist bool) error {
-	defer fd.Close()
-
-	var rules []byte
-	for _, asset := range assets {
-		b, err := data.Asset(asset)
-		if err != nil {
-			return err
-		}
-		rules = append(rules, b...)
-		rules = append(rules, '\n')
-	}
-
-	actENOSYS := seccomp.ActErrno.SetReturnCode(38)
-	defaultAct, ruleAct := actENOSYS, seccomp.ActAllow
-	if isBlacklist {
-		defaultAct, ruleAct = ruleAct, defaultAct
-	}
-
-	f, err := seccomp.NewFilter(defaultAct)
-	if err != nil {
-		return err
-	}
-	defer f.Release()
-	if err := f.AddArch(seccomp.ArchNative); err != nil {
-		return err
-	}
-
-	// Parse the rule set and build seccomp rules.
-	for ln, l := range bytes.Split(rules, []byte{'\n'}) {
-		l = bytes.TrimSpace(l)
-		if len(l) == 0 { // Empty line.
-			continue
-		}
-		if idx := bytes.IndexRune(l, '#'); idx == 0 {
-			continue
-		}
-
-		if bytes.IndexByte(l, ':') != -1 {
-			// Rule
-			sp := bytes.SplitN(l, []byte{':'}, 2)
-			if len(sp) != 2 {
-				return fmt.Errorf("seccomp: invalid rule: %d:%v", ln, string(l))
-			}
-
-			scallName := string(bytes.TrimSpace(sp[0]))
-			scall, err := seccomp.GetSyscallFromName(scallName)
-			if err != nil {
-				if scallName == "newselect" {
-					// The library doesn't have "NR_newselect" yet.
-					scall = seccomp.ScmpSyscall(142)
-				} else {
-					// Continue instead of failing on ENOSYS.  gosecco will fail
-					// here, but this allows whitelists to be more futureproof,
-					// and handles thing like Debian prehistoric^wstable missing
-					// system calls that we would like to allow like `getrandom`.
-					log.Printf("seccomp: unknown system call: %v", scallName)
-					continue
-				}
-			}
-
-			// If the system call is present, just add it.  This is x86,
-			// seccomp can't filter args on this architecture.
-			if err = f.AddRule(scall, ruleAct); err != nil {
-				return err
-			}
-		} else if bytes.IndexByte(l, '=') != -1 {
-			// Skip declarations.
-			continue
-		} else {
-			return fmt.Errorf("seccomp: syntax error in profile: %d:%v", ln, string(l))
-		}
-	}
-
-	return f.ExportBPF(fd)
-}
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go
deleted file mode 100644
index 2ed4cf5..0000000
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// secomp_amd64.go - Sandbox seccomp rules (amd64).
-// Copyright (C) 2016  Yawning Angel.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-// +build amd64
-
-package sandbox
-
-import (
-	"encoding/binary"
-	"fmt"
-	"os"
-
-	"golang.org/x/sys/unix"
-
-	"github.com/twtiger/gosecco"
-	"github.com/twtiger/gosecco/parser"
-
-	"cmd/sandboxed-tor-browser/internal/data"
-)
-
-const (
-	actAllow  = "allow"
-	actKill   = "kill"
-	actENOSYS = "ENOSYS"
-)
-
-var whitelistSettings = &gosecco.SeccompSettings{
-	DefaultPositiveAction: actAllow,
-	DefaultNegativeAction: actENOSYS,
-	DefaultPolicyAction:   actENOSYS,
-	ActionOnX32:           actKill,
-	ActionOnAuditFailure:  actKill,
-}
-
-var blacklistSettings = &gosecco.SeccompSettings{
-	DefaultPositiveAction: actENOSYS,
-	DefaultNegativeAction: actAllow,
-	DefaultPolicyAction:   actAllow,
-	ActionOnX32:           actKill,
-	ActionOnAuditFailure:  actKill,
-}
-
-var torBrowserSeccompAssets = []string{torBrowserWhitelist}
-var torSeccompAssets = []string{torWhitelist}
-var torObfs4SeccompAssets = []string{torObfs4Whitelist}
-var blacklistSeccompAssets = []string{basicBlacklist}
-
-func installSeccomp(fd *os.File, assets []string, isBlacklist bool) error {
-	defer fd.Close()
-
-	settings := whitelistSettings
-	if isBlacklist {
-		settings = blacklistSettings
-	}
-
-	// XXX: This really should support multile assets.
-	if len(assets) != 1 {
-		return fmt.Errorf("seccomp: asset vector length > 1: %d", len(assets))
-	}
-
-	rules, err := data.Asset(assets[0])
-	if err != nil {
-		return err
-	}
-	source := &parser.StringSource{
-		Name:    assets[0],
-		Content: string(rules),
-	}
-
-	bpf, err := gosecco.PrepareSource(source, *settings)
-	if err != nil {
-		return err
-	}
-
-	return writeBpf(fd, bpf)
-}
-
-func writeBpf(fd *os.File, bpf []unix.SockFilter) error {
-	if size, limit := len(bpf), 0xffff; size > limit {
-		return fmt.Errorf("filter program too big: %d bpf instructions (limit = %d)", size, limit)
-	}
-
-	for _, rule := range bpf {
-		if err := binary.Write(fd, binary.LittleEndian, rule); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}




