[tor-commits] [sandboxed-tor-browser/master] More seccomp improvements.

yawning at torproject.org yawning at torproject.org
Mon Dec 5 23:38:13 UTC 2016


commit 45e252e604150054a483bde5fc43303b8dc14339
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Mon Dec 5 23:32:48 2016 +0000

    More seccomp improvements.
    
     * Fail with an error on ENOSYS.
     * Remove socketcall from the 286 whitelists, libseccomp should handle
       that for us.
---
 src/cmd/gen-seccomp/seccomp.go         | 8 +++-----
 src/cmd/gen-seccomp/seccomp_firefox.go | 1 -
 src/cmd/gen-seccomp/seccomp_tor.go     | 4 ++--
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/src/cmd/gen-seccomp/seccomp.go b/src/cmd/gen-seccomp/seccomp.go
index 62b286d..9ec17e8 100644
--- a/src/cmd/gen-seccomp/seccomp.go
+++ b/src/cmd/gen-seccomp/seccomp.go
@@ -17,7 +17,7 @@
 package main
 
 import (
-	"log"
+	"fmt"
 
 	seccomp "github.com/seccomp/libseccomp-golang"
 )
@@ -98,8 +98,7 @@ func allowSyscalls(f *seccomp.ScmpFilter, calls []string, is386 bool) error {
 			if is386 && scallName == "newselect" {
 				scall = seccomp.ScmpSyscall(142)
 			} else {
-				log.Printf("seccomp: unknown system call: %v", scallName)
-				continue
+				return fmt.Errorf("seccomp: unknown system call: %v", scallName)
 			}
 		}
 		if err = f.AddRule(scall, seccomp.ActAllow); err != nil {
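Review bot: The error now returned for an unrecognised name in allowSyscalls drops the underlying lookup error, so every lookup failure is reported with the same "unknown system call" text. The lookup itself is above this hunk, presumably `seccomp.GetSyscallFromName` as in allowCmpEq. Carrying the cause along keeps a failed profile build diagnosable: `return fmt.Errorf("seccomp: unknown system call: %v: %v", scallName, err)`. The allowCmpEq hunk that follows has the same pattern and would take the same change. The hard-coded `seccomp.ScmpSyscall(142)` fallback for `newselect` on 386 also deserves a one-line comment naming the syscall table it comes from, because a wrong constant in a whitelist allows a different call without any error; allowSyscalls starts and ends outside the hunk.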
@@ -112,8 +111,7 @@ func allowSyscalls(f *seccomp.ScmpFilter, calls []string, is386 bool) error {
 func allowCmpEq(f *seccomp.ScmpFilter, scallName string, arg uint, values ...uint64) error {
 	scall, err := seccomp.GetSyscallFromName(scallName)
 	if err != nil {
-		log.Printf("seccomp: unknown system call: %v", scallName)
-		return nil
+		return fmt.Errorf("seccomp: unknown system call: %v", scallName)
 	}
 
 	// Allow if the arg matches any of the values.  Implemented as multiple
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go
index 75a7dd3..1606d76 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -209,7 +209,6 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
 			"recv",
 			"send",
 			"newselect",
-			"socketcall",
 
 			"socket", // Filtered on amd64.
 		}
diff --git a/src/cmd/gen-seccomp/seccomp_tor.go b/src/cmd/gen-seccomp/seccomp_tor.go
index 2b01656..6144548 100644
--- a/src/cmd/gen-seccomp/seccomp_tor.go
+++ b/src/cmd/gen-seccomp/seccomp_tor.go
@@ -115,7 +115,6 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
 			"recv",
 			"send",
 			"stat64",
-			"socketcall", // Sigh...
 
 			"ugetrlimit",
 			"set_thread_area",
@@ -254,7 +253,8 @@ func torFilterAccept4(f *seccomp.ScmpFilter, is386 bool) error {
 	}
 	if is386 {
 		// XXX: The tor common/sandbox.c file, explcitly allows socketcall()
-		// by arg for this call, and only this call. ??????
+		// by arg for this call, and only this call, when libseccomp should
+		// do the right thing.
 		return f.AddRule(scall, seccomp.ActAllow)
 	}
 
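Review bot: The rewritten comment in torFilterAccept4 still leaves the 386 behaviour implicit: the branch returns `f.AddRule(scall, seccomp.ActAllow)`, so accept4 is allowed on 386 with no argument comparison, and "do the right thing" does not say what is being relied on. A comment such as `// 386: accept4 is reached via socketcall(), whose arguments sit behind a pointer that seccomp cannot inspect, so it is allowed unfiltered; libseccomp is expected to emit the socketcall rule.` would state the trade-off, with the wording checked against the libseccomp version in use. The `XXX` marker and the `explcitly` typo on the context line could be cleaned up at the same time. The function continues outside the hunk, so how the non-386 path filters this call is not visible here.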


