[tor-commits] [sandboxed-tor-browser/master] Re-add socket call to the 386 whitelist.

yawning at torproject.org
Wed Dec 7 01:20:47 UTC 2016


commit c84e1bad1658a43f8e9d3525e594b69b3bcce3b3
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Wed Dec 7 01:18:09 2016 +0000

    Re-add socket call to the 386 whitelist.
    
    It helps to test code involving ancient bullshit that needs to die, on
    systems that actually exercise said ancient bullshit.  In this case,
    Debian stable x86 conveniently provides a kernel that actually
    exercises `socketcall`.
    
    libseccomp2 is supposed to "automagically do the right thing" when
    generating 386 rules since I'm not adding exact, but both tor and
    firefox showed problems with this.
---
 src/cmd/gen-seccomp/seccomp_firefox.go | 2 ++
 src/cmd/gen-seccomp/seccomp_tor.go     | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go b/src/cmd/gen-seccomp/seccomp_firefox.go
index a1a9f0a..22e4bb5 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -210,6 +210,8 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
 			"newselect",
 
 			"socket", // Filtered on amd64.
+
+			"socketcall", // Fuck Debian stable.... :(
 		}
 		allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
 	}
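Review bot: adding "socketcall" to allowedNoArgs386 loosens the profile in a way the neighbouring entry does not: the "socket" line two lines above is annotated "Filtered on amd64", but "socketcall" is admitted here with no argument constraint at all. On i386 kernels that route socket operations through socketcall, the first argument selects the sub-call (socket, bind, connect, and so on) and the remaining arguments live in a user-space array that seccomp BPF cannot inspect, so whatever argument filtering the amd64 profile applies to socket is not enforced on this path. Suggest at least constraining socketcall's first argument to the sub-calls the browser is expected to need, and replacing the expletive comment with the reason the entry exists (the commit message says libseccomp2 should generate this automatically but Debian stable's kernel/libseccomp did not), plus a note on what guarantee is weakened, so a later cleanup knows when the entry can be dropped.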
diff --git a/src/cmd/gen-seccomp/seccomp_tor.go b/src/cmd/gen-seccomp/seccomp_tor.go
index 6144548..0a1b8cc 100644
--- a/src/cmd/gen-seccomp/seccomp_tor.go
+++ b/src/cmd/gen-seccomp/seccomp_tor.go
@@ -118,6 +118,8 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
 
 			"ugetrlimit",
 			"set_thread_area",
+
+			"socketcall", // I *SHOULDN"T* need this, but Debian stable freaks out.
 		}
 		allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
 	}
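Review bot: the comment on the added "socketcall" line has a stray double quote in `SHOULDN"T`; it is harmless inside a Go comment but reads as a typo, so `SHOULDN'T` is intended. More substantively, this entry lands in the argument-free 386 allowlist alongside "ugetrlimit" and "set_thread_area", so on kernels that dispatch socket operations through socketcall the multiplexer is allowed wholesale. If any socket-family call is restricted or omitted elsewhere in this profile (the useBridges parameter suggests the policy varies), that restriction is not enforced on the socketcall path, since the sub-call arguments are passed in memory and cannot be matched by BPF. Suggest filtering socketcall's first argument to the needed sub-calls where libseccomp allows it, and documenting in the comment that this is a workaround for the Debian stable kernel named in the commit message rather than an intended part of the policy.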
