[tor-commits] [sandboxed-tor-browser/master] Bug 21093: Unbreak the Debian build, by kludging gosecco.

yawning at torproject.org yawning at torproject.org
Thu Dec 29 07:18:33 UTC 2016


commit 6abb6a299971df82f2eb481e7336c3c0122d37f9
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Thu Dec 29 01:30:00 2016 +0000

    Bug 21093: Unbreak the Debian build, by kludging gosecco.
    
    gosecco has code to load seccomp filters with the Linux 3.17 system
    call, but certain copies of the debian headers pre-date the introduction
    of this.
    
    Disabling all the calls is harmless since all gosecco is used for is
    parsing and compiling rules, and the disabled routines are for using the
    library to install the filter (which we offload to bubblewrap).
    
    Note: Why yes, this is a repeat of 3b568bda74.
---
 .../src/github.com/twtiger/gosecco/native/calls.go | 41 ++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/vendor/src/github.com/twtiger/gosecco/native/calls.go b/vendor/src/github.com/twtiger/gosecco/native/calls.go
index 2a6c66d..fb69f6b 100644
--- a/vendor/src/github.com/twtiger/gosecco/native/calls.go
+++ b/vendor/src/github.com/twtiger/gosecco/native/calls.go
@@ -1,5 +1,45 @@
 package native
 
+// XXX/Yawning: Debian still ships 3.16, and all sandboxed-tor-browser uses this
+// for is the compiler anyway.
+
+import (
+	"fmt"
+
+	"github.com/twtiger/gosecco/data"
+)
+
+// InstallSeccomp will install seccomp using native methods
+func InstallSeccomp(prog *data.SockFprog) error {
+	return fmt.Errorf("BUG: sandboxed-tor-browser called native.InstallSeccomp")
+}
+
+// NoNewPrivs will use prctl to stop new privileges using native methods
+func NoNewPrivs() error {
+	return fmt.Errorf("BUG: sandboxed-tor-browser called native.NoNewPrivs")
+}
+
+// CheckGetSeccomp will check if we have seccomp available
+func CheckGetSeccomp() error {
+	return fmt.Errorf("BUG: sandboxed-tor-browser called native.CheckGetSeccomp")
+}
+
+// CheckSetSeccompModeFilter will check if we have seccomp mode filter available
+func CheckSetSeccompModeFilter() error {
+	return fmt.Errorf("BUG: sandboxed-tor-browser called native.CheckSetSeccompModeFilter")
+}
+
+// CheckSetSeccompModeFilterWithSeccomp will check if we have the seccomp syscall available
+func CheckSetSeccompModeFilterWithSeccomp() error {
+	return fmt.Errorf("BUG: sandboxed-tor-browser called native.CheckSetSeccompModeFilterWithSeccomp")
+}
+
+// CheckSetSeccompModeTsync will check that we can set tsync
+func CheckSetSeccompModeTsync() error {
+	return fmt.Errorf("BUG: sandboxed-tor-browser called native.CheckSetSeccompModeTsync")
+}
+
+/*
 import (
 	"syscall"
 	"unsafe"
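Review bot: The doc comments on the six stubs (`InstallSeccomp` through `CheckSetSeccompModeTsync`) still describe the upstream behaviour, although every body now unconditionally returns a `BUG:` error, so a reader of this vendored copy is told the functions install or probe seccomp when they do neither. I would reword each one along the lines of `// InstallSeccomp is stubbed out in this vendored copy and always returns an error; the filter is installed by bubblewrap instead.` Returning a non-nil error rather than nil is the right fail-closed choice, since a caller that checks the result cannot mistake the stub for an installed filter. The commit message notes this repeats 3b568bda74, which suggests the local edit was lost once already, so the `XXX/Yawning` comment could also say that the change must be reapplied whenever gosecco is re-vendored. The commented-out original opens at the end of this hunk and closes in the next one; the lines between are not visible here.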
@@ -68,3 +108,4 @@ func CheckSetSeccompModeFilterWithSeccomp() error {
 func CheckSetSeccompModeTsync() error {
 	return seccomp(C.SECCOMP_SET_MODE_FILTER, C.SECCOMP_FILTER_FLAG_TSYNC, nil)
 }
+*/




