[tor-commits] [sandboxed-tor-browser/master] Remove the undocumented command line options that enable unsafe behavior.

yawning at torproject.org yawning at torproject.org
Sun Jun 25 05:02:45 UTC 2017


commit 1c528cc4610f4609b3df4244e9ddacb2ef2cfda0
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Sun Jun 25 05:01:58 2017 +0000

    Remove the undocumented command line options that enable unsafe behavior.
    
    "We are not believers in buttons.  Knobs are for knobs." -- Theo
---
 ChangeLog                                             |  1 +
 .../internal/sandbox/application.go                   | 13 +++----------
 .../sandboxed-tor-browser/internal/sandbox/x11/x11.go | 19 ++++---------------
 3 files changed, 8 insertions(+), 25 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 742153f..69b4a5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 Changes in version 0.0.9 - UNRELEASED:
  * Fix the build being broken on Debian Jessie due to #22648.
+ * Remove the undocumented command line options that enable unsafe behavior.
 
 Changes in version 0.0.8 - 2017-06-19:
  * Bug 20776: Remove the X11 `MIT-SHM` workaround from the stub.
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 61722c1..f66c1ba 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -20,7 +20,6 @@ package sandbox
 
 import (
 	"bytes"
-	"flag"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -41,10 +40,7 @@ import (
 
 const restrictedLibDir = "/usr/lib"
 
-var (
-	distributionDependentLibSearchPath []string
-	allowGstreamer                     bool
-)
+var distributionDependentLibSearchPath []string
 
 // RunTorBrowser launches sandboxed Tor Browser.
 func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (process *Process, err error) {
@@ -322,10 +318,9 @@ func filterCodecs(fn string, allowFfmpeg bool) error {
 		"libgstapp",
 		"libgstvideo",
 	}
-	if allowGstreamer && allowFfmpeg {
+	if allowFfmpeg {
 		codecPrefixes = []string{}
-	}
-	if !allowFfmpeg {
+	} else if !allowFfmpeg {
 		codecPrefixes = append(codecPrefixes, "libavcodec")
 	}
 
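Review bot: With the `allowGstreamer` guard dropped, the first branch now empties `codecPrefixes` whenever `allowFfmpeg` is true, so the gstreamer prefixes listed just above (`libgstapp`, `libgstvideo`, and any earlier entries outside the hunk) stop being filtered in that case. Before this commit the list was cleared only when the removed flag was also set, and that flag defaulted to false, so this looks like it loosens the default instead of removing a knob. If the old default is what should survive, drop the clearing branch and keep only `if !allowFfmpeg { codecPrefixes = append(codecPrefixes, "libavcodec") }`. As a smaller style point, `else if !allowFfmpeg` is always true on that path and could be a plain `else`. The start of the prefix list and the rest of filterCodecs lie outside the hunk.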
@@ -874,6 +869,4 @@ func init() {
 	}
 
 	distributionDependentLibSearchPath = searchPaths
-
-	flag.BoolVar(&allowGstreamer, "allow-gstreamer", false, "Don't blacklist gstreamer libraries.")
 }
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go
index 908bedd..15960fb 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/x11/x11.go
@@ -20,7 +20,6 @@ package x11
 
 import (
 	"encoding/binary"
-	"flag"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -31,8 +30,6 @@ import (
 	. "cmd/sandboxed-tor-browser/internal/utils"
 )
 
-var disableX11Filter bool
-
 const SockDir = "/tmp/.X11-unix"
 
 func craftAuthority(hugboxHostname, realDisplay string) ([]byte, error) {
@@ -186,15 +183,11 @@ func (x *SandboxedX11) Socket() string {
 
 func (x *SandboxedX11) LaunchSurrogate() error {
 	// Launch the surrogate unless disabled.
-	if !disableX11Filter {
-		Debugf("sandbox: X11: Launching surrogate")
+	Debugf("sandbox: X11: Launching surrogate")
 
-		var err error
-		if x.Surrogate, err = launchSurrogate(x.hSock, x.pSock, x.hDisplay); err != nil {
-			return err
-		}
-	} else {
-		Debugf("sandbox: X11: Direct bind-mounting X11 (UNSAFE)")
+	var err error
+	if x.Surrogate, err = launchSurrogate(x.hSock, x.pSock, x.hDisplay); err != nil {
+		return err
 	}
 	x.launched = true
 	return nil
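Review bot: The comment `// Launch the surrogate unless disabled.` at the top of LaunchSurrogate is stale, because the new code launches the surrogate unconditionally and the direct bind-mount branch is gone. Something like `// Always launch the X11 surrogate; there is no unfiltered fallback.` would match what the function now does. The exported method also has no doc comment; `// LaunchSurrogate starts the X11 surrogate and marks the sandboxed X11 instance as launched.` would cover what the visible lines show. The function's closing brace is outside the hunk.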
@@ -243,7 +236,3 @@ func New(display, hostname, pSock string) (*SandboxedX11, error) {
 
 	return x, nil
 }
-
-func init() {
-	flag.BoolVar(&disableX11Filter, "disable-X11-filter", false, "Use X11 directly (Unsafe)")
-}


