[tor-commits] [sandboxed-tor-browser/master] Bug 23915: 7.0.7 and later fails to work without `SECCOMP_FILTER_FLAG_TSYNC`.

yawning at torproject.org
Fri Oct 20 08:11:05 UTC 2017


commit 6a43d8fd4765f0e795d281c9ac328b853f0cef4c
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Fri Oct 20 08:09:19 2017 +0000

    Bug 23915: 7.0.7 and later fails to work without `SECCOMP_FILTER_FLAG_TSYNC`.
    
    This is more fallout from #20773, that only manifests on systems running
    kernels that pre-date 3.17 (Debian oldstable).  The "better" fix might
    be to only engage the workaround if `SECCOMP_FILTER_FLAG_TSYNC` isn't
    supported.
---
 ChangeLog                                                     | 1 +
 src/cmd/sandboxed-tor-browser/internal/sandbox/application.go | 1 +
 src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go      | 9 +++++++++
 3 files changed, 11 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 36d8f22..23afbf8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 Changes in version 0.0.15 - UNRELEASED:
+ * Bug 23915: 7.0.7 and later fails to work without `SECCOMP_FILTER_FLAG_TSYNC`.
 
 Changes in version 0.0.14 - 2017-09-29:
  * Bug 8706: Fully disable the .recently-used.xbel.
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index bb44e39..d29df34 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -70,6 +70,7 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (pr
 	h.seccompFn = installTorBrowserSeccompProfile
 	h.fakeDbus = true
 	h.mountProc = false
+	h.fakeProc = true
 
 	if manif.Channel == "alpha" && !manif.BundleVersionAtLeast("7.5a4") {
 		// SelfRando prior to c619441e1ceec3599bc81bf9bbaf4d17c68b54b7 has a
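Review bot: `h.fakeProc = true` in RunTorBrowser is set unconditionally and carries no comment, while the commit message itself notes that the better fix might be to engage the workaround only when `SECCOMP_FILTER_FLAG_TSYNC` isn't supported. At minimum add a one-line comment at the assignment pointing to Bug 23915 and the rationale in hugbox.go. Since this function already gates behaviour with `manif.BundleVersionAtLeast`, consider restricting the workaround to the bundle versions or kernels that need it, so the sandbox filesystem differs from the default no more than necessary.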
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index d477eb6..18fa69b 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -80,6 +80,7 @@ type hugbox struct {
 	homeDir   string
 	chdir     string
 	mountProc bool
+	fakeProc  bool
 	unshare   unshareOpts
 	stdin     io.Reader
 	stdout    io.Writer
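Review bot: the new `fakeProc` field is added beside `mountProc` without documentation, and the two are not independent: in run() the fake directory is created only in the `else if h.fakeProc` branch, so `fakeProc` is silently ignored whenever `mountProc` is true. A short field comment stating that `fakeProc` only takes effect when `/proc` is not mounted would keep a later caller from setting both and expecting both to apply.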
@@ -297,6 +298,14 @@ func (h *hugbox) run() (*Process, error) {
 	}
 	if h.mountProc {
 		fdArgs = append(fdArgs, "--proc", "/proc")
+	} else if h.fakeProc {
+		// Firefox attempts to figure out if a given process is multithreaded
+		// or not by stat(2)ing `/proc/self/task` and examining `st_nlink`.
+		//
+		// This error is harmless on most systems, but as of 7.0.7, will
+		// totally break everything if `SECCOMP_FILTER_FLAG_TSYNC` is not
+		// supported (Linux < 3.17).
+		fdArgs = append(fdArgs, "--dir", "/proc/self/task/fakeProc")
 	}
 	if h.chdir != "" {
 		fdArgs = append(fdArgs, "--chdir", h.chdir)
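Review bot: the comment above the `--dir` argument says "This error is harmless" without naming the error; presumably it is the stat(2) of `/proc/self/task` failing because `/proc` is not mounted, but the text never says so. It also does not explain why a `fakeProc` subdirectory is created under `task` rather than `/proc/self/task` itself, or what `st_nlink` value Firefox then observes. Spell out the failing call and the link count the fake directory produces, so a reader can tell what the sandboxed process concludes about being multithreaded and can re-check that assumption if Firefox changes the probe.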


