[tor-commits] [sandboxed-tor-browser/master] Allow ugetrlimit, and remove the getrlimit hook.

yawning at torproject.org yawning at torproject.org
Sat Dec 3 23:29:51 UTC 2016


commit b8534e56ad75c4b66783c8b14fcc8cf38687a6c5
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Sat Dec 3 23:28:48 2016 +0000

    Allow ugetrlimit, and remove the getrlimit hook.
    
    I still have no idea, but at this point I'm going to write it off to:
    
     "My system call whitelist didn't have enough things on it for i386".
---
 data/tor-whitelist-extras-i386.seccomp             |  2 ++
 ...rbrowser-launcher-whitelist-extras-i386.seccomp |  1 +
 src/tbb_stub/tbb_stub.c                            | 28 ++--------------------
 3 files changed, 5 insertions(+), 26 deletions(-)

diff --git a/data/tor-whitelist-extras-i386.seccomp b/data/tor-whitelist-extras-i386.seccomp
index 03204c3..b3a13f7 100644
--- a/data/tor-whitelist-extras-i386.seccomp
+++ b/data/tor-whitelist-extras-i386.seccomp
@@ -13,6 +13,8 @@ mmap2: 1
 fcntl64: 1
 stat64: 1
 
+ugetrlimit: 1
+
 # tor's sandbox code claims that these calls are required on x86 but not on
 # x86_64.  tor's sandbox attempts to filter socketcall's arguments as well
 # when it adds a rule, but seccomp on x86 does not support argument filtering,
diff --git a/data/torbrowser-launcher-whitelist-extras-i386.seccomp b/data/torbrowser-launcher-whitelist-extras-i386.seccomp
index 4d685b6..b859f69 100644
--- a/data/torbrowser-launcher-whitelist-extras-i386.seccomp
+++ b/data/torbrowser-launcher-whitelist-extras-i386.seccomp
@@ -19,6 +19,7 @@ getresgid32: 1
 time: 1
 getuid32: 1
 getgid32: 1
+ugetrlimit: 1
 
 recv: 1
 send: 1
diff --git a/src/tbb_stub/tbb_stub.c b/src/tbb_stub/tbb_stub.c
index e431222..0f714b7 100644
--- a/src/tbb_stub/tbb_stub.c
+++ b/src/tbb_stub/tbb_stub.c
@@ -48,10 +48,7 @@
 #include <stdlib.h>
 #include <X11/Xlib.h>
 
-#ifdef __i386__
-#include <sys/time.h>
-#include <sys/resource.h>
-#else
+#ifndef __i386__
 #include <glob.h>
 #include <stdbool.h>
 #endif
@@ -179,28 +176,7 @@ XQueryExtension(Display *display, _Xconst char *name, int *major, int *event, in
   return real_XQueryExtension(display, name, major, event, error);
 }
 
-#ifdef __i386__
-
-static int (*real_getrlimit)(__rlimit_resource_t, struct rlimit *);
-
-int
-getrlimit(__rlimit_resource_t resource, struct rlimit *rlim)
-{
-  /* I have no fucking idea why, on i386 systems rlimit starts failing
-   * randomly deep inside firefox, even with the appropriate system calls
-   * whitelisted.  Hooking it, makes the problem go away for extra fun.
-   */
-  if (real_getrlimit == NULL) {
-    if ((real_getrlimit = dlsym(RTLD_NEXT, "getrlimit")) == NULL) {
-      fprintf(stderr, "ERROR: Failed to find `getrlimit() symbol: %s\n", dlerror());
-      abort();
-    }
-  }
-
-  return real_getrlimit(resource, rlim);
-}
-
-#else
+#ifndef __i386__
 
 typedef struct pa_mutex pm;
 static pm* (*real_pa_mutex_new)(bool, bool);



More information about the tor-commits mailing list