[tor-commits] [sandboxed-tor-browser/master] Allow ugetrlimit, and remove the getrlimit hook.
yawning at torproject.org
yawning at torproject.org
Sat Dec 3 23:29:51 UTC 2016
commit b8534e56ad75c4b66783c8b14fcc8cf38687a6c5
Author: Yawning Angel <yawning at schwanenlied.me>
Date: Sat Dec 3 23:28:48 2016 +0000
Allow ugetrlimit, and remove the getrlimit hook.
I still have no idea, but at this point I'm going to write it off to:
"My system call whitelist didn't have enough things on it for i386".
---
data/tor-whitelist-extras-i386.seccomp | 2 ++
...rbrowser-launcher-whitelist-extras-i386.seccomp | 1 +
src/tbb_stub/tbb_stub.c | 28 ++--------------------
3 files changed, 5 insertions(+), 26 deletions(-)
diff --git a/data/tor-whitelist-extras-i386.seccomp b/data/tor-whitelist-extras-i386.seccomp
index 03204c3..b3a13f7 100644
--- a/data/tor-whitelist-extras-i386.seccomp
+++ b/data/tor-whitelist-extras-i386.seccomp
@@ -13,6 +13,8 @@ mmap2: 1
fcntl64: 1
stat64: 1
+ugetrlimit: 1
+
# tor's sandbox code claims that these calls are required on x86 but not on
# x86_64. tor's sandbox attempts to filter socketcall's arguments as well
# when it adds a rule, but seccomp on x86 does not support argument filtering,
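Review bot: The new `ugetrlimit: 1` entry is the only line in this extras file without a comment saying why i386 needs it, while the socketcall entries just below get a three-line explanation; the same bare entry is added to data/torbrowser-launcher-whitelist-extras-i386.seccomp in the second hunk. A one-line comment would spare the next maintainer the investigation the commit message describes, e.g. `# On i386, glibc implements getrlimit() via the ugetrlimit system call.` The call only reads resource limits, so the added surface is small; whether the x86_64 list already carries the plain `getrlimit` equivalent is not visible here.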
diff --git a/data/torbrowser-launcher-whitelist-extras-i386.seccomp b/data/torbrowser-launcher-whitelist-extras-i386.seccomp
index 4d685b6..b859f69 100644
--- a/data/torbrowser-launcher-whitelist-extras-i386.seccomp
+++ b/data/torbrowser-launcher-whitelist-extras-i386.seccomp
@@ -19,6 +19,7 @@ getresgid32: 1
time: 1
getuid32: 1
getgid32: 1
+ugetrlimit: 1
recv: 1
send: 1
diff --git a/src/tbb_stub/tbb_stub.c b/src/tbb_stub/tbb_stub.c
index e431222..0f714b7 100644
--- a/src/tbb_stub/tbb_stub.c
+++ b/src/tbb_stub/tbb_stub.c
@@ -48,10 +48,7 @@
#include <stdlib.h>
#include <X11/Xlib.h>
-#ifdef __i386__
-#include <sys/time.h>
-#include <sys/resource.h>
-#else
+#ifndef __i386__
#include <glob.h>
#include <stdbool.h>
#endif
@@ -179,28 +176,7 @@ XQueryExtension(Display *display, _Xconst char *name, int *major, int *event, in
return real_XQueryExtension(display, name, major, event, error);
}
-#ifdef __i386__
-
-static int (*real_getrlimit)(__rlimit_resource_t, struct rlimit *);
-
-int
-getrlimit(__rlimit_resource_t resource, struct rlimit *rlim)
-{
- /* I have no fucking idea why, on i386 systems rlimit starts failing
- * randomly deep inside firefox, even with the appropriate system calls
- * whitelisted. Hooking it, makes the problem go away for extra fun.
- */
- if (real_getrlimit == NULL) {
- if ((real_getrlimit = dlsym(RTLD_NEXT, "getrlimit")) == NULL) {
- fprintf(stderr, "ERROR: Failed to find `getrlimit() symbol: %s\n", dlerror());
- abort();
- }
- }
-
- return real_getrlimit(resource, rlim);
-}
-
-#else
+#ifndef __i386__
typedef struct pa_mutex pm;
static pm* (*real_pa_mutex_new)(bool, bool);
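Review bot: With the hook gone, the source no longer records that the i386 getrlimit failures were a seccomp whitelist gap rather than a libc problem; that knowledge now lives only in the commit message and the seccomp data files. A short comment on the new `#ifndef __i386__` line would keep the two in sync for anyone who later trims the whitelist or reintroduces an i386 hook, e.g. `/* No i386-only hooks: getrlimit() on i386 needs ugetrlimit in the seccomp whitelist (see data/*-i386.seccomp). */`. The same `#ifdef`/`#else` to `#ifndef` restructuring in the include block (first hunk of this file) needs no further change. The `#ifndef __i386__` block that starts here continues past the end of the hunk.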