[tor-commits] [sandboxed-tor-browser/master] Bug 21929: Remove hardened/ASAN related code.

Wed Apr 12 18:36:56 UTC 2017

commit 5d784358fcdbfad980b737824ed1565b237cc148
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Wed Apr 12 18:33:01 2017 +0000

    Bug 21929: Remove hardened/ASAN related code.
    
    The removes the bulk of the `hardened`/ASAN related code, as it is no
    longer relevant.  The tor-sans-obfs4 seccomp rules probably can tighten
    the permitted mmap arguments a bit, but that can wait till I have more
    time.
---
 ChangeLog                                          |  1 +
 data/tor-common-amd64.seccomp                      |  4 ---
 data/torbrowser-amd64.seccomp                      |  4 ---
 .../internal/sandbox/application.go                | 35 ++++++++--------------
 .../internal/sandbox/hugbox.go                     |  2 +-
 .../internal/ui/config/config.go                   |  3 +-
 .../sandboxed-tor-browser/internal/ui/launch.go    |  5 ----
 src/cmd/sandboxed-tor-browser/internal/ui/ui.go    | 18 +----------
 8 files changed, 17 insertions(+), 55 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 20cae09..e623392 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 Changes in version 0.0.4 - UNRELEASED:
+ * Bug 21929: Remove hardened/ASAN related code.
  * Bug 21927: Remove the ability to install/update the hardened bundle.
  * Bug 21244: Update the MAR signing key for 7.0.
  * Bug 21536: Remove asn's scramblesuit bridge from Tor Browser.
diff --git a/data/tor-common-amd64.seccomp b/data/tor-common-amd64.seccomp
index 5bc0428..c324843 100644
--- a/data/tor-common-amd64.seccomp
+++ b/data/tor-common-amd64.seccomp
@@ -96,10 +96,6 @@ unshare: 1
 rt_sigaction: 1
 setsid: 1
 
-# XXX: This is only required for ASAN builds, so this should be included at
-# runtime.
-readlink: 1
-
 #
 # System calls allowed with filtering.
 #
diff --git a/data/torbrowser-amd64.seccomp b/data/torbrowser-amd64.seccomp
index a2c2817..11e42e5 100644
--- a/data/torbrowser-amd64.seccomp
+++ b/data/torbrowser-amd64.seccomp
@@ -181,10 +181,6 @@ uname: 1
 unshare: 1
 wait4: 1
 
-# XXX: This is only required for ASAN builds, so this should be included at
-# runtime.
-setrlimit: 1
-
 #
 # System calls allowed with filtering.
 #
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index fa773d4..427c3b1 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -139,10 +139,16 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (pr
 	// h.setenv("LD_LIBRARY_PATH", filepath.Join(browserHome, "TorBrowser", "Tor"))
 	h.setenv("FONTCONFIG_PATH", filepath.Join(browserHome, "TorBrowser", "Data", "fontconfig"))
 	h.setenv("FONTCONFIG_FILE", "fonts.conf")
-	if manif.Channel == "hardened" {
-		h.setenv("ASAN_OPTIONS", "detect_leaks=0")
-		h.setenv("NSS_DISABLE_HW_AES", "1") // For selfrando.
-	}
+
+	// This used to be for `hardened` but may eventually be required for
+	// `alpha`, though according to trac, newer versions of selfrando fix the
+	// problem.
+	//
+	// https://trac.torproject.org/projects/tor/ticket/20683#comment:13
+	//
+	// if manif.Channel == "alpha" {
+	//	h.setenv("NSS_DISABLE_HW_AES", "1") // For selfrando.
+	// }
 
 	// GNOME systems will puke with a read-only home, so instead of setting
 	// $HOME to point to inside the browser bundle, setup a bunch of
@@ -176,19 +182,6 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (pr
 	h.assetFile(stubPath, "tbb_stub.so")
 
 	ldPreload := stubPath
-	if manif.Channel == "hardened" {
-		// ASAN wants to be the first entry on LD_PRELOAD, so placate it.
-		matches, err := filepath.Glob(filepath.Join(realBrowserHome, "TorBrowser", "Tor") + "/libasan.so*")
-		if err != nil {
-			return nil, err
-		}
-		if len(matches) < 1 {
-			log.Printf("sandbox: Failed to find 'libasan.so.*'")
-		} else {
-			_, f := filepath.Split(matches[0])
-			ldPreload = f + ":" + ldPreload
-		}
-	}
 	h.setenv("LD_PRELOAD", ldPreload)
 
 	// Hardware accelerated OpenGL will not work, and never will.
@@ -520,13 +513,11 @@ func RunTor(cfg *config.Config, manif *config.Manifest, torrc []byte) (process *
 	// `/proc/sys/net/core/somaxconn` - obfs4proxy, Go runtime uses this to
 	//    determine listener backlog, but will default to `128` on errors.
 	//
-	// Hardened builds are special cased because asan crashes the binary
-	// if it can't read `/proc/self/maps`.
+	// `/proc/self/maps` - ASAN.  If it's ever enabled again, this mandates
+	//    `/proc`.
 	//
 	// See: https://bugs.torproject.org/20773
-	if manif.Channel != "hardened" {
-		h.mountProc = false
-	}
+	h.mountProc = false
 
 	if err = os.MkdirAll(cfg.TorDataDir, DirMode); err != nil {
 		return
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index fb51e41..118b7a7 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -166,7 +166,7 @@ func (h *hugbox) run() (*Process, error) {
 		Stdout: h.stdout,
 		Stderr: h.stderr,
 		SysProcAttr: &syscall.SysProcAttr{
-			Setsid: true,
+			Setsid:    true,
 			Pdeathsig: h.pdeathSig,
 		},
 	}
diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
index 44b6633..332c4b5 100644
--- a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
+++ b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
@@ -293,8 +293,7 @@ type Config struct {
 	// "linux64").
 	Architecture string `json:"-"`
 
-	// Channel is the Tor Browser channel to install ("release", "alpha",
-	// "hardened").
+	// Channel is the Tor Browser channel to install ("release", "alpha")
 	Channel string `json:"channel,omitempty"`
 
 	// Locale is the Tor Browser locale to install ("en-US", "ja").
diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/launch.go b/src/cmd/sandboxed-tor-browser/internal/ui/launch.go
index e929fa7..046e2b8 100644
--- a/src/cmd/sandboxed-tor-browser/internal/ui/launch.go
+++ b/src/cmd/sandboxed-tor-browser/internal/ui/launch.go
@@ -55,11 +55,6 @@ func (c *Common) DoLaunch(async *Async, checkUpdates bool) {
 		return
 	}
 
-	if c.Manif.Channel == chanHardened && sandbox.IsGrsecKernel() {
-		async.Err = fmt.Errorf("The 'hardened' release is incompatible with grsec.")
-		return
-	}
-
 	// Start tor if required.
 	log.Printf("launch: Connecting to the Tor network.")
 	async.UpdateProgress("Connecting to the Tor network.")
diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/ui.go b/src/cmd/sandboxed-tor-browser/internal/ui/ui.go
index 1de7e8c..c3882ad 100644
--- a/src/cmd/sandboxed-tor-browser/internal/ui/ui.go
+++ b/src/cmd/sandboxed-tor-browser/internal/ui/ui.go
@@ -67,7 +67,7 @@ const (
 	// bridges.
 	DefaultBridgeTransport = "obfs4"
 
-	chanHardened = "hardened"
+	// chanHardened = "hardened"
 )
 
 func usage() {
@@ -133,16 +133,6 @@ func (c *Common) Init() error {
 	}
 	c.Cfg.Sanitize()
 
-	if sandbox.IsGrsecKernel() {
-		channels := []string{}
-		for _, v := range BundleChannels[c.Cfg.Architecture] {
-			if v != "hardened" {
-				channels = append(channels, v)
-			}
-		}
-		BundleChannels[c.Cfg.Architecture] = channels
-	}
-
 	if c.Manif != nil {
 		if err = c.Manif.Sync(); err != nil {
 			return err
@@ -464,12 +454,6 @@ func init() {
 		panic(err)
 	}
 
-	// Cowardly refuse to allow the user to install the hardeened bundle on
-	// grsec kernels.
-	if sandbox.IsGrsecKernel() {
-		delete(BundleLocales, chanHardened)
-	}
-
 	Bridges = make(map[string][]string)
 	if d, err := data.Asset("bridges.json"); err != nil {
 		panic(err)

