[tor-commits] [sandboxed-tor-browser/master] Fix e10s Web Content crash on systems with grsec kernels.
yawning at torproject.org
yawning at torproject.org
Wed Apr 12 22:22:06 UTC 2017
commit a9a3ab621ed72fb1c836d9e224be7b42f4445b90
Author: Yawning Angel <yawning at schwanenlied.me>
Date: Wed Apr 12 22:19:26 2017 +0000
Fix e10s Web Content crash on systems with grsec kernels.
The `plugin-container` binary needs to be able to make RWX mappings,
or Web Content workers get killed by the kernel.
---
ChangeLog | 1 +
.../internal/sandbox/application.go | 18 +++++++++++++-----
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3e55844..1007ae3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
Changes in version 0.0.5 - UNRELEASED:
+ * Fix e10s Web Content crash on systems with grsec kernels.
Changes in version 0.0.4 - 2017-04-12:
* Bug 21928: Force a reinstall if an existing hardened bundle is present.
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 427c3b1..bf2914a 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -190,8 +190,15 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (pr
// Tor Browser currently is incompatible with PaX MPROTECT, apply the
// override if needed.
realFirefoxPath := filepath.Join(realBrowserHome, "firefox")
- if err = applyPaXAttributes(manif, realFirefoxPath); err != nil {
- return nil, err
+ needsPaXPaths := []string{
+ realFirefoxPath,
+ filepath.Join(realBrowserHome, "plugin-container"),
+ }
+ for _, p := range needsPaXPaths {
+ err := applyPaXAttributes(manif, p)
+ if err != nil {
+ log.Printf("sandbox: Failed to apply PaX attributes to `%v`: %v", p, err)
+ }
}
extraLdLibraryPath := ""
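Review bot: The loop over `needsPaXPaths` only logs a failure from applyPaXAttributes, where the removed lines returned it from RunTorBrowser, and the commit message does not mention this downgrade. On a grsec kernel a failed override for `firefox` would presumably surface later as the kernel killing the process, which is harder to diagnose than a launch error. If the softer handling is meant only for `plugin-container`, add `if p == realFirefoxPath { return nil, err }` ahead of the log.Printf call. The comment above the block should also record that the MPROTECT exemption now covers the content-process binary, e.g. `// plugin-container (e10s Web Content) also needs RWX mappings, so it is exempted from PaX MPROTECT too.` RunTorBrowser starts and continues outside the hunk.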
@@ -329,11 +336,12 @@ func applyPaXAttributes(manif *config.Manifest, f string) error {
const paxAttr = "user.pax.flags"
sz, _ := syscall.Getxattr(f, paxAttr, nil)
+ _, n := filepath.Split(f)
// Strip off the attribute if this is a non-grsec kernel.
if !IsGrsecKernel() {
if sz > 0 {
- log.Printf("sandbox: Removing Tor Browser PaX attributes.")
+ log.Printf("sandbox: Removing PaX attributes: %v", n)
syscall.Removexattr(f, paxAttr)
}
return nil
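Review bot: `sz, _ := syscall.Getxattr(f, paxAttr, nil)` discards the error, so a missing or unreadable file is indistinguishable from one without the attribute. This matters more now that a second path is passed whose existence is not checked in the visible code. Keeping the error and logging it with the file name would make that case visible, and the same applies to the unchecked result of `syscall.Removexattr(f, paxAttr)`. As a point of style, `n := filepath.Base(f)` states the intent more directly than `_, n := filepath.Split(f)`. applyPaXAttributes begins and ends outside this hunk, and `n` is also used by the log lines in the following hunk.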
@@ -346,12 +354,12 @@ func applyPaXAttributes(manif *config.Manifest, f string) error {
return err
}
if bytes.Contains(dest, paxOverride) {
- log.Printf("sandbox: Tor Browser PaX attributes already set.")
+ log.Printf("sandbox: PaX attributes already set: %v", n)
return nil
}
}
- log.Printf("sandbox: Applying Tor Browser PaX attributes.")
+ log.Printf("sandbox: Applying PaX attributes: %v", n)
return syscall.Setxattr(f, paxAttr, paxOverride, 0)
}