[tor-commits] [sandboxed-tor-browser/master] Call setsid() before we exec bwrap.
yawning at torproject.org
Tue Jan 17 21:41:15 UTC 2017
commit eace1a33c9ba2370f3c045782cab7467093a4f05
Author: Yawning Angel <yawning at schwanenlied.me>
Date: Tue Jan 17 21:28:52 2017 +0000
Call setsid() before we exec bwrap.
This is part of a defense in depth measure to `TIOCSTI` considered
harmful (CVE-2017-5226). Released versions of `sandboxed-tor-browser`
were NEVER vulnerable to the issue at all because the seccomp whitelist
does not allow `TIOCSTI`.
bubblewrap's behavior here changes a bit depending on the version and
backports. In theory if everyone shipped the latest and greatest
(master), `--new-session` is available as an option, but I can just
do this myself.
---
src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index 9d2bba4..fb51e41 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -56,8 +56,7 @@ func (u *unshareOpts) toArgs() []string {
if u.pid {
args = append(args, "--unshare-pid")
} else {
- // Until bubblewrap > 0.1.5 when the child calls setsid(),
- // we have to rely on SIGKILL-ing the init fork for cleanup.
+ // This is basically required for cleanup.
panic("sandbox: unshare.pid is required")
}
if u.net {
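Review bot: the replacement comment `// This is basically required for cleanup.` drops the only in-code explanation of why `unshare.pid` is mandatory; the removed lines at least said what the cleanup problem was (without bubblewrap's own setsid() the sandbox had to be torn down by SIGKILL-ing the init fork). Now that the launcher sets the session itself, the reason a PID namespace is still required is that the sandboxed processes die together with bwrap's init when the sandbox exits, and the comment should say so rather than "basically", e.g. `// A PID namespace is required so that every sandboxed process is torn down with the init fork.` The `panic` itself is appropriate since this is a hard design requirement, not a runtime error.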
@@ -167,6 +166,7 @@ func (h *hugbox) run() (*Process, error) {
Stdout: h.stdout,
Stderr: h.stderr,
SysProcAttr: &syscall.SysProcAttr{
+ Setsid: true,
Pdeathsig: h.pdeathSig,
},
}
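Review bot: `Setsid: true` carries no comment, although the rationale is only in the commit message: the forked child becomes the leader of a new session with no controlling terminal, so neither bwrap nor anything it launches can inject keystrokes into the invoking terminal via `ioctl(TIOCSTI)` (CVE-2017-5226), which the kernel only permits against the caller's own controlling tty. Suggest adding `// New session: no controlling tty, so TIOCSTI against the launcher's terminal is impossible (CVE-2017-5226).` next to the field so the next reader does not remove it as redundant with bwrap's `--new-session`. Two things worth confirming in review: the field is honoured on every supported bubblewrap version since Go applies setsid() in the child before exec, independently of bwrap; and the seccomp denial of `TIOCSTI` stays in place as the primary control, with this change being the documented second layer.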