commit 4802e086043a2d3fab77a77425c607b43f20fe5b
Author: Yawning Angel <[email protected]>
Date:   Sun Dec 4 00:12:55 2016 +0000

    Add `newselect` to the 386 whitelist.
    
    obfs4proxy needs this, or it sits there looping on select() for a while
    before giving up.
---
 data/tor-whitelist-extras-i386.seccomp                  |  1 +
 .../internal/sandbox/seccomp_386.go                     | 17 +++++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/data/tor-whitelist-extras-i386.seccomp 
b/data/tor-whitelist-extras-i386.seccomp
index b3a13f7..2c33759 100644
--- a/data/tor-whitelist-extras-i386.seccomp
+++ b/data/tor-whitelist-extras-i386.seccomp
@@ -14,6 +14,7 @@ fcntl64: 1
 stat64: 1
 
 ugetrlimit: 1
+newselect: 1
 
 # tor's sandbox code claims that these calls are required on x86 but not on
 # x86_64.  tor's sandbox attempts to filter socketcall's arguments as well
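Review bot: The new `newselect: 1` entry is the only line in this hunk without a justification, while the entries below it carry a comment explaining why they are x86-specific; a whitelist of allowed syscalls is the sandbox's security boundary, so each extra entry should say who needs it. I would add `# obfs4proxy (Go runtime) polls with _newselect on i386; without it the PT loops on select() before giving up.` directly above the entry. Note that libseccomp's own name for i386 syscall 142 is `_newselect`; if the parser's name lookup accepts that spelling, using it here would let the loader resolve the call by name instead of by a hard-coded number, but I cannot tell from this file which names the loader accepts.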
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go 
b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
index 0d3a069..1e6e18c 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
@@ -95,12 +95,17 @@ func installSeccomp(fd *os.File, assets []string, 
isBlacklist bool) error {
                        scallName := string(bytes.TrimSpace(sp[0]))
                        scall, err := seccomp.GetSyscallFromName(scallName)
                        if err != nil {
-                               // Continue instead of failing on ENOSYS.  
gosecco will fail
-                               // here, but this allows whitelists to be more 
futureproof,
-                               // and handles thing like Debian 
prehistoric^wstable missing
-                               // system calls that we would like to allow 
like `getrandom`.
-                               log.Printf("seccomp: unknown system call: %v", 
scallName)
-                               continue
+                               if scallName == "newselect" {
+                                       // The library doesn't have 
"NR_newselect" yet.
+                                       scall = seccomp.ScmpSyscall(142)
+                               } else {
+                                       // Continue instead of failing on 
ENOSYS.  gosecco will fail
+                                       // here, but this allows whitelists to 
be more futureproof,
+                                       // and handles thing like Debian 
prehistoric^wstable missing
+                                       // system calls that we would like to 
allow like `getrandom`.
+                                       log.Printf("seccomp: unknown system 
call: %v", scallName)
+                                       continue
+                               }
                        }
 
                        // If the system call is present, just add it.  This is 
x86,
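Review bot: The special case resolves `newselect` to the bare number `seccomp.ScmpSyscall(142)` with no check that the filter being built is an i386 one; 142 is `_newselect` only on 32-bit x86, and on other ABIs the same number names an unrelated syscall, so a stray use of this loader with a non-386 filter would silently whitelist the wrong call. The file name suggests this code is 386-only, but that invariant lives outside the hunk and should at least be stated next to the constant, e.g. `// __NR__newselect on i386 only; this loader must not be used for other arches.` Before falling back to a number it would also be worth trying libseccomp's own spelling, `scall, err = seccomp.GetSyscallFromName("_newselect")`, and only using 142 when that still fails, so the magic number goes away once the binding gains the name. The enclosing function `installSeccomp` begins and ends outside this hunk.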
