commit 45e252e604150054a483bde5fc43303b8dc14339
Author: Yawning Angel <[email protected]>
Date:   Mon Dec 5 23:32:48 2016 +0000

    More seccomp improvements.
    
     * Fail with an error on ENOSYS.
     * Remove socketcall from the 286 whitelists, libseccomp should handle
       that for us.
---
 src/cmd/gen-seccomp/seccomp.go         | 8 +++-----
 src/cmd/gen-seccomp/seccomp_firefox.go | 1 -
 src/cmd/gen-seccomp/seccomp_tor.go     | 4 ++--
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/src/cmd/gen-seccomp/seccomp.go b/src/cmd/gen-seccomp/seccomp.go
index 62b286d..9ec17e8 100644
--- a/src/cmd/gen-seccomp/seccomp.go
+++ b/src/cmd/gen-seccomp/seccomp.go
@@ -17,7 +17,7 @@
 package main
 
 import (
-       "log"
+       "fmt"
 
        seccomp "github.com/seccomp/libseccomp-golang"
 )
@@ -98,8 +98,7 @@ func allowSyscalls(f *seccomp.ScmpFilter, calls []string, 
is386 bool) error {
                        if is386 && scallName == "newselect" {
                                scall = seccomp.ScmpSyscall(142)
                        } else {
-                               log.Printf("seccomp: unknown system call: %v", 
scallName)
-                               continue
+                               return fmt.Errorf("seccomp: unknown system 
call: %v", scallName)
                        }
                }
                if err = f.AddRule(scall, seccomp.ActAllow); err != nil {
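Review bot: The new `return fmt.Errorf(...)` discards the error from the syscall lookup, so the caller always sees "unknown system call" even if the lookup failed for another reason. The identical return in allowCmpEq has the same issue, and there `scall, err := seccomp.GetSyscallFromName(scallName)` is visible. Consider `return fmt.Errorf("seccomp: unknown system call: %q: %v", scallName, err)` in both places. The condition guarding this branch in allowSyscalls starts above the hunk, so I am assuming it tests that same lookup error. Because an unresolved name now aborts profile generation instead of logging and skipping the rule, a one-line comment saying the hard failure is deliberate would help.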
@@ -112,8 +111,7 @@ func allowSyscalls(f *seccomp.ScmpFilter, calls []string, 
is386 bool) error {
 func allowCmpEq(f *seccomp.ScmpFilter, scallName string, arg uint, values 
...uint64) error {
        scall, err := seccomp.GetSyscallFromName(scallName)
        if err != nil {
-               log.Printf("seccomp: unknown system call: %v", scallName)
-               return nil
+               return fmt.Errorf("seccomp: unknown system call: %v", scallName)
        }
 
        // Allow if the arg matches any of the values.  Implemented as multiple
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go 
b/src/cmd/gen-seccomp/seccomp_firefox.go
index 75a7dd3..1606d76 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -209,7 +209,6 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386 
bool) error {
                        "recv",
                        "send",
                        "newselect",
-                       "socketcall",
 
                        "socket", // Filtered on amd64.
                }
diff --git a/src/cmd/gen-seccomp/seccomp_tor.go 
b/src/cmd/gen-seccomp/seccomp_tor.go
index 2b01656..6144548 100644
--- a/src/cmd/gen-seccomp/seccomp_tor.go
+++ b/src/cmd/gen-seccomp/seccomp_tor.go
@@ -115,7 +115,6 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool, 
is386 bool) error {
                        "recv",
                        "send",
                        "stat64",
-                       "socketcall", // Sigh...
 
                        "ugetrlimit",
                        "set_thread_area",
@@ -254,7 +253,8 @@ func torFilterAccept4(f *seccomp.ScmpFilter, is386 bool) 
error {
        }
        if is386 {
                // XXX: The tor common/sandbox.c file, explcitly allows 
socketcall()
-               // by arg for this call, and only this call. ??????
+               // by arg for this call, and only this call, when libseccomp 
should
+               // do the right thing.
                return f.AddRule(scall, seccomp.ActAllow)
        }
 
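Review bot: The reworded XXX comment in the `is386` branch still does not say what the branch does, which is to allow the call with no argument checks via `f.AddRule(scall, seccomp.ActAllow)`. Someone auditing the sandbox needs that stated, for example `// 386: allowed unconditionally; arguments are not filtered here, and socketcall() translation is left to libseccomp.` The word "explcitly" should also be corrected to "explicitly". If the non-386 path below the hunk does filter on arguments, the comment should say that the 386 profile is weaker for this call. torFilterAccept4 starts and ends outside the hunk.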
