commit 194d51e8cedd1d8f4846f24c69d7da5f6d1c0018
Author: Yawning Angel <[email protected]>
Date: Wed Dec 28 07:15:02 2016 +0000
Bug 20940: Deprecate x86 support.
This removes support for 32 bit Intel systems, but leaves the awkward
two stage build process in place for now. Going back to gosecco will
follow next.
---
ChangeLog | 1 +
README.md | 2 +-
data/ui/channels.json | 3 +-
src/cmd/gen-seccomp/main.go | 33 +---
src/cmd/gen-seccomp/seccomp.go | 33 +---
src/cmd/gen-seccomp/seccomp_firefox.go | 97 +-----------
src/cmd/gen-seccomp/seccomp_tor.go | 166 +++++----------------
.../sandboxed-tor-browser/internal/dynlib/cache.go | 35 +----
.../sandboxed-tor-browser/internal/dynlib/hwcap.go | 31 ----
.../sandboxed-tor-browser/internal/dynlib/ldso.go | 7 +-
.../internal/sandbox/application.go | 12 +-
.../internal/ui/config/config.go | 2 -
12 files changed, 53 insertions(+), 369 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index dbde25a..8bcc45b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
Changes in version 0.0.3 - UNRELEASED:
+ * Bug 20940: Deprecate x86 support.
* Bug 20778: Check for updates in the background.
* Bug 20851: If the incremental update fails, fall back to the complete
update.
diff --git a/README.md b/README.md
index 4b70efd..badb125 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Qubes, Subgraph or Tails.
Runtime dependencies:
- * A modern Linux system on x86/x86_64 architecture.
+ * A modern Linux system on x86_64 architecture.
* bubblewrap >= 0.1.3 (https://github.com/projectatomic/bubblewrap).
* Gtk+ >= 3.14.0
* (Optional) PulseAudio
diff --git a/data/ui/channels.json b/data/ui/channels.json
index 75c237f..8e78f46 100644
--- a/data/ui/channels.json
+++ b/data/ui/channels.json
@@ -1,4 +1,3 @@
{
- "linux64": [ "release", "alpha", "hardened" ],
- "linux32": [ "release", "alpha" ]
+ "linux64": [ "release", "alpha", "hardened" ]
}
diff --git a/src/cmd/gen-seccomp/main.go b/src/cmd/gen-seccomp/main.go
index 5dcbbf2..8216166 100644
--- a/src/cmd/gen-seccomp/main.go
+++ b/src/cmd/gen-seccomp/main.go
@@ -37,7 +37,7 @@ func main() {
if err != nil {
log.Fatalf("failed to create output: %v", err)
}
- if err = compileTorSeccompProfile(f, false, false); err != nil {
+ if err = compileTorSeccompProfile(f, false); err != nil {
log.Fatalf("failed to create tor amd64 profile: %v", err)
}
@@ -46,7 +46,7 @@ func main() {
if err != nil {
log.Fatalf("failed to create output: %v", err)
}
- if err = compileTorSeccompProfile(f, true, false); err != nil {
+ if err = compileTorSeccompProfile(f, true); err != nil {
log.Fatalf("failed to create tor-obfs4 amd64 profile: %v", err)
}
@@ -55,34 +55,7 @@ func main() {
if err != nil {
log.Fatalf("failed to create output: %v", err)
}
- if err = compileTorBrowserSeccompProfile(f, false); err != nil {
+ if err = compileTorBrowserSeccompProfile(f); err != nil {
log.Fatalf("failed to create firefox amd64 profile: %v", err)
}
-
- // Tor Browser (386)
- f, err = os.Create(filepath.Join(outDir, "tor-386.bpf"))
- if err != nil {
- log.Fatalf("failed to create output: %v", err)
- }
- if err = compileTorSeccompProfile(f, false, true); err != nil {
- log.Fatalf("failed to create tor 386 profile: %v", err)
- }
-
- // Tor Browser + obfs4proxy (386)
- f, err = os.Create(filepath.Join(outDir, "tor-obfs4-386.bpf"))
- if err != nil {
- log.Fatalf("failed to create output: %v", err)
- }
- if err = compileTorSeccompProfile(f, true, true); err != nil {
- log.Fatalf("failed to create tor-obfs4 386 profile: %v", err)
- }
-
- // Firefox (386)
- f, err = os.Create(filepath.Join(outDir, "torbrowser-386.bpf"))
- if err != nil {
- log.Fatalf("failed to create output: %v", err)
- }
- if err = compileTorBrowserSeccompProfile(f, true); err != nil {
- log.Fatalf("failed to create firefox 386 profile: %v", err)
- }
}
diff --git a/src/cmd/gen-seccomp/seccomp.go b/src/cmd/gen-seccomp/seccomp.go
index ece1e7e..b016f4c 100644
--- a/src/cmd/gen-seccomp/seccomp.go
+++ b/src/cmd/gen-seccomp/seccomp.go
@@ -66,43 +66,16 @@ const (
fionread = 0x541b
tcgets = 0x5401
tiocgpgrp = 0x540f
-
- // socketcall() call numbers (linux/net.h)
- sysSocket = 1 // sys_socket()
- sysBind = 2 // sys_bind()
- sysConnect = 3 // sys_connect()
- sysListen = 4 // sys_listen()
- sysAccept = 5 // sys_accept()
- sysGetsockname = 6 // sys_getsockname()
- sysGetpeername = 7 // sys_getpeername()
- sysSocketpair = 8 // sys_socketpair()
- sysSend = 9 // sys_send()
- sysRecv = 10 // sys_recv()
- sysSendto = 11 // sys_sendto()
- sysRecvfrom = 12 // sys_recvfrom()
- sysShutdown = 13 // sys_shutdown()
- sysSetsockopt = 14 // sys_setsockopt()
- sysGetsockopt = 15 // sys_getsockopt()
- sysSendmsg = 16 // sys_sendmsg()
- sysRecvmsg = 17 // sys_recvmsg()
- sysAccept4 = 18 // sys_accept4()
- sysRecvmmsg = 19 // sys_recvmmsg
- sysSendmmsg = 20 // sys_sendmmsg
)
-func newWhitelist(is386 bool) (*seccomp.ScmpFilter, error) {
- arch := seccomp.ArchAMD64
- if is386 {
- arch = seccomp.ArchX86
- }
-
+func newWhitelist() (*seccomp.ScmpFilter, error) {
actENOSYS := seccomp.ActErrno.SetReturnCode(38)
f, err := seccomp.NewFilter(actENOSYS)
if err != nil {
return nil, err
}
- if err = f.AddArch(arch); err != nil {
+ if err = f.AddArch(seccomp.ArchAMD64); err != nil {
f.Release()
return nil, err
}
@@ -113,7 +86,7 @@ func newWhitelist(is386 bool) (*seccomp.ScmpFilter, error) {
return f, nil
}
-func allowSyscalls(f *seccomp.ScmpFilter, calls []string, is386 bool) error {
+func allowSyscalls(f *seccomp.ScmpFilter, calls []string) error {
for _, scallName := range calls {
scall, err := seccomp.GetSyscallFromName(scallName)
if err != nil {
diff --git a/src/cmd/gen-seccomp/seccomp_firefox.go
b/src/cmd/gen-seccomp/seccomp_firefox.go
index b47e35b..427c5f9 100644
--- a/src/cmd/gen-seccomp/seccomp_firefox.go
+++ b/src/cmd/gen-seccomp/seccomp_firefox.go
@@ -19,14 +19,12 @@ package main
import (
"os"
"syscall"
-
- seccomp "github.com/seccomp/libseccomp-golang"
)
-func compileTorBrowserSeccompProfile(fd *os.File, is386 bool) error {
+func compileTorBrowserSeccompProfile(fd *os.File) error {
defer fd.Close()
- f, err := newWhitelist(is386)
+ f, err := newWhitelist()
if err != nil {
return err
}
@@ -190,54 +188,10 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386
bool) error {
// "personality",
// "mlock",
}
- if is386 {
- allowedNoArgs386 := []string{
- "fadvise64_64",
- "fcntl64",
- "fstat64",
- "fstatfs64",
- "ftruncate64",
- "lstat64",
- "stat64",
- "statfs64",
- "_llseek",
-
- "mmap2",
- "ugetrlimit",
- "set_thread_area",
- "waitpid",
-
- "getgid32",
- "getuid32",
- "getresgid32",
- "getresuid32",
-
- "recv",
- "send",
- "_newselect",
- }
- allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
- }
- if err = allowSyscalls(f, allowedNoArgs, is386); err != nil {
+ if err = allowSyscalls(f, allowedNoArgs); err != nil {
return err
}
- // Like with how I do the tor rules, handle socketcall() before
everything
- // else.
- if is386 {
- if err = ffFilterSocketcall(f); err != nil {
- return err
- }
-
- // Unrelated to sockets, only i386 needs these, and it can be
filtered.
- if err = allowCmpEq(f, "time", 0, 0); err != nil {
- return err
- }
- if err = ffFilterPrlimit64(f); err != nil {
- return err
- }
- }
-
// Because we patch PulseAudio's mutex creation, we can omit all PI
futex
// calls.
if err = allowCmpEq(f, "futex", 1, futexWait, futexWaitPrivate,
futexWakePrivate, futexCmpRequeuePrivate, futexWakeOpPrivate,
futexWaitBitsetPrivate|futexClockRealtime, futexWake, futexWaitBitsetPrivate);
err != nil {
@@ -259,48 +213,3 @@ func compileTorBrowserSeccompProfile(fd *os.File, is386
bool) error {
return f.ExportBPF(fd)
}
-
-func ffFilterSocketcall(f *seccomp.ScmpFilter) error {
- // This is kind of pointless because it allows basically all the things.
- allowedCalls := []uint64{
- sysSocket,
- sysBind,
- sysConnect,
- sysListen,
- sysGetsockname,
- sysGetpeername,
- sysSocketpair,
- sysSend,
- sysRecv,
- sysSendto,
- sysRecvfrom,
- sysShutdown,
- sysSetsockopt,
- sysGetsockopt,
- sysSendmsg,
- sysRecvmsg,
- sysAccept4,
- }
- return allowCmpEq(f, "socketcall", 0, allowedCalls...)
-}
-
-func ffFilterPrlimit64(f *seccomp.ScmpFilter) error {
- scall, err := seccomp.GetSyscallFromName("prlimit64")
- if err != nil {
- return err
- }
-
- // Per Mozilla's sandbox: only prlimit64(0, resource, NULL, old_limit)
- // which is functionally equivalent to getrlimit(). 0 instead of the
- // pid() is a glibc-ism.
-
- isPid0, err := seccomp.MakeCondition(0, seccomp.CompareEqual, 0)
- if err != nil {
- return err
- }
- isNoNewLimit, err := seccomp.MakeCondition(2, seccomp.CompareEqual, 9)
- if err != nil {
- return err
- }
- return f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isPid0, isNoNewLimit})
-}
diff --git a/src/cmd/gen-seccomp/seccomp_tor.go
b/src/cmd/gen-seccomp/seccomp_tor.go
index 26b4b14..e6501e3 100644
--- a/src/cmd/gen-seccomp/seccomp_tor.go
+++ b/src/cmd/gen-seccomp/seccomp_tor.go
@@ -25,10 +25,10 @@ import (
var maskedCloexecNonblock = ^(uint64(syscall.SOCK_CLOEXEC |
syscall.SOCK_NONBLOCK))
-func compileTorSeccompProfile(fd *os.File, useBridges bool, is386 bool) error {
+func compileTorSeccompProfile(fd *os.File, useBridges bool) error {
defer fd.Close()
- f, err := newWhitelist(is386)
+ f, err := newWhitelist()
if err != nil {
return err
}
@@ -106,34 +106,9 @@ func compileTorSeccompProfile(fd *os.File, useBridges
bool, is386 bool) error {
"readlink", // ASAN needs this.
}
- if is386 {
- allowedNoArgs386 := []string{
- "fstat64",
- "getegid32",
- "geteuid32",
- "getgid32",
- "getuid32",
- "_llseek",
- "sigreturn",
-
- "recv",
- "send",
- "stat64",
-
- "ugetrlimit",
- "set_thread_area",
- }
- allowedNoArgs = append(allowedNoArgs, allowedNoArgs386...)
- }
- if err = allowSyscalls(f, allowedNoArgs, is386); err != nil {
+ if err = allowSyscalls(f, allowedNoArgs); err != nil {
return err
}
- if is386 {
- // Handle socketcall() before filtering other things.
- if err = torFilterSocketcall(f, useBridges); err != nil {
- return err
- }
- }
if err = allowCmpEq(f, "time", 0, 0); err != nil {
return err
@@ -183,10 +158,10 @@ func compileTorSeccompProfile(fd *os.File, useBridges
bool, is386 bool) error {
if err = torFilterSocketpair(f); err != nil {
return err
}
- if err = torFilterMmap(f, is386); err != nil {
+ if err = torFilterMmap(f); err != nil {
return err
}
- if err = torFilterFcntl(f, is386); err != nil {
+ if err = torFilterFcntl(f); err != nil {
return err
}
@@ -203,10 +178,7 @@ func compileTorSeccompProfile(fd *os.File, useBridges
bool, is386 bool) error {
"getpeername",
"getppid",
}
- if is386 {
- obfsCalls = append(obfsCalls, "_newselect")
- }
- if err = allowSyscalls(f, obfsCalls, is386); err != nil {
+ if err = allowSyscalls(f, obfsCalls); err != nil {
return err
}
@@ -223,7 +195,7 @@ func compileTorSeccompProfile(fd *os.File, useBridges bool,
is386 bool) error {
if err = obfsFilterSetsockopt(f); err != nil {
return err
}
- if err = obfsFilterMmap(f, is386); err != nil {
+ if err = obfsFilterMmap(f); err != nil {
return err
}
}
@@ -231,40 +203,6 @@ func compileTorSeccompProfile(fd *os.File, useBridges
bool, is386 bool) error {
return f.ExportBPF(fd)
}
-func torFilterSocketcall(f *seccomp.ScmpFilter, useBridges bool) error {
- // This interface needs to die in a fire, because it's leaving
- // gaping attack surface. It kind of will assuming that things
- // move on to 4.3 or later.
- //
- // Emperically on Fedora 25 getsockopt and setsockopt still are
- // multiplexed, though that may just be my rules or libseccomp2.
- //
- // Re-test after Debian stable moves to a modern kernel.
-
- allowedCalls := []uint64{
- sysSocket,
- sysBind,
- sysConnect,
- sysListen,
- sysGetsockname,
- sysSocketpair,
- sysSend,
- sysRecv,
- sysSendto,
- sysRecvfrom,
- sysSetsockopt,
- sysGetsockopt,
- sysSendmsg,
- sysRecvmsg,
- sysAccept4,
- }
- if useBridges {
- allowedCalls = append(allowedCalls, sysGetpeername)
- }
-
- return allowCmpEq(f, "socketcall", 0, allowedCalls...)
-}
-
func torFilterPrctl(f *seccomp.ScmpFilter) error {
scall, err := seccomp.GetSyscallFromName("prctl")
if err != nil {
@@ -463,19 +401,11 @@ func torFilterSocketpair(f *seccomp.ScmpFilter) error {
return nil
}
-func torFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
- scallMmap, err := seccomp.GetSyscallFromName("mmap")
+func torFilterMmap(f *seccomp.ScmpFilter) error {
+ scall, err := seccomp.GetSyscallFromName("mmap")
if err != nil {
return err
}
- scalls := []seccomp.ScmpSyscall{scallMmap}
- if is386 {
- scallMmap2, err := seccomp.GetSyscallFromName("mmap2")
- if err != nil {
- return err
- }
- scalls = append(scalls, scallMmap2)
- }
// (arg2 == PROT_READ && arg3 == MAP_PRIVATE)
isProtRead, err := seccomp.MakeCondition(2, seccomp.CompareEqual,
syscall.PROT_READ)
@@ -486,10 +416,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool)
error {
if err != nil {
return err
}
- for _, scall := range scalls {
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtRead, isPrivate}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtRead, isPrivate}); err != nil {
+ return err
}
// (arg2 == PROT_NONE && arg3 == MAP_PRIVATE | MAP_ANONYMOUS |
MAP_NORESERVE)
@@ -501,10 +429,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool)
error {
if err != nil {
return err
}
- for _, scall := range scalls {
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtNone, isProtNoneFlags}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtNone, isProtNoneFlags}); err != nil {
+ return err
}
isProtReadWrite, err := seccomp.MakeCondition(2, seccomp.CompareEqual,
syscall.PROT_READ|syscall.PROT_WRITE)
@@ -523,10 +449,8 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool)
error {
if err != nil {
return err
}
- for _, scall := range scalls {
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtReadWrite, isFlag}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtReadWrite, isFlag}); err != nil {
+ return err
}
}
@@ -540,28 +464,18 @@ func torFilterMmap(f *seccomp.ScmpFilter, is386 bool)
error {
if err != nil {
return err
}
- for _, scall := range scalls {
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtReadExec, isProtReadExecFlags}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtReadExec, isProtReadExecFlags}); err != nil {
+ return err
}
return nil
}
-func torFilterFcntl(f *seccomp.ScmpFilter, is386 bool) error {
- scallFcntl, err := seccomp.GetSyscallFromName("fcntl")
+func torFilterFcntl(f *seccomp.ScmpFilter) error {
+ scall, err := seccomp.GetSyscallFromName("fcntl")
if err != nil {
return err
}
- scalls := []seccomp.ScmpSyscall{scallFcntl}
- if is386 {
- scallFcntl64, err := seccomp.GetSyscallFromName("fcntl64")
- if err != nil {
- return err
- }
- scalls = append(scalls, scallFcntl64)
- }
isFGetfl, err := seccomp.MakeCondition(1, seccomp.CompareEqual,
syscall.F_GETFL)
if err != nil {
@@ -590,21 +504,19 @@ func torFilterFcntl(f *seccomp.ScmpFilter, is386 bool)
error {
return err
}
- for _, scall := range scalls {
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFGetfl}); err != nil {
- return err
- }
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFGetfd}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFGetfl}); err != nil {
+ return err
+ }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFGetfd}); err != nil {
+ return err
+ }
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFSetfl, isFSetflFlags}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFSetfl, isFSetflFlags}); err != nil {
+ return err
+ }
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFSetfd, isFdCloexec}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isFSetfd, isFdCloexec}); err != nil {
+ return err
}
return nil
@@ -656,19 +568,11 @@ func obfsFilterSetsockopt(f *seccomp.ScmpFilter) error {
}
// `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3
== MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)`
-func obfsFilterMmap(f *seccomp.ScmpFilter, is386 bool) error {
- scallMmap, err := seccomp.GetSyscallFromName("mmap")
+func obfsFilterMmap(f *seccomp.ScmpFilter) error {
+ scall, err := seccomp.GetSyscallFromName("mmap")
if err != nil {
return err
}
- scalls := []seccomp.ScmpSyscall{scallMmap}
- if is386 {
- scallMmap2, err := seccomp.GetSyscallFromName("mmap2")
- if err != nil {
- return err
- }
- scalls = append(scalls, scallMmap2)
- }
isProtNone, err := seccomp.MakeCondition(2, seccomp.CompareEqual,
syscall.PROT_NONE)
if err != nil {
@@ -683,10 +587,8 @@ func obfsFilterMmap(f *seccomp.ScmpFilter, is386 bool)
error {
if err != nil {
return err
}
- for _, scall := range scalls {
- if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtNone, isFlag}); err != nil {
- return err
- }
+ if err = f.AddRuleConditional(scall, seccomp.ActAllow,
[]seccomp.ScmpCondition{isProtNone, isFlag}); err != nil {
+ return err
}
}
return nil
diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go
b/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go
index ecac7b8..24dcf47 100644
--- a/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go
+++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/cache.go
@@ -262,9 +262,6 @@ func LoadCache() (*Cache, error) {
return nil, errUnsupported
}
- auxvHwcap := getHwcap()
- Debugf("dynlib: ELF AUXV AT_HWCAP: %016x", auxvHwcap)
-
ourOsVersion := getOsVersion()
Debugf("dynlib: osVersion: %08x", ourOsVersion)
@@ -321,41 +318,13 @@ func LoadCache() (*Cache, error) {
// libs[]
var flagCheckFn func(uint32) bool
- var capCheckFn func(uint64) bool
switch runtime.GOARCH {
case "amd64":
flagCheckFn = func(flags uint32) bool {
const wantFlags = flagX8664Lib64 | flagElfLibc6
return flags&wantFlags == wantFlags
}
- capCheckFn = func(hwcap uint64) bool {
- // Not used on this arch AFAIK.
- return true
- }
- case "386":
- flagCheckFn = func(flags uint32) bool {
- // Reject 64 bit libraries.
- if flags&flagX8664Lib64 == flagX8664Lib64 {
- return false
- }
- return flags&flagElfLibc6 == flags
- }
- capCheckFn = func(hwcap uint64) bool {
- // Filter out libraries we have no hope of using.
- ourHwcap := auxvHwcap & hwcapMask
- libHwcap := hwcap & hwcapMask
- if libHwcap&ourHwcap != libHwcap {
- return false
- }
-
- ourPlatform := auxvHwcap >> x86HwcapFirstPlatform
- libPlatform := hwcap >> x86HwcapFirstPlatform
- if ourPlatform < libPlatform {
- return false
- }
-
- return true
- }
+ // HWCAP is unused on amd64.
default:
panic(errUnsupported)
}
@@ -385,7 +354,7 @@ func LoadCache() (*Cache, error) {
Debugf("dynlib: ignoring library: %v (osVersion: %x)",
e.key, e.osVersion)
} else if err = ValidateLibraryClass(e.value); err != nil {
Debugf("dynlib: ignoring library %v (%v)", e.key, err)
- } else if flagCheckFn(e.flags) && capCheckFn(e.hwcap) {
+ } else if flagCheckFn(e.flags) {
vec := c.store[e.key]
vec = append(vec, e)
c.store[e.key] = vec
diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go
b/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go
index 8474b0c..7c2998c 100644
--- a/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go
+++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/hwcap.go
@@ -26,40 +26,9 @@ import "C"
import (
"bytes"
- "runtime"
"syscall"
)
-const (
- x86HwcapFirstPlatform = 48
- hwcapMask = 0xffffffff
-)
-
-func getHwcap() uint64 {
- if runtime.GOARCH != "386" {
- return 0
- }
-
- // HWCAP_I386_XMM2 = 1 << 26
- // HWCAP_I386_CMOV = 1 << 15 (Debian-ism)
- important := uint32((1 << 26) | (1 << 15))
- hwcap := uint64(uint32(C.getauxval(C.AT_HWCAP)) & important)
-
- // On x86, glibc stores the x86 architecture family in hwcap as well.
- x86Platforms := []string{"i386", "i486", "i586", "i686"}
-
- platform := C.GoString(C.getPlatform())
- for i, v := range x86Platforms {
- if v == platform {
- i += x86HwcapFirstPlatform
- hwcap = hwcap | (uint64(i) << x86HwcapFirstPlatform)
- break
- }
- }
-
- return hwcap
-}
-
func getOsVersion() uint32 {
var buf syscall.Utsname
err := syscall.Uname(&buf)
diff --git a/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go
b/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go
index 438fb3a..874f693 100644
--- a/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go
+++ b/src/cmd/sandboxed-tor-browser/internal/dynlib/ldso.go
@@ -50,8 +50,6 @@ func ValidateLibraryClass(fn string) error {
switch runtime.GOARCH {
case "amd64":
expectedClass = elf.ELFCLASS64
- case "386":
- expectedClass = elf.ELFCLASS32
default:
return errUnsupported
}
@@ -75,9 +73,6 @@ func FindLdSo(cache *Cache) (string, string, error) {
case "amd64":
searchPaths = append(searchPaths, "/lib64")
name = "ld-linux-x86-64.so.2"
- case "386":
- searchPaths = append(searchPaths, "/lib32")
- name = "ld-linux.so.2"
default:
panic("dynlib: unsupported architecture: " + runtime.GOARCH)
}
@@ -105,5 +100,5 @@ func FindLdSo(cache *Cache) (string, string, error) {
// IsSupported returns true if the architecture/os combination has dynlib
// sypport.
func IsSupported() bool {
- return runtime.GOOS == "linux" && (runtime.GOARCH == "amd64" ||
runtime.GOARCH == "386")
+ return runtime.GOOS == "linux" && runtime.GOARCH == "amd64"
}
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 2d016bb..29fea85 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -819,9 +819,8 @@ func (h *hugbox) appendLibraries(cache *dynlib.Cache,
binaries []string, extraLi
case "amd64":
h.symlink("/lib", "/lib64")
h.symlink(restrictedLibDir, "/usr/lib64")
- case "386":
- h.symlink("/lib", "/lib32")
- h.symlink(restrictedLibDir, "/usr/lib32")
+ default:
+ panic("sandbox: unsupported architecture: " + runtime.GOARCH)
}
h.standardLibs = false
@@ -839,11 +838,8 @@ func init() {
"/usr/lib64", // Fedora 25
"/usr/lib/x86_64-linux-gnu", // Debian
}, searchPaths...)
- case "386":
- searchPaths = append([]string{
- "/usr/lib32",
- "/usr/lib/i386-linux-gnu", // Debian
- }, searchPaths...)
+ default:
+ panic("sandbox: unsupported architecture: " + runtime.GOARCH)
}
distributionDependentLibSearchPath = searchPaths
diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
index bddc073..44b6633 100644
--- a/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
+++ b/src/cmd/sandboxed-tor-browser/internal/ui/config/config.go
@@ -462,8 +462,6 @@ func New(version string) (*Config, error) {
return nil, fmt.Errorf("unsupported OS: %v", runtime.GOOS)
}
switch runtime.GOARCH {
- case "386":
- cfg.Architecture = archLinux32
case "amd64":
cfg.Architecture = archLinux64
default:
_______________________________________________
tor-commits mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
