[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [sandboxed-tor-browser/master] Remove the old gosecco glue code.



commit 8aa40ffd5ce26b58d4c47d1b625ca1451c22acb8
Author: Yawning Angel <yawning@xxxxxxxxxxxxxxx>
Date:   Sun Dec 4 23:18:29 2016 +0000

    Remove the old gosecco glue code.
---
 data/blacklist-extras-i386.seccomp                 |   5 -
 data/blacklist.seccomp                             |  95 -----------
 data/tor-obfs4-whitelist.seccomp                   | 147 -----------------
 data/tor-whitelist-extras-i386.seccomp             |  29 ----
 data/tor-whitelist.seccomp                         | 122 ---------------
 ...rbrowser-launcher-whitelist-extras-i386.seccomp |  28 ----
 data/torbrowser-launcher-whitelist.seccomp         | 173 ---------------------
 .../internal/sandbox/seccomp.go                    |  12 --
 .../internal/sandbox/seccomp_386.go                | 125 ---------------
 .../internal/sandbox/seccomp_amd64.go              | 103 ------------
 10 files changed, 839 deletions(-)

diff --git a/data/blacklist-extras-i386.seccomp b/data/blacklist-extras-i386.seccomp
deleted file mode 100644
index dc74400..0000000
--- a/data/blacklist-extras-i386.seccomp
+++ /dev/null
@@ -1,5 +0,0 @@
-# Seccomp blacklist i386 specific rules  that will be installed in adition to
-# blacklist.seccomp.
-
-vm86: 1 
-vm86old: 1
diff --git a/data/blacklist.seccomp b/data/blacklist.seccomp
deleted file mode 100644
index ccc508b..0000000
--- a/data/blacklist.seccomp
+++ /dev/null
@@ -1,95 +0,0 @@
-# Basic standard seccomp blacklist rules, based off a few sources.
-
-#
-# linux-user-chroot (v0 profile)
-#
-
-# Block dmesg
-syslog: 1
-# Useless old syscall
-uselib: 1
-# Don't allow you to switch to bsd emulation or whatnot
-personality: 1
-# Don't allow disabling accounting
-acct: 1
-# 16-bit code is unnecessary in the sandbox, and modify_ldt is a historic source of interesting information leaks.
-modify_ldt: 1
-# Don't allow reading current quota use
-quotactl: 1
-
-# Scary VM/NUMA ops:
-move_pages: 1
-mbind: 1
-get_mempolicy: 1
-set_mempolicy: 1
-migrate_pages: 1
-
-# Don't allow subnamespace setups:
-# XXX/yawning: The clone restriction breaks bwrap.  c'est la vie.  It
-# looks like Mozilla is considering using user namespaces for the
-# content process sandboxing efforts, so this may need to be enabled.
-unshare: 1
-mount: 1
-pivot_root: 1
-# {SCMP_SYS(clone), &SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, // Breaks bwrap.
-
-# Profiling operations; we expect these to be done by tools from
-# outside the sandbox.  In particular perf has been the source of many
-# CVEs.
-perf_event_open: 1
-ptrace: 1
-
-#
-# firejail seccomp_filter_64()
-#
-
-# mount
-umount2: 1
-kexec_load: 1
-# ptrace
-open_by_handle_at: 1
-name_to_handle_at: 1
-create_module: 1
-init_module: 1
-finit_module: 1
-delete_module: 1
-iopl: 1
-ioperm: 1
-ioprio_set: 1
-swapon: 1
-swapoff: 1
-# syslog
-process_vm_readv: 1
-process_vm_writev: 1
-sysfs: 1
-_sysctl: 1
-adjtimex: 1
-clock_adjtime: 1
-lookup_dcookie: 1
-# perf_event_open
-fanotify_init: 1
-kcmp: 1
-add_key: 1
-request_key: 1
-keyctl: 1
-# uselib
-# acct
-# modify_ldt
-# pivot_root
-io_setup: 1
-io_destroy: 1
-io_getevents: 1
-io_submit: 1
-io_cancel: 1
-remap_file_pages: 1
-# mbind
-# get_mempolicy
-# set_mempolicy
-# migrate_pages
-# move_pages
-vmsplice: 1
-chroot: 1
-tuxcall: 1
-reboot: 1
-nfsservctl: 1
-get_kernel_syms: 1
diff --git a/data/tor-obfs4-whitelist.seccomp b/data/tor-obfs4-whitelist.seccomp
deleted file mode 100644
index 773c5b7..0000000
--- a/data/tor-obfs4-whitelist.seccomp
+++ /dev/null
@@ -1,147 +0,0 @@
-# tor +obfs4proxy binary seccomp rules based off the tor sandbox and the
-# subgraph tor-browser-launcher rules, along with some quality time with
-# strace.
-
-#
-# WARNING: This is a stopgap.  In an ideal world, tor and obfs4proxy will
-# have separate containers, with their own seccomp rules.
-#
-
-# Constants used for argument comparisons.
-SIG_BLOCK=1
-SIG_SETMASK=2
-MREMAP_MAYMOVE=1
-PF_LOCAL=AF_LOCAL
-POLLIN=1
-
-# The tor stage 1 set.
-access: 1
-brk: 1
-clock_gettime: 1
-close: 1
-clone: 1
-epoll_create: 1
-epoll_wait: 1
-eventfd2: 1
-pipe2: 1
-pipe: 1
-fcntl: 1
-fstat: 1
-# fstat64: 1
-getdents: 1
-getdents64: 1
-getegid: 1
-# getegid32: 1
-geteuid: 1
-# geteuid32: 1
-getgid: 1
-# getgid32: 1
-getrlimit: 1
-gettimeofday: 1
-gettid: 1
-getuid: 1
-# getuid32: 1
-lseek: 1
-#_llseek: 1
-mkdir: 1
-munmap: 1
-prlimit64: 1
-read: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-set_robust_list: 1
-setrlimit: 1
-sigaltstack: 1
-# sigreturn: 1
-stat: 1
-uname: 1
-wait4: 1
-write: 1
-writev: 1
-exit_group: 1
-exit: 1
-madvise: arg2 == 8
-getrandom: 1
-sysinfo: 1
-bind: 1
-listen: 1
-connect: 1
-getsockname: 1
-recvmsg: 1
-recvfrom: 1
-sendto: 1
-unlink: 1
-
-# System calls that tor restricts by argument.
-rt_sigprocmask: arg0 == SIG_BLOCK || arg0 == SIG_SETMASK
-time: arg0 == 0
-epoll_ctl: arg1 == EPOLL_CTL_ADD || arg1 == EPOLL_CTL_MOD || arg1 == EPOLL_CTL_DEL
-prctl: (arg0 == PR_SET_DUMPABLE && arg1 == 0) || arg0 == PR_SET_PDEATHSIG
-mprotect: arg2 == PROT_READ || arg2 == PROT_NONE || arg2 == PROT_READ | PROT_WRITE
-flock: arg1 == (LOCK_EX | LOCK_NB) || arg1 == LOCK_UN
-# FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_PRIVATE
-futex: arg1 == 393 || arg1 == 128 || arg1 == 129 || arg1 == 1 || arg1 == 0
-mremap: arg3 == MREMAP_MAYMOVE
-poll: arg1 == POLLIN && arg2 == 10
-socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || arg0 == AF_NETLINK
-setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF || arg2 == SO_BROADCAST)) || (arg1 == SOL_TCP && arg2 == TCP_NODELAY) || (arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY)
-getsockopt: arg1 == SOL_SOCKET && arg2 == SO_ERROR
-# XXX: src/common/compat.c:tor_socketpair looks like it uses SOCK_CLOEXEC,
-# but according to strace, fcntl is used to actually set the flag (6.0.6).
-socketpair: arg0 == PF_LOCAL && (arg1 == SOCK_STREAM || arg1 == SOCK_STREAM | SOCK_CLOEXEC)
-# XXX/yawning: Tor doesn't have filters for this, but does for mmap2, but mmap2
-# is an x86-ism, so can't filter args.
-#
-# (PROT_READ|PROT_EXEC, MAP_PRIVATE | MAP_DENYWRITE) is needed for ld-linux.so
-mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE || arg3 == MAP_PRIVATE | MAP_ANONYMOUS || arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS)) || (arg2 == PROT_READ | PROT_WRITE && ((arg3 == MAP_PRIVATE | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_DENYWRITE) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_DENYWRITE))) || (arg2 == PROT_READ | PROT_EXEC && arg3 == MAP_PRIVATE | MAP_DENYWRITE)
-
-# System calls that tor has filters for, that we do not due to:
-#  * Yawning being too dumb/lazy to convert the rules (accept4, mmap2,
-#    rt_sigaction).
-rt_sigaction: 1
-accept4: 1
-# mmap2: 1
-# fcntl64: 1
-
-# System calls that tor restricts by argument, but that need to be done by the
-# tor binary, because the restriction is by pointer.
-chown: 1
-chmod: 1
-open: 1
-openat: 1
-rename: 1
-# stat64: 1
-
-# System calls that tor needs, but doesn't know it needs, because they are made
-# prior to Tor's sandbox enforcement, either by tor, it's dependencies, or even
-# by bubblewrap.
-arch_prctl: 1
-unshare: 1
-getpid: 1
-kill: 1
-execve: 1
-restart_syscall: 1
-set_tid_address: 1
-chdir: 1
-umask: arg0 == 022
-
-# obfs4proxy requires the following:
-#
-# Note that it also requires additional things to be allowed in the various
-# arg filters, which are made at the pre-existing locations.
-# `mprotect` -> `arg2 == PROT_READ | PROT_WRITE`
-# `futex` -> `arg1 == 1 || arg1 == 0` (FUTEX_WAKE, FUTEX_WAIT)
-# `setsockopt` -> `arg1 == SOL_TCP && arg2 == TCP_NODELAY`
-#                 `arg1 == SOL_SOCKET && arg2 == SO_BROADCAST`
-#                 `arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY`
-# `mmap` -> `arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)`
-mincore: 1
-dup2: 1
-select: 1
-mkdirat: 1
-fsync: 1
-epoll_create1: arg0 == EPOLL_CLOEXEC
-getpeername: 1
-getppid: 1
diff --git a/data/tor-whitelist-extras-i386.seccomp b/data/tor-whitelist-extras-i386.seccomp
deleted file mode 100644
index 2c33759..0000000
--- a/data/tor-whitelist-extras-i386.seccomp
+++ /dev/null
@@ -1,29 +0,0 @@
-# tor binary i386 specific seccomp rules that will be installed in addition to
-# tor-whitelist-seccomp.
-
-# 32 bit system specific system calls relocated from tor-whitelist.seccomp
-fstat64: 1
-getegid32: 1
-geteuid32: 1
-getgid32: 1
-getuid32: 1
-_llseek: 1
-sigreturn: 1
-mmap2: 1
-fcntl64: 1
-stat64: 1
-
-ugetrlimit: 1
-newselect: 1
-
-# tor's sandbox code claims that these calls are required on x86 but not on
-# x86_64.  tor's sandbox attempts to filter socketcall's arguments as well
-# when it adds a rule, but seccomp on x86 does not support argument filtering,
-# and I suspect that the arg filter is incorrect.
-recv: 1
-send: 1
-socketcall: 1
-prlimit: 1
-
-# This appears to be required on x86 to initialize TLS.
-set_thread_area: 1
diff --git a/data/tor-whitelist.seccomp b/data/tor-whitelist.seccomp
deleted file mode 100644
index 8433e3f..0000000
--- a/data/tor-whitelist.seccomp
+++ /dev/null
@@ -1,122 +0,0 @@
-# tor binary seccomp rules based off the tor sandbox and the subgraph
-# tor-browser-launcher rules.
-
-# Constants used for argument comparisons.
-SIG_BLOCK=1
-SIG_SETMASK=2
-MREMAP_MAYMOVE=1
-PF_LOCAL=AF_LOCAL
-POLLIN=1
-
-# The tor stage 1 set.
-access: 1
-brk: 1
-clock_gettime: 1
-close: 1
-clone: 1
-epoll_create: 1
-epoll_wait: 1
-eventfd2: 1
-pipe2: 1
-pipe: 1
-fcntl: 1
-fstat: 1
-# fstat64: 1
-getdents: 1
-getdents64: 1
-getegid: 1
-# getegid32: 1
-geteuid: 1
-# geteuid32: 1
-getgid: 1
-# getgid32: 1
-getrlimit: 1
-gettimeofday: 1
-gettid: 1
-getuid: 1
-# getuid32: 1
-lseek: 1
-#_llseek: 1
-mkdir: 1
-munmap: 1
-prlimit64: 1
-read: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-set_robust_list: 1
-setrlimit: 1
-sigaltstack: 1
-# sigreturn: 1
-stat: 1
-uname: 1
-wait4: 1
-write: 1
-writev: 1
-exit_group: 1
-exit: 1
-madvise: arg2 == 8
-getrandom: 1
-sysinfo: 1
-bind: 1
-listen: 1
-connect: 1
-getsockname: 1
-recvmsg: 1
-recvfrom: 1
-sendto: 1
-unlink: 1
-
-# System calls that tor restricts by argument.
-rt_sigprocmask: arg0 == SIG_BLOCK || arg0 == SIG_SETMASK
-time: arg0 == 0
-epoll_ctl: arg1 == EPOLL_CTL_ADD || arg1 == EPOLL_CTL_MOD || arg1 == EPOLL_CTL_DEL
-prctl: (arg0 == PR_SET_DUMPABLE && arg1 == 0) || arg0 == PR_SET_PDEATHSIG
-mprotect: arg2 == PROT_READ || arg2 == PROT_NONE
-flock: arg1 == (LOCK_EX | LOCK_NB) || arg1 == LOCK_UN
-# FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_PRIVATE
-futex: arg1 == 393 || arg1 == 128 || arg1 == 129
-mremap: arg3 == MREMAP_MAYMOVE
-poll: arg1 == POLLIN && arg2 == 10
-socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || arg0 == AF_NETLINK
-setsockopt: arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_SNDBUF || arg2 == SO_RCVBUF)
-getsockopt: arg1 == SOL_SOCKET && arg2 == SO_ERROR
-# XXX: src/common/compat.c:tor_socketpair looks like it uses SOCK_CLOEXEC,
-# but according to strace, fcntl is used to actually set the flag (6.0.6).
-socketpair: arg0 == PF_LOCAL && (arg1 == SOCK_STREAM || arg1 == SOCK_STREAM | SOCK_CLOEXEC)
-# XXX/yawning: Tor doesn't have filters for this, but does for mmap2, but mmap2
-# is an x86-ism, so can't filter args.
-#
-# (PROT_READ|PROT_EXEC, MAP_PRIVATE | MAP_DENYWRITE) is needed for ld-linux.so
-mmap: (arg2 == PROT_READ && arg3 == MAP_PRIVATE) || (arg2 == PROT_NONE && arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE) || (arg2 == PROT_READ | PROT_WRITE && ((arg3 == MAP_PRIVATE | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_DENYWRITE) || (arg3 == MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS) || (arg3 == MAP_PRIVATE | MAP_DENYWRITE))) || (arg2 == PROT_READ | PROT_EXEC && arg3 == MAP_PRIVATE | MAP_DENYWRITE)
-
-# System calls that tor has filters for, that we do not due to:
-#  * Yawning being too dumb/lazy to convert the rules (accept4, mmap2,
-#    rt_sigaction).
-rt_sigaction: 1
-accept4: 1
-# mmap2: 1
-# fcntl64: 1
-
-# System calls that tor restricts by argument, but that need to be done by the
-# tor binary, because the restriction is by pointer.
-chown: 1
-chmod: 1
-open: 1
-openat: 1
-rename: 1
-# stat64: 1
-
-# System calls that tor needs, but doesn't know it needs, because they are made
-# prior to Tor's sandbox enforcement, either by tor, it's dependencies, or even
-# by bubblewrap.
-arch_prctl: 1
-unshare: 1
-getpid: 1
-kill: 1
-execve: 1
-restart_syscall: 1
-set_tid_address: 1
-chdir: 1
-umask: arg0 == 022
diff --git a/data/torbrowser-launcher-whitelist-extras-i386.seccomp b/data/torbrowser-launcher-whitelist-extras-i386.seccomp
deleted file mode 100644
index b859f69..0000000
--- a/data/torbrowser-launcher-whitelist-extras-i386.seccomp
+++ /dev/null
@@ -1,28 +0,0 @@
-# Tor Browser  i386 specific seccomp rules that will be installed in addition to
-# torbrowser-launcher-whitelist-seccomp.
-
-fcntl64:1
-fstat64: 1
-lstat64: 1
-statfs64: 1
-stat64: 1
-prlimit64: 1
-_llseek: 1
-fstatfs64: 1
-ftruncate64: 1
-fadvise64_64: 1
-
-mmap2: 1
-set_thread_area: 1
-getresuid32: 1
-getresgid32: 1
-time: 1
-getuid32: 1
-getgid32: 1
-ugetrlimit: 1
-
-recv: 1
-send: 1
-socketcall: 1
-
-waitpid: 1
diff --git a/data/torbrowser-launcher-whitelist.seccomp b/data/torbrowser-launcher-whitelist.seccomp
deleted file mode 100644
index 7e47052..0000000
--- a/data/torbrowser-launcher-whitelist.seccomp
+++ /dev/null
@@ -1,173 +0,0 @@
-TIOCGPGRP=21519
-
-FUTEX_WAIT=0
-FUTEX_WAKE=1
-FUTEX_FD=2
-FUTEX_REQUEUE=3
-FUTEX_CMP_REQUEUE=3
-FUTEX_WAKE_OP=5
-#FUTEX_LOCK_PI=6
-#FUTEX_UNLOCK_PI=7
-FUTEX_WAIT_BITSET=9
-FUTEX_PRIVATE_FLAG=128
-FUTEX_CLOCK_REALTIME=256
-
-FUTEX_WAIT_PRIVATE=FUTEX_WAIT | FUTEX_PRIVATE_FLAG
-FUTEX_WAKE_PRIVATE=FUTEX_WAKE | FUTEX_PRIVATE_FLAG
-FUTEX_CMP_REQUEUE_PRIVATE=FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG
-FUTEX_WAKE_OP_PRIVATE=FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG
-#FUTEX_LOCK_PI_PRIVATE=FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG
-#FUTEX_UNLOCK_PI_PRIVATE=FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG
-FUTEX_WAIT_BITSET_PRIVATE=FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG
-
-# XXX/yawning: Because we patch PulseAudio's mutex creation, we can omit
-# FUTEX_LOCK_PI_PRIVATE, FUTEX_UNLOCK_PI_PRIVATE, FUTEX_UNLOCK_PI.
-#
-# This is deliberate and aims to avoid rumored scary race conditions in the
-# PI futex code.
-futex: arg1 == FUTEX_CMP_REQUEUE_PRIVATE || arg1 == FUTEX_WAIT || arg1 == FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || arg1 == FUTEX_WAIT_PRIVATE || arg1 == FUTEX_WAKE || arg1 == FUTEX_WAKE_OP_PRIVATE || arg1 == FUTEX_WAKE_PRIVATE || arg1 == FUTEX_WAIT_BITSET_PRIVATE
-
-lseek: 1
-open: 1
-read: 1
-stat: 1
-close: 1
-mmap: 1
-write: 1
-access: 1
-recvmsg: 1
-poll: 1
-madvise: arg2 == 4
-munmap: 1
-mprotect: 1
-lstat: 1
-getdents: 1
-writev: 1
-rt_sigaction: 1
-fcntl: 1
-brk: 1
-# ioctl: FIONREAD || TCGETS
-ioctl: arg1 == 0x541b || arg1 == 21505 || arg1 == TIOCGPGRP
-rt_sigprocmask: 1
-pread64: 1
-seccomp:1
-unshare:1
-gettimeofday:1
-creat:1
-fchdir:1
-utimes:1
-sigaltstack:1
-sched_yield:1
-mincore: 1
-alarm: 1
-nanosleep: 1
-vfork: 1
-mlock: 1
-clock_gettime: 1
-getpgrp: 1
-getppid: 1
-getpid: 1
-fchown: 1
-prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME || arg0 == PR_GET_TIMERSLACK || arg0 == PR_SET_SECCOMP
-epoll_create1: 1
-readlinkat: 1
-getrandom: 1
-accept4: 1
-newfstatat: 1
-select: 1
-memfd_create:1
-execve: 1
-fstat: 1
-set_tid_address: 1
-set_robust_list: 1
-getrusage: 1
-readlink: 1
-readahead: 1
-arch_prctl: 1
-pwrite64: 1
-fdatasync: 1
-getpriority: 1
-gettid: 1
-exit_group: 1
-fstatfs: 1
-unlink: 1
-exit: 1
-dup2: 1
-dup: 1
-uname: 1
-getuid: 1
-geteuid: 1
-getgid: 1
-getegid: 1
-fsync: 1
-getrlimit: 1
-mkdir: 1
-connect: 1
-statfs: 1
-getsockname: 1
-getpeername: 1
-pipe: 1
-chmod: 1
-chdir: 1
-setsid: 1
-rmdir: 1
-splice: 1
-restart_syscall: 1
-recvfrom: 1
-sendto: 1
-setsockopt: 1
-quotactl: 1
-ppoll: 1
-openat: 1
-epoll_wait: 1
-clone: 1
-wait4: 1
-link: 1
-rename: 1
-setpriority: 1
-tgkill: 1
-fadvise64: 1
-fallocate: 1
-getsockopt: 1
-sysinfo: 1
-sched_getaffinity: 1
-inotify_add_watch: 1
-eventfd2: 1
-inotify_init1: 1
-shmdt: 1
-shmat: 1
-shmctl: 1
-shmget: 1
-rt_sigreturn: 1
-getcwd: 1
-sendmsg: 1
-getresuid: 1
-ftruncate: 1
-umask: 1
-getresgid: 1
-epoll_ctl: 1
-epoll_create: 1
-socketpair: 1
-symlink: 1
-utime: 1
-shutdown: 1
-mremap: 1
-bind: 1
-name_to_handle_at: 1
-pipe2: 1
-fchmod: 1
-kill: 1
-listen: 1
-setrlimit: 1
-clock_getres: 1
-sched_setscheduler: 1
-capset: 1
-# XXX/yawning: Why is this needed?
-#personality: 1
-setresuid: 1
-setresgid: 1
-capget: 1
-getdents64: 1
-inotify_rm_watch: 1
-# XXX/yawning: Only allow AF_UNIX.
-socket: arg0 == AF_UNIX
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
index fed647e..967d5b8 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp.go
@@ -18,20 +18,12 @@ package sandbox
 
 import (
 	"log"
-	"os"
 	"runtime"
 
 	seccomp "github.com/seccomp/libseccomp-golang"
 )
 
 const (
-	torBrowserWhitelist = "torbrowser-launcher-whitelist.seccomp"
-	torWhitelist        = "tor-whitelist.seccomp"
-	torObfs4Whitelist   = "tor-obfs4-whitelist.seccomp"
-	basicBlacklist      = "blacklist.seccomp"
-)
-
-const (
 	madvNormal    = 0 // MADV_NORMAL
 	madvDontneed  = 4 // MADV_DONTNEED
 	madvFree      = 8 // MADV_FREE
@@ -77,10 +69,6 @@ const (
 	tiocgpgrp = 0x540f
 )
 
-func installBasicSeccompBlacklist(fd *os.File) error {
-	return installSeccomp(fd, blacklistSeccompAssets, true)
-}
-
 func newWhitelist() (*seccomp.ScmpFilter, error) {
 	arch, err := seccomp.GetNativeArch()
 	if err != nil {
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
deleted file mode 100644
index 1e6e18c..0000000
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_386.go
+++ /dev/null
@@ -1,125 +0,0 @@
-// secomp_386.go - Sandbox seccomp rules (i386).
-// Copyright (C) 2016  Yawning Angel.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-// +build 386
-
-package sandbox
-
-import (
-	"bytes"
-	"fmt"
-	"log"
-	"os"
-
-	seccomp "github.com/seccomp/libseccomp-golang"
-
-	"cmd/sandboxed-tor-browser/internal/data"
-)
-
-const (
-	torBrowserExtraWhitelist = "torbrowser-launcher-whitelist-extras-i386.seccomp"
-	torExtraWhitelist        = "tor-whitelist-extras-i386.seccomp"
-	basicExtraBlacklist      = "blacklist-extras-i386.seccomp"
-)
-
-var torBrowserSeccompAssets = []string{torBrowserWhitelist, torBrowserExtraWhitelist}
-var torSeccompAssets = []string{torWhitelist, torExtraWhitelist}
-var torObfs4SeccompAssets = []string{torObfs4Whitelist, torExtraWhitelist}
-var blacklistSeccompAssets = []string{basicBlacklist, basicExtraBlacklist}
-
-// installSeccomp on i386 implements a minimal subset of the gosecco
-// description launguage sufficient to enumerate system calls listed in
-// rule files.
-//
-// When i386 gains support for filtering system call arguments via seccomp,
-// this will need to be beefed up, but hopefully gosecco will be updated
-// by then.
-func installSeccomp(fd *os.File, assets []string, isBlacklist bool) error {
-	defer fd.Close()
-
-	var rules []byte
-	for _, asset := range assets {
-		b, err := data.Asset(asset)
-		if err != nil {
-			return err
-		}
-		rules = append(rules, b...)
-		rules = append(rules, '\n')
-	}
-
-	actENOSYS := seccomp.ActErrno.SetReturnCode(38)
-	defaultAct, ruleAct := actENOSYS, seccomp.ActAllow
-	if isBlacklist {
-		defaultAct, ruleAct = ruleAct, defaultAct
-	}
-
-	f, err := seccomp.NewFilter(defaultAct)
-	if err != nil {
-		return err
-	}
-	defer f.Release()
-	if err := f.AddArch(seccomp.ArchNative); err != nil {
-		return err
-	}
-
-	// Parse the rule set and build seccomp rules.
-	for ln, l := range bytes.Split(rules, []byte{'\n'}) {
-		l = bytes.TrimSpace(l)
-		if len(l) == 0 { // Empty line.
-			continue
-		}
-		if idx := bytes.IndexRune(l, '#'); idx == 0 {
-			continue
-		}
-
-		if bytes.IndexByte(l, ':') != -1 {
-			// Rule
-			sp := bytes.SplitN(l, []byte{':'}, 2)
-			if len(sp) != 2 {
-				return fmt.Errorf("seccomp: invalid rule: %d:%v", ln, string(l))
-			}
-
-			scallName := string(bytes.TrimSpace(sp[0]))
-			scall, err := seccomp.GetSyscallFromName(scallName)
-			if err != nil {
-				if scallName == "newselect" {
-					// The library doesn't have "NR_newselect" yet.
-					scall = seccomp.ScmpSyscall(142)
-				} else {
-					// Continue instead of failing on ENOSYS.  gosecco will fail
-					// here, but this allows whitelists to be more futureproof,
-					// and handles thing like Debian prehistoric^wstable missing
-					// system calls that we would like to allow like `getrandom`.
-					log.Printf("seccomp: unknown system call: %v", scallName)
-					continue
-				}
-			}
-
-			// If the system call is present, just add it.  This is x86,
-			// seccomp can't filter args on this architecture.
-			if err = f.AddRule(scall, ruleAct); err != nil {
-				return err
-			}
-		} else if bytes.IndexByte(l, '=') != -1 {
-			// Skip declarations.
-			continue
-		} else {
-			return fmt.Errorf("seccomp: syntax error in profile: %d:%v", ln, string(l))
-		}
-	}
-
-	return f.ExportBPF(fd)
-}
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go
deleted file mode 100644
index 2ed4cf5..0000000
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/seccomp_amd64.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// secomp_amd64.go - Sandbox seccomp rules (amd64).
-// Copyright (C) 2016  Yawning Angel.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as
-// published by the Free Software Foundation, either version 3 of the
-// License, or (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-// +build amd64
-
-package sandbox
-
-import (
-	"encoding/binary"
-	"fmt"
-	"os"
-
-	"golang.org/x/sys/unix"
-
-	"github.com/twtiger/gosecco"
-	"github.com/twtiger/gosecco/parser"
-
-	"cmd/sandboxed-tor-browser/internal/data"
-)
-
-const (
-	actAllow  = "allow"
-	actKill   = "kill"
-	actENOSYS = "ENOSYS"
-)
-
-var whitelistSettings = &gosecco.SeccompSettings{
-	DefaultPositiveAction: actAllow,
-	DefaultNegativeAction: actENOSYS,
-	DefaultPolicyAction:   actENOSYS,
-	ActionOnX32:           actKill,
-	ActionOnAuditFailure:  actKill,
-}
-
-var blacklistSettings = &gosecco.SeccompSettings{
-	DefaultPositiveAction: actENOSYS,
-	DefaultNegativeAction: actAllow,
-	DefaultPolicyAction:   actAllow,
-	ActionOnX32:           actKill,
-	ActionOnAuditFailure:  actKill,
-}
-
-var torBrowserSeccompAssets = []string{torBrowserWhitelist}
-var torSeccompAssets = []string{torWhitelist}
-var torObfs4SeccompAssets = []string{torObfs4Whitelist}
-var blacklistSeccompAssets = []string{basicBlacklist}
-
-func installSeccomp(fd *os.File, assets []string, isBlacklist bool) error {
-	defer fd.Close()
-
-	settings := whitelistSettings
-	if isBlacklist {
-		settings = blacklistSettings
-	}
-
-	// XXX: This really should support multile assets.
-	if len(assets) != 1 {
-		return fmt.Errorf("seccomp: asset vector length > 1: %d", len(assets))
-	}
-
-	rules, err := data.Asset(assets[0])
-	if err != nil {
-		return err
-	}
-	source := &parser.StringSource{
-		Name:    assets[0],
-		Content: string(rules),
-	}
-
-	bpf, err := gosecco.PrepareSource(source, *settings)
-	if err != nil {
-		return err
-	}
-
-	return writeBpf(fd, bpf)
-}
-
-func writeBpf(fd *os.File, bpf []unix.SockFilter) error {
-	if size, limit := len(bpf), 0xffff; size > limit {
-		return fmt.Errorf("filter program too big: %d bpf instructions (limit = %d)", size, limit)
-	}
-
-	for _, rule := range bpf {
-		if err := binary.Write(fd, binary.LittleEndian, rule); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits