Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#23915 closed defect (fixed)

7.0.7 and later fails to work without `SECCOMP_FILTER_FLAG_TSYNC`.

Reported by: yawning
Owned by: yawning
Priority: Medium
Milestone:
Component: Archived/Tor Browser Sandbox
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

2017/10/20 03:16:42 firefox: Sandbox: opendir /proc/self/task: No such file or directory
2017/10/20 03:16:42 firefox: [Parent 3] WARNING: pipe error (59): Connection reset by peer: file /home/debian/build/tor-browser/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 322
2017/10/20 03:16:42 firefox: [Parent 3] WARNING: pipe error (57): Connection reset by peer: file /home/debian/build/tor-browser/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 322
2017/10/20 03:16:42 firefox: ###!!! [Parent][RunMessage] Error: Channel error: cannot send/recv
2017/10/20 03:16:42 firefox: ###!!! [Parent][MessageChannel] Error: (msgtype=0x2C0086,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

This only affects systems running kernels that pre-date 3.17, which annoyingly enough currently includes Debian oldstable. It's an artifact of "the sandbox doesn't mount /proc", and "firefox wants to use /proc/self/task to see if a process has threads or not". The need for the latter goes away with the seccomp() flag, which is why I never saw the issue.

Change History (3)

comment:2 Changed 22 months ago by yawning

In an ideal world the workaround here will be selectively enabled based on support for SECCOMP_FILTER_FLAG_TSYNC. I am opting to defer doing the "better" thing for now because:

  • Solving the "bad" case completely is likely intractable on old kernels, without going back to having /proc mounted.
  • Firefox detects support for the flag at runtime, and will always use it when available, so the "correct" thing happens regardless of what I do.
  • I'm feeling lazy.
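
The runtime check that the description and comment:2 refer to, as an added example that is not part of the ticket and is not Firefox's or the sandbox's code: it probes for SECCOMP_FILTER_FLAG_TSYNC with a NULL filter and, only when the flag is missing, falls back to counting entries in /proc/self/task, which fails with ENOENT when /proc is not mounted. The PROBE_* macros and the function names are assumptions of this example, and treating an unreadable task directory as "cannot tell" is a hypothetical policy.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values of SECCOMP_SET_MODE_FILTER and SECCOMP_FILTER_FLAG_TSYNC
 * from the kernel UAPI header <linux/seccomp.h>. */
#define PROBE_SET_MODE_FILTER 1
#define PROBE_FLAG_TSYNC 1UL

/* A NULL filter is never installed. A kernel that knows the flag fails with
 * EFAULT while copying the filter; an older one fails earlier with EINVAL
 * (unknown flag) or ENOSYS (no seccomp(2)). */
int tsync_from_probe(long ret, int err) { return ret == -1 && err == EFAULT; }

int have_tsync(void) {
#ifdef SYS_seccomp
    long ret = syscall(SYS_seccomp, PROBE_SET_MODE_FILTER, PROBE_FLAG_TSYNC, NULL);
    return tsync_from_probe(ret, errno);
#else
    return 0; /* build headers predate seccomp(2) */
#endif
}

/* One numeric entry per thread. Returns -1 (errno set) when the directory
 * cannot be opened, e.g. ENOENT when /proc is not mounted. */
int count_task_entries(const char *task_dir) {
    DIR *d = opendir(task_dir);
    if (!d) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (e->d_name[0] >= '0' && e->d_name[0] <= '9') n++;
    closedir(d);
    return n;
}

/* Hypothetical policy: 1 = the filter will cover every thread, 0 = cannot tell. */
int filter_covers_all_threads(int tsync, int threads) {
    return tsync || threads == 1;
}

int main(void) {
    int tsync = have_tsync();
    int threads = tsync ? 0 : count_task_entries("/proc/self/task");
    printf("TSYNC=%d threads=%d covered=%d\n", tsync, threads,
           filter_covers_all_threads(tsync, threads));
    return 0;
}
```

On a pre-3.17 kernel with no /proc in the mount namespace, both checks come back negative, which is the combination the log lines in the description show.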

comment:3 Changed 22 months ago by arma

Thanks!