GNU bug report logs - #27394
[PATCH] gnu: tor: Add seccomp support.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27394 in the body.
You can then email your comments to 27394 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Rutger Helling <rhelling <at> mykolab.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: tor: Add seccomp support.
Date: Fri, 16 Jun 2017 13:21:37 +0200

[Message part 1 (text/plain, inline)]

Hello, 

this patch adds seccomp support to tor.

[Message part 2 (text/html, inline)]

[0001-gnu-tor-Add-seccomp-support.patch (text/x-diff, attachment)]

Message #8 received at 27394 <at> debbugs.gnu.org (full text, mbox):

From: ng0 <ng0 <at> infotropique.org>
To: Rutger Helling <rhelling <at> mykolab.com>
Cc: 27394 <at> debbugs.gnu.org
Subject: Re: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Fri, 16 Jun 2017 12:01:08 +0000

[Message part 1 (text/plain, inline)]

Rutger Helling transcribed 2.5K bytes:
> Hello, 
> 
> this patch adds seccomp support to tor.

There's the question if we would want that.
tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
But we also enable hardening by default, which differs from the tor default.
I have no problem with moving unstable features in, but hardening
seems much more tested to me than seccomp.
-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

[signature.asc (application/pgp-signature, inline)]

Message #11 received at 27394 <at> debbugs.gnu.org (full text, mbox):

From: Rutger Helling <rhelling <at> mykolab.com>
To: 27394 <at> debbugs.gnu.org
Subject: Re: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Fri, 16 Jun 2017 14:33:31 +0200

[Message part 1 (text/plain, inline)]

Hey ng0, 

I think that ticket references whether the default torrc should have
"Sandbox 1". This patch doesn't do that, you still have to set that
manually if you want to use it. It only gives you the option (Tor will
just ignore that option in Guix right now). 

I also don't think that hardening and the sandbox bite each other in any
way. 

On 2017-06-16 14:01, ng0 wrote:

> Rutger Helling transcribed 2.5K bytes: 
> 
>> Hello, 
>> 
>> this patch adds seccomp support to tor.
> 
> There's the question if we would want that.
> tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> But we also enable hardening by default, which differs from the tor default.
> I have no problem with moving unstable features in, but hardening
> seems much more tested to me than seccomp.

[Message part 2 (text/html, inline)]

Message #14 received at 27394 <at> debbugs.gnu.org (full text, mbox):

From: ng0 <ng0 <at> infotropique.org>
To: Rutger Helling <rhelling <at> mykolab.com>
Cc: 27394 <at> debbugs.gnu.org
Subject: Re: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Fri, 16 Jun 2017 12:46:39 +0000

[Message part 1 (text/plain, inline)]

Rutger Helling transcribed 2.6K bytes:
> Hey ng0, 
> 
> I think that ticket references whether the default torrc should have
> "Sandbox 1".

I understood the Whonix mail, which is how I got to the trac of tor,
in the way that they don't enable seccomp because tor does not enable
it as default. I'm not 100% positive on this, but I think I used
tor with +seccomp and hardening in Gentoo for a very long time.


> This patch doesn't do that, you still have to set that
> manually if you want to use it. It only gives you the option (Tor will
> just ignore that option in Guix right now). 
> 
> I also don't think that hardening and the sandbox bite each other in any
> way. 
> 
> On 2017-06-16 14:01, ng0 wrote:
> 
> > Rutger Helling transcribed 2.5K bytes: 
> > 
> >> Hello, 
> >> 
> >> this patch adds seccomp support to tor.
> > 
> > There's the question if we would want that.
> > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > But we also enable hardening by default, which differs from the tor default.
> > I have no problem with moving unstable features in, but hardening
> > seems much more tested to me than seccomp.

-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 27394 <at> debbugs.gnu.org (full text, mbox):

From: ng0 <ng0 <at> infotropique.org>
To: Rutger Helling <rhelling <at> mykolab.com>, 27394 <at> debbugs.gnu.org
Subject: Re: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Fri, 16 Jun 2017 13:10:08 +0000

The patch itself seems to work.

Just introducing upstream explicitly marked (see 'man tor') as "experimental"
features is difficult. As long as nothing breaks it's okay I guess.

Should tor or the GuixSD native tor-service start to consume too much
resources, we can still adjust.

ng0 transcribed 2.3K bytes:
> Rutger Helling transcribed 2.6K bytes:
> > Hey ng0, 
> > 
> > I think that ticket references whether the default torrc should have
> > "Sandbox 1".
> 
> I understood the Whonix mail, which is how I got to the trac of tor,
> in the way that they don't enable seccomp because tor does not enable
> it as default. I'm not 100% positive on this, but I think I used
> tor with +seccomp and hardening in Gentoo for a very long time.
> 
> 
> > This patch doesn't do that, you still have to set that
> > manually if you want to use it. It only gives you the option (Tor will
> > just ignore that option in Guix right now). 
> > 
> > I also don't think that hardening and the sandbox bite each other in any
> > way. 
> > 
> > On 2017-06-16 14:01, ng0 wrote:
> > 
> > > Rutger Helling transcribed 2.5K bytes: 
> > > 
> > >> Hello, 
> > >> 
> > >> this patch adds seccomp support to tor.
> > > 
> > > There's the question if we would want that.
> > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > > But we also enable hardening by default, which differs from the tor default.
> > > I have no problem with moving unstable features in, but hardening
> > > seems much more tested to me than seccomp.
> 
> -- 
> ng0
> OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> https://krosos.org/~/ng0/ https://www.infotropique.org



-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

Message #20 received at 27394 <at> debbugs.gnu.org (full text, mbox):

From: ng0 <ng0 <at> infotropique.org>
To: Rutger Helling <rhelling <at> mykolab.com>, 27394 <at> debbugs.gnu.org
Subject: Re: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Fri, 16 Jun 2017 22:09:02 +0000

There's a problem. I think it's not that problematic but it's a problem:

Activating the Sandbox option (torrc Sandbox 1) prevents reloading
certain functions of tor without stopping tor. Now when you do this
with our GuixSD tor-service running through a guix system reconfigure,
you will get a sandbox violation. Because I reboot directly after
reconfigure I don't know if this is a serious problem, but I know
there are plans for system-generation activation or what they call
it (switch to the newly generated system directly after it was build).

After a day of using your patch and encountering the sandbox violations
I'm positive it works as intended, but I'm not sure what to do about
the switch. Maybe our tor-service has to be adjusted? This is no
requirement for this to be merged, I'm just trying to point out details.
ng0 transcribed 1.8K bytes:
> The patch itself seems to work.
> 
> Just introducing upstream explicitly marked (see 'man tor') as "experimental"
> features is difficult. As long as nothing breaks it's okay I guess.
> 
> Should tor or the GuixSD native tor-service start to consume too much
> resources, we can still adjust.
> 
> ng0 transcribed 2.3K bytes:
> > Rutger Helling transcribed 2.6K bytes:
> > > Hey ng0, 
> > > 
> > > I think that ticket references whether the default torrc should have
> > > "Sandbox 1".
> > 
> > I understood the Whonix mail, which is how I got to the trac of tor,
> > in the way that they don't enable seccomp because tor does not enable
> > it as default. I'm not 100% positive on this, but I think I used
> > tor with +seccomp and hardening in Gentoo for a very long time.
> > 
> > 
> > > This patch doesn't do that, you still have to set that
> > > manually if you want to use it. It only gives you the option (Tor will
> > > just ignore that option in Guix right now). 
> > > 
> > > I also don't think that hardening and the sandbox bite each other in any
> > > way. 
> > > 
> > > On 2017-06-16 14:01, ng0 wrote:
> > > 
> > > > Rutger Helling transcribed 2.5K bytes: 
> > > > 
> > > >> Hello, 
> > > >> 
> > > >> this patch adds seccomp support to tor.
> > > > 
> > > > There's the question if we would want that.
> > > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > > > But we also enable hardening by default, which differs from the tor default.
> > > > I have no problem with moving unstable features in, but hardening
> > > > seems much more tested to me than seccomp.
> > 
> > -- 
> > ng0
> > OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> > https://krosos.org/~/ng0/ https://www.infotropique.org
> 
> 
> 
> -- 
> ng0
> OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> https://krosos.org/~/ng0/ https://www.infotropique.org
> 
> 
> 
> 

-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

Message #25 received at 27394-done <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Rutger Helling <rhelling <at> mykolab.com>
Cc: 27394-done <at> debbugs.gnu.org
Subject: Re: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Tue, 20 Jun 2017 23:07:38 +0200

Hi Rutger,

Rutger Helling <rhelling <at> mykolab.com> skribis:

> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> From: Rutger Helling <rhelling <at> mykolab.com>
> Date: Fri, 16 Jun 2017 13:15:17 +0200
> Subject: [PATCH] gnu: tor: Add seccomp support.
>
> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.

Applied, thanks.

Do you think the GuixSD service should set “Sandbox 1” by default?  The
Besides, the GuixSD service runs Tor in a container, but that doesn’t
necessarily provide the same guarantees:
<https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.

Ludo’.

Message #28 received at 27394-done <at> debbugs.gnu.org (full text, mbox):

From: <ng0 <at> infotropique.org>
To: "Ludovic Courtès" <ludo <at> gnu.org>
Cc: 27394-done <27394-done <at> debbugs.gnu.org>,
 Rutger Helling <rhelling <at> mykolab.com>
Subject: Re: bug#27394: [PATCH] gnu: tor: Add seccomp support.
Date: Wed, 21 Jun 2017 00:31:18 +0200 (CEST)

On Tue, 20 Jun 2017 23:07:38 +0200, ludo <at> gnu.org (Ludovic Courtès) wrote:

> Hi Rutger,
> 
> Rutger Helling <rhelling <at> mykolab.com> skribis:
> 
> > From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> > From: Rutger Helling <rhelling <at> mykolab.com>
> > Date: Fri, 16 Jun 2017 13:15:17 +0200
> > Subject: [PATCH] gnu: tor: Add seccomp support.
> >
> > * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.
> 
> Applied, thanks.
> 
> Do you think the GuixSD service should set “Sandbox 1” by default?  The
> Besides, the GuixSD service runs Tor in a container, but that doesn’t
> necessarily provide the same guarantees:
> <https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.
> 
> Ludo’.

As mentioned earlier in the thread: I don't think it should be default until we have
found it to be stable enough. I experienced several "sandbox violations" when running
this in the last days. Is this good? Is this bad? I had no chance to investigate this so far.
It also goes against torproject recommendations, as they consider sandbox (seccomp) in
tor to be an unstable + testing feature, disabled by default.

Message #31 received at 27394-done <at> debbugs.gnu.org (full text, mbox):

From: Rutger Helling <rhelling <at> mykolab.com>
To: Ludovic CourtXXs <ludo <at> gnu.org>, ng0 <at> infotropique.org
Cc: 27394-done <27394-done <at> debbugs.gnu.org>
Subject: Re: bug#27394: [PATCH] gnu: tor: Add seccomp support.
Date: Wed, 21 Jun 2017 08:57:01 +0200

[Message part 1 (text/plain, inline)]

I don't have any issues (yet) running it with the sandbox on, but I
agree it's good to test it extensively beforehand and depending on the
stability wait until the Tor Project defaults to it. 

On 2017-06-21 00:31, ng0 <at> infotropique.org wrote:

> On Tue, 20 Jun 2017 23:07:38 +0200, ludo <at> gnu.org (Ludovic Courtès) wrote:
> 
> Hi Rutger,
> 
> Rutger Helling <rhelling <at> mykolab.com> skribis:
> 
> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> From: Rutger Helling <rhelling <at> mykolab.com>
> Date: Fri, 16 Jun 2017 13:15:17 +0200
> Subject: [PATCH] gnu: tor: Add seccomp support.
> 
> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp. 
> Applied, thanks.
> 
> Do you think the GuixSD service should set "Sandbox 1" by default?  The
> Besides, the GuixSD service runs Tor in a container, but that doesn't
> necessarily provide the same guarantees:
> <https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.
> 
> Ludo'.

As mentioned earlier in the thread: I don't think it should be default
until we have
found it to be stable enough. I experienced several "sandbox violations"
when running
this in the last days. Is this good? Is this bad? I had no chance to
investigate this so far.
It also goes against torproject recommendations, as they consider
sandbox (seccomp) in
tor to be an unstable + testing feature, disabled by default.

[Message part 2 (text/html, inline)]

Message #34 received at 27394-done <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Rutger Helling <rhelling <at> mykolab.com>
Cc: 27394-done <27394-done <at> debbugs.gnu.org>, ng0 <at> infotropique.org
Subject: Re: bug#27394: [PATCH] gnu: tor: Add seccomp support.
Date: Wed, 21 Jun 2017 10:24:15 +0200

Hi,

Rutger Helling <rhelling <at> mykolab.com> skribis:

> I don't have any issues (yet) running it with the sandbox on, but I
> agree it's good to test it extensively beforehand and depending on the
> stability wait until the Tor Project defaults to it. 

Sounds reasonable.  Thanks for your feedback, ng0 and Rutger.

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.