[tor-bugs] #26580 [Core Tor/Torsocks]: torsocks complains about unknown system call #417 on FreeBSD

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 8 16:47:46 UTC 2019


#26580: torsocks complains about unknown system call #417 on FreeBSD
-------------------------------+-------------------------
 Reporter:  yurivict271        |          Owner:  dgoulet
     Type:  defect             |         Status:  new
 Priority:  Medium             |      Milestone:
Component:  Core Tor/Torsocks  |        Version:
 Severity:  Normal             |     Resolution:
 Keywords:                     |  Actual Points:
Parent ID:                     |         Points:
 Reviewer:                     |        Sponsor:
-------------------------------+-------------------------

Comment (by onirony):

 Replying to [comment:2 yurivict271]:
 > All unknown system calls should be passed, because they have nothing to
 > do with socket operations. This would be a correct fix of this.

 Agreed, I think that everyone would prefer that. There are currently two
 (very solvable) problems.

 ----

 **1. Every Unix-like OS has its own syscall sandboxing system.**

 Right now Torsocks is whitelisting a small subset of syscalls (bad).
 Modern operating systems provide mechanisms to implement syscall
 blacklists (good) instead. However, everyone does it differently. Viz,

 **Linux**: seccomp
 **FreeBSD**: capsicum
 **OpenBSD**: pledge
 **OS X**: [https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html App Sandbox] (which deprecates sandbox_init()).

 Redesigning Torsocks to take advantage of these tools would require
 significant reengineering, but is probably the best/only approach. At the
 very least, we could start with Linux/seccomp, which covers the
 overwhelming majority of Torsocks' userbase, then move on to
 FreeBSD/Capsicum, then MacOS/App Sandbox, and eventually OpenBSD/pledge.
 However, there is still the issue of...


 **2. Kernels regularly add new networking syscalls.**

 We are unlikely to keep totally up to date with every new syscall added to
 Linux, MacOS, OpenBSD, et al. This puts users at risk when they run an
 application through torsocks assuming their traffic is being routed
 through Tor, only to have their IP leaked because their application made a
 networking-related syscall we didn't know about.

 MacOS, for example, has connectx. If Torsocks had relied on a blacklist at
 the time that connectx was released, all of the torified applications
 using connectx would have had their IP addresses exposed. Instead,
 Torsocks merely failed.

 ----

 So there are definitely some downsides, but compared to the alternative
 (manually adding every non-socket syscall from every popular *nix system)
 it definitely appeals to me.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26580#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
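
The trade-off in the comment above, as an added example that is not Torsocks code or part of the original post: a small model of a syscall wrapper under a whitelist (allowlist) and a blacklist (denylist) policy, showing which one breaks a harmless unknown call and which one leaks a newly added networking call. All syscall numbers are constructed except 417, which is the number from the ticket title and is assumed here to be unrelated to sockets, as the reporter states.

```c
/* Added example: model of the two interposition policies discussed above.
 * Syscall numbers are constructed for illustration, except 417, which is
 * the number from the ticket title; none are taken from a real OS table. */
#include <stddef.h>
#include <stdio.h>

enum verdict { V_PASS, V_TORIFY, V_DENY };
enum policy  { ALLOWLIST, DENYLIST };
enum { NR_GETPID = 20, NR_CONNECT = 98, NR_TICKET = 417, NR_NEW_CONNECT = 900 };

/* What the (hypothetical) wrapper knows at release time. */
static const long known_safe[]    = { NR_GETPID };
static const long known_network[] = { NR_CONNECT };

static int in_set(const long *set, size_t n, long nr) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == nr) return 1;
    return 0;
}
#define IN(set, nr) in_set(set, sizeof(set) / sizeof((set)[0]), nr)

/* Decide what the wrapper does with a syscall number under each policy. */
enum verdict decide(enum policy p, long nr) {
    if (IN(known_network, nr)) return V_TORIFY;   /* route through Tor */
    if (p == ALLOWLIST)                           /* unknown => refuse */
        return IN(known_safe, nr) ? V_PASS : V_DENY;
    return V_PASS;                                /* denylist: unknown => kernel */
}

/* Ground truth the wrapper cannot see: the kernel later adds NR_NEW_CONNECT. */
static int really_network(long nr) { return nr == NR_CONNECT || nr == NR_NEW_CONNECT; }

/* A leak: a networking call reaches the kernel without going through Tor. */
int leaks(enum policy p, long nr)  { return really_network(nr) && decide(p, nr) == V_PASS; }
/* A breakage: a harmless call is refused (the symptom in this ticket). */
int breaks(enum policy p, long nr) { return !really_network(nr) && decide(p, nr) == V_DENY; }

int main(void) {
    const long probes[] = { NR_GETPID, NR_CONNECT, NR_TICKET, NR_NEW_CONNECT };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("nr=%ld allowlist: leak=%d break=%d | denylist: leak=%d break=%d\n",
               probes[i], leaks(ALLOWLIST, probes[i]), breaks(ALLOWLIST, probes[i]),
               leaks(DENYLIST, probes[i]), breaks(DENYLIST, probes[i]));
    return 0;
}
```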

