[tor-dev] [GSOC] Status report - Tor capabilities
Cristian-Matei Toader
cristian.matei.toader at gmail.com
Fri Jun 28 14:25:56 UTC 2013
Hello tor-dev,
As a small reminder the purpose of the project is to create
capabilities based sandboxing for Tor, which may only allow the
program to execute a number of predefined syscalls.
For the past 2 weeks:
- I have consulted with Nick Mathewson (nickm) and agreed upon using
seccomp2 [1], and more recently a library built on top of that called
libseccomp [2].
- I have set up a public remote branch [3].
- We have agreed on a 3 step plan for the project:
1. General sandbox based on a single (permissive) filter which
restricts tor to using a number of syscalls.
2. Add a configuration option for step 1: if any parts were broken
in phase 1 by adding capabilities, they can be re-enabled at the cost
of security.
3. Figure out what functionality should be split into separate
processes, based on our experience from step 1 and step 2.
- So far I have implemented step 1 using both libseccomp and seccomp2
[3]. Step 1 was developed in such a way that nothing from tor should
be broken at the moment. What this means is that sandboxing currently
exists in the remote branch, but is fairly coarse and will need some
fine tuning at a later stage, such as only allowing specific files to
be opened, or allowing the exec syscall to be called with specific
parameters.
These days I will be adding command line support, which is basically
step 2, which will be followed by a code review and merge in the
master branch.
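As an added illustration of the step 1 approach (example code, not from the GSoC branch or from tor): a raw seccomp2 BPF whitelist that allows only a constructed list of syscalls and kills the process on anything else. It assumes an x86-64 Linux host and uses prctl directly, so it needs no libseccomp.

```c
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Assumption: x86-64 host; on another architecture use its AUDIT_ARCH_* value. */
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
/* Constructed, illustrative step-1 style list; a real tor filter is much longer. */
static const int allowed_syscalls[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))
/* Emit the BPF program: arch check, load nr, one JEQ per allowed nr that jumps to the
 * final ALLOW, then KILL. Returns the instruction count, or 0 if `out` is too small. */
size_t build_whitelist(struct sock_filter *out, size_t max, const int *nrs, size_t n)
{
    size_t i, k = 0;
    if (n > 255 || max < n + 6) return 0;                 /* jt is 8 bits wide */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);  /* foreign ABI: kill */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)   /* jt = distance from the next instruction to the ALLOW at the end */
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], (unsigned char)(n - i), 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* not on the list */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}
/* Install the filter; NO_NEW_PRIVS is required when the process is unprivileged. */
int install_whitelist(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}
int main(void)
{
    struct sock_filter prog[N_ALLOWED + 6];
    size_t len = build_whitelist(prog, N_ALLOWED + 6, allowed_syscalls, N_ALLOWED);
    if (len == 0 || install_whitelist(prog, len) != 0) { perror("seccomp"); return 1; }
    write(1, "write() allowed\n", 16);
    getpid();                /* not whitelisted: the kernel kills the process with SIGSYS */
    return 0;
}
```

A filter like this sees only the syscall number and raw register arguments and cannot dereference pointers, so restricting which files may be opened or which exec parameters are used needs a mechanism beyond this coarse whitelist.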
[1] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt;hb=HEAD
[2] http://sourceforge.net/projects/libseccomp/
[3] https://github.com/cristiantoader/tor-gsoc-capabilities