[tor-dev] Call For Testing: Capsicum Integration With Tor

Shawn Webb shawn.webb at hardenedbsd.org
Wed Oct 18 17:31:41 UTC 2017


Hey All,

This is a brief update.

On Tue, Oct 17, 2017 at 05:01:33PM +0000, Shawn Webb wrote:
> Known Issues
> ------------
> 
> Enabling the sandbox while having Tor configured in transparent proxy
> mode is currently broken. We are researching what causes the breakage.
> Chances are that either Tor is trying to access the global namespace in
> transparent proxy mode or one or more file descriptors simply need to
> be granted one or more extra capabilities.

In discussions with a FreeBSD developer, the whitelist methodology for
filesystem access that Tor uses and that I adopted isn't as strong as it
could be. An attacker could potentially get around the whitelist scheme
as currently implemented.

Instead, the code will be rewritten to pre-open expected directories
when Tor starts up, and utilize openat(2) to open file descriptors. We
can utilize the existing whitelisting API to perform that work, since
the whitelisting API is called prior to entering capmode.

We will keep the sandbox_open abstraction, since that will do the work
of matching up which directory descriptor matches the requested path.

> 
> Future Work
> -----------
> 
> The read-only nature of the whitelist is only enforced via a logic
> operation. We plan to relocate the whitelist into a memory mapping
> that will turn read-only upon entering capmode.

This is nullified by the statement above.

> 
> The current implementation should be further abstracted in order for
> Tor to be able to pick at runtime the appropriate sandbox
> implementation. This would be similar to how Tor chooses which ed25519
> implementation to use, donna or ref10.

This is mostly done. The FreeBSD/Capsicum side is done. However, the
Linux/seccomp-filter side needs to be integrated.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
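The pre-open-then-openat(2) scheme described in the mail, as an added example written for this page rather than code from the HardenedBSD patch or from Tor: the directory table, the sandbox_open prefix lookup and the self-check on a constructed temporary directory are all assumptions, and the Capsicum calls compile only on FreeBSD, where the program would call cap_enter(2) after pre-opening.

```c
#define _GNU_SOURCE            /* mkdtemp, openat, O_DIRECTORY on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif
#define MAX_DIRS 8
static struct { char path[256]; int fd; } dirs[MAX_DIRS];  /* pre-opened dirs */
static int ndirs;

/* Before capmode: open each expected directory once and keep its fd. */
int sandbox_preopen_dir(const char *path) {
    int fd = ndirs < MAX_DIRS ? open(path, O_RDONLY | O_DIRECTORY) : -1;
    if (fd < 0) return -1;
#ifdef __FreeBSD__  /* limit what the directory fd may be used for */
    cap_rights_t r;
    cap_rights_init(&r, CAP_LOOKUP, CAP_READ, CAP_WRITE, CAP_CREATE, CAP_FSTAT);
    if (cap_rights_limit(fd, &r) < 0) { close(fd); return -1; }
#endif
    snprintf(dirs[ndirs].path, sizeof dirs[ndirs].path, "%s", path);
    dirs[ndirs].fd = fd; return ndirs++;
}

/* Inside capmode: openat(2) the remainder of path relative to the longest
 * pre-opened directory prefixing it. Paths outside every pre-opened directory,
 * an absolute remainder, and (conservatively) anything with ".." are refused. */
int sandbox_open(const char *path, int flags, mode_t mode) {
    int best = -1; size_t bestlen = 0;
    for (int i = 0; i < ndirs; i++) {
        size_t n = strlen(dirs[i].path);
        if (n > bestlen && !strncmp(path, dirs[i].path, n) && path[n] == '/')
            best = i, bestlen = n;
    }
    if (best < 0) return -1;
    const char *rel = path + bestlen + 1;
    if (*rel == '\0' || *rel == '/' || strstr(rel, "..")) return -1;
    return openat(dirs[best].fd, rel, flags, mode);
}
/* Self-check on a constructed temp dir: returns 1 if a file inside it opens
 * while /etc/passwd (never pre-opened) and a ".." escape are both refused. */
int sandbox_selfcheck(void) {
    char tmp[] = "/tmp/torsbxXXXXXX", p[300];
    if (!mkdtemp(tmp) || sandbox_preopen_dir(tmp) < 0) return 0;
    snprintf(p, sizeof p, "%s/state", tmp);
    if (close(sandbox_open(p, O_WRONLY | O_CREAT, 0600)) < 0) return 0;
    snprintf(p, sizeof p, "%s/../escape", tmp);
    return sandbox_open("/etc/passwd", O_RDONLY, 0) == -1 && sandbox_open(p, O_RDONLY, 0) == -1;
}
```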