Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:  nickm
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:  implemented
 Keywords:  sandbox, review-group-22  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by nickm):

 * status:  merge_ready => closed
 * resolution:   => implemented


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:  nickm
 Type:  defect| Status:  merge_ready
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox, review-group-22  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by nickm):

 fixed, squashed, merged!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:  nickm
 Type:  defect| Status:  merge_ready
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox, review-group-22  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by nickm):

 Replying to [comment:10 dgoulet]:
 > >  This isn't fundamentally about seccomp; it's about disabling
 functionality. Our sandbox already disables all exec calls.
 >
 > Not sure it does... All the exeve() calls are disabled by `#if 0`.

 Ah, but that code is for _enabling_ execve.  Unless a syscall is
 specifically enabled, the sandbox code doesn't allow it.

 > The changes file has this weird sentence:
 >
 > {{{
 > - Added a new NoExec option to . When this option is set to 1,
 > }}}

 Oops. Will fix.

 > Apart from that, lgtm;

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:  nickm
 Type:  defect| Status:  merge_ready
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox, review-group-22  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by dgoulet):

 * status:  needs_review => merge_ready


Comment:

 >  This isn't fundamentally about seccomp; it's about disabling
 functionality. Our sandbox already disables all exec calls.

 Not sure it does... All the exeve() calls are disabled by `#if 0`.

 The changes file has this weird sentence:

 {{{
 - Added a new NoExec option to . When this option is set to 1,
 }}}

 Apart from that, lgtm;

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:  nickm
 Type:  defect| Status:  needs_review
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by nickm):

 * status:  accepted => needs_review


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:  nickm
 Type:  defect| Status:  accepted
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by nickm):

 * owner:   => nickm
 * status:  new => accepted


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by nickm):

 Implementation in my `feature22976` branch.

 This isn't fundamentally about seccomp; it's about disabling
 functionality. Our sandbox already disables all exec calls.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by yawning):

 Replying to [comment:1 dgoulet]:
 > Do we really have a way to remove a syscall from the sandbox filters at
 runtime?

 That would be trivial to add because the bpf is runtime generated with
 libseccomp.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by nickm):

 We could allow a transition in one direction (allow->disallow) but not the
 other.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by dgoulet):

 Replying to [comment:2 dawuud]:
 > No that is really not the intent of the ticket at all; in Subgraph OS
 tor is running outside the sandbox. This ticket/feature specified is not
 concerned with syscall filtering but merely "telling tor to not ever exec
 via a config option".

 Ah! So a torrc option that would be "do not exec never ever" so if any
 option that does that is enabled through control port, it's denied I
 guess.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by dawuud):

 No that is really not the intent of the ticket at all; the Subgraph OS
 sandbox doesn't run tor in the sandbox.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22976 [Core Tor/Tor]: disallow tor exec'ing

[Tor Bug Tracker & Wiki]

#22976: disallow tor exec'ing
--+
 Reporter:  dawuud|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  sandbox   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by dgoulet):

 * keywords:   => sandbox
 * milestone:   => Tor: 0.3.2.x-final


Comment:

 Do we really have a way to remove a syscall from the sandbox filters at
 runtime?

 That is, tor realizes at runtime that `ClientTransportPlugin` is in used
 for instance so we would need a way to tell the sandbox "Oh, this is set,
 ok don't filter execv()".

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs