#26580: torsocks complains about unknown system call #417 on FreeBSD
-------------------------------+-------------------------
 Reporter:  yurivict271        |          Owner:  dgoulet
     Type:  defect             |         Status:  new
 Priority:  Medium             |      Milestone:
Component:  Core Tor/Torsocks  |        Version:
 Severity:  Normal             |     Resolution:
 Keywords:                     |  Actual Points:
Parent ID:                     |         Points:
 Reviewer:                     |        Sponsor:
-------------------------------+-------------------------

Comment (by onirony):

 Replying to [comment:2 yurivict271]:
 > All unknown system calls should be passed, because they have nothing to
 > do with socket operations. This would be a correct fix of this.

 Agreed, I think that everyone would prefer that. There are currently two
 (very solvable) problems.

 ----

 **1. Every Unix-like OS has its own syscall sandboxing system.**

 Right now Torsocks is whitelisting a small subset of syscalls (bad).
 Modern operating systems provide mechanisms to implement syscall
 blacklists (good) instead. However, everyone does it differently. Viz,

 **Linux**: seccomp
 **FreeBSD**: capsicum
 **OpenBSD**: pledge
 **OS X**: [https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html App Sandbox] (which deprecates sandbox_init()).

 Redesigning Torsocks to take advantage of these tools would require
 significant reengineering, but is probably the best/only approach. At the
 very least, we could start with Linux/seccomp, which covers the
 overwhelming majority of Torsocks' userbase, then move on to
 FreeBSD/Capsicum, then MacOS/App Sandbox, and eventually OpenBSD/pledge.

 However, there is still the issue of...

 **2. Kernels regularly add new networking syscalls.**

 We are unlikely to keep totally up to date with every new syscall added to
 Linux, MacOS, OpenBSD, et al. This puts users at risk when they run an
 application through torsocks assuming their traffic is being routed
 through Tor, only to have their IP leaked because their application made a
 networking-related syscall we didn't know about.

 MacOS, for example, has connectx. If Torsocks had relied on a blacklist at
 the time that connectx was released, all of the torified applications
 using connectx would have had their IP addresses exposed. Instead,
 Torsocks merely failed.

 ----

 So there are definitely some downsides, but compared to the alternative
 (manually adding every non-socket syscall from every popular *nix system)
 definitely appeals to me.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26580#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
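
The trade-off described in the comment above, modelled as an added example (not torsocks code and not part of the original message): a whitelist ("allowlist") wrapper refuses unknown calls, so it breaks on harmless ones like #417 but fails safe on a new networking call, while a blacklist ("denylist") wrapper does the opposite. All syscall numbers except 417 from the ticket title are constructed, and the `really_network` ground-truth flag is a hypothetical the wrapper itself cannot know.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model. Only 417 comes from the ticket title; other numbers are made up. */
enum { NR_MMAP = 1, NR_CONNECT = 2, NR_UNKNOWN_417 = 417, NR_NEW_NET = 900 };
enum action  { PASS, TORIFY, REFUSE };
enum outcome { OK, BROKEN, FAILED_SAFE, LEAK };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static const int known_socket[]   = { NR_CONNECT }; /* calls the wrapper routes via Tor */
static const int known_harmless[] = { NR_MMAP };    /* calls known to be non-network   */

static int in_set(const int *set, size_t n, int nr) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == nr) return 1;
    return 0;
}

/* Allowlist: anything not explicitly known is refused (fail closed). */
enum action allowlist_policy(int nr) {
    if (in_set(known_socket, COUNT(known_socket), nr)) return TORIFY;
    if (in_set(known_harmless, COUNT(known_harmless), nr)) return PASS;
    return REFUSE;
}

/* Denylist: only known socket calls are intercepted; the rest reach the kernel. */
enum action denylist_policy(int nr) {
    return in_set(known_socket, COUNT(known_socket), nr) ? TORIFY : PASS;
}

/* Score a decision against what the call really does. */
enum outcome judge(enum action a, int really_network) {
    if (a == REFUSE) return really_network ? FAILED_SAFE : BROKEN;
    if (a == PASS)   return really_network ? LEAK : OK;
    return OK; /* TORIFY: traffic goes through Tor */
}

int main(void) {
    static const char *names[] = { "ok", "app broken", "failed safe", "IP LEAK" };
    struct { const char *what; int nr; int net; } calls[] = {
        { "connect (known socket call)", NR_CONNECT, 1 },
        { "#417 (unknown, not network)", NR_UNKNOWN_417, 0 },
        { "new networking call (connectx-like)", NR_NEW_NET, 1 },
    };
    for (size_t i = 0; i < COUNT(calls); i++)
        printf("%-38s allowlist: %-12s denylist: %s\n", calls[i].what,
               names[judge(allowlist_policy(calls[i].nr), calls[i].net)],
               names[judge(denylist_policy(calls[i].nr), calls[i].net)]);
    return 0;
}
```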