Make --enable-expensive-hardening work with sandbox

We should encourage people to build, sometimes, with more expensive hardening options than we'd like by default. I'm thinking in particular of turning on AddressSanitizer where available.

This should also force memory pool optimizations off, if they're not already off by default. (see #11476 (moved))

The above is merged; see discussion below for the remaining parts of this ticket.

changed milestone to %Tor: 0.2.5.x-final

added 025-deferrable 025-triaged component::core tor/tor milestone::Tor: 0.2.5.x-final owner::nickm priority::medium resolution::fixed status::closed tor-relay type::defect labels

Branch "bug11477" contains a quick implementation here.

Trac:
Status: new to needs_review

Trac:
tor-0.2.4.21-as.patch

patch from 'starlight' on tor-talk

I've attached a separate patch from starlight on tor-relays (see "running Tor relay live with AddressSanitizer") that redirects stdout and stderr instead of closing them, and which uses __sanitizer_sandbox_on_notify() to work well with chroot and other sandboxen.

This should be conditional on AddressSanitizer being enabled. Perhaps __sanitizer_sandbox_on_notify() also needs to be integrated with our seccomp2 sandboxing. Needs testing.

I wonder if __sanitizer_set_report_fd() isn't a better idea than "tor.out" and "tor.err" replacing stdout and stderr.

Trac:
Keywords: N/A deleted, nickm-review-0254 added

I've merged the "bug11477" branch after some testing; this ticket is now about integrating starlight's patch above.

Trac:
Keywords: nickm-review-0254 deleted, tor-relay added
Owner: N/A to nickm
Status: needs_review to assigned

Trac:
Summary: Add an --enable-expensive-compiler-hardening option to Make --enable-expensive-compiler-hardening work with sandbox
Description: We should encourage people to build, sometimes, with more expensive hardening options than we'd like by default. I'm thinking in particular of turning on AddressSanitizer where available.

This should also force memory pool optimizations off, if they're not already off by default. (see #11476 (moved))

to

We should encourage people to build, sometimes, with more expensive hardening options than we'd like by default. I'm thinking in particular of turning on AddressSanitizer where available.

This should also force memory pool optimizations off, if they're not already off by default. (see #11476 (moved))

The above is merged; see discussion below for the remaining parts of this ticket.

Leaving in 0.2.5, since I think that people who are extra paranoid will probably want to try both of these features together. If it turns out to be a huge yak-shaving exercise, though, it waits for 0.2.6.

Trac:
Keywords: tor-relay deleted, tor-relay 025-triaged 025-deferrable added

In my experiments, this mostly worked, except that if there's an error message from the sanitizer, you get a sandbox failure stack trace from inside the sandbox rather than a sanitizer message and stack trace. I think that's deferrable.

Trac:
Milestone: Tor: 0.2.5.x-final to Tor: 0.2.6.x-final

Replying to nickm:

In my experiments, this mostly worked, except that if there's an error message from the sanitizer, you get a sandbox failure stack trace from inside the sandbox rather than a sanitizer message and stack trace. I think that's deferrable.

I got a stack trace at 'Bootstrapped 80%' using 0.2.5.4-alpha-dev. I did not apply starlight's patch. Is this expected? (You said it "mostly worked"). Do you want the stack trace and/or a new bug report?

Also, I didn't see a configure option called --enable-expensive-compiler-hardening. I assume this is actually --enable-expensive-hardening?

Trac:
Username: alphawolf

Do you want the stack trace and/or a new bug report?

Yes please!

I assume this is actually --enable-expensive-hardening?

That's right.

Trac:
Summary: Make --enable-expensive-compiler-hardening work with sandbox to Make --enable-expensive-hardening work with sandbox

Note, this is built from the nickm bug11946 branch:

May 14 19:32:00.000 [notice] Your Tor server's identity key fingerprint is 'Unnamed 4C8387D56221185ABE68E4BDF6E164BF759B4F52'
May 14 19:32:00.000 [notice] Bootstrapped 0%: Starting
May 14 19:32:00.000 [notice] This version of Tor (0.2.5.4-alpha-dev) is newer than any recommended version, according to the directory authorities. Recommended versions are: 0.2.3.24-rc,0.2.3.25,0.2.4.17-rc,0.2.4.18-rc,0.2.4.19,0.2.4.20,0.2.4.21,0.2.4.22,0.2.5.1-alpha,0.2.5.2-alpha,0.2.5.3-alpha,0.2.5.4-alpha
May 14 19:32:01.000 [notice] We now have enough directory information to build circuits.
May 14 19:32:01.000 [notice] Bootstrapped 80%: Connecting to the Tor network

============================================================ T= 1400110321
(Sandbox) Caught a bad syscall attempt (syscall sched_getaffinity)
/usr/bin/tor(+0x32ca30)[0x7f78c1cd2a30]
/lib/x86_64-linux-gnu/libpthread.so.0(pthread_getaffinity_np+0x24)[0x7f78bd61eb34]
/lib/x86_64-linux-gnu/libpthread.so.0(pthread_getaffinity_np+0x24)[0x7f78bd61eb34]
/lib/x86_64-linux-gnu/libpthread.so.0(pthread_getattr_np+0x9e)[0x7f78bd618e3e]
/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x1aa9d)[0x7f78be810a9d]
/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x18872)[0x7f78be80e872]
/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x188bd)[0x7f78be80e8bd]
/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x18a3e)[0x7f78be80ea3e]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x8062)[0x7f78bd617062]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f78bd146bfd]

Let me know if you need anything else!

Trac:
Username: alphawolf

This is with --enable-expensive-hardening and with sandboxing, and it doesn't happen with sandboxing only on this computer?

Is this also with 'User' and 'RunAsDaemon', or any other options that debian likes to set?

Replying to nickm:

This is with --enable-expensive-hardening and with sandboxing, and it doesn't happen with sandboxing only on this computer?

Correct. This is the exact same setup as used in testing #11946 (moved). The patch for 11946 allows tor to run sandboxed without issue, but recompiling with --enable-expensive-hardening causes a stack trace consistently (three times) at 80% bootstrapped.

Is this also with 'User' and 'RunAsDaemon', or any other options that debian likes to set?

Yes, all of the above, and using the init.d script. I can copy torrc, etc, here if you'd like, but they are the same as in #11946 (moved). I can test in other ways if you'd like; I just like to mimic the Debian package since that's what most end users will experience.

Trac:
Username: alphawolf

Trac:
Milestone: Tor: 0.2.6.x-final to Tor: 0.2.5.x-final

fef65fa64341fb70df0e7b34d91d3b08a74e7aad should fix this. Please reopen if it is not working in master.

Trac:
Resolution: N/A to fixed
Status: assigned to closed

closed

moved to tpo/core/tor#11477 (closed)