We should encourage people to build, sometimes, with more expensive hardening options than we'd like by default. I'm thinking in particular of turning on AddressSanitizer where available.
This should also force memory pool optimizations off, if they're not already off by default. (see #11476 (moved))
The above is merged; see discussion below for the remaining parts of this ticket.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Child items 0
Show closed items
No child items are currently assigned. Use child items to break down this issue into smaller parts.
Linked items 0
Link issues together to show that they're related.
Learn more.
I've attached a separate patch from starlight on tor-relays (see "running Tor relay live with AddressSanitizer") that redirects stdout and stderr instead of closing them, and which uses __sanitizer_sandbox_on_notify() to work well with chroot and other sandboxen.
This should be conditional on AddressSanitizer being enabled. Perhaps __sanitizer_sandbox_on_notify() also needs to be integrated with our seccomp2 sandboxing. Needs testing.
Trac: Summary: Add an --enable-expensive-compiler-hardening option to Make --enable-expensive-compiler-hardening work with sandbox Description: We should encourage people to build, sometimes, with more expensive hardening options than we'd like by default. I'm thinking in particular of turning on AddressSanitizer where available.
This should also force memory pool optimizations off, if they're not already off by default. (see #11476 (moved))
to
We should encourage people to build, sometimes, with more expensive hardening options than we'd like by default. I'm thinking in particular of turning on AddressSanitizer where available.
This should also force memory pool optimizations off, if they're not already off by default. (see #11476 (moved))
The above is merged; see discussion below for the remaining parts of this ticket.
Leaving in 0.2.5, since I think that people who are extra paranoid will probably want to try both of these features together. If it turns out to be a huge yak-shaving exercise, though, it waits for 0.2.6.
In my experiments, this mostly worked, except that if there's an error message from the sanitizer, you get a sandbox failure stack trace from inside the sandbox rather than a sanitizer message and stack trace. I think that's deferrable.
Trac: Milestone: Tor: 0.2.5.x-final to Tor: 0.2.6.x-final
In my experiments, this mostly worked, except that if there's an error message from the sanitizer, you get a sandbox failure stack trace from inside the sandbox rather than a sanitizer message and stack trace. I think that's deferrable.
I got a stack trace at 'Bootstrapped 80%' using 0.2.5.4-alpha-dev. I did not apply starlight's patch. Is this expected? (You said it "mostly worked"). Do you want the stack trace and/or a new bug report?
Also, I didn't see a configure option called --enable-expensive-compiler-hardening. I assume this is actually --enable-expensive-hardening?
Note, this is built from the nickm bug11946 branch:
May 14 19:32:00.000 [notice] Your Tor server's identity key fingerprint is 'Unnamed 4C8387D56221185ABE68E4BDF6E164BF759B4F52'May 14 19:32:00.000 [notice] Bootstrapped 0%: StartingMay 14 19:32:00.000 [notice] This version of Tor (0.2.5.4-alpha-dev) is newer than any recommended version, according to the directory authorities. Recommended versions are: 0.2.3.24-rc,0.2.3.25,0.2.4.17-rc,0.2.4.18-rc,0.2.4.19,0.2.4.20,0.2.4.21,0.2.4.22,0.2.5.1-alpha,0.2.5.2-alpha,0.2.5.3-alpha,0.2.5.4-alphaMay 14 19:32:01.000 [notice] We now have enough directory information to build circuits.May 14 19:32:01.000 [notice] Bootstrapped 80%: Connecting to the Tor network============================================================ T= 1400110321(Sandbox) Caught a bad syscall attempt (syscall sched_getaffinity)/usr/bin/tor(+0x32ca30)[0x7f78c1cd2a30]/lib/x86_64-linux-gnu/libpthread.so.0(pthread_getaffinity_np+0x24)[0x7f78bd61eb34]/lib/x86_64-linux-gnu/libpthread.so.0(pthread_getaffinity_np+0x24)[0x7f78bd61eb34]/lib/x86_64-linux-gnu/libpthread.so.0(pthread_getattr_np+0x9e)[0x7f78bd618e3e]/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x1aa9d)[0x7f78be810a9d]/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x18872)[0x7f78be80e872]/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x188bd)[0x7f78be80e8bd]/usr/lib/x86_64-linux-gnu/libasan.so.0(+0x18a3e)[0x7f78be80ea3e]/lib/x86_64-linux-gnu/libpthread.so.0(+0x8062)[0x7f78bd617062]/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f78bd146bfd]
This is with --enable-expensive-hardening and with sandboxing, and it doesn't happen with sandboxing only on this computer?
Correct. This is the exact same setup as used in testing #11946 (moved). The patch for 11946 allows tor to run sandboxed without issue, but recompiling with --enable-expensive-hardening causes a stack trace consistently (three times) at 80% bootstrapped.
Is this also with 'User' and 'RunAsDaemon', or any other options that debian likes to set?
Yes, all of the above, and using the init.d script. I can copy torrc, etc, here if you'd like, but they are the same as in #11946 (moved). I can test in other ways if you'd like; I just like to mimic the Debian package since that's what most end users will experience.