Tor should be able to read all files it creates when Sandbox enabled.

After #12035 (moved) and #12041 (moved), I realized that there are probably a lot of files that tor creates that are not specifically allowed in the sandbox. I've not tested all of these to make sure there is actually a bug, but these are the files listed in the torrc documentation that I don't see mentioned in sandbox_cfg_allow_open_filename_array() or elsewhere in src/or/main.c.

Part 1 (Stuff I have a patch for):

DataDirectory/status/entry-stats
DataDirectory/status/exit-stats
DataDirectory/status/buffer-stats
DataDirectory/status/conn-stats

Part 2 (Marked obsolete in docs... patch not necessary?):

DataDirectory/cached-routers and cached-routers.new
DataDirectory/bw_accounting

Part 3 (Stuff I'm unsure of):

DataDirectory/control_auth_cookie
DataDirectory/approved-routers

Part 4 (Hidden Directory Files - tested, broken because unable to read private_key):

HiddenServiceDirectory/hostname
HiddenServiceDirectory/private_key
HiddenServiceDirectory/client_keys

A patch for part 1 is inbound (based off the fixes for the previous bugs). Someone else will need to write any patches for parts 2 - 4.

Trac:
Username: alphawolf

changed milestone to %Tor: 0.2.5.x-final

added component::core tor/tor milestone::Tor: 0.2.5.x-final owner::nickm priority::medium reporter::alphawolf resolution::fixed sandbox status::closed type::defect version::tor 0.2.5.4-alpha labels

Trac:
Username: alphawolf

bug12064_part1.patch

Patch on master. Only tested that it compiles and runs.

Trac:
Username: alphawolf

Trac:
Username: alphawolf
Description: After #12034 (moved) and #12041 (moved), I realized that there are probably a lot of files that tor creates that are not specifically allowed in the sandbox. I've not tested all of these to make sure there is actually a bug, but these are the files listed in the torrc documentation that I don't see mentioned in sandbox_cfg_allow_open_filename_array() or elsewhere in src/or/main.c.

Part 1 (Stuff I have a patch for):

DataDirectory/status/entry-stats
DataDirectory/status/exit-stats
DataDirectory/status/buffer-stats
DataDirectory/status/conn-stats

Part 2 (Marked obsolete in docs... patch not necessary?):

DataDirectory/cached-routers and cached-routers.new
DataDirectory/bw_accounting

Part 3 (Stuff I'm unsure of):

DataDirectory/control_auth_cookie
DataDirectory/approved-routers

Part 4 (Hidden Directory Files - tested, broken because unable to read private_key):

HiddenServiceDirectory/hostname
HiddenServiceDirectory/private_key
HiddenServiceDirectory/client_keys

A patch for part 1 is inbound (based off the fixes for the previous bugs). Someone else will need to write any patches for parts 2 - 4.

to

After #12035 (moved) and #12041 (moved), I realized that there are probably a lot of files that tor creates that are not specifically allowed in the sandbox. I've not tested all of these to make sure there is actually a bug, but these are the files listed in the torrc documentation that I don't see mentioned in sandbox_cfg_allow_open_filename_array() or elsewhere in src/or/main.c.

Part 1 (Stuff I have a patch for):

DataDirectory/status/entry-stats
DataDirectory/status/exit-stats
DataDirectory/status/buffer-stats
DataDirectory/status/conn-stats

Part 2 (Marked obsolete in docs... patch not necessary?):

DataDirectory/cached-routers and cached-routers.new
DataDirectory/bw_accounting

Part 3 (Stuff I'm unsure of):

DataDirectory/control_auth_cookie
DataDirectory/approved-routers

Part 4 (Hidden Directory Files - tested, broken because unable to read private_key):

HiddenServiceDirectory/hostname
HiddenServiceDirectory/private_key
HiddenServiceDirectory/client_keys

A patch for part 1 is inbound (based off the fixes for the previous bugs). Someone else will need to write any patches for parts 2 - 4.

Replying to alphawolf:

After #12035 (moved) and #12041 (moved), I realized that there are probably a lot of files that tor creates that are not specifically allowed in the sandbox. I've not tested all of these to make sure there is actually a bug, but these are the files listed in the torrc documentation that I don't see mentioned in sandbox_cfg_allow_open_filename_array() or elsewhere in src/or/main.c.

Part 1 (Stuff I have a patch for): {{{ DataDirectory/status/entry-stats DataDirectory/status/exit-stats DataDirectory/status/buffer-stats DataDirectory/status/conn-stats }}}

You mean "stats", not "status"?

Part 2 (Marked obsolete in docs... patch not necessary?): {{{ DataDirectory/cached-routers and cached-routers.new DataDirectory/bw_accounting }}}

Correct; these are not used any longer.

Part 3 (Stuff I'm unsure of): {{{ DataDirectory/control_auth_cookie DataDirectory/approved-routers }}}

control_auth_cookie can be overridden with CookieAuthFile. See (and maybe use?) get_cookie_file() in control.c. If that function is going to become non-static however, it probably needs a better name.

Also see get_ext_or_auth_cookie_file_name().

The approved-routers file should be readable too.

Part 4 (Hidden Directory Files - tested, broken because unable to read private_key): {{{ HiddenServiceDirectory/hostname HiddenServiceDirectory/private_key HiddenServiceDirectory/client_keys }}}

A patch for part 1 is inbound (based off the fixes for the previous bugs). Someone else will need to write any patches for parts 2 - 4.

Trac:
Status: new to assigned
Owner: N/A to nickm

Replying to nickm:

You mean "stats", not "status"?

All names are exactly as they appear in the manual I linked from www.tpo. I assumed "status" had a special meaning ("DataDirectory" and "HiddenServiceDirectory" are not actual directory names either). The patch I uploaded uses "stats", since that is what was used for the bridge-stats and dirreq-stats documents.

Trac:
Username: alphawolf

RE: part 1, I've confirmed that 3 of the 4 files can trigger warnings:

May 21 22:01:06.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats/entry-stats
May 21 22:01:06.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats/exit-stats
May 21 22:01:06.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats/conn-stats

Relevant torrc settings:

EntryStatistics 1
ExitPortStatistics 1
ConnDirectionStatistics 1

I don't know how to enable buffer-stats in order to test that. The bug12064_part1 patch does fix these three warnings.

Trac:
Username: alphawolf

Should be fixed in cfd0ee514c279bc6c7b7c299e001693a5aeb1f5f, 85f49abfbe50d29e4314ed0a3b436f3b14162d00, ffc1fde01fb4fc752aa54de0282cf027bdb738cf

Trac:
Resolution: N/A to fixed
Status: assigned to closed

(also merged your patch as 387f294d40c9b5c0bb9d6f29b85b7da1a185bc8c)

I'm getting a stack trace on the hidden services. I thought it was because of the trailing '/' on HiddenServiceDir, but it seems to happen even when I get rid of that. The only difference is that the '/' is not doubled up in the bug message as it is below. Note, this only happens after HUP.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

May 22 22:01:24.000 [notice] Received reload signal (hup). Reloading config and resetting internal state.
May 22 22:01:24.000 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
May 22 22:01:24.000 [notice] Read configuration file "/etc/tor/torrc".
May 22 22:01:24.000 [notice] Tor 0.2.5.4-alpha-dev (git-cfd0ee514c279bc6) opening log file.
May 22 22:01:24.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/hidden_service/
May 22 22:01:24.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/hidden_service//hostname.tmp

============================================================ T= 1400810484
(Sandbox) Caught a bad syscall attempt (syscall open)
/usr/bin/tor(+0x1239aa)[0x7f0e05c959aa]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f0e04778180]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f0e04778180]
/usr/bin/tor(tor_open_cloexec+0x40)[0x7f0e05c82360]
/usr/bin/tor(start_writing_to_file+0xfb)[0x7f0e05c90f7b]
/usr/bin/tor(+0x11f0db)[0x7f0e05c910db]
/usr/bin/tor(+0x11f228)[0x7f0e05c91228]
/usr/bin/tor(+0x5a218)[0x7f0e05bcc218]
/usr/bin/tor(rend_service_load_all_keys+0x81)[0x7f0e05bce231]
/usr/bin/tor(set_options+0xb9a)[0x7f0e05c2e4ba]
/usr/bin/tor(options_init_from_string+0x2d9)[0x7f0e05c2fcf9]
/usr/bin/tor(options_init_from_torrc+0x1a7)[0x7f0e05c2fff7]
/usr/bin/tor(process_signal+0x46c)[0x7f0e05ba93ac]
/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x9a5)[0x7f0e051fe715]
/usr/bin/tor(do_main_loop+0x195)[0x7f0e05ba8285]
/usr/bin/tor(tor_main+0xd75)[0x7f0e05baa6e5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f0e041dcb45]
/usr/bin/tor(+0x32adb)[0x7f0e05ba4adb]

Trac:
Username: alphawolf
Status: closed to reopened
Resolution: fixed to N/A

Thanks; should be better in 824bebd40954d2f766a7b37e6b4d206f9b682ed9

Trac:
Status: reopened to closed
Resolution: N/A to fixed

Oops! Looks like we missed something.

Jun 10 05:35:47.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats

Trac:
Username: alphawolf
Status: closed to reopened
Resolution: fixed to N/A

Fixed with bbb1ffe5357e408aa63b16b8691ca938cd62216c ; thanks!

Trac:
Status: reopened to closed
Resolution: N/A to fixed

closed

moved to tpo/core/tor#12064 (closed)