Opened 4 years ago

Closed 4 years ago

#16244 closed defect (fixed)

(Sandbox) Unexpected syscalls on relay

Reported by: asn Owned by:
Priority: Medium Milestone: Tor: 0.2.7.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-sandbox tor-relay
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

weasel reported the following sandxbox warnings on his relay:

(Sandbox) Caught a bad syscall attempt (syscall eventfd2)
/usr/bin/tor(+0x1328b6)[0x7f71180d18b6]
/lib/x86_64-linux-gnu/libc.so.6(eventfd+0xd)[0x7f711649e2fd]
/lib/x86_64-linux-gnu/libc.so.6(eventfd+0xd)[0x7f711649e2fd]
/usr/bin/tor(alert_sockets_create+0xec)[0x7f71180bef9c]
 (Sandbox) Caught a bad syscall attempt (syscall open)
 /usr/bin/tor(+0x1328b6)[0x7f653db158b6]
 /lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f653c3b81d0]
 /lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f653c3b81d0]
 /usr/bin/tor(tor_open_cloexec+0x40)[0x7f653daff5e0]
 /usr/bin/tor(start_writing_to_file+0xf2)[0x7f653db10732]
 /usr/bin/tor(+0x12d89b)[0x7f653db1089b]
 /usr/bin/tor(+0x12d9e8)[0x7f653db109e8]
 /usr/bin/tor(crypto_pk_write_private_key_to_filename+0xcb)[0x7f653db1f57b]

We should probably test the sandbox more thoroughly on relay-mode.
Here is the torrc used (to reproduce this):

Sandbox 1
PublishServerDescriptor 0
OrPort 9031

Child Tickets

Attachments (1)

0001-Fix-sandboxing-to-work-when-running-as-a-relay.patch (2.0 KB) - added by weasel 4 years ago.

Download all attachments as: .zip

Change History (5)

comment:1 Changed 4 years ago by weasel

Status: newneeds_review

At least it seems to run now:

--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -129,11 +129,13 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(clone),
     SCMP_SYS(epoll_create),
     SCMP_SYS(epoll_wait),
+    SCMP_SYS(eventfd2),
     SCMP_SYS(fcntl),
     SCMP_SYS(fstat),
 #ifdef __NR_fstat64
     SCMP_SYS(fstat64),
 #endif
+    SCMP_SYS(futex),
     SCMP_SYS(getdents64),
     SCMP_SYS(getegid),
 #ifdef __NR_getegid32
diff --git a/src/or/main.c b/src/or/main.c
index d0fe8cb..8aa9a15 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2984,7 +2984,7 @@ sandbox_init_filter(void)
   // orport
   if (server_mode(get_options())) {
·
-    OPEN_DATADIR2_SUFFIX("keys", "secret_id_key", "tmp");
+    OPEN_DATADIR2_SUFFIX("keys", "secret_id_key", ".tmp");
     OPEN_DATADIR2_SUFFIX("keys", "secret_onion_key", ".tmp");
     OPEN_DATADIR2_SUFFIX("keys", "secret_onion_key_ntor", ".tmp");
     OPEN_DATADIR2("keys", "secret_id_key.old");

comment:2 Changed 4 years ago by weasel

Status: needs_reviewneeds_revision

comment:3 Changed 4 years ago by weasel

Status: needs_revisionneeds_review

comment:4 Changed 4 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

Merged to 0.2.6 and later; thanks!

Note: See TracTickets for help on using tickets.