Opened 3 years ago

Closed 3 years ago

#20782 closed enhancement (fixed)

Use a seccomp whitelist when the tor daemon is configured to use Bridges.

Reported by: yawning
Owned by: yawning
Priority: High
Milestone:
Component: Archived/Tor Browser Sandbox
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The seccomp whitelist for the tor sandbox only has the system calls required for the tor daemon itself (based off tor's UseSandbox implementation). This causes obfs4proxy to not work, so when Bridges are enabled, a rudimentary blacklist is installed instead.

The proper thing to do would be to figure out what system calls obfs4proxy needs in addition to the ones in the current whitelist and selectively expand the whitelist at runtime based on configuration.

Change History (5)

comment:1 Changed 3 years ago by yawning

Upon deeper thought, the real solution to this is to spawn PTs in their own container, each with a tailored whitelist, particularly since #20781 will require that, so it may as well be generalized.

The main stumbling point would be that tor doesn't support using AF_LOCAL to talk to PTs, but if I do this correctly the tor sandbox can run without external network access when PTs are used.

comment:2 Changed 3 years ago by yawning

This is what obfs4proxy needs in addition to what's in the existing tor whitelist on x86_64.

mprotect -> arg2 == PROT_READ | PROT_WRITE
futex -> arg1 == 1 || arg1 == 0 (FUTEX_WAKE, FUTEX_WAIT)
setsockopt -> arg1 == SOL_TCP && arg2 == TCP_NODELAY
set_tid_address: 1
mincore: 1
dup2: 1
select: 1
mkdirat: 1 (Might not be needed if the pt state dir exists.)
fsync: 1
epoll_create1 -> arg0 == EPOLL_CLOEXEC
getpeername: 1

comment:3 Changed 3 years ago by yawning

Priority: Medium → High

Bumping up the priority on this because this is really crappy.

comment:4 Changed 3 years ago by yawning

I missed a few calls when I wrote up my list of what's required, and since the tor profile now has mmap rules, there's even more stuff.

setsockopt -> arg1 == SOL_SOCKET && arg2 == SO_BROADCAST, arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY
mmap -> arg2 == PROT_NONE && (arg3 == MAP_PRIVATE|MAP_ANONYMOUS || arg3 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)
getppid: 1
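
The rules from comment 2 and comment 4, expressed as a raw seccomp-BPF program. This is an added example, not code from the ticket or from sandboxed-tor-browser (which has its own implementation); it assumes x86_64, uses a kill default for anything not listed, and leaves out tor's own base whitelist, which the ticket does not reproduce, so it only builds and evaluates the program rather than installing it. The function names build_filter, run_filter, decide and install_filter are mine. Each 64-bit argument is checked as two 32-bit words (low word equals the value, high word is zero), the same split comparison libseccomp generates, so a value with junk in the upper 32 bits cannot slip past an equality check.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/futex.h>
#include <linux/seccomp.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/epoll.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* One allow rule: a syscall number plus up to two "argN == value" checks (ANDed).
 * Several rules with the same syscall number act as OR alternatives. */
struct argcheck { int arg; uint32_t val; };
struct rule { int nr; int nchecks; struct argcheck chk[2]; };

/* seccomp_data.args[] are 64-bit; on x86_64 the low word comes first in memory. */
#define ARG_LO(i) (offsetof(struct seccomp_data, args) + 8 * (i))
#define ARG_HI(i) (ARG_LO(i) + 4)

/* Constructed from comments 2 and 4 of the ticket (x86_64 only). SOL_TCP and
 * SOL_IPV6 are written as IPPROTO_TCP / IPPROTO_IPV6; the values are identical. */
static const struct rule obfs4_rules[] = {
    { SYS_mprotect,      1, { {2, PROT_READ | PROT_WRITE} } },
    { SYS_futex,         1, { {1, FUTEX_WAIT} } },
    { SYS_futex,         1, { {1, FUTEX_WAKE} } },
    { SYS_setsockopt,    2, { {1, IPPROTO_TCP},  {2, TCP_NODELAY} } },
    { SYS_setsockopt,    2, { {1, SOL_SOCKET},   {2, SO_BROADCAST} } },
    { SYS_setsockopt,    2, { {1, IPPROTO_IPV6}, {2, IPV6_V6ONLY} } },
    { SYS_mmap,          2, { {2, PROT_NONE}, {3, MAP_PRIVATE | MAP_ANONYMOUS} } },
    { SYS_mmap,          2, { {2, PROT_NONE}, {3, MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS} } },
    { SYS_epoll_create1, 1, { {0, EPOLL_CLOEXEC} } },
    { SYS_set_tid_address, 0 }, { SYS_mincore, 0 }, { SYS_dup2, 0 },  { SYS_select, 0 },
    { SYS_mkdirat, 0 },         { SYS_fsync, 0 },   { SYS_getpeername, 0 }, { SYS_getppid, 0 },
};
#define NRULES (sizeof obfs4_rules / sizeof obfs4_rules[0])

static struct sock_filter prog[256];

static void emit(size_t *n, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k)
{
    prog[*n] = (struct sock_filter){ code, jt, jf, k };
    (*n)++;
}

/* Emits: arch check, one block per rule, then the default action.
 * Returns the instruction count, or -1 if the program would not fit. */
int build_filter(const struct rule *rules, size_t nrules, uint32_t default_action)
{
    size_t n = 0;
    emit(&n, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(&n, BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64);
    emit(&n, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL);   /* other ABI (x32, i386): kill */
    for (size_t r = 0; r < nrules; r++) {
        int c = rules[r].nchecks;
        if (n + 4 * c + 4 > sizeof prog / sizeof prog[0]) return -1;
        emit(&n, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
        /* Different syscall: skip this rule's 4*c check instructions and its RET ALLOW. */
        emit(&n, BPF_JMP | BPF_JEQ | BPF_K, 0, 4 * c + 1, rules[r].nr);
        for (int i = 0; i < c; i++) {
            int a = rules[r].chk[i].arg;
            emit(&n, BPF_LD | BPF_W | BPF_ABS, 0, 0, ARG_LO(a));
            emit(&n, BPF_JMP | BPF_JEQ | BPF_K, 0, 4 * (c - i) - 1, rules[r].chk[i].val);
            emit(&n, BPF_LD | BPF_W | BPF_ABS, 0, 0, ARG_HI(a));
            emit(&n, BPF_JMP | BPF_JEQ | BPF_K, 0, 4 * (c - i) - 3, 0);
        }
        emit(&n, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    }
    emit(&n, BPF_RET | BPF_K, 0, 0, default_action);
    return (int)n;
}

/* Interprets the three opcodes the builder emits, so a program can be checked
 * before it is installed. The kernel's evaluator is the authority, not this. */
uint32_t run_filter(const struct sock_filter *p, int len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (int pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + p[pc].k, sizeof acc);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
        else
            break;
    }
    return UINT32_MAX;   /* unknown opcode or fell off the end: the kernel would reject it */
}

/* Builds the whitelist with a kill default and evaluates one syscall against it. */
uint32_t decide(uint32_t arch, int nr, uint64_t a0, uint64_t a1, uint64_t a2, uint64_t a3)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { a0, a1, a2, a3, 0, 0 } };
    int len = build_filter(obfs4_rules, NRULES, SECCOMP_RET_KILL);
    return len < 0 ? UINT32_MAX : run_filter(prog, len, &d);
}

/* Installs the built program in the calling process (0 on success, -1 otherwise). */
int install_filter(int len)
{
    struct sock_fprog fp = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp) == 0 ? 0 : -1;
}

int main(void)
{
    int len = build_filter(obfs4_rules, NRULES, SECCOMP_RET_KILL);
    printf("%d BPF instructions; setsockopt(SOL_TCP, TCP_NODELAY) -> %s\n", len,
           decide(AUDIT_ARCH_X86_64, SYS_setsockopt, 3, IPPROTO_TCP, TCP_NODELAY, 0)
               == SECCOMP_RET_ALLOW ? "allow" : "kill");
    /* install_filter(len) is deliberately not called here: without tor's base whitelist
     * merged in, the kill default would terminate this process on its next syscall. */
    return 0;
}
```

Because every argument check is an exact equality on both halves of the 64-bit value, the FUTEX_PRIVATE_FLAG variants of futex and any mprotect that adds PROT_EXEC fall through to the default action, which is the behaviour the ticket's rules describe; a real profile merges these rules with the base tor whitelist before install_filter is ever called.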

comment:5 Changed 3 years ago by yawning

Resolution: fixed
Status: new → closed

https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=7cf5fba78a7641043454f7f7d24edce4ed938197

For now use a combined tor + obfs4proxy whitelist. Seems to work in my test envs. I'm going to tag this as fixed for now, and deal with decoupling the two later.
