Opened 6 months ago

Last modified 2 months ago

#33346 needs_revision defect

Seccomp soft fail (no write) in 0.4.2.6

Reported by: subjectfrosting
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.4.4.x-final
Component: Core Tor/Tor
Version: 0.4.2.6
Severity: Normal
Keywords: easy?, 035-backport, 041-backport, 042-backport, 043-backport, regression, 044-should, postfreeze-ok
Cc:
Actual Points: .1
Parent ID:
Points: .1
Reviewer:
Sponsor:

Description

I've upgraded to 0.4.2.6 (as a good software user, but also because I noticed the seccomp changes).

Tor successfully starts with seccomp, but 'soft fails' because it can't write to its data directory (here: /var/lib/tor/data). Tor has permissions to write to this directory - fine with Sandbox 0.

Log:

# cat /var/log/tor/log
Feb 16 00:46:56.000 [notice] Tor 0.4.2.6 opening new log file.
Feb 16 00:46:56.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Feb 16 00:46:57.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Feb 16 00:46:57.000 [notice] Bootstrapped 0% (starting): Starting
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/cached-certs": Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/cached-consensus" for mmap(): Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/unverified-consensus" for mmap(): Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/cached-microdesc-consensus" for mmap(): Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/unverified-microdesc-consensus" for mmap(): Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/cached-microdescs" for mmap(): Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/cached-microdescs.new": Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/cached-descriptors" for mmap(): Operation not permitted
Feb 16 00:46:57.000 [warn] Could not open "/var/lib/tor/data/cached-extrainfo" for mmap(): Operation not permitted
Feb 16 00:46:57.000 [notice] Starting with guard context "default"
Feb 16 00:46:58.000 [warn] Couldn't open "/var/lib/tor/data/state.tmp" (/var/lib/tor/data/state) for writing: Operation not permitted
Feb 16 00:46:58.000 [warn] Unable to write state to file "/var/lib/tor/data/state"; will try again later
Feb 16 00:46:58.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Feb 16 00:46:58.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Feb 16 00:46:58.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Feb 16 00:46:58.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Feb 16 00:46:58.000 [notice] Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
Feb 16 00:46:58.000 [notice] Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
Feb 16 00:46:58.000 [notice] Bootstrapped 30% (loading_status): Loading networkstatus consensus
Feb 16 00:46:59.000 [warn] Couldn't open "/var/lib/tor/data/unverified-microdesc-consensus.tmp" (/var/lib/tor/data/unverified-microdesc-consensus) for writing: Operation not permitted
Feb 16 00:46:59.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Feb 16 00:46:59.000 [notice] Bootstrapped 40% (loading_keys): Loading authority key certs
Feb 16 00:46:59.000 [warn] Couldn't open "/var/lib/tor/data/cached-certs.tmp" (/var/lib/tor/data/cached-certs) for writing: Operation not permitted
Feb 16 00:46:59.000 [warn] Error writing certificates to disk.
Feb 16 00:46:59.000 [warn] Could not open "/var/lib/tor/data/unverified-microdesc-consensus" for mmap(): Operation not permitted
Feb 16 00:46:59.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.

Appendix

Environment
Tor: 0.4.2.6
OS: Gentoo arm64
Hardware: Raspberry Pi 4
Kernel: 4.19.102-v8+ (RPi base)

Other info

When running 0.4.2.5, I experienced a crash with seccomp (possibly related to #27315?).

# tor
Feb 16 00:37:42.963 [notice] Tor 0.4.2.5 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Feb 16 00:37:42.963 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Feb 16 00:37:42.963 [notice] Read configuration file "/etc/tor/torrc".
Feb 16 00:37:42.966 [notice] Opening Socks listener on 127.0.0.1:9050
Feb 16 00:37:42.966 [notice] Opened Socks listener on 127.0.0.1:9050

============================================================ T= 1581813463
(Sandbox) Caught a bad syscall attempt (syscall unlinkat)
tor(+0x1cd714)[0x5571820714]
linux-vdso.so.1(__kernel_rt_sigreturn+0x0)[0x7f8bde0658]
/lib64/libc.so.6(unlink+0x30)[0x7f8b8058d8]
tor(run_tor_main_loop+0x74)[0x55716ae874]
tor(tor_run_main+0x11c)[0x55716aead4]
tor(tor_main+0x50)[0x55716ad458]
tor(main+0x24)[0x55716acf74]
/lib64/libc.so.6(__libc_start_main+0xe4)[0x7f8b758cac]
tor(+0x59fd0)[0x55716acfd0]

Child Tickets

Change History (12)

comment:1 Changed 6 months ago by subjectfrosting

libseccomp version: 2.4.2-r1

comment:2 Changed 6 months ago by nickm

Keywords: easy? 035-backport 041-backport 042-backport 043-backport added
Milestone: Tor: 0.4.4.x-final
Owner: set to nickm
Points: .1
Status: new → accepted

Hm. Specifically it looks like the unlinkat() syscall is failing, which isn't in our listed syscalls. I guess your libc uses unlinkat() when we would have expected unlink().

comment:3 Changed 6 months ago by nickm

Actual Points: .1
Status: accepted → needs_review

I've made a patch in ticket33346_035, and appropriate merge-forward branches.

The merge forward is clean, so all branches but the first are just for CI.

subjectfrosting, does the patch in these branches solve the issue for you? And if so, does it expose any other issues? :)

comment:4 Changed 6 months ago by subjectfrosting

Hi nickm, thanks for the response!

Tor still can't write to its data directory /var/lib/tor/data.
Runs fine still with Sandbox 0.

Let me know if I need to do more experimentation :)

Tor log:

Tor[4561]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Tor[4561]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Tor[4561]: Bootstrapped 0% (starting): Starting
Tor[4561]: Could not open "/var/lib/tor/data/cached-certs": Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/cached-consensus" for mmap(): Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/unverified-consensus" for mmap(): Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/cached-microdesc-consensus" for mmap(): Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/unverified-microdesc-consensus" for mmap(): Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/cached-microdescs" for mmap(): Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/cached-microdescs.new": Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/cached-descriptors" for mmap(): Operation not permitted
Tor[4561]: Could not open "/var/lib/tor/data/cached-extrainfo" for mmap(): Operation not permitted
Tor[4561]: Starting with guard context "default"
Tor[4561]: Couldn't open "/var/lib/tor/data/state.tmp" (/var/lib/tor/data/state) for writing: Operation not permitted
Tor[4561]: Unable to write state to file "/var/lib/tor/data/state"; will try again later
Tor[4561]: Bootstrapped 5% (conn): Connecting to a relay
Tor[4561]: Bootstrapped 10% (conn_done): Connected to a relay
Tor[4561]: Bootstrapped 14% (handshake): Handshaking with a relay
Tor[4561]: Bootstrapped 15% (handshake_done): Handshake with a relay done
Tor[4561]: Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
Tor[4561]: Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
Tor[4561]: Bootstrapped 30% (loading_status): Loading networkstatus consensus
Tor[4561]: Couldn't open "/var/lib/tor/data/unverified-microdesc-consensus.tmp" (/var/lib/tor/data/unverified-microdesc-consensus) for writing: Operation not permitted
Tor[4561]: I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Tor[4561]: Bootstrapped 40% (loading_keys): Loading authority key certs
Tor[4561]: Couldn't open "/var/lib/tor/data/cached-certs.tmp" (/var/lib/tor/data/cached-certs) for writing: Operation not permitted
Tor[4561]: Error writing certificates to disk.
Tor[4561]: Could not open "/var/lib/tor/data/unverified-microdesc-consensus" for mmap(): Operation not permitted
Tor[4561]: I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Last edited 6 months ago by subjectfrosting

comment:5 Changed 5 months ago by dgoulet

Status: needs_review → needs_revision

comment:6 Changed 5 months ago by nickm

Tor[4561]: Could not open "/var/lib/tor/data/cached-certs": Operation not permitted

Okay, that's going to be trickier to figure out. Do you know how to use strace? If so, it would be really really helpful to know what syscall exactly was being rejected here.

comment:7 Changed 5 months ago by subjectfrosting

Nick and I discussed this on IRC earlier. I did try tampering with the flags that we give openat() but no luck. I was able to reproduce the bug on my amd64 machine too, so it is not ARM-related.

Let me know if there's anything further I can try out. Nick suggested it was likely to be one of two things:

  • seccomp2 is not adding the rule that we think
  • using wrong pointer for the file (must match handle, not just same string)

I added my own logging on nick's request to see if the right path was being detected, but this seemed normal:

write(1, "seccomp: allow_file_open called "..., 51seccomp: allow_file_open called with use_openat:1
) = 51
write(1, "seccomp: allow_file_open called "..., 75seccomp: allow_file_open called with file:/home/user/.tor/cached-consensus
openat(AT_FDCWD, "/home/user/.tor/cached-consensus", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
write(1, "Mar 09 16:30:06.000 [warn] Could"..., 112Mar 09 16:30:06.000 [warn] Could not open "/home/user/.tor/cached-consensus" for mmap(): Operation not permitted

An excerpt of my strace:

...
getpid()                                = 22986
sendto(7, "<29>Mar  9 14:26:07 Tor[22986]: "..., 69, MSG_NOSIGNAL, NULL, 0) = 69
unlinkat(AT_FDCWD, "/var/lib/tor/data/key-pinning-entries", 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/tor/data/cached-certs", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 105, MSG_NOSIGNAL, NULL, 0) = 105
openat(AT_FDCWD, "/var/lib/tor/data/cached-consensus", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 120, MSG_NOSIGNAL, NULL, 0) = 120
openat(AT_FDCWD, "/var/lib/tor/data/unverified-consensus", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 124, MSG_NOSIGNAL, NULL, 0) = 124
openat(AT_FDCWD, "/var/lib/tor/data/cached-microdesc-consensus", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 130, MSG_NOSIGNAL, NULL, 0) = 130
openat(AT_FDCWD, "/var/lib/tor/data/unverified-microdesc-consensus", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 134, MSG_NOSIGNAL, NULL, 0) = 134
openat(AT_FDCWD, "/var/lib/tor/data/cached-microdescs", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 121, MSG_NOSIGNAL, NULL, 0) = 121
openat(AT_FDCWD, "/var/lib/tor/data/cached-microdescs.new", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 114, MSG_NOSIGNAL, NULL, 0) = 114
openat(AT_FDCWD, "/var/lib/tor/data/cached-descriptors", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 122, MSG_NOSIGNAL, NULL, 0) = 122
newfstatat(AT_FDCWD, "/var/lib/tor/data/cached-descriptors.new", 0x7fefcc0258, 0) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/var/lib/tor/data/cached-extrainfo", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<28>Mar  9 14:26:07 Tor[22986]: "..., 120, MSG_NOSIGNAL, NULL, 0) = 120
newfstatat(AT_FDCWD, "/var/lib/tor/data/cached-extrainfo.new", 0x7fefcc0258, 0) = -1 EPERM (Operation not permitted)
getpid()                                = 22986
sendto(7, "<29>Mar  9 14:26:07 Tor[22986]: "..., 70, MSG_NOSIGNAL, NULL, 0) = 70
epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN, {u32=6, u64=6}}) = 0
epoll_ctl(3, EPOLL_CTL_ADD, 4, {EPOLLIN, {u32=4, u64=4}}) = 0
epoll_pwait(3, ^C0x558e1975d0, 32, 1000, NULL, 8) = -1 EINTR (Interrupted system call)
strace: Process 22986 detached
Last edited 5 months ago by subjectfrosting

comment:8 Changed 3 months ago by asn

Keywords: regression added

comment:9 Changed 3 months ago by nickm

Keywords: easy? 035-backport 041-backport 042-backport 043-backport regression → easy?, 035-backport, 041-backport, 042-backport, 043-backport, regression

Add 044-must to all "regression" tickets in 0.4.4

comment:10 Changed 2 months ago by nickm

Keywords: 044-should added

comment:11 Changed 2 months ago by nickm

Keywords: postfreeze-ok added

Mark tickets which are important or safe enough to look at post-freeze for 0.4.4.

comment:12 Changed 2 months ago by Jigsaw52

Apart from the syscalls unlinkat and newfstatat, which are failing because they are missing from the seccomp filter, the remaining failures seem to be from openat. I think this may be the same problem as #27315.

subjectfrosting, which glibc version are you running?

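Added example (not code from Tor's sandbox.c, and not posted by anyone in this ticket): a stand-alone C program that reproduces, in isolation, the second possibility nickm raised in comment:7, a per-file open rule that is matched by pointer rather than by string contents, which is also the shape of the openat failures Jigsaw52 singles out in comment:12. seccomp-bpf sees only the raw syscall argument registers, so a rule that allows openat of "this file" can compare nothing but the pointer value; an equal string at another address is refused with EPERM. The filter is written as raw classic BPF installed through prctl(2) so it builds with a plain cc and no libseccomp (which Tor itself uses); it assumes Linux on x86_64 or aarch64, a libc whose openat() hands the pathname pointer to the kernel unchanged, and uses /dev/null as a constructed sample path. All function and macro names are the example's own. It shows the failure mode, not whether that is what happened on the reporter's machine.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hand-built classic-BPF seccomp filter; assumes Linux on x86_64 or aarch64. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#define ARG_LO(n)    (offsetof(struct seccomp_data, args) + 8 * (n)) /* low 32 bits (LE) */
#define ARG_HI(n)    (ARG_LO(n) + 4)                                 /* high 32 bits */
#define LOAD(off)    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (off))
#define JEQ(v, t, f) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (t), (f))
#define RET(action)  BPF_STMT(BPF_RET | BPF_K, (action))

/* Fork, install the filter in the child only, run probe() there and return its
 * result (an errno, 0..254); -1 if the child was killed or could not install it.
 * The parent is never filtered, so this is safe to call from a test harness. */
static int run_under_filter(struct sock_filter *f, unsigned short n,
                            int (*probe)(const char *), const char *arg)
{
    pid_t pid = fork();
    if (pid == 0) {
        struct sock_fprog prog = { .len = n, .filter = f };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(255);
        _exit(probe(arg) & 0xff);
    }
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

static int openat_probe(const char *path)
{
    int fd = openat(AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : errno;
}

/* Allow openat() only when its pathname argument is the exact pointer
 * `registered`; seccomp sees only the raw argument registers, so a "this file
 * only" rule can compare nothing but the pointer value. Any other openat() gets
 * EPERM; every other syscall is allowed so the child can report back. Returns
 * the errno the child saw when opening `used` (0 if the open succeeded). */
int probe_openat_pointer_rule(const char *registered, const char *used)
{
    unsigned long p = (unsigned long)registered;     /* 64-bit on both ABIs */
    struct sock_filter insns[] = {
        LOAD(offsetof(struct seccomp_data, arch)),
        JEQ(ARCH_NR, 1, 0),
        RET(SECCOMP_RET_KILL),               /* foreign ABI: kill, never guess */
        LOAD(offsetof(struct seccomp_data, nr)),
        JEQ(__NR_openat, 0, 6),              /* not openat: jump to final ALLOW */
        LOAD(ARG_LO(1)),
        JEQ((unsigned)p, 0, 3),              /* low half differs: EPERM */
        LOAD(ARG_HI(1)),
        JEQ((unsigned)(p >> 32), 0, 1),      /* high half differs: EPERM */
        RET(SECCOMP_RET_ALLOW),
        RET(SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        RET(SECCOMP_RET_ALLOW),
    };
    return run_under_filter(insns, sizeof insns / sizeof insns[0], openat_probe, used);
}

/* The ticket's two cases on a constructed sample path. Two separate arrays are
 * used so the compiler cannot merge them into one address, as it may do with
 * identical string literals. */
static char registered_path[] = "/dev/null";
static char equal_copy[]      = "/dev/null";

/* Registered pointer itself: the open succeeds and 0 comes back. */
int same_pointer_result(void)  { return probe_openat_pointer_rule(registered_path, registered_path); }
/* Same bytes at another address: EPERM, although strcmp() would call the paths
 * identical. This is the "must match handle, not just same string" failure. */
int equal_string_result(void)  { return probe_openat_pointer_rule(registered_path, equal_copy); }

int main(void)
{
    printf("same pointer: errno %d\n", same_pointer_result());
    printf("equal string, other address: errno %d (EPERM = %d)\n",
           equal_string_result(), EPERM);
    return 0;
}
```

Saved as probe.c and built with a plain cc, it prints errno 0 for the registered pointer and errno 1 (EPERM) for the copy. The probe runs in a forked child so the calling process is never filtered. Unlike Tor's sandbox, unlisted syscalls are allowed here only so the child can exit and report; a real filter defaults to deny. The pointer comparison is split into two 32-bit loads because classic BPF has no 64-bit compare, and an off-by-one in either jump offset silently turns the rule into allow-all or deny-all, which is why argument rules are best checked with a probe like this rather than by reading the filter.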