Opened 7 years ago

Closed 5 years ago

#7005 closed enhancement (implemented)

seccomp2

Reported by: ioerror
Priority: Medium
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Version: Tor: unspecified
Keywords: security tor-relay
Cc: mikeperry, nickm, arma, intrigeri@…

Description

Tor should attempt to use seccomp2 - to that end - we should find a list of syscalls that we will ever expect tor to use and add them to a seccomp filter. We should also allow relays to have a much more restrictive seccomp filter set if they wish at compile time.

A good url for examples is here:
http://outflux.net/teach-seccomp/

We may want to use libseccomp:
http://sourceforge.net/projects/libseccomp/
http://sourceforge.net/p/libseccomp/libseccomp/ci/f08622cda8ff41d8d77d70ab034ab26413289013/tree/

In theory this will be a first line (zero being not having a bug) of defense against someone actually getting arbitrary code execution in tor or related libraries. The next line of defense would be a jail or a chroot. The next line would be some kind of kernel ACL/MAC like SELinux/AppArmor/GRSec/etc. I suppose in reality, it's all together as one but I'm pretending for the sake of simplicity.
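Added example, not Tor's code or the ticket author's patch: a minimal seccomp-bpf syscall allowlist of the kind the description proposes, written in raw BPF in the style of the teach-seccomp page linked above rather than with libseccomp, so it needs only kernel headers. It assumes an x86-64 Linux host; the syscall list, the 64-instruction buffer and the LOAD/JEQ/RET helper macros are constructed for illustration.

```c
/* Added example, not Tor's sandbox code: a seccomp-bpf syscall allowlist of the
 * kind the ticket proposes, built from raw BPF as in Kees Cook's teach-seccomp. */
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: x86-64; use the matching AUDIT_ARCH_* elsewhere */
#define LOAD(field) (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(v, jt, jf) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (jt), (jf))
#define RET(action) (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (action))

/* Fill prog[] (capacity cap): kill on a foreign arch, allow each listed syscall
 * number, kill everything else. Returns the instruction count, or 0 if no room. */
static size_t build_allowlist(struct sock_filter *prog, size_t cap,
                              const int *allowed, size_t n_allowed)
{
    size_t i, n = 0;
    if (cap < 5 + 2 * n_allowed) return 0;
    prog[n++] = LOAD(arch);               /* check the ABI first, so syscall numbers */
    prog[n++] = JEQ(ARCH_NR, 1, 0);       /* mean what we think: match -> skip the kill */
    prog[n++] = RET(SECCOMP_RET_KILL);
    prog[n++] = LOAD(nr);                 /* then compare the syscall number */
    for (i = 0; i < n_allowed; i++) {
        prog[n++] = JEQ(allowed[i], 0, 1);  /* equal -> ALLOW, else try the next entry */
        prog[n++] = RET(SECCOMP_RET_ALLOW);
    }
    prog[n++] = RET(SECCOMP_RET_KILL);    /* default: anything unlisted is fatal */
    return n;
}

/* PR_SET_NO_NEW_PRIVS is required before an unprivileged process may install. */
static int install_allowlist(struct sock_filter *prog, size_t n)
{
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    const int allowed[] = { SYS_write, SYS_exit_group, SYS_exit }; /* constructed list */
    struct sock_filter prog[64];
    size_t n = build_allowlist(prog, 64, allowed, 3);
    if (n == 0 || install_allowlist(prog, n) != 0) return 1;
    write(1, "sandboxed\n", 10);          /* allowed; any other syscall is fatal */
    _exit(0);
}
```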


Change History (11)

comment:1 Changed 7 years ago by nickm

Milestone: Tor: unspecified

I could swear we already had a ticket for this.

comment:2 Changed 7 years ago by ioerror

I thought so as well - I'm going to code up a basic patch for it and hopefully it can make it into 2.4.x or 2.5.x - it is 2.4.x now, right? :)

comment:3 Changed 7 years ago by nickm

Yeah; the deadlines for 0.2.4 are on https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/024 . There are some discussions there about how to find the right set of system calls. Note the drama surrounding exec.

And I think this is a duplicate for #5756 ; please close this ticket as such if you agree.

comment:4 Changed 7 years ago by nickm

Woops; #5756 is the place where there is discussion about finding the right set of system calls.

comment:5 Changed 7 years ago by ioerror

seccomp2 is easy to use to detect syscalls as far as I can see from the docs. This isn't a dup as it at worst could be a child ticket for little t tor. I'm going to code a diff in the next hour.

comment:6 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:7 Changed 7 years ago by nickm

Component: Tor Relay → Tor

comment:8 Changed 7 years ago by ioerror

I've implemented a very basic seccomp static filter based on the example by Kees. I need to generate a canonical syscall list and then I think it is rather straightforward to use after that point.

Ironically, I lack a system with seccomp2 enabled by default so I'm not sure of the best way to test this code. Which systems have seccomp2 working out of the box? Just the latest Ubuntu? Does Debian unstable?

comment:9 Changed 7 years ago by nickm

So it's Linux 3.5 that has this feature, right? If so, Fedora has it too.

comment:10 Changed 6 years ago by intrigeri

Cc: intrigeri@… added

comment:11 Changed 5 years ago by nickm

Milestone: Tor: unspecified → Tor: 0.2.5.x-final
Resolution: implemented
Status: new → closed

It would appear that this is solved by the sandbox code in 0.2.5
