Opened 11 years ago

Closed 9 years ago

Last modified 7 years ago

#828 closed defect (wontfix)

native-connect sockaddr error

Reported by: komo
Owned by:
Priority: Low
Milestone:
Component: Core Tor/Tor
Version: 0.2.0.31
Severity:
Keywords:
Cc: komo, arma, nickm, jackwssp
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I am running Tor in systrace v1.6d on OpenBSD 4.3.
After upgrading Tor 0.1.2.19 to 0.2.0.30/31, a new policy rule appeared:

native-connect: sockaddr eq "error" then permit

Apart from that, I get numerous messages on a terminal window:

systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory

and so on. It makes it very hard to use the terminal because the error
messages come and go, often when you are in the middle of something. It
just makes it impossible to use. Unlike policy violations these errors
are not logged, they just scroll on screen.

[Automatically added by flyspray2trac: Operating System: BSD]


Change History (15)

comment:1 Changed 11 years ago by arma

Is this a bug report for the openbsd Tor package? If so, you should find their
bugtracker and report it there.

Or is it a bug with Tor 0.2.0.31 itself? If so, you're going to have to
clarify what it is.

comment:2 Changed 11 years ago by komo

The current (snapshot) OpenBSD Tor package has an installation issue and I am not using it. I've compiled Tor 0.2.0.31 from the source code. Tor works as expected, but unlike version 0.1.2.19, I now observe weird error messages from systrace. I could just stop using systrace, right? But isn't it interesting why the new Tor version is doing it?

The error messages appear when Tor establishes connections with other nodes.

comment:3 Changed 11 years ago by nickm

Tor never calls getnameinfo directly; if this is called, it's probably called as an underlying function to
implement gethostbyaddr. But weirdly, Tor never calls gethostbyaddr as far as I can tell. This is confusing.

comment:4 Changed 11 years ago by nickm

Oh! Here's a thought. Is it possible that systrace is trying to do reverse DNS lookups *itself* on addresses
that Tor is looking up, and failing for some reason?

Also, let's think about what files getnameinfo might be looking for. /etc/hosts and /etc/resolv.conf seem
like the likeliest suspects to me. Is anything stopping it from finding them?

comment:5 Changed 11 years ago by komo

The files exist and have normal permissions. DNS resolving is OK.

I have two OpenBSD installations in somewhat different configurations,
in VirtualBox and real hardware. Both show the same problem.

comment:6 Changed 11 years ago by komo

Here is the exact sequence of events, including "sockaddr eq error" which did not exist
in the earlier Tor version.

native-fsread: filename eq "/var/tor/cached-routers" then permit
native-fsread: filename eq "/var/tor/cached-descriptors.new" then permit
native-fsread: filename eq "/var/tor/cached-extrainfo" then permit
native-fsread: filename eq "/var/tor/cached-extrainfo.new" then permit
native-sendto: true then permit
native-connect: sockaddr eq "inet-[128.31.0.34]:9005" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-connect: sockaddr eq "error" then permit
native-getsockname: permit
native-connect: sockaddr eq "inet-[195.85.225.145]:9001" then permit
native-connect: sockaddr eq "inet-[92.205.3.132]:9001" then permit
native-connect: sockaddr eq "inet-[194.109.206.212]:443" then permit
native-connect: sockaddr eq "inet-[202.78.240.82]:143" then permit
native-fswrite: filename eq "/var/tor/state.tmp" then permit
native-rename: filename eq "/var/tor/state.tmp" and filename[1] eq "/var/tor/state" then permit
native-getsockopt: permit
native-fswrite: filename eq "/var/tor/cached-descriptors.new" then permit
native-connect: sockaddr eq "inet-[85.10.240.250]:443" then permit
native-connect: sockaddr eq "inet-[87.98.143.223]:443" then permit
native-connect: sockaddr eq "inet-[192.42.113.248]:9001" then permit
native-connect: sockaddr eq "inet-[91.208.34.1]:443" then permit

comment:7 Changed 11 years ago by komo

Until there is a solution to this problem, I decided to use a workaround to get rid of the
scrolling error messages. In systrace's "intercept-translate.c" I commented out one line:

sa->sa_len = len;
if (getnameinfo(sa, len,
    host, sizeof(host), serv, sizeof(serv),
    NI_NUMERICHOST | NI_NUMERICSERV)) {
        warn("getnameinfo");
        return (-1);
}

That does not mean it is a systrace issue, of course.

comment:8 Changed 11 years ago by nickm

So, systrace _is_ calling getnameinfo(). And that call is returning nonzero, so it must be failing. It looks like
the warning message was bogus, because (according to the manpage), getnameinfo does not set errno on failure; it returns
an error code that you can convert to a string using gai_strerror().

You might be able to get a better idea of why getnameinfo() is failing by changing that code to

sa->sa_len = len;
{
    /* getnameinfo() reports failures through its return value, not errno
     * (errno is only meaningful when it returns EAI_SYSTEM). */
    int r = getnameinfo(sa, len, host, sizeof(host), serv, sizeof(serv),
                        NI_NUMERICHOST | NI_NUMERICSERV);
    if (r) {
        warnx("getnameinfo: %s", r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
        return (-1);
    }
}

I don't know what Tor could possibly be doing to make getnameinfo fail, but this would be a good place to
start looking.
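The error-reporting point nickm makes above, worked through as an added, stand-alone example (not code from the ticket, from systrace or from Tor): a function that renders a sockaddr numerically the way systrace's translation layer needs it, and reports a failure with gai_strerror() (or strerror(errno) only for EAI_SYSTEM) instead of whatever stale errno an earlier syscall left behind. The two addresses are constructed for the demonstration: a well-formed AF_INET address, and a deliberately malformed one (family AF_UNSPEC, length shorter than a sockaddr_in) with errno poisoned to ENOENT first, so the output shows that the real failure reason is a family/length problem and not "No such file or directory". It is written against the POSIX API, so it does not set the BSD-only sa_len field that systrace's own code fills in.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Render a socket address as "host:port" with no DNS lookup at all
 * (NI_NUMERICHOST | NI_NUMERICSERV), i.e. the form a systrace policy
 * string such as "inet-[128.31.0.34]:9005" is built from.
 *
 * Returns 0 and fills `out` on success.  On failure it returns the
 * getnameinfo() code and fills `err` with the correct diagnostic:
 * getnameinfo() sets errno only when it returns EAI_SYSTEM, so in every
 * other case the text has to come from gai_strerror().  Using warn()
 * there prints whatever errno an earlier, unrelated syscall left behind.
 */
int format_sockaddr(const struct sockaddr *sa, socklen_t salen,
                    char *out, size_t outlen, char *err, size_t errlen)
{
    char host[64], serv[16];
    int r = getnameinfo(sa, salen, host, sizeof host, serv, sizeof serv,
                        NI_NUMERICHOST | NI_NUMERICSERV);
    if (r != 0) {
        snprintf(err, errlen, "getnameinfo: %s",
                 r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
        return r;
    }
    snprintf(out, outlen, "%s:%s", host, serv);
    return 0;
}

/* Constructed IPv4 address for the demo; returns 0 on success. */
int make_inet4(struct sockaddr_in *sin, const char *ip, unsigned short port)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sin->sin_addr) == 1 ? 0 : -1;
}

/* Well-formed address: returns 1 if it renders as "128.31.0.34:9005". */
int demo_good(void)
{
    struct sockaddr_in sin;
    char out[64], err[128];
    if (make_inet4(&sin, "128.31.0.34", 9005) != 0)
        return 0;
    if (format_sockaddr((struct sockaddr *)&sin, sizeof sin,
                        out, sizeof out, err, sizeof err) != 0)
        return 0;
    printf("ok:   %s\n", out);
    return strcmp(out, "128.31.0.34:9005") == 0;
}

/* Malformed address (unknown family, length too short for AF_INET).
 * Returns 1 if getnameinfo() fails with a non-EAI_SYSTEM code and the
 * diagnostic does NOT repeat the poisoned errno text. */
int demo_bad(void)
{
    struct sockaddr_storage ss;
    char out[64], err[128];
    int r;
    memset(&ss, 0, sizeof ss);
    ss.ss_family = AF_UNSPEC;
    errno = ENOENT;   /* simulate a stale errno from a previous syscall */
    r = format_sockaddr((struct sockaddr *)&ss, sizeof(struct sockaddr),
                        out, sizeof out, err, sizeof err);
    if (r == 0)
        return 0;
    printf("fail: %s\n", err);
    return r != EAI_SYSTEM && strstr(err, "No such file or directory") == NULL;
}

int main(void)
{
    return (demo_good() && demo_bad()) ? 0 : 1;
}
```

On glibc and musl the malformed address fails with EAI_FAMILY ("ai_family not supported"), which is the kind of message that would have told komo where to look; the ENOENT text that systrace printed is what you get when the return code is ignored and errno is read instead.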

comment:9 Changed 11 years ago by nickm

Any progress on figuring out why getnameinfo() is failing with systrace and Tor?

comment:10 Changed 11 years ago by nickm

No contact with user since October; can't debug without confirmation that it's actually Tor messing with getnameinfo
and a real error message from getnameinfo() via gai_strerror(). Closing as 'user disappeared.'

comment:11 Changed 10 years ago by arma

Reopening by user request. What's up?

comment:12 Changed 10 years ago by jackwssp

Have the same problem with systraced tor.

$ uname -a
OpenBSD obsd.my.domain 4.6 GENERIC#53 amd64

$ cat tor.sh
/usr/sbin/chroot -u _chrootedtor -g _chrootedtor /home/chrooted/tor /bin/systrace -a -d /etc/tor/systrace /bin/tor -f /etc/tor/torrc

./tor.sh
# systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
etc..

/var/log/message is clean, but if I put the chroot into systrace, /var/log/message is flooded by syslogd with the same sockaddr: error.

I think that it is because I haven't set the syslogd dev in the chroot. Will report when

I'm using this: https://wiki.torproject.org/noreply/TheOnionRouter/OpenbsdChrootedTor#XXXWorkinProgress--UsingachrootedsystracewithachrootedTorclient

$ cat /home/chrooted/tor/etc/tor/systrace/bin_tor
Policy: /bin/tor, Emulation: native

native-sysctl: permit
native-break: permit

# Memory

native-mmap: permit
native-mprotect: permit
native-mquery: permit
native-munmap: permit

# Files

native-chdir: filename eq "/var/tor" then permit
native-chdir: filename eq "/var/tor" then permit
native-close: permit
native-dup2: permit
native-fcntl: permit
native-fstat: permit
native-getdirentries: permit
native-ioctl: permit
native-lseek: permit
native-pread: permit
native-read: permit
native-write: permit
native-flock: permit

# File reads

native-fsread: filename match "/<non-existent filename>: *" then deny
native-fsread: filename eq "/dev/crypto" then permit
native-fsread: filename eq "/dev/null" then permit
native-fsread: filename eq "/dev/srandom" then permit
native-fsread: filename eq "/etc/group" then permit
native-fsread: filename eq "/etc/pwd.db" then permit
native-fsread: filename eq "/etc/spwd.db" then permit
native-fsread: filename eq "/etc/tor/torrc" then permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-fsread: filename eq "/etc/localtime" then permit
native-fsread: filename eq "/usr/lib" then permit
native-fsread: filename eq "/etc/hosts" then permit
native-fsread: filename eq "/etc/resolv.conf" then permit
native-fsread: filename match "/usr/lib/libc.so*" then permit
native-fsread: filename match "/usr/lib/libcrypto.so*" then permit
native-fsread: filename match "/usr/lib/libssl.so*" then permit
native-fsread: filename match "/usr/lib/libz.so*" then permit
native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
native-fsread: filename eq "/share/tor/geoip" then permit
native-fsread: filename eq "/share/tor/fallback-consensus" then permit
native-fsread: filename match "/usr/share/zoneinfo/*" then permit
native-fsread: filename eq "/var/tor" then permit
native-fsread: filename match "/var/tor/*" then permit
native-fsread: filename eq "/var/log/tor" then permit
native-fsread: filename match "/var/tor/*" then permit
native-fsread: filename eq "/var/tor" then permit

# Time

native-clock_gettime: permit
native-gettimeofday: permit
native-setitimer: permit

# User ID and group ID. Change these as needed.

native-getuid: permit
native-setgid: gid eq "1003" then permit
native-setuid: uid eq "1003" and uname eq "_chrootedtor" then permit

# Resource limits

native-getrlimit: permit
native-setrlimit: permit

# Process

native-exit: permit
native-kill: permit
native-fork: permit
native-pipe: permit

# Permission bits

native-getpid: permit
native-geteuid: permit
native-issetugid: permit
native-setsid: permit

# Signals

native-sigaction: permit
native-sigprocmask: permit
native-sigreturn: permit

# File writes

native-fswrite: filename match "/<non-existent filename>: *" then deny
native-fswrite: filename eq "/dev/crypto" then permit
native-fswrite: filename eq "/dev/null" then permit
native-fswrite: filename eq "/var/tor" then permit
native-fswrite: filename eq "/usr/local/var/log/tor/notices.log" then permit
native-fswrite: filename match "/var/tor/*" then permit
native-fswrite: filename match "/var/log/tor/*" then permit
native-fswrite: filename match "/var/tor/*" then permit
native-rename: filename match "/var/tor/*" then permit
native-rename: filename match "/var/tor/cached-directory*" and filename[1] match "/var/tor/cached-directory*" then permit

# Networking

native-connect: sockaddr eq "inet-[172.20.1.5]:53" then permit
native-connect: sockaddr eq "inet-[172.20.1.6]:53" then permit
native-bind: sockaddr eq "inet-[0.0.0.0]:9001" then permit
native-bind: sockaddr eq "inet-[0.0.0.0]:9030" then permit
native-bind: sockaddr eq "inet-[127.0.0.1]:9050" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
native-setsockopt: permit
native-listen: permit
native-poll: permit
native-getsockopt: permit
native-accept: permit
native-recvfrom: permit
native-sendto: true then permit

# Without socketpair, you cannot access Tor hidden services.

native-socketpair: permit

# List of ports to connect to. These are needed for the server list and potentially
# using a tor server.

native-connect: sockaddr match "inet-*:80" then permit
native-connect: sockaddr match "inet-*:443" then permit

# Typically, tor servers are in the range of 8,000 - 10,000. This below lets tor
# connect to any unpriv port.
# Match ports 1024 through 1999

native-connect: sockaddr re "inet-.*:102[4-9]$" then permit
native-connect: sockaddr re "inet-.*:10[3-9][0-9]$" then permit
native-connect: sockaddr re "inet-.*:1[1-9][0-9]{2}$" then permit

# Match 2000 - 9999

native-connect: sockaddr re "inet-.*:[2-9][0-9]{3}$" then permit

# Match ports 10000 - 65535

native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit

comment:13 Changed 10 years ago by jackwssp

So, I did it.

# /usr/bin/nice -n 10 /usr/sbin/chroot -u _tor -g _tor /home/chrooted/tor /bin/systrace -a -d /etc/systrace /bin/tor -f /etc/tor/torrc

Jan 12 16:51:04.185 [notice] Tor v0.2.2.6-alpha (git-1ee580407ccb9130). This is experimental software. Do not rely on it for strong anonymity. (Running on OpenBSD amd64)
Jan 12 16:51:04.236 [notice] Initialized libevent version 1.3e using method poll. Good.
Jan 12 16:51:04.237 [notice] Opening Socks listener on 127.0.0.1:9050
# systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory
systrace: getnameinfo: No such file or directory

etc..

I muted the sockaddr: error in /var/log/message by adding:

native-connect: sockaddr eq "error" then deny

So,
# cat /home/chrooted/tor/etc/systrace/bin_tor

Policy: /bin/tor, Emulation: native

native-sysctl: permit
native-break: permit

# Memory

native-mmap: permit
native-mprotect: permit
native-mquery: permit
native-munmap: permit

# Files

native-chdir: filename eq "/var/tor" then permit
native-close: permit
native-dup2: permit
native-fcntl: permit
native-fstat: permit
native-getdirentries: permit
native-ioctl: permit
native-lseek: permit
native-pread: permit
native-read: permit
native-write: permit
native-flock: permit

# File reads

native-fsread: filename match "/<non-existent filename>: *" then deny
native-fsread: filename eq "/dev/crypto" then permit
native-fsread: filename eq "/dev/null" then permit
native-fsread: filename eq "/dev/srandom" then permit
native-fsread: filename eq "/etc/group" then permit
native-fsread: filename eq "/etc/pwd.db" then permit
native-fsread: filename eq "/etc/spwd.db" then permit
native-fsread: filename eq "/etc/tor/torrc" then permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-fsread: filename eq "/etc/localtime" then permit
native-fsread: filename eq "/usr/lib" then permit
native-fsread: filename eq "/etc/hosts" then permit
native-fsread: filename eq "/etc/resolv.conf" then permit
native-fsread: filename match "/usr/lib/libc.so*" then permit
native-fsread: filename match "/usr/lib/libcrypto.so*" then permit
native-fsread: filename match "/usr/lib/libssl.so*" then permit
native-fsread: filename match "/usr/lib/libz.so*" then permit
native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
native-fsread: filename eq "/share/tor/geoip" then permit
native-fsread: filename eq "/share/tor/fallback-consensus" then permit
native-fsread: filename match "/usr/share/zoneinfo/*" then permit
native-fsread: filename eq "/var/tor" then permit
native-fsread: filename match "/var/tor/*" then permit
native-fsread: filename eq "/var/log/tor" then permit
native-fsread: filename match "/var/tor/*" then permit
native-fsread: filename eq "/var/tor" then permit

# Time

native-clock_gettime: permit
native-gettimeofday: permit
native-setitimer: permit

# User ID and group ID. Change these as needed.

native-getuid: permit
native-setgid: gid eq "1002" then permit
native-setuid: uid eq "1002" and uname eq "_tor" then permit

# Resource limits

native-getrlimit: permit
native-setrlimit: permit

# Process

native-exit: permit
native-kill: permit
native-fork: permit
native-pipe: permit

# Permission bits

native-getpid: permit
native-geteuid: permit
native-issetugid: permit
native-setsid: permit

# Signals

native-sigaction: permit
native-sigprocmask: permit
native-sigreturn: permit

# File writes

native-fswrite: filename match "/<non-existent filename>: *" then deny
native-fswrite: filename eq "/dev/crypto" then permit
native-fswrite: filename eq "/dev/null" then permit
native-fswrite: filename eq "/var/tor" then permit
native-fswrite: filename eq "/usr/local/var/log/tor/notices.log" then permit
native-fswrite: filename match "/var/tor/*" then permit
native-fswrite: filename match "/var/log/tor/*" then permit
native-fswrite: filename match "/var/tor/*" then permit
native-rename: filename match "/var/tor/*" then permit
native-rename: filename match "/var/tor/cached-directory*" and filename[1] match "/var/tor/cached-directory*" then permit

# Networking

native-connect: sockaddr eq "error" then deny
native-connect: sockaddr eq "inet-[172.20.1.5]:53" then permit
native-connect: sockaddr eq "inet-[172.20.1.6]:53" then permit
native-bind: sockaddr eq "inet-[0.0.0.0]:9001" then permit
native-bind: sockaddr eq "inet-[0.0.0.0]:9030" then permit
native-bind: sockaddr eq "inet-[127.0.0.1]:9050" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
native-setsockopt: permit
native-listen: permit
native-poll: permit
native-getsockname: permit
native-getsockopt: permit
native-accept: permit
native-recvfrom: permit
native-sendto: true then permit

# Without socketpair, you cannot access Tor hidden services.

native-socketpair: permit

# List of ports to connect to. These are needed for the server list and potentially
# using a tor server.

native-connect: sockaddr match "inet-*:80" then permit
native-connect: sockaddr match "inet-*:443" then permit

# Typically, tor servers are in the range of 8,000 - 10,000. This below lets tor
# connect to any unpriv port.
# Match ports 1024 through 1999

native-connect: sockaddr re "inet-.*:102[4-9]$" then permit
native-connect: sockaddr re "inet-.*:10[3-9][0-9]$" then permit
native-connect: sockaddr re "inet-.*:1[1-9][0-9]{2}$" then permit

# Match 2000 - 9999

native-connect: sockaddr re "inet-.*:[2-9][0-9]{3}$" then permit

# Match ports 10000 - 65535

native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit

comment:14 Changed 9 years ago by nickm

Resolution: None → wontfix
Status: new → closed

Closing; if getnameinfo called by systrace isn't working, it isn't because of Tor. There seems to be a workaround as reported above.

comment:15 Changed 7 years ago by nickm

Component: Tor Client → Tor