[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #29819 [Core Tor/Tor]: Seccomp: sandbox crash on rt_sigaction with libseccomp 0.2.4



#29819: Seccomp: sandbox crash on rt_sigaction with libseccomp 0.2.4
-----------------------------------+------------------------------------
 Reporter:  toralf                 |          Owner:  nickm
     Type:  defect                 |         Status:  assigned
 Priority:  Medium                 |      Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor           |        Version:  Tor: unspecified
 Severity:  Normal                 |     Resolution:
 Keywords:  crash, linux, sandbox  |  Actual Points:
Parent ID:                         |         Points:  2-10
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------------------

Comment (by pege):

 pege -- the EPERM idea seems plausible, if it works. Do you have time to
 try it out?

 I should have some time to try this this weekend. I'll let you know how it
 is going.

    Otherwise, the only workable idea I can think of is to rearchitect how
 we handle filesystem interactions in the sandbox. We should really have an
 trusted unsandboxed process whose job it is to open files for the main
 process, and pass them back over a pipe. This would let us support more
 sandboxing techniques, and allow us to throw out our immutable-string
 hacks. It would be a lot of work though, and I don't see where we have
 time to do it in our current roadmap.

 Moving file handling to some kind of broker running in an unsandboxed
 process is the proper solution here I'd say but that'll take some time.
 Let's see how EPERM works out first. The only issue I can see with the
 sandbox is that `mmap()`ing files to save memory will no longer be
 possible. Consider the security benefit, it's probably a minor issue
 though.

 I wonder if there isn't some third party library for creating a broker,
 handling permissions and passing content to the sandboxed process. If not,
 I'm thinking this could make a good project for introducing some more
 Rust. I guess the broker itself could be written in Rust completely.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29819#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs