
Re: [tor-bugs] #26580 [Core Tor/Torsocks]: torsocks complains about unknown system call #417 on FreeBSD



#26580: torsocks complains about unknown system call #417 on FreeBSD
-------------------------------+-------------------------
 Reporter:  yurivict271        |          Owner:  dgoulet
     Type:  defect             |         Status:  new
 Priority:  Medium             |      Milestone:
Component:  Core Tor/Torsocks  |        Version:
 Severity:  Normal             |     Resolution:
 Keywords:                     |  Actual Points:
Parent ID:                     |         Points:
 Reviewer:                     |        Sponsor:
-------------------------------+-------------------------

Comment (by onirony):

 Replying to [comment:2 yurivict271]:
 > All unknown system calls should be passed, because they have nothing to
 > do with socket operations. This would be a correct fix of this.

 Agreed, I think that everyone would prefer that. There are currently two
 (very solvable) problems.

 ----

 **1. Every Unix-like OS has its own syscall sandboxing system.**
 Right now Torsocks is whitelisting a small subset of syscalls (bad).
 Modern operating systems provide mechanisms to implement syscall
 blacklists (good) instead. However, everyone does it differently. Viz,

 **Linux**:   seccomp
 **FreeBSD**:  capsicum
 **OpenBSD**: pledge
 **OS X**:
 [https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
 App Sandbox] (which deprecates sandbox_init()).

 Redesigning Torsocks to take advantage of these tools would require
 significant reengineering, but is probably the best/only approach. At the
 very least, we could start with Linux/seccomp, which covers the
 overwhelming majority of Torsocks' userbase, then move on to
 FreeBSD/Capsicum, then MacOS/App Sandbox, and eventually OpenBSD/pledge.
 However, there is still the issue of...


 **2. Kernels regularly add new networking syscalls.**

 We are unlikely to keep totally up to date with every new syscall added to
 Linux, MacOS, OpenBSD, et al. This puts users at risk when they run an
 application through torsocks assuming their traffic is being routed
 through Tor, only to have their IP leaked because their application made a
 networking-related syscall we didn't know about.

 MacOS, for example, has connectx. If Torsocks had relied on a blacklist at
 the time that connectx was released, all of the torified applications
 using connectx would have had their IP addresses exposed. Instead,
 Torsocks merely failed.

 ----

 So there are definitely some downsides, but compared to the alternative
 (manually adding every non-socket syscall from every popular *nix system)
 it definitely appeals to me.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26580#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
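The blacklist approach from point 1 of the comment above, written out for Linux/seccomp as an added example (this is illustrative code, not torsocks code and not a patch proposed in the ticket). It builds a classic-BPF seccomp filter that returns EPERM for a small set of socket syscalls and lets every other syscall number through, including ones the filter has never heard of. The list of denied syscalls, the tiny filter evaluator, and the use of syscall number 417 as a stand-in for "a syscall torsocks does not know" are all assumptions made for the demonstration; on x86_64 Linux 417 is simply a number that is not in the deny list. Running the evaluator on an unlisted number returning ALLOW is exactly the failure mode point 2 warns about: a newly added networking syscall (connectx on macOS in the comment's example) would pass a blacklist like this one untouched.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define LOCAL_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define LOCAL_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only knows the x86_64 and aarch64 seccomp ABIs"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* ASSUMPTION: an illustrative deny list, not the torsocks project's list.
 * Anything not named here is passed through, which is the whole point
 * (and the whole risk) of a blacklist. */
static const int denied_syscalls[] = {
    SYS_socket, SYS_connect, SYS_sendto, SYS_sendmsg, SYS_sendmmsg,
};
#define N_DENIED (sizeof denied_syscalls / sizeof denied_syscalls[0])
#define FILTER_LEN (N_DENIED + 6)

/* Emit the filter into out[]; returns instruction count, 0 if cap is too small. */
size_t build_deny_filter(struct sock_filter *out, size_t cap)
{
    size_t n = 0, i;
    if (cap < FILTER_LEN)
        return 0;
    /* Syscall numbers differ per ABI, so kill on an unexpected arch. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, LOCAL_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    /* Each match jumps forward past the ALLOW to the ERRNO verdict. */
    for (i = 0; i < N_DENIED; i++)
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (__u32)denied_syscalls[i],
                                                (__u8)(N_DENIED - i), 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Minimal cBPF evaluator covering only the three instruction forms emitted
 * above, so the verdict for any syscall number can be inspected without
 * installing the filter. Returns the SECCOMP_RET_* verdict, or 0xffffffff
 * on an instruction it does not understand. */
unsigned int run_filter(const struct sock_filter *prog, size_t len,
                        unsigned int arch, int nr)
{
    struct seccomp_data d;
    unsigned int acc = 0;
    size_t pc;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    for (pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof(__u32) > sizeof d)
                return 0xffffffffU;
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0xffffffffU;
        }
    }
    return 0xffffffffU;
}

/* Install the filter for the calling process; 0 on success, -1 on failure. */
int install_deny_filter(void)
{
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog prog;
    prog.len = (unsigned short)build_deny_filter(insns, FILTER_LEN);
    prog.filter = insns;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    struct sock_filter insns[FILTER_LEN];
    size_t len = build_deny_filter(insns, FILTER_LEN);
    printf("socket -> %#x, unknown syscall 417 -> %#x\n",
           run_filter(insns, len, LOCAL_ARCH, SYS_socket),
           run_filter(insns, len, LOCAL_ARCH, 417));
    if (install_deny_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    printf("socket() with filter installed: %d (%s)\n", fd, strerror(errno));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The verdict order matters: the arch check comes first because the same syscall number means different things on different ABIs, and the ALLOW sits before the ERRNO return so that every number not explicitly matched falls through to it. That fall-through is what makes unknown syscalls harmless for compatibility and dangerous for anonymity at the same time.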