
Re: [tor-relays] Did 'Sandbox 1' break Tor for anyone else on 0.4.5.6?



Hi William

William Kane:
> Hi everyone,
> 
> Ever since I upgraded to tor version 0.4.5.6, enabling tor's built-in
> seccomp sandbox completely breaks tor, i.e. it gets killed by the
> kernel on start for a seccomp violation (fstat(..)) - sandboxing
> worked fine on 0.4.4.6, my system configuration did not change between
> the updates.

Tor itself usually fails with a Permission Denied error when a syscall
fails due to seccomp. So, this is rather odd.

> I figured this was happening because I do not grant the
> CAP_DAC_READ_SEARCH capability, but I'm not so sure anymore if that's
> the reason.

You should simply see a Permission Denied if the capability is the problem.

Would be great if you could get details about the failing call. If
seccomp is involved, you should be able to get details like this:

• install package auditd
• make sure auditd is running
• crash Tor
• find the syscall with `ausearch -ts recent -i`

Peter
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
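
The record the last step above is looking for, shown in raw form as an added example that is not part of the original message: a kernel seccomp kill is logged as a `type=SECCOMP` audit record carrying the signal and the syscall number. The sample records are constructed, the function names are hypothetical, and the name table assumes x86_64 and covers only a few file-related syscalls.

```shell
#!/bin/sh
# Constructed sample of raw audit records (not taken from the thread).
# arch=c000003e is x86_64; sig=31 is SIGSYS, the signal a seccomp kill delivers.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1613400000.101:410): arch=c000003e syscall=257 success=yes exit=3 pid=2211 comm="sshd" exe="/usr/sbin/sshd"
type=SECCOMP msg=audit(1613400012.553:421): auid=4294967295 uid=107 gid=114 ses=4294967295 pid=2290 comm="tor" exe="/usr/bin/tor" sig=31 arch=c000003e syscall=5 compat=0 ip=0x7f3a5c0e1a2b code=0x0
type=SECCOMP msg=audit(1613400020.004:430): auid=1000 uid=1000 gid=1000 ses=3 pid=2301 comm="chromium" exe="/usr/bin/chromium" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7f11aa code=0x0
EOF
}

# seccomp_kills COMM: read raw audit records on stdin and print
# "pid syscall_number syscall_name" for each SECCOMP record of process COMM.
seccomp_kills() {
    awk -v want="$1" '
    BEGIN {
        # Small x86_64 subset only; unknown numbers print as "?".
        name[4]="stat"; name[5]="fstat"; name[6]="lstat"
        name[257]="openat"; name[262]="newfstatat"
    }
    $1 == "type=SECCOMP" {
        pid = comm = nr = arch = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "pid") pid = kv[2]
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "syscall") nr = kv[2]
            else if (kv[1] == "arch") arch = kv[2]
        }
        if (comm != want) next
        # The name table is valid for x86_64 records only.
        sys = (arch == "c000003e" && (nr in name)) ? name[nr] : "?"
        print pid, nr, sys
    }'
}

sample_audit_log | seccomp_kills tor
```

On a live host the same function can read the audit daemon's log, by default `/var/log/audit/audit.log`, instead of the sample.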