[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #24037 [Core Tor/Torsocks]: Use syscall blacklist rather than whitelist for torsocks
#24037: Use syscall blacklist rather than whitelist for torsocks
-------------------------------+------------------------------
Reporter: cypherpunks | Owner: dgoulet
Type: enhancement | Status: needs_review
Priority: Medium | Milestone:
Component: Core Tor/Torsocks | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------+------------------------------
Comment (by cypherpunks):
>implement the first solution
Nice! 33 insertions, 576 deletions. Great to see an alternative that gets
rid of so much bad code. I'm working on the second solution myself (at
least once #24400 is resolved so `SocksPort` doesn't break on UNIX domain
sockets with the sandbox), but I think the two solutions can go hand in
hand, as the second solution, while more secure, is Linux-specific.
>that part probably needs review
I don't think this will be an issue once torsocks no longer uses a
whitelist. It seems to be more related to #24116, where the `mmap()`
wrapper requires using `mmap()` to initialize memory, but can't be
initialized until the syscall runs, resulting in a deadlock. There is no
danger security-wise to allowing that syscall.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24037#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs