Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Fri, 16 Jun 2017 22:09:02 +0000
From: ng0
Message-ID: <20170616220902.agnoznv4nrcr7fdz@abyayala>
References: <20170616120108.d5kx6h2ukiy7qtux@abyayala> <00b283d856293540d950c67502d4538e@mykolab.com> <20170616124639.a7lq7dgrbmr2wn4t@abyayala> <20170616131008.deg2qeu7fzwwxnxy@abyayala>
In-Reply-To: <20170616131008.deg2qeu7fzwwxnxy@abyayala>
To: Rutger Helling, 27394@debbugs.gnu.org

There's a problem. I think it's not that problematic but it's a problem:
Activating the Sandbox option (torrc Sandbox 1) prevents reloading certain
functions of tor without stopping tor. Now when you do this with our GuixSD
tor-service running through a guix system reconfigure, you will get a sandbox
violation.
Because I reboot directly after reconfigure I don't know if this is a serious
problem, but I know there are plans for system-generation activation or what
they call it (switch to the newly generated system directly after it was
built).

After a day of using your patch and encountering the sandbox violations I'm
positive it works as intended, but I'm not sure what to do about the switch.
Maybe our tor-service has to be adjusted?

This is no requirement for this to be merged, I'm just trying to point out
details.

ng0 transcribed 1.8K bytes:
> The patch itself seems to work.
>
> Just introducing upstream explicitly marked (see 'man tor') as "experimental"
> features is difficult. As long as nothing breaks it's okay I guess.
>
> Should tor or the GuixSD native tor-service start to consume too much
> resources, we can still adjust.
>
> ng0 transcribed 2.3K bytes:
> > Rutger Helling transcribed 2.6K bytes:
> > > Hey ng0,
> > >
> > > I think that ticket references whether the default torrc should have
> > > "Sandbox 1".
> >
> > I understood the Whonix mail, which is how I got to the trac of tor,
> > in the way that they don't enable seccomp because tor does not enable
> > it as default. I'm not 100% positive on this, but I think I used
> > tor with +seccomp and hardening in Gentoo for a very long time.
> >
> >
> > > This patch doesn't do that, you still have to set that
> > > manually if you want to use it. It only gives you the option (Tor will
> > > just ignore that option in Guix right now).
> > >
> > > I also don't think that hardening and the sandbox bite each other in any
> > > way.
> > >
> > > On 2017-06-16 14:01, ng0 wrote:
> > >
> > > > Rutger Helling transcribed 2.5K bytes:
> > > >
> > > >> Hello,
> > > >>
> > > >> this patch adds seccomp support to tor.
> > > >
> > > > There's the question if we would want that.
> > > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > > > But we also enable hardening by default, which differs from the tor default.
> > > > I have no problem with moving unstable features in, but hardening
> > > > seems much more tested to me than seccomp.
> >
> > --
> > ng0
> > OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> > https://krosos.org/~/ng0/ https://www.infotropique.org
> >
>
> --
> ng0
> OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> https://krosos.org/~/ng0/ https://www.infotropique.org
>
>

--
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org
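
One way to check, before a reconfigure, whether a torrc change touches options that cannot change while Sandbox 1 is active, so the service can be restarted instead of reloaded. This is an added example, not part of the thread or of Guix; the `FROZEN` option list is an assumption taken from the Sandbox entry of the tor manual, and the sample torrc texts are constructed.

```python
# Added example: classify a torrc change as "reload" or "restart" for a tor
# that runs with the seccomp sandbox (torrc "Sandbox 1").
# FROZEN is an assumption: options the tor manual's Sandbox entry lists as
# unchangeable while tor runs sandboxed ("Logs" there is the torrc "Log"
# option). Check `man tor` for the version you run.
FROZEN = {"address", "connlimit", "cookieauthfile", "dirportfrontpage",
          "extorportcookieauthfile", "log", "serverdnsresolvconffile"}


def parse_torrc(text):
    """Return {lowercased option: [values]}; option names are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)           # option, then the rest as value
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def sandbox_on(opts):
    # For a single-valued option the last occurrence wins; the default is 0.
    return opts.get("sandbox", ["0"])[-1] == "1"


def reload_plan(old_text, new_text):
    """Return ("reload" | "restart", sorted options that force the restart)."""
    old, new = parse_torrc(old_text), parse_torrc(new_text)
    blockers = set()
    if sandbox_on(old) != sandbox_on(new):
        blockers.add("sandbox")               # cannot be toggled while running
    if sandbox_on(old):                       # the running tor is confined
        blockers.update(k for k in FROZEN if old.get(k) != new.get(k))
    return ("restart" if blockers else "reload", sorted(blockers))


# Constructed sample configurations (not taken from the thread).
OLD = "Sandbox 1\nBandwidthRate 1 MBytes\nLog notice syslog\n"
NEW_RATE = "Sandbox 1\nBandwidthRate 2 MBytes  # rate only\nLog notice syslog\n"
NEW_LOG = "Sandbox 1\nBandwidthRate 1 MBytes\nLog notice file /var/log/tor/n.log\n"

if __name__ == "__main__":
    for name, cfg in (("NEW_RATE", NEW_RATE), ("NEW_LOG", NEW_LOG)):
        print(name, reload_plan(OLD, cfg))
```

A "reload" result only means no listed option changed; it does not cover other causes of a sandbox violation, such as the configuration file itself moving to a new path.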