From: Rutger Helling <rhelling@mykolab.com>
To: Ludovic CourtXXs <ludo@gnu.org>, ng0@infotropique.org
Cc: 27394-done <27394-done@debbugs.gnu.org>
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Date: Wed, 21 Jun 2017 08:57:01 +0200 [thread overview]
Message-ID: <9a77b4c9d799bd5f95bf3fce88e268af@mykolab.com> (raw)
In-Reply-To: <E1dNRg6-000781-Lh@rmmprod07.runbox>
[-- Attachment #1: Type: text/plain, Size: 1385 bytes --]
I don't have any issues (yet) running it with the sandbox on, but I
agree it's good to test it extensively beforehand and depending on the
stability wait until the Tor Project defaults to it.
On 2017-06-21 00:31, ng0@infotropique.org wrote:
> On Tue, 20 Jun 2017 23:07:38 +0200, ludo@gnu.org (Ludovic Courtès) wrote:
>
> Hi Rutger,
>
> Rutger Helling <rhelling@mykolab.com> skribis:
>
> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> From: Rutger Helling <rhelling@mykolab.com>
> Date: Fri, 16 Jun 2017 13:15:17 +0200
> Subject: [PATCH] gnu: tor: Add seccomp support.
>
> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.
> Applied, thanks.
>
> Do you think the GuixSD service should set "Sandbox 1" by default? The
> Besides, the GuixSD service runs Tor in a container, but that doesn't
> necessarily provide the same guarantees:
> <https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.
>
> Ludo'.
As mentioned earlier in the thread: I don't think it should be default
until we have
found it to be stable enough. I experienced several "sandbox violations"
when running
this in the last days. Is this good? Is this bad? I had no chance to
investigate this so far.
It also goes against torproject recommendations, as they consider
sandbox (seccomp) in
tor to be an unstable + testing feature, disabled by default.
[-- Attachment #2: Type: text/html, Size: 2427 bytes --]
next prev parent reply other threads:[~2017-06-21 6:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-16 11:21 [bug#27394] [PATCH] gnu: tor: Add seccomp support Rutger Helling
2017-06-16 12:01 ` ng0
2017-06-16 12:33 ` Rutger Helling
2017-06-16 12:46 ` ng0
2017-06-16 13:10 ` ng0
2017-06-16 22:09 ` ng0
2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
2017-06-20 22:31 ` [bug#27394] " ng0
2017-06-21 6:57 ` Rutger Helling [this message]
2017-06-21 8:24 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9a77b4c9d799bd5f95bf3fce88e268af@mykolab.com \
--to=rhelling@mykolab.com \
--cc=27394-done@debbugs.gnu.org \
--cc=ludo@gnu.org \
--cc=ng0@infotropique.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).