unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
@ 2017-06-16 11:21 Rutger Helling
  2017-06-16 12:01 ` ng0
  2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
  0 siblings, 2 replies; 10+ messages in thread
From: Rutger Helling @ 2017-06-16 11:21 UTC (permalink / raw)
  To: 27394


[-- Attachment #1.1: Type: text/plain, Size: 48 bytes --]

Hello, 

this patch adds seccomp support to tor.

[-- Attachment #1.2: Type: text/html, Size: 258 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-tor-Add-seccomp-support.patch --]
[-- Type: text/x-diff; name=0001-gnu-tor-Add-seccomp-support.patch, Size: 1127 bytes --]

From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
From: Rutger Helling <rhelling@mykolab.com>
Date: Fri, 16 Jun 2017 13:15:17 +0200
Subject: [PATCH] gnu: tor: Add seccomp support.

* gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.
---
 gnu/packages/tor.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm
index 819092cb7..bcb5aacbd 100644
--- a/gnu/packages/tor.scm
+++ b/gnu/packages/tor.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -61,7 +62,8 @@
     (inputs
      `(("zlib" ,zlib)
        ("openssl" ,openssl)
-       ("libevent" ,libevent)))
+       ("libevent" ,libevent)
+       ("libseccomp", libseccomp)))
     (home-page "https://www.torproject.org/")
     (synopsis "Anonymous network router to improve privacy on the Internet")
     (description
-- 
2.13.1


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 11:21 [bug#27394] [PATCH] gnu: tor: Add seccomp support Rutger Helling
@ 2017-06-16 12:01 ` ng0
  2017-06-16 12:33   ` Rutger Helling
  2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
  1 sibling, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-16 12:01 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394

[-- Attachment #1: Type: text/plain, Size: 544 bytes --]

Rutger Helling transcribed 2.5K bytes:
> Hello, 
> 
> this patch adds seccomp support to tor.

There's the question if we would want that.
tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
But we also enable hardening by default, which differs from the tor default.
I have no problem with moving unstable features in, but hardening
seems much more tested to me than seccomp.
-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 12:01 ` ng0
@ 2017-06-16 12:33   ` Rutger Helling
  2017-06-16 12:46     ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: Rutger Helling @ 2017-06-16 12:33 UTC (permalink / raw)
  To: 27394

[-- Attachment #1: Type: text/plain, Size: 816 bytes --]

Hey ng0, 

I think that ticket references whether the default torrc should have
"Sandbox 1". This patch doesn't do that, you still have to set that
manually if you want to use it. It only gives you the option (Tor will
just ignore that option in Guix right now). 

I also don't think that hardening and the sandbox bite each other in any
way. 

On 2017-06-16 14:01, ng0 wrote:

> Rutger Helling transcribed 2.5K bytes: 
> 
>> Hello, 
>> 
>> this patch adds seccomp support to tor.
> 
> There's the question if we would want that.
> tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> But we also enable hardening by default, which differs from the tor default.
> I have no problem with moving unstable features in, but hardening
> seems much more tested to me than seccomp.

[-- Attachment #2: Type: text/html, Size: 1491 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 12:33   ` Rutger Helling
@ 2017-06-16 12:46     ` ng0
  2017-06-16 13:10       ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-16 12:46 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394

[-- Attachment #1: Type: text/plain, Size: 1325 bytes --]

Rutger Helling transcribed 2.6K bytes:
> Hey ng0, 
> 
> I think that ticket references whether the default torrc should have
> "Sandbox 1".

I understood the Whonix mail, which is how I got to the trac of tor,
in the way that they don't enable seccomp because tor does not enable
it as default. I'm not 100% positive on this, but I think I used
tor with +seccomp and hardening in Gentoo for a very long time.


> This patch doesn't do that, you still have to set that
> manually if you want to use it. It only gives you the option (Tor will
> just ignore that option in Guix right now). 
> 
> I also don't think that hardening and the sandbox bite each other in any
> way. 
> 
> On 2017-06-16 14:01, ng0 wrote:
> 
> > Rutger Helling transcribed 2.5K bytes: 
> > 
> >> Hello, 
> >> 
> >> this patch adds seccomp support to tor.
> > 
> > There's the question if we would want that.
> > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > But we also enable hardening by default, which differs from the tor default.
> > I have no problem with moving unstable features in, but hardening
> > seems much more tested to me than seccomp.

-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 12:46     ` ng0
@ 2017-06-16 13:10       ` ng0
  2017-06-16 22:09         ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-16 13:10 UTC (permalink / raw)
  To: Rutger Helling, 27394

The patch itself seems to work.

Just introducing upstream explicitly marked (see 'man tor') as "experimental"
features is difficult. As long as nothing breaks it's okay I guess.

Should tor or the GuixSD native tor-service start to consume too much
resources, we can still adjust.

ng0 transcribed 2.3K bytes:
> Rutger Helling transcribed 2.6K bytes:
> > Hey ng0, 
> > 
> > I think that ticket references whether the default torrc should have
> > "Sandbox 1".
> 
> I understood the Whonix mail, which is how I got to the trac of tor,
> in the way that they don't enable seccomp because tor does not enable
> it as default. I'm not 100% positive on this, but I think I used
> tor with +seccomp and hardening in Gentoo for a very long time.
> 
> 
> > This patch doesn't do that, you still have to set that
> > manually if you want to use it. It only gives you the option (Tor will
> > just ignore that option in Guix right now). 
> > 
> > I also don't think that hardening and the sandbox bite each other in any
> > way. 
> > 
> > On 2017-06-16 14:01, ng0 wrote:
> > 
> > > Rutger Helling transcribed 2.5K bytes: 
> > > 
> > >> Hello, 
> > >> 
> > >> this patch adds seccomp support to tor.
> > > 
> > > There's the question if we would want that.
> > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > > But we also enable hardening by default, which differs from the tor default.
> > > I have no problem with moving unstable features in, but hardening
> > > seems much more tested to me than seccomp.
> 
> -- 
> ng0
> OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> https://krosos.org/~/ng0/ https://www.infotropique.org



-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 13:10       ` ng0
@ 2017-06-16 22:09         ` ng0
  0 siblings, 0 replies; 10+ messages in thread
From: ng0 @ 2017-06-16 22:09 UTC (permalink / raw)
  To: Rutger Helling, 27394

There's a problem. I think it's not that problematic but it's a problem:

Activating the Sandbox option (torrc Sandbox 1) prevents reloading
certain functions of tor without stopping tor. Now when you do this
with our GuixSD tor-service running through a guix system reconfigure,
you will get a sandbox violation. Because I reboot directly after
reconfigure I don't know if this is a serious problem, but I know
there are plans for system-generation activation or what they call
it (switch to the newly generated system directly after it was build).

After a day of using your patch and encountering the sandbox violations
I'm positive it works as intended, but I'm not sure what to do about
the switch. Maybe our tor-service has to be adjusted? This is no
requirement for this to be merged, I'm just trying to point out details.
ng0 transcribed 1.8K bytes:
> The patch itself seems to work.
> 
> Just introducing upstream explicitly marked (see 'man tor') as "experimental"
> features is difficult. As long as nothing breaks it's okay I guess.
> 
> Should tor or the GuixSD native tor-service start to consume too much
> resources, we can still adjust.
> 
> ng0 transcribed 2.3K bytes:
> > Rutger Helling transcribed 2.6K bytes:
> > > Hey ng0, 
> > > 
> > > I think that ticket references whether the default torrc should have
> > > "Sandbox 1".
> > 
> > I understood the Whonix mail, which is how I got to the trac of tor,
> > in the way that they don't enable seccomp because tor does not enable
> > it as default. I'm not 100% positive on this, but I think I used
> > tor with +seccomp and hardening in Gentoo for a very long time.
> > 
> > 
> > > This patch doesn't do that, you still have to set that
> > > manually if you want to use it. It only gives you the option (Tor will
> > > just ignore that option in Guix right now). 
> > > 
> > > I also don't think that hardening and the sandbox bite each other in any
> > > way. 
> > > 
> > > On 2017-06-16 14:01, ng0 wrote:
> > > 
> > > > Rutger Helling transcribed 2.5K bytes: 
> > > > 
> > > >> Hello, 
> > > >> 
> > > >> this patch adds seccomp support to tor.
> > > > 
> > > > There's the question if we would want that.
> > > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > > > But we also enable hardening by default, which differs from the tor default.
> > > > I have no problem with moving unstable features in, but hardening
> > > > seems much more tested to me than seccomp.
> > 
> > -- 
> > ng0
> > OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> > https://krosos.org/~/ng0/ https://www.infotropique.org
> 
> 
> 
> -- 
> ng0
> OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> https://krosos.org/~/ng0/ https://www.infotropique.org
> 
> 
> 
> 

-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#27394: [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 11:21 [bug#27394] [PATCH] gnu: tor: Add seccomp support Rutger Helling
  2017-06-16 12:01 ` ng0
@ 2017-06-20 21:07 ` Ludovic Courtès
  2017-06-20 22:31   ` [bug#27394] " ng0
  1 sibling, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2017-06-20 21:07 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394-done

Hi Rutger,

Rutger Helling <rhelling@mykolab.com> skribis:

> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> From: Rutger Helling <rhelling@mykolab.com>
> Date: Fri, 16 Jun 2017 13:15:17 +0200
> Subject: [PATCH] gnu: tor: Add seccomp support.
>
> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.

Applied, thanks.

Do you think the GuixSD service should set “Sandbox 1” by default?  The
Besides, the GuixSD service runs Tor in a container, but that doesn’t
necessarily provide the same guarantees:
<https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
@ 2017-06-20 22:31   ` ng0
  2017-06-21  6:57     ` Rutger Helling
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-20 22:31 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27394-done, Rutger Helling



On Tue, 20 Jun 2017 23:07:38 +0200, ludo@gnu.org (Ludovic Courtès) wrote:

> Hi Rutger,
> 
> Rutger Helling <rhelling@mykolab.com> skribis:
> 
> > From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> > From: Rutger Helling <rhelling@mykolab.com>
> > Date: Fri, 16 Jun 2017 13:15:17 +0200
> > Subject: [PATCH] gnu: tor: Add seccomp support.
> >
> > * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.
> 
> Applied, thanks.
> 
> Do you think the GuixSD service should set “Sandbox 1” by default?  The
> Besides, the GuixSD service runs Tor in a container, but that doesn’t
> necessarily provide the same guarantees:
> <https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.
> 
> Ludo’.

As mentioned earlier in the thread: I don't think it should be default until we have
found it to be stable enough. I experienced several "sandbox violations" when running
this in the last days. Is this good? Is this bad? I had no chance to investigate this so far.
It also goes against torproject recommendations, as they consider sandbox (seccomp) in
tor to be an unstable + testing feature, disabled by default.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-20 22:31   ` [bug#27394] " ng0
@ 2017-06-21  6:57     ` Rutger Helling
  2017-06-21  8:24       ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: Rutger Helling @ 2017-06-21  6:57 UTC (permalink / raw)
  To: Ludovic CourtXXs, ng0; +Cc: 27394-done

[-- Attachment #1: Type: text/plain, Size: 1385 bytes --]

I don't have any issues (yet) running it with the sandbox on, but I
agree it's good to test it extensively beforehand and depending on the
stability wait until the Tor Project defaults to it. 

On 2017-06-21 00:31, ng0@infotropique.org wrote:

> On Tue, 20 Jun 2017 23:07:38 +0200, ludo@gnu.org (Ludovic Courtès) wrote:
> 
> Hi Rutger,
> 
> Rutger Helling <rhelling@mykolab.com> skribis:
> 
> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> From: Rutger Helling <rhelling@mykolab.com>
> Date: Fri, 16 Jun 2017 13:15:17 +0200
> Subject: [PATCH] gnu: tor: Add seccomp support.
> 
> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp. 
> Applied, thanks.
> 
> Do you think the GuixSD service should set "Sandbox 1" by default?  The
> Besides, the GuixSD service runs Tor in a container, but that doesn't
> necessarily provide the same guarantees:
> <https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.
> 
> Ludo'.

As mentioned earlier in the thread: I don't think it should be default
until we have
found it to be stable enough. I experienced several "sandbox violations"
when running
this in the last days. Is this good? Is this bad? I had no chance to
investigate this so far.
It also goes against torproject recommendations, as they consider
sandbox (seccomp) in
tor to be an unstable + testing feature, disabled by default.

[-- Attachment #2: Type: text/html, Size: 2427 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-21  6:57     ` Rutger Helling
@ 2017-06-21  8:24       ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2017-06-21  8:24 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394-done

Hi,

Rutger Helling <rhelling@mykolab.com> skribis:

> I don't have any issues (yet) running it with the sandbox on, but I
> agree it's good to test it extensively beforehand and depending on the
> stability wait until the Tor Project defaults to it. 

Sounds reasonable.  Thanks for your feedback, ng0 and Rutger.

Ludo’.

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2017-06-21  8:25 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-16 11:21 [bug#27394] [PATCH] gnu: tor: Add seccomp support Rutger Helling
2017-06-16 12:01 ` ng0
2017-06-16 12:33   ` Rutger Helling
2017-06-16 12:46     ` ng0
2017-06-16 13:10       ` ng0
2017-06-16 22:09         ` ng0
2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
2017-06-20 22:31   ` [bug#27394] " ng0
2017-06-21  6:57     ` Rutger Helling
2017-06-21  8:24       ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).