unofficial mirror of guix-patches@gnu.org 
* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
@ 2017-06-16 11:21 Rutger Helling
  2017-06-16 12:01 ` ng0
  2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
  0 siblings, 2 replies; 10+ messages in thread
From: Rutger Helling @ 2017-06-16 11:21 UTC (permalink / raw)
  To: 27394


Hello, 

this patch adds seccomp support to tor.

[-- Attachment #2: 0001-gnu-tor-Add-seccomp-support.patch --]
[-- Type: text/x-diff; name=0001-gnu-tor-Add-seccomp-support.patch, Size: 1127 bytes --]

From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
From: Rutger Helling <rhelling@mykolab.com>
Date: Fri, 16 Jun 2017 13:15:17 +0200
Subject: [PATCH] gnu: tor: Add seccomp support.

* gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.
---
 gnu/packages/tor.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm
index 819092cb7..bcb5aacbd 100644
--- a/gnu/packages/tor.scm
+++ b/gnu/packages/tor.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -61,7 +62,8 @@
     (inputs
      `(("zlib" ,zlib)
        ("openssl" ,openssl)
-       ("libevent" ,libevent)))
+       ("libevent" ,libevent)
+       ("libseccomp", libseccomp)))
     (home-page "https://www.torproject.org/")
     (synopsis "Anonymous network router to improve privacy on the Internet")
     (description
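Review bot: In the added ("libseccomp", libseccomp) line the unquote comma is attached to the string rather than to the variable, unlike the neighbouring ("libevent" ,libevent) entry; the reader accepts it, but please write ("libseccomp" ,libseccomp) for consistency with the rest of the list. The diffstat shows only the copyright line and these two input lines changing, so also confirm that the module defining libseccomp is already imported by gnu/packages/tor.scm. Since the hunk adds only a build input and nothing that enables seccomp at run time, a short comment next to the input saying so would help the next reader.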
-- 
2.13.1



* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 11:21 [bug#27394] [PATCH] gnu: tor: Add seccomp support Rutger Helling
@ 2017-06-16 12:01 ` ng0
  2017-06-16 12:33   ` Rutger Helling
  2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
  1 sibling, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-16 12:01 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394

Rutger Helling transcribed 2.5K bytes:
> Hello, 
> 
> this patch adds seccomp support to tor.

There's the question if we would want that.
tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
But we also enable hardening by default, which differs from the tor default.
I have no problem with moving unstable features in, but hardening
seems much more tested to me than seccomp.
-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org


* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 12:01 ` ng0
@ 2017-06-16 12:33   ` Rutger Helling
  2017-06-16 12:46     ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: Rutger Helling @ 2017-06-16 12:33 UTC (permalink / raw)
  To: 27394

Hey ng0, 

I think that ticket references whether the default torrc should have
"Sandbox 1". This patch doesn't do that, you still have to set that
manually if you want to use it. It only gives you the option (Tor will
just ignore that option in Guix right now). 

I also don't think that hardening and the sandbox bite each other in any
way. 

On 2017-06-16 14:01, ng0 wrote:

> Rutger Helling transcribed 2.5K bytes: 
> 
>> Hello, 
>> 
>> this patch adds seccomp support to tor.
> 
> There's the question if we would want that.
> tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> But we also enable hardening by default, which differs from the tor default.
> I have no problem with moving unstable features in, but hardening
> seems much more tested to me than seccomp.

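Added example (not part of the original thread, nor Guix or Tor code): a shell check for the situation described in the message above, where "Sandbox 1" in torrc only takes effect if tor is linked against libseccomp. The function names, the sample torrc and the ldd-style listings are constructed for illustration; detecting seccomp support from an ldd listing and "the last Sandbox line wins" are assumptions of this example.

```shell
#!/bin/sh
# Effective value of the torrc "Sandbox" option in file $1 (default 0).
# Assumption: the last occurrence wins; option names are case-insensitive.
sandbox_setting() {
    awk '{ sub(/#.*/, "") }                      # drop comments
         tolower($1) == "sandbox" { val = $2 }
         END { print (val == "" ? 0 : val) }' "$1"
}

# Succeeds if the ldd-style listing on stdin names libseccomp.
# Assumption: a dynamically linked tor shows its seccomp support this way.
links_seccomp() {
    grep -q 'libseccomp\.so'
}

# sandbox_status TORRC LDD_LISTING -> off | active | ignored
sandbox_status() {
    if [ "$(sandbox_setting "$1")" != 1 ]; then
        echo off
    elif links_seccomp < "$2"; then
        echo active
    else
        echo ignored    # Sandbox 1 requested, but tor has no seccomp support
    fi
}

# Constructed sample inputs (not taken from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'SocksPort 9050' '#Sandbox 0' 'sandbox 1  # opt in' > "$tmp/torrc"
printf '%s\n' 'libevent-2.1.so.6 => /gnu/store/<hash>-libevent/lib/libevent-2.1.so.6' \
    > "$tmp/ldd-before"
printf '%s\n' 'libevent-2.1.so.6 => /gnu/store/<hash>-libevent/lib/libevent-2.1.so.6' \
    'libseccomp.so.2 => /gnu/store/<hash>-libseccomp/lib/libseccomp.so.2' \
    > "$tmp/ldd-after"

echo "without libseccomp input: $(sandbox_status "$tmp/torrc" "$tmp/ldd-before")"
echo "with libseccomp input:    $(sandbox_status "$tmp/torrc" "$tmp/ldd-after")"
```

On a real system the listing would come from running ldd on the installed tor binary and saving its output to a file.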

* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 12:33   ` Rutger Helling
@ 2017-06-16 12:46     ` ng0
  2017-06-16 13:10       ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-16 12:46 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394

Rutger Helling transcribed 2.6K bytes:
> Hey ng0, 
> 
> I think that ticket references whether the default torrc should have
> "Sandbox 1".

I understood the Whonix mail, which is how I got to the trac of tor,
in the way that they don't enable seccomp because tor does not enable
it as default. I'm not 100% positive on this, but I think I used
tor with +seccomp and hardening in Gentoo for a very long time.


> This patch doesn't do that, you still have to set that
> manually if you want to use it. It only gives you the option (Tor will
> just ignore that option in Guix right now). 
> 
> I also don't think that hardening and the sandbox bite each other in any
> way. 
> 
> On 2017-06-16 14:01, ng0 wrote:
> 
> > Rutger Helling transcribed 2.5K bytes: 
> > 
> >> Hello, 
> >> 
> >> this patch adds seccomp support to tor.
> > 
> > There's the question if we would want that.
> > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > But we also enable hardening by default, which differs from the tor default.
> > I have no problem with moving unstable features in, but hardening
> > seems much more tested to me than seccomp.

-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org


* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 12:46     ` ng0
@ 2017-06-16 13:10       ` ng0
  2017-06-16 22:09         ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-16 13:10 UTC (permalink / raw)
  To: Rutger Helling, 27394

The patch itself seems to work.

Just introducing upstream explicitly marked (see 'man tor') as "experimental"
features is difficult. As long as nothing breaks it's okay I guess.

Should tor or the GuixSD native tor-service start to consume too much
resources, we can still adjust.

ng0 transcribed 2.3K bytes:
> Rutger Helling transcribed 2.6K bytes:
> > Hey ng0, 
> > 
> > I think that ticket references whether the default torrc should have
> > "Sandbox 1".
> 
> I understood the Whonix mail, which is how I got to the trac of tor,
> in the way that they don't enable seccomp because tor does not enable
> it as default. I'm not 100% positive on this, but I think I used
> tor with +seccomp and hardening in Gentoo for a very long time.
> 
> 
> > This patch doesn't do that, you still have to set that
> > manually if you want to use it. It only gives you the option (Tor will
> > just ignore that option in Guix right now). 
> > 
> > I also don't think that hardening and the sandbox bite each other in any
> > way. 
> > 
> > On 2017-06-16 14:01, ng0 wrote:
> > 
> > > Rutger Helling transcribed 2.5K bytes: 
> > > 
> > >> Hello, 
> > >> 
> > >> this patch adds seccomp support to tor.
> > > 
> > > There's the question if we would want that.
> > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > > But we also enable hardening by default, which differs from the tor default.
> > > I have no problem with moving unstable features in, but hardening
> > > seems much more tested to me than seccomp.
> 
> -- 
> ng0
> OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> https://krosos.org/~/ng0/ https://www.infotropique.org



-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org


* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 13:10       ` ng0
@ 2017-06-16 22:09         ` ng0
  0 siblings, 0 replies; 10+ messages in thread
From: ng0 @ 2017-06-16 22:09 UTC (permalink / raw)
  To: Rutger Helling, 27394

There's a problem. I think it's not that problematic but it's a problem:

Activating the Sandbox option (torrc Sandbox 1) prevents reloading
certain functions of tor without stopping tor. Now when you do this
with our GuixSD tor-service running through a guix system reconfigure,
you will get a sandbox violation. Because I reboot directly after
reconfigure I don't know if this is a serious problem, but I know
there are plans for system-generation activation or what they call
it (switch to the newly generated system directly after it was built).

After a day of using your patch and encountering the sandbox violations
I'm positive it works as intended, but I'm not sure what to do about
the switch. Maybe our tor-service has to be adjusted? This is no
requirement for this to be merged, I'm just trying to point out details.

ng0 transcribed 1.8K bytes:
> The patch itself seems to work.
> 
> Just introducing upstream explicitly marked (see 'man tor') as "experimental"
> features is difficult. As long as nothing breaks it's okay I guess.
> 
> Should tor or the GuixSD native tor-service start to consume too much
> resources, we can still adjust.
> 
> ng0 transcribed 2.3K bytes:
> > Rutger Helling transcribed 2.6K bytes:
> > > Hey ng0, 
> > > 
> > > I think that ticket references whether the default torrc should have
> > > "Sandbox 1".
> > 
> > I understood the Whonix mail, which is how I got to the trac of tor,
> > in the way that they don't enable seccomp because tor does not enable
> > it as default. I'm not 100% positive on this, but I think I used
> > tor with +seccomp and hardening in Gentoo for a very long time.
> > 
> > 
> > > This patch doesn't do that, you still have to set that
> > > manually if you want to use it. It only gives you the option (Tor will
> > > just ignore that option in Guix right now). 
> > > 
> > > I also don't think that hardening and the sandbox bite each other in any
> > > way. 
> > > 
> > > On 2017-06-16 14:01, ng0 wrote:
> > > 
> > > > Rutger Helling transcribed 2.5K bytes: 
> > > > 
> > > >> Hello, 
> > > >> 
> > > >> this patch adds seccomp support to tor.
> > > > 
> > > > There's the question if we would want that.
> > > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
> > > > But we also enable hardening by default, which differs from the tor default.
> > > > I have no problem with moving unstable features in, but hardening
> > > > seems much more tested to me than seccomp.
> > 
> > -- 
> > ng0
> > OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> > https://krosos.org/~/ng0/ https://www.infotropique.org
> 
> 
> 
> -- 
> ng0
> OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
> https://krosos.org/~/ng0/ https://www.infotropique.org
> 
> 
> 
> 

-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org


* bug#27394: [PATCH] gnu: tor: Add seccomp support.
  2017-06-16 11:21 [bug#27394] [PATCH] gnu: tor: Add seccomp support Rutger Helling
  2017-06-16 12:01 ` ng0
@ 2017-06-20 21:07 ` Ludovic Courtès
  2017-06-20 22:31   ` [bug#27394] " ng0
  1 sibling, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2017-06-20 21:07 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394-done

Hi Rutger,

Rutger Helling <rhelling@mykolab.com> skribis:

> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> From: Rutger Helling <rhelling@mykolab.com>
> Date: Fri, 16 Jun 2017 13:15:17 +0200
> Subject: [PATCH] gnu: tor: Add seccomp support.
>
> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.

Applied, thanks.

Do you think the GuixSD service should set “Sandbox 1” by default?  The
Besides, the GuixSD service runs Tor in a container, but that doesn’t
necessarily provide the same guarantees:
<https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.

Ludo’.


* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-20 21:07 ` bug#27394: " Ludovic Courtès
@ 2017-06-20 22:31   ` ng0
  2017-06-21  6:57     ` Rutger Helling
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2017-06-20 22:31 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27394-done, Rutger Helling



On Tue, 20 Jun 2017 23:07:38 +0200, ludo@gnu.org (Ludovic Courtès) wrote:

> Hi Rutger,
> 
> Rutger Helling <rhelling@mykolab.com> skribis:
> 
> > From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> > From: Rutger Helling <rhelling@mykolab.com>
> > Date: Fri, 16 Jun 2017 13:15:17 +0200
> > Subject: [PATCH] gnu: tor: Add seccomp support.
> >
> > * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.
> 
> Applied, thanks.
> 
> Do you think the GuixSD service should set “Sandbox 1” by default?  The
> Besides, the GuixSD service runs Tor in a container, but that doesn’t
> necessarily provide the same guarantees:
> <https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.
> 
> Ludo’.

As mentioned earlier in the thread: I don't think it should be default until we have
found it to be stable enough. I experienced several "sandbox violations" when running
this in the last days. Is this good? Is this bad? I had no chance to investigate this so far.
It also goes against torproject recommendations, as they consider sandbox (seccomp) in
tor to be an unstable + testing feature, disabled by default.


* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-20 22:31   ` [bug#27394] " ng0
@ 2017-06-21  6:57     ` Rutger Helling
  2017-06-21  8:24       ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: Rutger Helling @ 2017-06-21  6:57 UTC (permalink / raw)
  To: Ludovic Courtès, ng0; +Cc: 27394-done

I don't have any issues (yet) running it with the sandbox on, but I
agree it's good to test it extensively beforehand and depending on the
stability wait until the Tor Project defaults to it. 

On 2017-06-21 00:31, ng0@infotropique.org wrote:

> On Tue, 20 Jun 2017 23:07:38 +0200, ludo@gnu.org (Ludovic Courtès) wrote:
> 
>> Hi Rutger,
>> 
>> Rutger Helling <rhelling@mykolab.com> skribis:
>> 
>>> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
>>> From: Rutger Helling <rhelling@mykolab.com>
>>> Date: Fri, 16 Jun 2017 13:15:17 +0200
>>> Subject: [PATCH] gnu: tor: Add seccomp support.
>>> 
>>> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.
>> 
>> Applied, thanks.
>> 
>> Do you think the GuixSD service should set "Sandbox 1" by default?  The
>> Besides, the GuixSD service runs Tor in a container, but that doesn't
>> necessarily provide the same guarantees:
>> <https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.
>> 
>> Ludo'.
> 
> As mentioned earlier in the thread: I don't think it should be default until we have
> found it to be stable enough. I experienced several "sandbox violations" when running
> this in the last days. Is this good? Is this bad? I had no chance to investigate this so far.
> It also goes against torproject recommendations, as they consider sandbox (seccomp) in
> tor to be an unstable + testing feature, disabled by default.


* [bug#27394] [PATCH] gnu: tor: Add seccomp support.
  2017-06-21  6:57     ` Rutger Helling
@ 2017-06-21  8:24       ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2017-06-21  8:24 UTC (permalink / raw)
  To: Rutger Helling; +Cc: 27394-done

Hi,

Rutger Helling <rhelling@mykolab.com> skribis:

> I don't have any issues (yet) running it with the sandbox on, but I
> agree it's good to test it extensively beforehand and depending on the
> stability wait until the Tor Project defaults to it. 

Sounds reasonable.  Thanks for your feedback, ng0 and Rutger.

Ludo’.
