From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:45254) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dLr1m-0000Qj-6U for guix-patches@gnu.org; Fri, 16 Jun 2017 09:11:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dLr1i-0000dT-TT for guix-patches@gnu.org; Fri, 16 Jun 2017 09:11:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:47771) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dLr1i-0000dH-LE for guix-patches@gnu.org; Fri, 16 Jun 2017 09:11:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dLr1i-0006wi-GT for guix-patches@gnu.org; Fri, 16 Jun 2017 09:11:02 -0400 Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support. Resent-Message-ID: Date: Fri, 16 Jun 2017 13:10:08 +0000 From: ng0 Message-ID: <20170616131008.deg2qeu7fzwwxnxy@abyayala> References: <20170616120108.d5kx6h2ukiy7qtux@abyayala> <00b283d856293540d950c67502d4538e@mykolab.com> <20170616124639.a7lq7dgrbmr2wn4t@abyayala> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20170616124639.a7lq7dgrbmr2wn4t@abyayala> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Rutger Helling , 27394@debbugs.gnu.org The patch itself seems to work. Just introducing upstream explicitly marked (see 'man tor') as "experimental" features is difficult. As long as nothing breaks it's okay I guess. Should tor or the GuixSD native tor-service start to consume too much resources, we can still adjust. ng0 transcribed 2.3K bytes: > Rutger Helling transcribed 2.6K bytes: > > Hey ng0, > > > > I think that ticket references whether the default torrc should have > > "Sandbox 1". > > I understood the Whonix mail, which is how I got to the trac of tor, > in the way that they don't enable seccomp because tor does not enable > it as default. I'm not 100% positive on this, but I think I used > tor with +seccomp and hardening in Gentoo for a very long time. > > > > This patch doesn't do that, you still have to set that > > manually if you want to use it. It only gives you the option (Tor will > > just ignore that option in Guix right now). > > > > I also don't think that hardening and the sandbox bite each other in any > > way. > > > > On 2017-06-16 14:01, ng0 wrote: > > > > > Rutger Helling transcribed 2.5K bytes: > > > > > >> Hello, > > >> > > >> this patch adds seccomp support to tor. > > > > > > There's the question if we would want that. > > > tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215 > > > But we also enable hardening by default, which differs from the tor default. > > > I have no problem with moving unstable features in, but hardening > > > seems much more tested to me than seccomp. > > -- > ng0 > OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 > https://krosos.org/~/ng0/ https://www.infotropique.org -- ng0 OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 https://krosos.org/~/ng0/ https://www.infotropique.org