From: Rutger Helling
Date: Fri, 16 Jun 2017 13:21:37 +0200
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
To: 27394@debbugs.gnu.org

Hello,

this patch adds seccomp support to tor.
[Attachment: 0001-gnu-tor-Add-seccomp-support.patch]

From: ng0
Date: Fri, 16 Jun 2017 12:01:08 +0000
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Message-ID: <20170616120108.d5kx6h2ukiy7qtux@abyayala>
To: Rutger Helling
Cc: 27394@debbugs.gnu.org

Rutger Helling transcribed 2.5K bytes:
> Hello,
>
> this patch adds seccomp support to tor.

There's the question if we would want that.
tor doesn't enable it by default, see: https://trac.torproject.org/projects/tor/ticket/19215
But we also enable hardening by default, which differs from the tor default.
I have no problem with moving unstable features in, but hardening
seems much more tested to me than seccomp.

--
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org
From: Rutger Helling
Date: Fri, 16 Jun 2017 14:33:31 +0200
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Message-ID: <00b283d856293540d950c67502d4538e@mykolab.com>
In-Reply-To: <20170616120108.d5kx6h2ukiy7qtux@abyayala>
To: 27394@debbugs.gnu.org

Hey ng0,

I think that ticket references whether the default torrc should have
"Sandbox 1". This patch doesn't do that, you still have to set that
manually if you want to use it. It only gives you the option (Tor will
just ignore that option in Guix right now).

I also don't think that hardening and the sandbox bite each other in any
way.
From: ng0
Date: Fri, 16 Jun 2017 12:46:39 +0000
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Message-ID: <20170616124639.a7lq7dgrbmr2wn4t@abyayala>
In-Reply-To: <00b283d856293540d950c67502d4538e@mykolab.com>
To: Rutger Helling
Cc: 27394@debbugs.gnu.org

Rutger Helling transcribed 2.6K bytes:
> Hey ng0,
>
> I think that ticket references whether the default torrc should have
> "Sandbox 1".

I understood the Whonix mail, which is how I got to the trac of tor,
in the way that they don't enable seccomp because tor does not enable
it as default. I'm not 100% positive on this, but I think I used
tor with +seccomp and hardening in Gentoo for a very long time.

> This patch doesn't do that, you still have to set that
> manually if you want to use it. It only gives you the option (Tor will
> just ignore that option in Guix right now).
>
> I also don't think that hardening and the sandbox bite each other in any
> way.
From: ng0
Date: Fri, 16 Jun 2017 13:10:08 +0000
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Message-ID: <20170616131008.deg2qeu7fzwwxnxy@abyayala>
In-Reply-To: <20170616124639.a7lq7dgrbmr2wn4t@abyayala>
To: Rutger Helling, 27394@debbugs.gnu.org

The patch itself seems to work.

Just introducing upstream explicitly marked (see 'man tor') as "experimental"
features is difficult. As long as nothing breaks it's okay I guess.

Should tor or the GuixSD native tor-service start to consume too much
resources, we can still adjust.

From: ng0
Date: Fri, 16 Jun 2017 22:09:02 +0000
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Message-ID: <20170616220902.agnoznv4nrcr7fdz@abyayala>
In-Reply-To: <20170616131008.deg2qeu7fzwwxnxy@abyayala>
To: Rutger Helling, 27394@debbugs.gnu.org

There's a problem. I think it's not that problematic but it's a problem:

Activating the Sandbox option (torrc Sandbox 1) prevents reloading certain
functions of tor without stopping tor.
Now when you do this with our GuixSD tor-service running through a guix
system reconfigure, you will get a sandbox violation.
Because I reboot directly after reconfigure I don't know if this is a
serious problem, but I know there are plans for system-generation
activation or what they call it (switch to the newly generated system
directly after it was built).

After a day of using your patch and encountering the sandbox violations
I'm positive it works as intended, but I'm not sure what to do about the
switch. Maybe our tor-service has to be adjusted?

This is no requirement for this to be merged, I'm just trying to point out
details.
From: Ludovic Courtès <ludo@gnu.org>
Date: Tue, 20 Jun 2017 23:07:38 +0200
Subject: bug#27394: [PATCH] gnu: tor: Add seccomp support.
Message-ID: <87bmpil65h.fsf@gnu.org>
In-Reply-To: (Rutger Helling's message of "Fri, 16 Jun 2017 13:21:37 +0200")
To: Rutger Helling
Cc: 27394-done@debbugs.gnu.org

Hi Rutger,

Rutger Helling skribis:

> From 5e93733bba145ac3e3a3f39fb43f25ad7125fa2f Mon Sep 17 00:00:00 2001
> From: Rutger Helling
> Date: Fri, 16 Jun 2017 13:15:17 +0200
> Subject: [PATCH] gnu: tor: Add seccomp support.
>
> * gnu/packages/tor.scm (tor)[inputs]: Add libseccomp.

Applied, thanks.

Do you think the GuixSD service should set “Sandbox 1” by default?  The
Besides, the GuixSD service runs Tor in a container, but that doesn’t
necessarily provide the same guarantees:
<https://www.gnu.org/software/guix/news/running-system-services-in-containers.html>.

Ludo’.

From: ng0@infotropique.org
Date: Wed, 21 Jun 2017 00:31:18 +0200 (CEST)
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
In-Reply-To: <87bmpil65h.fsf@gnu.org>
To: Ludovic Courtès
Cc: 27394-done <27394-done@debbugs.gnu.org>, Rutger Helling

On Tue, 20 Jun 2017 23:07:38 +0200, ludo@gnu.org (Ludovic Courtès) wrote:
> Do you think the GuixSD service should set “Sandbox 1” by default?

As mentioned earlier in the thread: I don't think it should be default until we have
found it to be stable enough. I experienced several "sandbox violations" when running
this in the last days. Is this good? Is this bad? I had no chance to investigate this so far.
It also goes against torproject recommendations, as they consider sandbox (seccomp) in
tor to be an unstable + testing feature, disabled by default.
From: Rutger Helling
Date: Wed, 21 Jun 2017 08:57:01 +0200
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Message-ID: <9a77b4c9d799bd5f95bf3fce88e268af@mykolab.com>
To: Ludovic Courtès, ng0@infotropique.org
Cc: 27394-done <27394-done@debbugs.gnu.org>

I don't have any issues (yet) running it with the sandbox on, but I agree
it's good to test it extensively beforehand and depending on the stability
wait until the Tor Project defaults to it.
From: Ludovic Courtès <ludo@gnu.org>
Date: Wed, 21 Jun 2017 10:24:15 +0200
Subject: [bug#27394] [PATCH] gnu: tor: Add seccomp support.
Message-ID: <87mv91kats.fsf@gnu.org>
In-Reply-To: <9a77b4c9d799bd5f95bf3fce88e268af@mykolab.com>
To: Rutger Helling
Cc: 27394-done <27394-done@debbugs.gnu.org>

Hi,

Rutger Helling skribis:

> I don't have any issues (yet) running it with the sandbox on, but I
> agree it's good to test it extensively beforehand and depending on the
> stability wait until the Tor Project defaults to it.

Sounds reasonable.

Thanks for your feedback, ng0 and Rutger.

Ludo’.