| Summary: | net-vpn/tor-0.3.4.7_rc sandbox not working anymore | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Hadrien Lacour <hadrien.lacour> |
| Component: | Current packages | Assignee: | Anthony Basile <blueness> |
| Status: | RESOLVED OBSOLETE | ||
| Severity: | normal | CC: | jstein |
| Priority: | Normal | Keywords: | PATCH |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | | Runtime testing required: | --- |
| Attachments: | patch fixing sandbox openat regression from 0.3.4.7_rc | ||
Description
Hadrien Lacour
2018-09-11 10:25:32 UTC
Tor 0.3.1 and 0.3.3 (removed from tree today) work fine. The bad syscall in 0.3.4 is openat:

With a user ~/.torrc:

RunAsDaemon 0
Sandbox 1

and

tor -f ~/.torrc

The following output results:

Sep 11 13:49:26.854 [notice] Tor 0.3.4.7-rc (git-8465a8d84647c349) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.0.2p, Zlib 1.2.11, Liblzma 5.2.3, and Libzstd N/A.
Sep 11 13:49:26.854 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep 11 13:49:26.854 [notice] Read configuration file "/home/kai/.torrc".
Sep 11 13:49:26.859 [notice] Scheduler type KIST has been enabled.
Sep 11 13:49:26.859 [notice] Opening Socks listener on 127.0.0.1:9050
Sep 11 13:49:26.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Sep 11 13:49:27.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Sep 11 13:49:27.000 [notice] Bootstrapped 0%: Starting
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/cached-certs": Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/cached-consensus": Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/unverified-consensus": Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/cached-microdesc-consensus": Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/unverified-microdesc-consensus": Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/cached-microdescs" for mmap(): Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/cached-microdescs.new": Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/cached-descriptors" for mmap(): Permission denied
Sep 11 13:49:27.000 [warn] Could not open "/home/kai/.tor/cached-extrainfo" for mmap(): Permission denied
Sep 11 13:49:27.000 [notice] Starting with guard context "default"

============================================================ T= 1536666568
(Sandbox) Caught a bad syscall attempt (syscall openat)
tor(+0x2082ab)[0x5555e52ac2ab]
/lib64/libpthread.so.0(open64+0x5d)[0x7f3a603923cd]
/lib64/libpthread.so.0(open64+0x5d)[0x7f3a603923cd]
tor(tor_open_cloexec+0x5a)[0x5555e528bcfa]
tor(start_writing_to_file+0x1fc)[0x5555e52a4f2c]
tor(+0x20106b)[0x5555e52a506b]
tor(+0x201242)[0x5555e52a5242]
tor(or_state_save+0x229)[0x5555e518e6d9]
tor(+0x603ea)[0x5555e51043ea]
tor(+0x85aa4)[0x5555e5129aa4]
/usr/lib64/libevent-2.1.so.6(+0x29253)[0x7f3a61199253]
/usr/lib64/libevent-2.1.so.6(event_base_loop+0x52f)[0x7f3a6119a33f]
tor(do_main_loop+0x2cc)[0x5555e5109c8c]
tor(tor_run_main+0x20d5)[0x5555e510d9d5]
tor(tor_main+0x47)[0x5555e5102077]
tor(main+0x26)[0x5555e5101d86]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f3a5ffd005d]
tor(_start+0x2a)[0x5555e5101dea]

Upstream bug: https://trac.torproject.org/projects/tor/ticket/25440

But the commit is already in the source code: https://github.com/Jigsaw52/tor/commit/ed06866e8145b9cfb47acb5fc185e6de01d90a49
And reverting that change in sandbox.c makes tor work again with Sandbox=1.

Same with tor-0.3.4.8.

Finally found the actual upstream ticket: https://trac.torproject.org/projects/tor/ticket/27315

Created attachment 546906
patch fixing sandbox openat regression from 0.3.4.7_rc

(In reply to Kai Damm from comment #4)
> Created attachment 546906
> patch fixing sandbox openat regression from 0.3.4.7_rc

Looking at the upstream bug, it seems that it didn't land for 0.3.4.8. If it's not in 0.3.4.9 when it comes out, I'll backport.

The patch is not in the code for 0.3.4.9, but tor still works with sandbox, without patch. Even 0.3.4.7 works if compiled again. Possibly glibc related? The update to glibc-2.27 has been in between.

(In reply to Kai Damm from comment #6)
> The patch is not in the code for 0.3.4.9, but tor still works with sandbox,
> without patch. Even 0.3.4.7 works if compiled again. Possibly glibc related?
> The update to glibc-2.27 has been in between.

Weird.
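
A triage helper for the sandbox crash output quoted in this report, added here as an example (it is not part of the bug thread or of Tor): it extracts the rejected syscall and the chain of named tor functions that reached it. The names `triage` and `call_path` and the embedded sample, which is constructed from the first frames of the backtrace above, are assumptions made for the illustration.

```python
import re

# Constructed sample: the sandbox violation line and the first frames of the
# backtrace from the report above, one frame per line.
SAMPLE = """\
(Sandbox) Caught a bad syscall attempt (syscall openat)
tor(+0x2082ab)[0x5555e52ac2ab]
/lib64/libpthread.so.0(open64+0x5d)[0x7f3a603923cd]
/lib64/libpthread.so.0(open64+0x5d)[0x7f3a603923cd]
tor(tor_open_cloexec+0x5a)[0x5555e528bcfa]
tor(start_writing_to_file+0x1fc)[0x5555e52a4f2c]
tor(+0x20106b)[0x5555e52a506b]
tor(or_state_save+0x229)[0x5555e518e6d9]
"""

SYSCALL_RE = re.compile(r"Caught a bad syscall attempt \(syscall (\w+)\)")
# Frame layout as printed in the report: object(symbol+offset)[address];
# the symbol is empty when the binary has no name for that address.
FRAME_RE = re.compile(
    r"^(?P<obj>\S+)\((?P<sym>[^+()]*)\+0x[0-9a-f]+\)\[0x[0-9a-f]+\]$", re.I)

def triage(text):
    """Return (syscall, frames); frames are (object, symbol) pairs, innermost first."""
    m = SYSCALL_RE.search(text)
    if not m:
        return None, []
    frames = []
    for line in text[m.end():].splitlines():
        f = FRAME_RE.match(line.strip())
        if not f:
            continue  # skip blank lines and anything that is not a frame
        frame = (f["obj"].rsplit("/", 1)[-1], f["sym"] or None)
        # Collapse a named frame that is printed twice in a row (open64 above).
        if frames and frames[-1] == frame and frame[1] is not None:
            continue
        frames.append(frame)
    return m.group(1), frames

def call_path(frames, obj="tor"):
    """Named functions inside `obj`, innermost first."""
    return [sym for o, sym in frames if o == obj and sym]

if __name__ == "__main__":
    syscall, frames = triage(SAMPLE)
    print(syscall, "<-", " <- ".join(call_path(frames)))
```

On the sample, the rejected `openat` is reached from `tor_open_cloexec` via `start_writing_to_file` and `or_state_save`, entered through libpthread's `open64` wrapper.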