August 2017 - tor-commits - lists.torproject.org

[tor/master] Block managed proxies at a higher point
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit 5fa8d05bfa17d61a2cf96c87f0ffd9a2b6e577d2 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 9 10:48:43 2017 -0400 Block managed proxies at a higher point --- src/or/config.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/or/config.c b/src/or/config.c index 7499dab47..e282a6cc6 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -5741,6 +5741,15 @@ parse_transport_line(const or_options_t *options, goto err; } + if (is_managed && options->NoExec) { + log_warn(LD_CONFIG, + "Managed proxies are not compatible with NoExec mode; ignoring." + "(%sTransportPlugin line was %s)", + server ? "Server" : "Client", escaped(line)); + r = 0; + goto done; + } + if (is_managed) { /* managed */

1 0

[tor/master] Also disable spawning on Sandbox.
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit a0bb1ff6ab0be8faa7284aec3f7f93e31e8578d9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 9 10:56:57 2017 -0400 Also disable spawning on Sandbox. This isn't a functional change, but it makes our logic more clear, and catches bugs earlier. --- changes/feature22976 | 3 ++- src/or/config.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/changes/feature22976 b/changes/feature22976 index 334f47ad0..407fd15b0 100644 --- a/changes/feature22976 +++ b/changes/feature22976 @@ -1,5 +1,6 @@ o Minor features (integration, hardening): - - Added a new NoExec option to . When this option is set to 1, + - Added a new NoExec option, to prevent Tor from running + other programs. When this option is set to 1, Tor will never try to run another program, regardless of the settings of PortForwardingHelper, ClientTransportPlugin, or ServerTransportPlugin. Once NoExec is set, it cannot be diff --git a/src/or/config.c b/src/or/config.c index e282a6cc6..30853724e 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1596,7 +1596,7 @@ options_act(const or_options_t *old_options) const int transition_affects_guards = old_options && options_transition_affects_guards(old_options, options); - if (options->NoExec) { + if (options->NoExec || options->Sandbox) { tor_disable_spawning_background_processes(); }

1 0

[tor/master] Merge branch 'feature22976_squashed'
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit d37e8b407a762316e89e0c0a613c26372ec897aa Merge: f4f828640 a0bb1ff6a Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Aug 24 09:23:43 2017 -0400 Merge branch 'feature22976_squashed' changes/feature22976 | 8 +++++++ doc/tor.1.txt | 7 ++++++ src/common/sandbox.c | 63 ---------------------------------------------------- src/common/sandbox.h | 8 ------- src/common/util.c | 20 +++++++++++++++++ src/common/util.h | 2 ++ src/or/config.c | 24 ++++++++++++++++++++ src/or/main.c | 3 ++- src/or/or.h | 4 ++++ 9 files changed, 67 insertions(+), 72 deletions(-)

1 0

[tor/master] Remove the #if 0ed code that was supposed to let the sandbox allow exec
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit 94352368db9045a9704c713dbbc0f41ecc511910 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 9 10:36:45 2017 -0400 Remove the #if 0ed code that was supposed to let the sandbox allow exec --- src/common/sandbox.c | 63 ---------------------------------------------------- src/common/sandbox.h | 8 ------- 2 files changed, 71 deletions(-) diff --git a/src/common/sandbox.c b/src/common/sandbox.c index c06f9694b..18beaabe1 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -289,37 +289,6 @@ sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return rc; } -#if 0 -/** - * Function responsible for setting up the execve syscall for - * the seccomp filter sandbox. - */ -static int -sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter) -{ - int rc; - sandbox_cfg_t *elem = NULL; - - // for each dynamic parameter filters - for (elem = filter; elem != NULL; elem = elem->next) { - smp_param_t *param = elem->param; - - if (param != NULL && param->prot == 1 && param->syscall - == SCMP_SYS(execve)) { - rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), - SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value)); - if (rc != 0) { - log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received " - "libseccomp error %d", rc); - return rc; - } - } - } - - return 0; -} -#endif - /** * Function responsible for setting up the time syscall for * the seccomp filter sandbox. @@ -1063,9 +1032,6 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) static sandbox_filter_func_t filter_func[] = { sb_rt_sigaction, sb_rt_sigprocmask, -#if 0 - sb_execve, -#endif sb_time, sb_accept4, #ifdef __NR_mmap2 @@ -1417,26 +1383,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) return 0; } -#if 0 -int -sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) -{ - sandbox_cfg_t *elem = NULL; - - elem = new_element(SCMP_SYS(execve), com); - if (!elem) { - log_err(LD_BUG,"(Sandbox) failed to register parameter!"); - return -1; - } - - elem->next = *cfg; - *cfg = elem; - - return 0; -} - -#endif - /** Cache entry for getaddrinfo results; used when sandboxing is implemented * so that we can consult the cache when the sandbox prevents us from doing * getaddrinfo. @@ -1910,15 +1856,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) return 0; } -#if 0 -int -sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) -{ - (void)cfg; (void)com; - return 0; -} -#endif - int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file) { diff --git a/src/common/sandbox.h b/src/common/sandbox.h index a6b83153a..55454eaa2 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -156,14 +156,6 @@ int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2); */ int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file); -#if 0 -/** - * Function used to add a execve allowed filename to a supplied configuration. - * The (char*) specifies the path to the allowed file; that pointer is stolen. - */ -int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com); -#endif - /** * Function used to add a stat/stat64 allowed filename to a configuration. * The (char*) specifies the path to the allowed file; that pointer is stolen.

1 0

[tor/master] Block the port-forwarding helper at a higher point
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit 801aa5d03b3a62c7ed09e8c36629ced23e8c663a Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 9 10:48:43 2017 -0400 Block the port-forwarding helper at a higher point --- src/or/config.c | 4 ++++ src/or/main.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/or/config.c b/src/or/config.c index 16e4ded69..7499dab47 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -3575,6 +3575,10 @@ options_validate(or_options_t *old_options, or_options_t *options, REJECT("PortForwarding is not compatible with Sandbox; at most one can " "be set"); } + if (options->PortForwarding && options->NoExec) { + COMPLAIN("Both PortForwarding and NoExec are set; PortForwarding will " + "be ignored."); + } if (ensure_bandwidth_cap(&options->BandwidthRate, "BandwidthRate", msg) < 0) diff --git a/src/or/main.c b/src/or/main.c index 42d984acf..45c37159d 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2036,7 +2036,8 @@ check_fw_helper_app_callback(time_t now, const or_options_t *options) { if (net_is_disabled() || ! server_mode(options) || - ! options->PortForwarding) { + ! options->PortForwarding || + options->NoExec) { return PERIODIC_EVENT_NO_UPDATE; } /* 11. check the port forwarding app */

1 0

[tor/master] Treat a bad tor_spawn_background() as a BUG().
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit b4963da987f0b374a2bbfd866e1a36358b1e750f Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 9 10:55:30 2017 -0400 Treat a bad tor_spawn_background() as a BUG(). The contract is that, if may_spawn_background_process() is 0, you're not even allowed to try to spawn a process. --- src/common/util.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/common/util.c b/src/common/util.c index 18108fc24..eff678d6a 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -4180,8 +4180,11 @@ tor_spawn_background(const char *const filename, const char **argv, process_environment_t *env, process_handle_t **process_handle_out) { - if (may_spawn_background_process == 0) + if (BUG(may_spawn_background_process == 0)) { + /* We should never reach this point if we're forbidden to spawn + * processes. Instead we should have caught the attempt earlier. */ return PROCESS_STATUS_ERROR; + } #ifdef _WIN32 HANDLE stdout_pipe_read = NULL;

1 0

[tor/master] Clean up choose_good_entry_server() doc; add assertion
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit df3bdc6bdeb7e8eef13248ba245a70fd8cbf1f86 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jul 31 20:35:58 2017 -0400 Clean up choose_good_entry_server() doc; add assertion We used to allow state==NULL here, but we no longer do. Fixes bug 22779. --- changes/bug22779 | 4 ++++ src/or/circuitbuild.c | 8 +++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/changes/bug22779 b/changes/bug22779 new file mode 100644 index 000000000..dc5bc3859 --- /dev/null +++ b/changes/bug22779 @@ -0,0 +1,4 @@ + o Minor features (client, entry guards): + - Add an extra check to make sure that we always use the + new guard selection code for picking our guards. Closes + ticket 22779. diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 16cef0e56..f7dc7cbc6 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -2358,9 +2358,6 @@ choose_good_middle_server(uint8_t purpose, * router (if we're an OR), and respect firewall settings; if we're * configured to use entry guards, return one. * - * If <b>state</b> is NULL, we're choosing a router to serve as an entry - * guard, not for any particular circuit. - * * Set *<b>guard_state_out</b> to information about the guard that * we're selecting, which we'll use later to remember whether the * guard worked or not. @@ -2378,6 +2375,11 @@ choose_good_entry_server(uint8_t purpose, cpath_build_state_t *state, CRN_DIRECT_CONN); const node_t *node; + /* Once we used this function to select a node to be a guard. We had + * 'state == NULL' be the signal for that. But we don't do that any more. + */ + tor_assert_nonfatal(state); + if (state && options->UseEntryGuards && (purpose != CIRCUIT_PURPOSE_TESTING || options->BridgeRelay)) { /* This request is for an entry server to use for a regular circuit,

1 0

[tor/master] Merge branch 'bug22779_031'
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit f4f828640f25d73e9a29c3d901af4ab594de0d56 Merge: 53c82c082 df3bdc6bd Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Aug 24 09:18:39 2017 -0400 Merge branch 'bug22779_031' changes/bug22779 | 4 ++++ src/or/circuitbuild.c | 8 +++++--- 2 files changed, 9 insertions(+), 3 deletions(-)

1 0

[tor/master] Merge branch 'bug22677'
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit 53c82c0821737ce76bb99a75b5f309d0b2d715ba Merge: 18f3f1ffa 69222fe87 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Aug 24 09:18:03 2017 -0400 Merge branch 'bug22677' changes/bug22677 | 3 +++ doc/tor.1.txt | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-)

1 0

[tor/master] Clarify that "sandbox 1" requires linux and seccomp2
by nickm＠torproject.org 24 Aug '17

24 Aug '17

commit 69222fe87d5c79bd389905b3041f1c2187d6a1e8 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 9 09:29:34 2017 -0400 Clarify that "sandbox 1" requires linux and seccomp2 Closes 22677. --- changes/bug22677 | 3 +++ doc/tor.1.txt | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/changes/bug22677 b/changes/bug22677 new file mode 100644 index 000000000..6d750172a --- /dev/null +++ b/changes/bug22677 @@ -0,0 +1,3 @@ + o Documentation: + - Clarify in the manual that "Sandbox 1" is only supported on Linux + kernels. Closes ticket 22677. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index b4a3cc5f7..dd860af5b 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -558,8 +558,10 @@ GENERAL OPTIONS [[Sandbox]] **Sandbox** **0**|**1**:: If set to 1, Tor will run securely through the use of a syscall sandbox. Otherwise the sandbox will be disabled. The option is currently an - experimental feature. Can not be changed while tor is running. - + experimental feature. It only works on Linux-based operating systems, + and only when Tor has been built with the libseccomp library. This option + can not be changed while tor is running. + + When the Sandbox is 1, the following options can not be changed when tor is running: Address

1 0