[tor-bugs] #12751 [Tor]: systemd unit file could use more filesystem namespace hardening options

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 31 16:25:04 UTC 2014


#12751: systemd unit file could use more filesystem namespace hardening options
---------------------------+--------------------------------------------
     Reporter:  intrigeri  |      Owner:  intrigeri
         Type:  defect     |     Status:  needs_review
     Priority:  normal     |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor        |    Version:
   Resolution:             |   Keywords:  tor-relay systemd 025-backport
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+--------------------------------------------

Comment (by intrigeri):

 Replying to [comment:3 nickm]:
 > Do we care about managed pluggable transports launched by the Tor
 process here?

 Good point. My answer is that we definitely care: I don't want relay
 operators to mentally associate "systemd" with "breaks stuff that used to
 work just fine". The transition should be as smooth as possible.

 So, I have tested the proposed systemd unit file changes with obfsproxy
 (obfs3, scramblesuit) both on the client and relay sides.

 This question of yours also had me write an AppArmor profile for obfsproxy
 to confirm that it doesn't need to access other parts of the filesystem
 than what the proposed systemd unit file allows
 (https://bugs.debian.org/739284), so I'm now reasonably confident we're
 not going to break these use cases here.

 > Do they inherit these restrictions?

 I'm pretty sure they do, as the filesystem restrictions are implemented
 with Linux namespaces, and I don't see how a child process could escape
 them.

 > Would you like to narrow read directories down as well?  If so, see the
 list of stuff in the function sandbox_init_filter() in main.c.

 It could be a nice bonus, and I've tried it already, but my attempts at
 using a whitelist approach here (setting InaccessibleDirectories=/, and
 then adding the required directories to ReadOnlyDirectories) failed. I'll
 have to ask the systemd community for help on that one. I don't think
 that's a blocker, and I must say it's pretty low priority on my to-do list:
 the use cases I'm most interested in also have AppArmor confinement
 profiles, or will have soonish.

 > (Also please let me know if there's some reason that Tails can't enable
 "sandbox 1"; I want to fix it if there is.)

 I'll have a look and report back.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12751#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
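For readers unfamiliar with the directives the ticket is about, here is an added illustration of the read-only-root style of filesystem namespace hardening (the approach that works, as opposed to the `InaccessibleDirectories=/` whitelist attempt the comment reports as failing). It is not the unit file proposed in the ticket; the `ExecStart` line, the `User` and the paths are assumed (a typical Debian layout) and must match the `DataDirectory`, `PidFile` and `Log` settings of the torrc actually in use.

```ini
# Added example, not the ticket's unit file. Directive names are the
# pre-systemd-231 spellings in use in 2014 (later renamed ReadOnlyPaths=,
# ReadWritePaths=, InaccessiblePaths=). All paths below are assumed.
[Unit]
Description=Anonymizing overlay network for TCP (example unit)
After=network.target

[Service]
Type=simple
User=debian-tor
ExecStart=/usr/bin/tor -f /etc/tor/torrc

# Start from a read-only view of the whole tree, then re-grant write
# access only to the directories tor must write: DataDirectory, logs
# and the PidFile/ControlSocket directory. These must match torrc.
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/log/tor
ReadWriteDirectories=/var/run/tor

# Trees tor has no reason to see at all: hidden, not just read-only.
InaccessibleDirectories=/home
InaccessibleDirectories=/root

# Private /tmp so nothing is shared with other services' temp files.
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

Because these restrictions are mount-namespace based, every child tor spawns (for instance a `ClientTransportPlugin`/`ServerTransportPlugin` obfsproxy) inherits the same view; a transport keeping its state under `DataDirectory/pt_state` is therefore covered by the `/var/lib/tor` grant, while a transport writing elsewhere would fail under this unit.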

