[tor-bugs] #20773 [Applications/Tor Browser Sandbox]: Stop mounting `/proc` in the various containers once this is feasible.

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Nov 26 18:24:36 UTC 2016


#20773: Stop mounting `/proc` in the various containers once this is feasible.
----------------------------------------------+-------------------------
 Reporter:  yawning                           |          Owner:  yawning
     Type:  enhancement                       |         Status:  new
 Priority:  Medium                            |      Milestone:
Component:  Applications/Tor Browser Sandbox  |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------

Comment (by yawning):

 Looking at the go runtime library's use of "/proc" as of 1.7.3:
  * `src/syscall/exec_linux.go` - `/proc/$PID/[setgroups,uid_map,gid_map]`
  * `src/runtime/pprof/pprof.go` - `/proc/self/maps`
  * `src/os/sys_linux.go` - `/proc/sys/kernel/hostname`
  * `src/net/sock_linux.go` - `/proc/sys/net/core/somaxconn`
  * `src/net/interface_linux.go` - `/proc/net/[igmp,igmp6]`
  * `src/cmd/internal/pprof/report/source.go` - `/proc/self/cwd`
  * `src/cmd/dist/build.go` - `/proc/$PID/ns`

 The files that may be accessed by obfs4proxy are:
  * `/proc/sys/kernel/hostname` which is compiled in because the `log`
 package has syslog support.
  * `/proc/sys/net/core/somaxconn` which is used to determine the
 `listen()` backlog, but will default to `128` if the read/parse fails in
 any way.

 Based on this I shall disable `/proc` entirely for the tor container.

 https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=db09c0bb793c705a13e275dc6d52eed70ca95c80

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20773#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
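The comment above argues that dropping `/proc` from the tor container is safe because the two paths obfs4proxy can touch either matter only for syslog or degrade gracefully (the `somaxconn` read falls back to `128`). The following is an added example, not code from the ticket, the Go runtime or sandboxed-tor-browser: it re-implements that tolerant fallback in the same shape (any read or parse failure yields the default) and adds a small probe that reports which of the `/proc` paths listed in the comment are still visible, which is the check one would run inside the container to confirm the policy holds. The `defaultBacklog` constant mirrors the `128` the comment cites; the probe substitutes `self` for `$PID` as an assumption, since the real runtime uses the child's PID.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// defaultBacklog mirrors the fallback value the ticket attributes to Go's net
// package when /proc/sys/net/core/somaxconn cannot be read or parsed.
const defaultBacklog = 128

// parseBacklog is an illustrative re-implementation of the tolerant strategy
// the ticket describes: a missing file, an empty file, or non-numeric content
// all yield the default rather than an error. It is not the runtime's code.
func parseBacklog(data []byte, readErr error) int {
	if readErr != nil {
		return defaultBacklog
	}
	n, err := strconv.Atoi(strings.TrimSpace(string(data)))
	if err != nil || n <= 0 {
		return defaultBacklog
	}
	return n
}

// backlogFromPath reads a somaxconn-style file. With /proc unmounted the read
// fails and the default is returned, which is why the ticket considers the
// path safe to lose.
func backlogFromPath(path string) int {
	data, err := os.ReadFile(path)
	return parseBacklog(data, err)
}

// procPaths are the /proc locations the ticket lists for the Go 1.7.3 runtime.
// "$PID" entries are written with "self" here (an assumption for the probe).
var procPaths = []string{
	"/proc/self/setgroups", "/proc/self/uid_map", "/proc/self/gid_map",
	"/proc/self/maps", "/proc/sys/kernel/hostname",
	"/proc/sys/net/core/somaxconn", "/proc/net/igmp", "/proc/net/igmp6",
	"/proc/self/cwd", "/proc/self/ns",
}

// procVisible reports which of the given paths exist. Run inside a container
// that is meant to have no /proc, an empty result confirms the policy holds.
func procVisible(paths []string) []string {
	var seen []string
	for _, p := range paths {
		if _, err := os.Lstat(p); err == nil {
			seen = append(seen, p)
		}
	}
	return seen
}

func main() {
	fmt.Printf("listen backlog: %d\n", backlogFromPath("/proc/sys/net/core/somaxconn"))
	fmt.Printf("/proc paths still visible: %v\n", procVisible(procPaths))
}
```

On a normal host the probe lists every path and the backlog reflects the kernel value; inside a container with `/proc` unmounted it prints an empty list and `128`, matching the degraded-but-working behaviour the comment relies on.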