[tor-bugs] #24400 [Core Tor/Tor]: Seccomp filter incorrectly tries to act on strings, allowing sandbox bypass
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Dec 5 01:16:14 UTC 2017
#24400: Seccomp filter incorrectly tries to act on strings, allowing sandbox bypass
--------------------------+------------------------------------
Reporter: Sebastian | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor | Version:
Severity: Major | Resolution:
Keywords: sandbox | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+------------------------------------
Comment (by cypherpunks):
> It's sure not very clean code, though, and I can believe that there are
> ways around it that we don't know about. How does the brk() bypass work
> here? What are the other bypasses that we should know about?
I saw a demonstration when I proposed this idea to... I think it was
TheJH? I'd have to ask again to remember the details.
>(and android?)
Android works the same way as vanilla Linux in this respect.
> In the shorter term, we could remove the logic that tries to list all the
> files and only permit those, and instead permit open, openat, rename, etc
> more generally, if there's a benefit to that.
While removal would fix some bugs, it still provides (I think) benefit for
systems with PaX MPROTECT, since that prevents making rx pages writable
(such as `.text`).
> We should also figure out what timeframe we can do the "right" solution
> on.
This is an issue for many projects, so there is effort to remedy this
(e.g. with an LSM). It might be best for the "right" solution to use that
when it comes out. Having a separate process or greatly reworking the
architecture of Tor doesn't seem likely.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24400#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online