[tor-bugs] #24400 [Core Tor/Tor]: Seccomp filter incorrectly tries to act on strings, allowing sandbox bypass

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 5 01:16:14 UTC 2017


#24400: Seccomp filter incorrectly tries to act on strings, allowing sandbox bypass
--------------------------+------------------------------------
 Reporter:  Sebastian     |          Owner:  (none)
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor  |        Version:
 Severity:  Major         |     Resolution:
 Keywords:  sandbox       |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by cypherpunks):

 >It's sure not very clean code, though, and I can believe that there are
 >ways around it that we don't know about. How does the brk() bypass work
 >here? What are the other bypasses that we should know about?

 I saw a demonstration when I proposed this idea to... I think it was
 TheJH? I'd have to ask again to remember the details.

 >(and android?)

 Android works the same way as vanilla Linux in this respect.

 >In the shorter term, we could remove the logic that tries to list all the
 >files and only permit those, and instead permit open, openat, rename, etc.
 >more generally, if there's a benefit to that.

 While removal would fix some bugs, it still provides (I think) benefit for
 systems with PaX MPROTECT, since that prevents making rx pages writable
 (such as `.text`).

 >We should also figure out what timeframe we can do the "right" solution
 >on.

 This is an issue for many projects, so there is effort to remedy this
 (e.g. with an LSM). It might be best for the "right" solution to use that
 when it comes out. Having a separate process or greatly reworking the
 architecture of Tor doesn't seem likely.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24400#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

