[tor-dev] [GSOC] Status report - Tor capabilities
cristian.matei.toader at gmail.com
Fri Jun 28 14:25:56 UTC 2013
As a small reminder the purpose of the project is to create
capabilities based sandboxing for Tor, which may only allow the
program to execute a number of predefined syscalls.
For the past 2 weeks:
- I have consulted with Nick Mathewson (nickm) and agreed upon using
seccomp2, and more recently a library built on top of that called
- I have set up a public remote branch.
- We have agreed on a 3 step plan for the project:
1. General sandbox based on a single (permissive) filter which
restricts tor to using a number of syscalls.
2. Add a configuration option for step 1: if any parts were broken
in phase 1 by adding capabilities, they can be re-enabled at the cost
3. Figure out what functionality should be split into separate
processes, based on our experience from step 1 and step 2.
- So far I have implemented step 1 using both libseccomp and seccomp2.
Step 1 was developed in such a way that nothing from tor should
be broken at the moment. What this means is that sandboxing currently
exists in the remote branch, but is fairly coarse and will need some
fine tuning at a later stage, such as only allowing specific files to
be opened, or allowing the exec syscall to be called with specific
These days I will be adding command line support, which is basically
step 2, which will be followed by a code review and merge in the
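An added illustration of the step 1 approach (my own example, not code from Cristian's branch or from Tor): a single whitelist filter written directly against seccomp2's BPF interface, installed in a forked child so the parent can observe whether a given call is allowed or killed. The two-entry syscall list, the x86_64/aarch64 architecture assumption and the `probe_syscall` helper are mine, not the project's.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 when not aarch64 */
#endif
/* Install a whitelist filter in the calling process: reject calls made under a
 * foreign ABI (numbers differ per arch), allow the numbers in `allow`, kill the rest. */
int install_whitelist(const int *allow, size_t n)
{
    struct sock_filter prog[5 + 2 * n];
    size_t k = 0;
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allow[i], 0, 1);
        prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL); /* default: deny */
    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed when unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Constructed sample whitelist; exit_group must be present so the child can end. */
static const int demo_allow[] = { SYS_exit_group, SYS_getpid };
/* Run syscall `nr` in a sandboxed child: 0 if it completed, the signal (SIGSYS) if killed, -1 on error. */
int probe_syscall(const int *allow, size_t n, long nr)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_whitelist(allow, n) != 0) _exit(2);
        syscall(nr);
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The filter only sees raw register values, so the "specific files" fine tuning the report mentions cannot be done by inspecting the pathname pointer in BPF; integer arguments such as open flags can be checked the same way via `offsetof(struct seccomp_data, args[i])`.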