[tor-dev] [GSOC] Status report - Tor capabilities

[Cristian-Matei Toader]

Hello tor-dev,

As a small reminder the purpose of the project is to create
capabilities based sandboxing for Tor, which may only allow the
program to execute a number of predefined syscalls.

For the past 2 weeks:

- I have consulted with Nick Mathewson (nickm) and agreed upon using
seccomp2 [1], and more recently a library built on top of that called
libseccomp [2].

- I have set up a public remote branch [3].

- We have agreed on a 3 step plan for the project:
    1. General sandbox based on a single (permisive) filter which
restricts tor to using a number of syscalls.
    2. Add configuration option for step 1, if any parts were broken
in phase 1 by adding capabilities, they can be re-enabled at the cost
of security.
    3. Figure out what functionality should be split into separate
processes, based on our experience from step 1 and step 2.

- So far I have implemented step 1 using both libseccomp and seccomp2
[3]. Step 1 was developed in such a way that nothing from tor should
be broken at the moment; What this means is that sandboxing currently
exists in the remote branch, but is fairly coarse and will need some
fine tuning at a later stage such as only allowing specific files to
be open, or allowing the exec syscall to be called with specific
parameters.

These days I will be adding command line support, which is basically
step 2, which will be followed by a code review and merge in the
master branch.

[1] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt;hb=HEAD
[2] http://sourceforge.net/projects/libseccomp/
[3] https://github.com/cristiantoader/tor-gsoc-capabilities