[Tor-BSD] [CFT] HardenedBSD's security/tor-capsicum port

George Rosamond george at ceetonetechnology.com
Tue Feb 27 15:39:00 EST 2018


Shawn Webb:
> On Wed, Feb 28, 2018 at 07:31:35AM +1100, teor wrote:
>>
>>> On 28 Feb 2018, at 06:03, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
>>>
>>>> On Tue, Feb 27, 2018 at 01:44:00PM -0500, Shawn Webb wrote:
>>>>> On Tue, Feb 27, 2018 at 12:48:29PM -0500, Shawn Webb wrote:
>>>>> Hey All,
>>>>>
>>>>> Many of you know that I've been working on Capsicum support in Tor.
>>>>> I've added a ports entry for it in the HardenedBSD ports tree,
>>>>> security/tor-capsicum.
>>>>>
>>>>> To enable capmode, you'll need to add "Sandbox 1" to your torrc. Note
>>>>> that since libevent does not support Capsicum and creates sockets on
>>>>> its own, using DNSPort (most commonly used in transparent proxy
>>>>> setups) with capmode enabled is unsupported. I've filed a bug report
>>>>> with libevent to start the discussion around adding a
>>>>> Capsicum-friendly API for socket creation/maintenance.
>>>>>
>>>>> On HardenedBSD 12-CURRENT/amd64, security/tor-capsicum is compiled with:
>>>>>  - PIE
>>>>>  - Full RELRO
>>>>>  - CFI (without the cfi-icall scheme)
>>>>>  - SafeStack
>>>>>  - Retpoline
>>>>>  - Capsicum support
>>>>>
>>>>> Please test and let me know any success or failure stories.
>>>>
>>>> I've now tested in relay mode. It appears there's a bug that prevents
>>>> relay mode from working. I hope to have this resolved within a week.
>>>>
>>>> So, don't run with Capsicum enabled if you're running a relay.
>>>> However, please test if you're running simply as a client node.
>>>
>>> This is due to Tor using libevent to handle DNS when in relay mode. As
>>> noted above, libevent does not support Capsicum. So fixing relay mode
>>> will require a Capsicum-friendly libevent.
>>
>> Does Capsicum work for non-exit relays?
>> They shouldn't use DNS for anything important.
> 
> It doesn't. Tor is still calling the evdns_* API for some reason. I
> need to do some extra digging to figure out the full call stack to see
> why the tor daemon is doing DNS stuff in a non-exit relay
> configuration.

It was *just* submitted as a tarball for OpenBSD ports... not that it's
related to Capsicum.

g


