[Tor-BSD] [CFT] HardenedBSD's security/tor-capsicum port

Shawn Webb shawn.webb at hardenedbsd.org
Tue Feb 27 14:03:57 EST 2018


On Tue, Feb 27, 2018 at 01:44:00PM -0500, Shawn Webb wrote:
> On Tue, Feb 27, 2018 at 12:48:29PM -0500, Shawn Webb wrote:
> > Hey All,
> > 
> > Many of you know that I've been working on Capsicum support in Tor.
> > I've added a ports entry for it in the HardenedBSD ports tree,
> > security/tor-capsicum.
> > 
> > To enable capmode, you'll need to add "Sandbox 1" to your torrc. Note
> > that since libevent does not support Capsicum and creates sockets on
> > its own, using DNSPort (most commonly used in transparent proxy
> > setups) with capmode enabled is unsupported. I've filed a bug report
> > with libevent to start the discussion around adding a
> > Capsicum-friendly API for socket creation/maintenance.
> > 
> > On HardenedBSD 12-CURRENT/amd64, security/tor-capsicum is compiled with:
> >   - PIE
> >   - Full RELRO
> >   - CFI (without the cfi-icall scheme)
> >   - SafeStack
> >   - Retpoline
> >   - Capsicum support
> > 
> > Please test and let me know any success or failure stories.
> 
> I've now tested in relay mode. It appears there's a bug that prevents
> relay mode from working. I hope to have this resolved within a week.
> 
> So, don't run with Capsicum enabled if you're running a relay.
> However, please test if you're running simply as a client node.

This is due to Tor using libevent to handle DNS when in relay mode. As
noted above, libevent does not support Capsicum. So fixing relay mode
will require a Capsicum-friendly libevent.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.nycbug.org/pipermail/tor-bsd/attachments/20180227/87d7923f/attachment.bin>


More information about the Tor-BSD mailing list