[Tor-BSD] [CFT] HardenedBSD's security/tor-capsicum port

Shawn Webb shawn.webb at hardenedbsd.org
Tue Feb 27 15:35:47 EST 2018


On Wed, Feb 28, 2018 at 07:31:35AM +1100, teor wrote:
> 
> > On 28 Feb 2018, at 06:03, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
> > 
> >> On Tue, Feb 27, 2018 at 01:44:00PM -0500, Shawn Webb wrote:
> >>> On Tue, Feb 27, 2018 at 12:48:29PM -0500, Shawn Webb wrote:
> >>> Hey All,
> >>> 
> >>> Many of you know that I've been working on Capsicum support in Tor.
> >>> I've added a ports entry for it in the HardenedBSD ports tree,
> >>> security/tor-capsicum.
> >>> 
> >>> To enable capmode, you'll need to add "Sandbox 1" to your torrc. Note
> >>> that since libevent does not support Capsicum and creates sockets on
> >>> its own, using DNSPort (most commonly used in transparent proxy
> >>> setups) with capmode enabled is unsupported. I've filed a bug report
> >>> with libevent to start the discussion around adding a
> >>> Capsicum-friendly API for socket creation/maintenance.
> >>> 
> >>> On HardenedBSD 12-CURRENT/amd64, security/tor-capsicum is compiled with:
> >>>  - PIE
> >>>  - Full RELRO
> >>>  - CFI (without the cfi-icall scheme)
> >>>  - SafeStack
> >>>  - Retpoline
> >>>  - Capsicum support
> >>> 
> >>> Please test and let me know any success or failure stories.
> >> 
> >> I've now tested in relay mode. It appears there's a bug that prevents
> >> relay mode from working. I hope to have this resolved within a week.
> >> 
> >> So, don't run with Capsicum enabled if you're running a relay.
> >> However, please test if you're running simply as a client node.
> > 
> > This is due to Tor using libevent to handle DNS when in relay mode. As
> > noted above, libevent does not support Capsicum. So fixing relay mode
> > will require a Capsicum-friendly libevent.
> 
> Does Capsicum work for non-exit relays?
> They shouldn't use DNS for anything important.

It doesn't. Tor is still calling the evdns_* API for some reason. I
need to do some extra digging to figure out the full call stack to see
why the tor daemon is doing DNS stuff in a non-exit relay
configuration.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
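
A pre-flight check for the two limitations described in this thread, as an added example (not code from the post or from the HardenedBSD port): it flags a torrc that combines "Sandbox 1" with DNSPort or with relay mode. It assumes a relay is identified by a non-zero ORPort, does not follow included files, and runs on a constructed sample torrc; the function names are hypothetical.

```python
# Constructed sample torrc for illustration (not taken from the post).
SAMPLE_TORRC = """\
# client used behind a transparent proxy
SocksPort 9050
sandbox 1          # enables capmode in security/tor-capsicum
DNSPort 127.0.0.1:5353
ORPort 0
"""

def parse_torrc(text):
    """Return {lowercased option: [values]}; torrc option names are case-insensitive."""
    opts = {}
    # Join backslash-continued lines, then drop comments and blank lines.
    # Simplification: a '#' inside a quoted value is treated as a comment.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def port_enabled(values):
    """A port option is active unless every occurrence is set to 0."""
    return any(v.split()[0] != "0" for v in values if v.split())

def capmode_conflicts(text):
    """List (option, reason) pairs that conflict with Sandbox 1 per the thread."""
    opts = parse_torrc(text)
    # Assumption: for a single-valued option the last occurrence wins.
    if opts.get("sandbox", ["0"])[-1] != "1":
        return []
    findings = []
    if port_enabled(opts.get("dnsport", [])):
        findings.append(("DNSPort", "unsupported with capmode: libevent "
                         "creates its own sockets and lacks Capsicum support"))
    if port_enabled(opts.get("orport", [])):
        findings.append(("ORPort", "relay mode does not work with capmode: "
                         "Tor calls libevent's evdns_* API"))
    return findings

if __name__ == "__main__":
    for option, reason in capmode_conflicts(SAMPLE_TORRC):
        print(f"{option}: {reason}")
```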