[Whonix-devel] #25140 [Core Tor/Tor]: Parse only .torrc files in torrc.d directory

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 4 19:35:57 CEST 2019

#25140: Parse only .torrc files in torrc.d directory
 Reporter:  iry                                  |          Owner:
                                                 |  Jigsaw52
     Type:  task                                 |         Status:
                                                 |  needs_revision
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  0.4.1.x-final
Component:  Core Tor/Tor                         |        Version:  Tor:
 Severity:  Major                                |     Resolution:
 Keywords:  034-triage-20180328,                 |  Actual Points:
  035-removed-20180711                           |
Parent ID:                                       |         Points:
 Reviewer:  ahf                                  |        Sponsor:

Comment (by Jigsaw52):

 I was finally able to run Travis CI on my system and reproduce the

 The crash when reloading the configuration file with seccomp sandbox
 enabled was actually a bug that only happens with libc < 2.26. libc
 versions before 2.26 did not use openat to open files but used it on
 readdir. The previous seccomp rules for %included files and directories
 allowed them to be opened, which added either the rule for openat or for
 open, depending on your libc version. Because the initial %include sandbox
 rules were only tested on libc >= 2.26, where everything used openat, this
 was fine. When testing on libc < 2.26, only open (not openat) was allowed
 for the %included files and directories. Because readdir, which will be
 called for any %included directories, used openat, it caused tor to crash.

 The fix was always adding the openat rule for %included directories
 regardless of the libc version in use.

 Additionally, another problem was found and fixed: when tor is compiled
 with NSS, it will call getpeername and socket with some arguments that
 were not allowed by the sandbox rules. This caused tor to crash on
 startup. I've added the required rules and tor no longer crashes.

 Also, I have mixed feelings on adding an automatic test for the seccomp
 sandbox. While it is great that this functionally can now be tested
 automatically (and it caught two bugs already), the seccomp sandbox is, by
 its nature, very fragile and this test will easily break when people start
 running on systems with different configurations. What do you think?
 Should this test configuration enable the seccomp sandbox?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25140#comment:44>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the Whonix-devel mailing list