seccomp2
Tor should attempt to use seccomp2 - to that end - we should find a list of syscalls that we'd will ever expect tor to use and add them to a seccomp filter. We should also allow relays to have a much more restrictive seccomp filter set if they wish at compile time.
A good url for examples is here: http://outflux.net/teach-seccomp/
We may want to use libseccomp: http://sourceforge.net/projects/libseccomp/ http://sourceforge.net/p/libseccomp/libseccomp/ci/f08622cda8ff41d8d77d70ab034ab26413289013/tree/
In theory this will be a first line (zero being not having a bug) of defense against someone actually getting arbitrary code execution in tor or related libraries. The next line of defense would be a jail or a chroot. The next line would be some kind of kernel ACL/MAC like SELinux/AppArmor/GRSec/etc. I suppose in reality, it's all together as one but I'm pretending for the sake of simplicity.