(Sandbox) Caught a bad syscall attempt (syscall time) (__NR_time not defined?)
I tried to run a Tor v0.2.8.0-alpha-dev mid relay on Linux 3.16.0-4-amd64 with the torrc option "Sandbox 1", but I only got this:
[warn] This version of Tor was built without support for sandboxing. To build with support for sandboxing on Linux, you must have libseccomp and its necessary header files (e.g. seccomp.h).
Seccomp is a feature of the Linux kernel that is enabled in (most) contemporary Linux distributions. It restricts a thread to a small number of system calls: read(), write(), exit() and sigreturn(). If the thread calls any other system call, the entire process gets terminated. Now Seccomp is deprecated.
Starting with Linux 3.16, the new seccomp.2, a.k.a. Seccomp-BPF, has a Berkeley Packet Filter (BPF) with optional allowed syscalls other than the above-mentioned four syscalls, at the developer's choice and according to the application-specific tasks.
I want to know if the tor code is updated and ready to use Seccomp-BPF to make "Sandbox 1" operational, and exactly what prerequisites and additional compile parameters are needed to compile tor with support for sandboxing.