seccomp sandbox is disabling speculative stores, which hurts performance and doesn't have a security benefit in this case
tor uses a seccomp sandbox (via libseccomp) and does not opt out of the Speculative Store Bypass mitigation.
The Speculative Store Bypass mitigation disables speculative stores on the CPU, which can have a very negative effect on CPU performance. e.g. in some Shadow simulations (not of tor), we saw a 50% performance penalty when this mitigation was enabled: https://github.com/shadow/shadow/issues/1489.
As a result, untrusted (possibly malicious) code can run within a sandbox and abuse store buffer speculation to read sensitive data from the sandbox itself.
IIUC, in tor's case, the code being sandboxed is hypothetical code injected via a buffer overflow etc. Such code can already read all of the tor process's memory, which means it has nothing further to gain through the speculative store bypass attack, which means tor has nothing to gain from the speculative store bypass mitigation.
I believe we should opt tor out of this mitigation, which can be achieved by calling
SCMP_FLTATR_CTL_SSB set to 1.