Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • T Torsocks
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 38
    • Issues 38
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 0
    • Merge requests 0
  • Deployments
    • Deployments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • Repository
  • Activity
  • Graph
  • Create a new issue
  • Commits
  • Issue Boards
Collapse sidebar
  • The Tor Project
  • Core
  • Torsocks
  • Issues
  • #21022
Closed
Open
Issue created Dec 18, 2016 by cypherpunks@cypherpunks

Add several syscalls to src/lib/syscall.c (Torsocks breaks seccomp)

It looks like Torsocks whitelists calls that are allowed to be made via the glibc syscall() function, but unfortunately the whitelist is too restrictive. For example seccomp() is not permitted, and that results in the syscall being denied (new kernels use that rather than prctl() to enable sandboxes). This results in any program that uses a seccomp sandbox being unsandboxed when used in combination with Torsocks!

Ideally, gettimeofday() and clock_gettime() would also be whitelisted, because they are harmless and calling them as syscalls directly is a handy way to avoid them being used as vDSOs. The same goes with fork(), where calling it directly is a handy way to avoid having to use the glibc wrapper, which uses clone() instead.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking