NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

tor on aarch64 is built without libseccomp (just for tracking; waiting for upstream sandbox fix) #193526

Open artemislena opened 1 year ago

artemislena commented 1 year ago

Describe the bug

Running Tor with sandbox enabled will make it emit the message: [warn] This version of Tor was built without support for sandboxing. To build with support for sandboxing on Linux, you must have libseccomp and its necessary header files (e.g. seccomp.h).

Steps To Reproduce

Steps to reproduce the behavior:

  1. Put this in configuration.nix:

     {
       services.tor = {
         enable = true;
         settings.Sandbox = true;
       };
     }
  2. nixos-rebuild switch
  3. journalctl -u tor.service

Expected behavior

Tor shouldn't complain about missing libseccomp, and the sandbox setting should make it sandbox itself.

Additional context

AIUI, seccomp does syscall filtering, so it might be possible to reproduce similar functionality with systemd's per-unit syscall filter, but uh, Tor's own sandbox would be more appropriate, as it would have a filter that's customized to Tor's needs specifically, and also work when calling manually (especially relevant on non-NixOS platforms), or with custom systemd units.

Notify maintainers

@thoughtpolice @joachifm @prusnak

Metadata
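Because both Tor's own sandbox and systemd's SystemCallFilter= show up as a seccomp filter on the process, the warning in the journal is the only thing that tells the two apart. The following script is an added example, not part of the issue or of nixpkgs: it checks three things on a host running tor.service (whether the tor binary is linked against libseccomp, whether the running process has a seccomp filter installed according to /proc/PID/status, and whether the "built without support for sandboxing" warning appears in the journal) and combines them into one verdict. The parsing is kept in functions that take text, so they run here on constructed sample input; the live check assumes systemd, ldd and root (to read /proc/PID/exe), and is only run when TOR_SECCOMP_LIVE=1 is set.

```shell
#!/bin/sh
# Added example, not from the issue or nixpkgs: is tor on this host
# sandboxed by its own libseccomp sandbox, by systemd's SystemCallFilter=,
# or not at all?

# Print the Seccomp mode from a /proc/<pid>/status dump passed as text:
# 0 = no filter, 1 = strict mode, 2 = filter mode (what both tor's sandbox
# and systemd's SystemCallFilter= install). Prints "unknown" if absent.
seccomp_mode() {
    mode=$(printf '%s\n' "$1" | awk '$1 == "Seccomp:" { print $2; exit }')
    printf '%s\n' "${mode:-unknown}"
}

# Succeed if ldd output passed as text lists a libseccomp shared object.
links_libseccomp() {
    printf '%s\n' "$1" | grep -q 'libseccomp\.so'
}

# Succeed if the journal excerpt passed as text contains tor's warning that
# it was built without sandbox support (the symptom reported in this issue).
logs_missing_sandbox() {
    printf '%s\n' "$1" | grep -q 'built without support for sandboxing'
}

# $1: yes/no libseccomp linked, $2: seccomp mode, $3: yes/no warning seen.
verdict() {
    case "$1/$2/$3" in
        */unknown/*) echo "could not read the Seccomp field from /proc status" ;;
        no/2/*)      echo "systemd filter only: tor itself has no sandbox support" ;;
        no/*/*)      echo "unsandboxed: no libseccomp, no seccomp filter" ;;
        yes/2/no)    echo "seccomp filter active; tor's own sandbox is available" ;;
        yes/0/*)     echo "libseccomp linked but no filter installed; is Sandbox 1 set?" ;;
        *)           echo "inconsistent observations: linked=$1 mode=$2 warning=$3" ;;
    esac
}

# Live check against the running unit (needs systemd, ldd and root).
check_live_host() {
    pid=$(systemctl show -p MainPID --value tor.service) || return 1
    [ -n "$pid" ] && [ "$pid" != 0 ] || { echo "tor.service is not running" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe")
    linked=no; links_libseccomp "$(ldd "$exe")" && linked=yes
    warned=no; logs_missing_sandbox "$(journalctl -u tor.service -b --no-pager)" && warned=yes
    verdict "$linked" "$(seccomp_mode "$(cat "/proc/$pid/status")")" "$warned"
}

# Constructed sample inputs (not captured from a real host) modelled on this
# issue: an aarch64 tor with no libseccomp, no SystemCallFilter= on the unit.
SAMPLE_LDD='    linux-vdso.so.1 (0x0000ffff9a1b0000)
    libevent-2.1.so.7 => /nix/store/fake-libevent/lib/libevent-2.1.so.7 (0x0000ffff9a0c0000)
    libssl.so.3 => /nix/store/fake-openssl/lib/libssl.so.3 (0x0000ffff99f80000)
    libc.so.6 => /nix/store/fake-glibc/lib/libc.so.6 (0x0000ffff99dd0000)'
SAMPLE_STATUS='Name:   tor
Umask:  0077
State:  S (sleeping)
Pid:    1234
Seccomp:        0
Seccomp_filters:        0'
SAMPLE_LOG='Jan 01 00:00:00 host tor[1234]: [notice] Tor 0.4.7.x running on Linux.
Jan 01 00:00:00 host tor[1234]: [warn] This version of Tor was built without support for sandboxing. To build with support for sandboxing on Linux, you must have libseccomp and its necessary header files (e.g. seccomp.h).'

linked=no; links_libseccomp "$SAMPLE_LDD" && linked=yes
warned=no; logs_missing_sandbox "$SAMPLE_LOG" && warned=yes
verdict "$linked" "$(seccomp_mode "$SAMPLE_STATUS")" "$warned"

[ "${TOR_SECCOMP_LIVE:-0}" = 1 ] && check_live_host
```

On the sample data the verdict is "unsandboxed: no libseccomp, no seccomp filter". A host that works around the missing libseccomp with a SystemCallFilter= on the unit will instead show Seccomp: 2 together with the warning, which the script reports as a systemd-only filter; only a tor linked against libseccomp with no warning in the journal means Tor's own sandbox is in play.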

prusnak commented 1 year ago

According to tor/default.nix:

# sandbox is broken on aarch64-linux https://gitlab.torproject.org/tpo/core/tor/-/issues/40599

But the upstream issue is now closed and hopefully the latest stable release already contains the fix. Will check and send PR if that's the case.

artemislena commented 1 year ago

Oh, alright. Didn't actually check the Nix file, sorry. Seems like latest release (0.4.7) doesn't have the fix yet ‒ commits from https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574/commits haven't arrived in https://gitlab.torproject.org/tpo/core/tor/-/commits/release-0.4.7/src/lib/sandbox/sandbox.c yet.