Open artemislena opened 1 year ago
According to tor/default.nix:
# sandbox is broken on aarch64-linux https://gitlab.torproject.org/tpo/core/tor/-/issues/40599
But the upstream issue is now closed and hopefully the latest stable release already contains the fix. Will check and send PR if that's the case.
Oh, alright. Didn't actually check the Nix file, sorry. Seems like latest release (0.4.7) doesn't have the fix yet ‒ commits from https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574/commits haven't arrived in https://gitlab.torproject.org/tpo/core/tor/-/commits/release-0.4.7/src/lib/sandbox/sandbox.c yet.
Describe the bug
Running Tor with sandbox enabled will make it emit the message
[warn] This version of Tor was built without support for sandboxing. To build with support for sandboxing on Linux, you must have libseccomp and its necessary header files (e.g. seccomp.h).
Steps To Reproduce
Steps to reproduce the behavior:
1. configuration.nix
2. nixos-rebuild switch
3. journalctl -u tor.service
Expected behavior
Tor shouldn't complain about missing libseccomp, and the sandbox setting should make it sandbox itself.
Additional context
AIUI, seccomp does syscall filtering, so it might be possible to reproduce similar functionality with systemd's per-unit syscall filter, but uh, Tor's own sandbox would be more appropriate, as it would have a filter that's customized to Tor's needs specifically, and also work when calling manually (especially relevant on non-NixOS platforms), or with custom systemd units.
Notify maintainers
@thoughtpolice @joachifm @prusnak
Metadata
"aarch64-linux"
Linux 5.15.67-hardened1, NixOS, 22.11 (Raccoon), 22.11pre411613.7e52b35fe98
yes
yes
nix-env (Nix) 2.11.0
"nixos"
/nix/var/nix/profiles/per-user/root/channels/nixos