Thanks.
@Patrick I don’t think it is risky for us to publish Host Kernel Hardening while awaiting madaidan’s website changes - we have his permission on this forum after all.
Also, since Tor's sandbox feature seems perpetually broken/non-functional, can/should we run Tor in a chroot jail, or at least provide wiki instructions to do so as an optional configuration?
No idea if this would work in Whonix configuration. (On a side note there is a lot of the Arch wiki we could rip off for security-related matters in our own wiki. TODO)
Tor - ArchWiki
For security purposes, it may be desirable to run Tor in a chroot. The following script will create an appropriate chroot in /opt/torchroot:
~/torchroot-setup.sh
#!/bin/bash
export TORCHROOT=/opt/torchroot
mkdir -p $TORCHROOT
mkdir -p $TORCHROOT/etc/tor
mkdir -p $TORCHROOT/dev
mkdir -p $TORCHROOT/usr/bin
mkdir -p $TORCHROOT/usr/lib
mkdir -p $TORCHROOT/usr/share/tor
mkdir -p $TORCHROOT/var/lib
mkdir -p $TORCHROOT/var/log/tor/
ln -s /usr/lib $TORCHROOT/lib
cp /etc/hosts $TORCHROOT/etc/
cp /etc/host.conf $TORCHROOT/etc/
cp /etc/localtime $TORCHROOT/etc/
cp /etc/nsswitch.conf $TORCHROOT/etc/
cp /etc/resolv.conf $TORCHROOT/etc/
cp /usr/bin/tor $TORCHROOT/usr/bin/
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
# NSS modules, the resolver and the dynamic loader are loaded at runtime and not all listed by ldd, so copy them explicitly
cp /lib/libnss* /lib/libnsl* /lib/ld-linux*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
# copy every shared library that ldd resolves for the tor binary
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") $TORCHROOT/usr/lib/
# /var/log/tor/notices.log is only needed if you run hidden services
cp /var/log/tor/notices.log $TORCHROOT/var/log/tor/
cp -r /var/lib/tor $TORCHROOT/var/lib/
cp /etc/tor/torrc $TORCHROOT/etc/tor/
chown tor:tor $TORCHROOT
chmod 700 $TORCHROOT
chown -R tor:tor $TORCHROOT/var/lib/tor
chown -R tor:tor $TORCHROOT/var/log/tor
# minimal passwd/group so --userspec=tor:tor resolves inside the jail
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"
# device nodes tor needs: random/urandom for key material, null for redirects
mknod -m 644 $TORCHROOT/dev/random c 1 8
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
mknod -m 666 $TORCHROOT/dev/null c 1 3
if [[ "$(uname -m)" == "x86_64" ]]; then
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
ln -sr /usr/lib64 $TORCHROOT/lib64
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
fi
After running the script as root, Tor can be launched in the chroot with the command:
chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor
or, if you use systemd, overload the service:
/etc/systemd/system/tor.service.d/chroot.conf
[Service]
User=root
ExecStart=
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"
KillSignal=SIGINT
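The script above copies libraries and creates device nodes by hand, so the usual failure mode is a jail that is missing something tor only asks for at startup. This is an added audit helper, not part of the Arch wiki page or the forum post: it re-runs ldd on the host's tor binary, checks that every resolved library (including the loader line, which the script's awk column-3 filter misses) has a copy under $TORCHROOT/usr/lib, and checks that the three /dev nodes are the expected character devices. The TORCHROOT environment variable and the default path /opt/torchroot are taken from the script; everything else is assumed.

```python
import os
import stat
import subprocess

# Device nodes the setup script creates with mknod, as name -> (major, minor).
EXPECTED_DEVICES = {"random": (1, 8), "urandom": (1, 9), "null": (1, 3)}

def parse_ldd(ldd_output):
    """Absolute library paths named in ldd output, including the loader line."""
    libs = []
    for line in ldd_output.splitlines():
        fields = line.split()
        if "=>" in fields and len(fields) > 2 and fields[2].startswith("/"):
            libs.append(fields[2])   # "name => /path (addr)" lines; "not found" is skipped
        elif fields and fields[0].startswith("/"):
            libs.append(fields[0])   # "/lib64/ld-linux-x86-64.so.2 (addr)" loader line
    return libs

def missing_libraries(libs, chroot):
    """Libraries (matched by basename) absent from <chroot>/usr/lib.

    Only usr/lib is inspected: the script makes <chroot>/lib and lib64 absolute
    symlinks, which resolve against the host when followed from outside the jail.
    """
    return [lib for lib in libs
            if not os.path.exists(os.path.join(chroot, "usr/lib", os.path.basename(lib)))]

def device_problems(chroot):
    """/dev nodes that are missing or are not the expected character device."""
    problems = []
    for name, (major, minor) in EXPECTED_DEVICES.items():
        path = os.path.join(chroot, "dev", name)
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        st = os.stat(path)
        actual = (os.major(st.st_rdev), os.minor(st.st_rdev))
        if not stat.S_ISCHR(st.st_mode) or actual != (major, minor):
            problems.append(f"{path}: expected char device {major}:{minor}, got {actual}")
    return problems

def audit_chroot(chroot, binary="/usr/bin/tor"):
    """Run ldd on the host's tor binary and report everything the chroot lacks."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    return missing_libraries(parse_ldd(out), chroot) + device_problems(chroot)

if __name__ == "__main__":
    for problem in audit_chroot(os.environ.get("TORCHROOT", "/opt/torchroot")):
        print(problem)
```

An empty result means the copied binary's dependencies and device nodes are in place; it says nothing about whether the libraries are the same versions as the host's, so re-run it after every tor or libc upgrade.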