Tor operations

List of relays

  • DFRI0 mesh @ amnesia
  • DFRI1 x0 @ anastasia
  • DFRI3 memento @ unlinkable
  • DFRI4 x1 @ anastasia
  • DFRI5 mesh2 @ amnesia
  • DFRI6 terri @ kallocain
  • DFRI7 matrix @ kallocain

Running tor in a full jail

Installation of tor from ports

We use openssl, libevent2 and tor-devel from ports.

When building tor a second time, some of tor's files will be labelled biba/low and the install script will fail. Stop any running tor and run

setpmac biba/equal setfmac -R biba/equal /var/log/tor /var/run/tor /var/db/tor

before portmaster -d security/tor-devel is run. Then, before starting tor, do

setpmac biba/equal setfmac -R biba/low /var/log/tor /var/run/tor /var/db/tor

The whole procedure might look something like the following:

# in the jail
make -C /usr/ports/security/tor-devel clean all    # compile before stopping tor
setpmac biba/low sh -c "cat /var/run/tor/tor.pid | xargs kill"   # die die
setpmac biba/equal setfmac -R biba/equal /var/log/tor /var/run/tor /var/db/tor
portmaster -d -C security/tor-devel                # install without cleaning first
setpmac biba/equal setfmac -R biba/low /var/log/tor /var/run/tor /var/db/tor

# in the mothership
/usr/local/dfri/tor-start-in-jail.sh memento  # start tor

Starting tor in a jail

To start tor in a different security context (which isn't allowed inside of a jail), we create a script that runs jexec(8) with a different security context. Example from lethe:/etc/rc.conf:

jail_memento_exec_poststart0="/usr/local/dfri/tor-start-in-jail.sh memento"

The script is short, and mostly takes care of finding the correct jid to start tor in. Tor will run in partition/1 biba/low (so don't forget to load mac_partition.ko).

This means that to be able to see its processes, network connections etc., the command must be run in the matching security context. Some examples:

  • setpmac biba/low netstat -an
  • setpmac biba/low kill -HUP $torpid
  • setpmac biba/low sockstat -l4
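What such a start script can look like, as an added example and not the DFRI script itself: it resolves the jail's jid from a jls(8) listing, makes sure mac_partition is loaded, and then runs tor's rc script inside the jail via jexec(8) under the partition/1,biba/low label. The rc script path (TOR_RC), the `jls -h name jid` listing shape, the kldstat/kldload check and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example of a tor-start-in-jail.sh helper, run on the host
# (the "mothership").  Not the real DFRI script; paths are assumed.
set -eu

TOR_LABEL="partition/1,biba/low"   # label tor runs under, per the notes above
TOR_RC="/usr/local/etc/rc.d/tor"   # assumed location of tor's rc script

# Constructed listing in the shape of `jls -h name jid`, for offline checks.
SAMPLE_JLS='name jid
memento 3
anastasia 7'

# jail_jid NAME [LISTING]: print the jid of jail NAME.  LISTING is
# "name jid" lines as printed by `jls -h name jid`; when omitted, jls is
# queried live.  Returns 1 if no jail of that name is running.
jail_jid() {
    listing=${2:-$(jls -h name jid)}
    printf '%s\n' "$listing" | awk -v want="$1" '
        NR > 1 && $1 == want { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# start_tor_in_jail NAME: start tor inside jail NAME in tor's own
# security context.  setpmac(8) cannot be used inside the jail, so the
# label is set here, on the host, before entering it with jexec(8).
start_tor_in_jail() {
    jid=$(jail_jid "$1") || { echo "no running jail named $1" >&2; return 1; }
    # mac_partition must be loaded before a partition/ label can be set.
    kldstat -q -m mac_partition || kldload mac_partition
    setpmac "$TOR_LABEL" jexec "$jid" "$TOR_RC" start
}

if [ $# -gt 0 ]; then
    start_tor_in_jail "$1"
else
    echo "usage: $0 <jailname>" >&2
fi
```

Hooked up as jail_memento_exec_poststart0 in rc.conf, the host runs it with the jail name as its only argument once the jail is up; the jid lookup takes an optional listing argument only so the parsing can be checked without a running jail.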

Upgrade tor in a jail with biba/low

Enter the jail foo and upgrade.

jexec foo sh
pkg update
setpmac biba/low sh -c "cat /var/run/tor/tor.pid | xargs kill"
setpmac biba/equal setfmac -R biba/equal /var/log/tor /var/run/tor /var/db/tor
pkg upgrade
setpmac biba/equal setfmac -R biba/low /var/log/tor /var/run/tor /var/db/tor
exit # exit the jail and restart it
service jail restart foo
jexec foo setpmac biba/low tail -n 30 /var/log/tor/tor.log

ugidfw

We run ugidfw to additionally place constraints on the tor process. To check the current ruleset, run

ugidfw list

To modify the rules, edit /etc/rc.bsdextended-amnesia and then run /etc/rc.d/ugidfw restart. This should hopefully be unnecessary.

MyFamily

# DFRI0 DD8BD7307017407FCC36F8D04A688F74A0774C02
# DFRI1 A10C4F666D27364036B562823E5830BC448E046A
# DFRI3 EC84E23249F74BFFBC82B4E63CDA295CCC0292A0
# DFRI4 A478E421F83194C114F41E94F95999672AED51FE
# DFRI5 185663B7C12777F052B2C2D23D7A239D8DA88A0F
# Lule FFA72BD683BC2FCF988356E6BEC1E490F313FB07
# maatuska BD6A829255CB08E66FBE7D3748363586E46B3810
# ndnr1 32EE911D968BE3E016ECA572BB1ED0A9EE43FC2F
MyFamily \
    $DD8BD7307017407FCC36F8D04A688F74A0774C02,\
    $A10C4F666D27364036B562823E5830BC448E046A,\
    $EC84E23249F74BFFBC82B4E63CDA295CCC0292A0,\
    $A478E421F83194C114F41E94F95999672AED51FE,\
    $185663B7C12777F052B2C2D23D7A239D8DA88A0F,\
    $FFA72BD683BC2FCF988356E6BEC1E490F313FB07,\
    $BD6A829255CB08E66FBE7D3748363586E46B3810,\
    $32EE911D968BE3E016ECA572BB1ED0A9EE43FC2F

Current Tor version?

To see our relays' versions, run:

curl 'https://onionoo.torproject.org/details?contact=1Muz37TfXVBiJKRJkAqTNo7MnEZN8hhmJQ&fields=platform,nickname'

or check locally on each machine with 'pkg info tor'.
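Turning that answer into a per-relay version check, as an added example that is not part of these notes: the script parses the nickname/platform pairs out of the onionoo JSON with plain sh, tr, sed and awk (no jq needed) and lists any relay whose platform does not carry the expected Tor version, which is the question after a round of upgrades. The onionoo URL is the one above; the sample answer, the expected-version string and the --live switch are constructed for this example.

```shell
#!/bin/sh
# Added example: parse the onionoo "details" answer and flag relays
# that are not on the expected Tor version.  Not part of the DFRI notes.
set -eu

ONIONOO_URL='https://onionoo.torproject.org/details?contact=1Muz37TfXVBiJKRJkAqTNo7MnEZN8hhmJQ&fields=platform,nickname'

# Constructed sample in the shape of an onionoo details answer, for offline use.
SAMPLE='{"version":"9.0","relays":[{"nickname":"DFRI0","platform":"Tor 0.4.8.10 on FreeBSD"},{"nickname":"DFRI1","platform":"Tor 0.4.7.16 on FreeBSD"},{"nickname":"DFRI3","platform":"Tor 0.4.8.10 on FreeBSD"}],"bridges":[]}'

# relay_versions: read onionoo JSON on stdin, print "nickname<TAB>platform"
# per relay.  Splitting on "{" puts one relay object per line; each field is
# then extracted on its own so the field order in the answer does not matter.
relay_versions() {
    tr '{' '\n' | grep '"nickname"' | while IFS= read -r obj; do
        nick=$(printf '%s\n' "$obj" | sed -n -E 's/.*"nickname" *: *"([^"]*)".*/\1/p')
        plat=$(printf '%s\n' "$obj" | sed -n -E 's/.*"platform" *: *"([^"]*)".*/\1/p')
        printf '%s\t%s\n' "$nick" "${plat:-unknown}"
    done
}

# relays_not_on EXPECTED: read "nickname<TAB>platform" lines, print those
# whose platform does not contain EXPECTED (e.g. "Tor 0.4.8.10").
# Exit status 1 when at least one relay is off the expected version.
relays_not_on() {
    awk -F '\t' -v want="$1" 'index($2, want) == 0 { print; bad = 1 } END { exit bad }'
}

# check_versions EXPECTED [--live]: use the live onionoo answer with --live,
# otherwise the constructed SAMPLE.
check_versions() {
    if [ "${2:-}" = "--live" ]; then
        curl -s "$ONIONOO_URL"
    else
        printf '%s' "$SAMPLE"
    fi | relay_versions | relays_not_on "$1"
}

if check_versions "Tor 0.4.8.10" "${1:-}"; then
    echo "all relays on the expected version"
else
    echo "relays listed above are not on the expected version" >&2
fi
```

Run it with --live after upgrading to compare the directory's view of the relays with what 'pkg info tor' says on each machine; note that onionoo lags a relay's new descriptor by a while, so a relay restarted minutes ago may still show its old platform string.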