Tor operations
List of relays
- DFRI0 mesh @ amnesia
- DFRI1 x0 @ anastasia
- DFRI3 memento @ unlinkable
- DFRI4 x1 @ anastasia
- DFRI5 mesh2 @ amnesia
- DFRI6 terri @ kallocain
- DFRI7 matrix @ kallocain
Running tor in a full jail
Installation of tor from ports
We use openssl, libevent2 and tor-devel from ports.
When building tor a second time, some files will be labelled biba/low and the install script will fail. Stop any running tor and do
setpmac biba/equal setfmac -R biba/equal /var/log/tor /var/run/tor /var/db/tor
before running portmaster -d security/tor-devel. Then, before starting tor, do
setpmac biba/equal setfmac -R biba/low /var/log/tor /var/run/tor /var/db/tor
The procedure might look something like the following:
# in the jail
make -C /usr/ports/security/tor-devel clean all # compile before stopping tor
setpmac biba/low sh -c "cat /var/run/tor/tor.pid | xargs kill" # die die
setpmac biba/equal setfmac -R biba/equal /var/log/tor /var/run/tor /var/db/tor
portmaster -d -C security/tor-devel # install without cleaning first
setpmac biba/equal setfmac -R biba/low /var/log/tor /var/run/tor /var/db/tor
# in the mothership
/usr/local/dfri/tor-start-in-jail.sh memento # start tor
Starting tor in a jail
To start tor in a different security context (which isn't allowed inside of a jail), we create a script that runs jexec(8) with a different security context. Example from lethe:/etc/rc.conf:
jail_memento_exec_poststart0="/usr/local/dfri/tor-start-in-jail.sh memento"
The script is short, and mostly takes care of finding the correct jid to start tor in. Tor will run in partition/1 biba/low (so don't forget to load mac_partition.ko).
This means that to be able to see processes, network connections etc., the security context needs to be correct. Some examples:
- setpmac biba/low netstat -an
- setpmac biba/low kill -HUP $torpid
- setpmac biba/low sockstat -l4
Upgrade tor in a jail with biba/low
Enter the jail foo and upgrade.
jexec foo sh
pkg update
setpmac biba/low sh -c "cat /var/run/tor/tor.pid | xargs kill"
setpmac biba/equal setfmac -R biba/equal /var/log/tor /var/run/tor /var/db/tor
pkg upgrade
setpmac biba/equal setfmac -R biba/low /var/log/tor /var/run/tor /var/db/tor
exit # exit the jail and restart it
service jail restart foo
jexec foo setpmac biba/low tail -n 30 /var/log/tor/tor.log
ugidfw
We run ugidfw to additionally place constraints on the tor process. To check the current ruleset, run
ugidfw list
To modify the rules, edit /etc/rc.bsdextended-amnesia and then run /etc/rc.d/ugidfw restart. This should hopefully be unnecessary.
MyFamily
# DFRI0 DD8BD7307017407FCC36F8D04A688F74A0774C02
# DFRI1 A10C4F666D27364036B562823E5830BC448E046A
# DFRI3 EC84E23249F74BFFBC82B4E63CDA295CCC0292A0
# DFRI4 A478E421F83194C114F41E94F95999672AED51FE
# DFRI5 185663B7C12777F052B2C2D23D7A239D8DA88A0F
# Lule FFA72BD683BC2FCF988356E6BEC1E490F313FB07
# maatuska BD6A829255CB08E66FBE7D3748363586E46B3810
# ndnr1 32EE911D968BE3E016ECA572BB1ED0A9EE43FC2F
MyFamily \
$DD8BD7307017407FCC36F8D04A688F74A0774C02,\
$A10C4F666D27364036B562823E5830BC448E046A,\
$EC84E23249F74BFFBC82B4E63CDA295CCC0292A0,\
$A478E421F83194C114F41E94F95999672AED51FE,\
$185663B7C12777F052B2C2D23D7A239D8DA88A0F,\
$FFA72BD683BC2FCF988356E6BEC1E490F313FB07,\
$BD6A829255CB08E66FBE7D3748363586E46B3810,\
$32EE911D968BE3E016ECA572BB1ED0A9EE43FC2F
Current Tor version?
To see our relays' versions, run:
curl 'https://onionoo.torproject.org/details?contact=1Muz37TfXVBiJKRJkAqTNo7MnEZN8hhmJQ&fields=platform,nickname'
or check locally on each machine with 'pkg info tor'.
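As an added example (not DFRI's own tooling), the script below parses an Onionoo reply like the one the curl command above returns, reports the Tor version each relay runs, and checks that every relay's effective family covers the full fingerprint set from the MyFamily section, so an out-of-date MyFamily line on any one relay shows up. It assumes the extra Onionoo fields fingerprint and effective_family, and the sample reply and the fingerprints in it are constructed placeholders, not the operator's real ones.

```python
import json
import re
import urllib.request

# The page's Onionoo query, widened to the extra fields the checks below need.
ONIONOO = ("https://onionoo.torproject.org/details"
           "?contact=1Muz37TfXVBiJKRJkAqTNo7MnEZN8hhmJQ"
           "&fields=nickname,fingerprint,platform,effective_family")

# Constructed sample reply in Onionoo's shape; fingerprints are placeholders.
FP_MESH = "0000000000000000000000000000000000000001"
FP_X0 = "0000000000000000000000000000000000000002"
FP_TERRI = "0000000000000000000000000000000000000003"
EXPECTED_FAMILY = [FP_MESH, FP_X0, FP_TERRI]   # what every MyFamily line should list
SAMPLE = {"relays": [
    {"nickname": "mesh", "fingerprint": FP_MESH, "platform": "Tor 0.4.8.10 on FreeBSD",
     "effective_family": ["$" + FP_MESH, "$" + FP_X0, "$" + FP_TERRI]},
    {"nickname": "x0", "fingerprint": FP_X0, "platform": "Tor 0.4.8.10 on FreeBSD",
     "effective_family": ["$" + FP_X0, "$" + FP_MESH]},
    # terri runs an older Tor and its MyFamily line was never updated for x0.
    {"nickname": "terri", "fingerprint": FP_TERRI, "platform": "Tor 0.4.7.13 on FreeBSD",
     "effective_family": ["$" + FP_TERRI, "$" + FP_MESH]},
]}

def tor_version(platform):
    """Extract '0.4.8.10' from a platform string like 'Tor 0.4.8.10 on FreeBSD'."""
    m = re.search(r"\bTor (\S+)", platform or "")
    return m.group(1) if m else "unknown"

def versions(details):
    """Map nickname -> running Tor version for every relay in the reply."""
    return {r["nickname"]: tor_version(r.get("platform")) for r in details["relays"]}

def family_gaps(details, expected):
    """Map nickname -> expected fingerprints missing from that relay's effective
    family.  Onionoo only counts mutual declarations, so a gap on a relay means
    its MyFamily line, or the other relay's, is stale."""
    want = {fp.lstrip("$").upper() for fp in expected}
    gaps = {}
    for r in details["relays"]:
        have = {fp.lstrip("$").upper() for fp in r.get("effective_family", [])}
        have.add(r["fingerprint"].upper())  # a relay is always in its own family
        missing = want - have
        if missing:
            gaps[r["nickname"]] = missing
    return gaps

def fetch(url=ONIONOO):
    """Download the live Onionoo reply (needs network access)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    data = SAMPLE  # replace with fetch() for the live answer
    for nick, ver in sorted(versions(data).items()):
        print(f"{nick:10} {ver}")
    for nick, missing in family_gaps(data, EXPECTED_FAMILY).items():
        print(f"{nick}: MyFamily lacks {', '.join(sorted(missing))}")
```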