From 2aac39a779c125dbc0cc510d0c306e9df83b33c4 Mon Sep 17 00:00:00 2001 From: Jacob Appelbaum Date: Wed, 21 Oct 2009 21:21:57 -0700 Subject: Implement DisableAllSwap to avoid putting secret info in page files. This commit implements a new config option: 'DisableAllSwap' This option probably only works properly when Tor is started as root. We added two new functions: tor_mlockall() and tor_set_max_memlock(). tor_mlockall() attempts to mlock() all current and all future memory pages. For tor_mlockall() to work properly we set the process rlimits for memory to RLIM_INFINITY (and beyond) inside of tor_set_max_memlock(). We behave differently from mlockall() by only allowing tor_mlockall() to be called one single time. All other calls will result in a return code of 1. It is not possible to change DisableAllSwap while running. A sample configuration item was added to the torrc.complete.in config file. A new item in the man page for DisableAllSwap was added. Thanks to Moxie Marlinspike and Chris Palmer for their feedback on this patch. Please note that we make no guarantees about the quality of your OS and its mlock/mlockall implementation. It is possible that this will do nothing at all. It is also possible that you can ulimit the mlock properties of a given user such that root is not required. This has not been extensively tested and is unsupported. I have included some comments for possible ways we can handle this on win32. --- src/or/config.c | 18 ++++++++++++++++++ src/or/or.h | 3 +++ 2 files changed, 21 insertions(+) (limited to 'src/or') diff --git a/src/or/config.c b/src/or/config.c index 5a0ced29d5..b6a52a85de 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -195,6 +195,7 @@ static config_var_t _option_vars[] = { OBSOLETE("DirRecordUsageSaveInterval"), V(DirReqStatistics, BOOL, "0"), VAR("DirServer", LINELIST, DirServers, NULL), + V(DisableAllSwap, BOOL, "0"), V(DNSPort, UINT, "0"), V(DNSListenAddress, LINELIST, NULL), V(DownloadExtraInfo, BOOL, "0"), @@ -456,6 +457,8 @@ static config_var_description_t options_description[] = { { "DirServer", "Tor only trusts directories signed with one of these " "servers' keys. Used to override the standard list of directory " "authorities." }, + { "DisableAllSwap", "Tor will attempt a simple memory lock that " + "will prevent leaking of all information in memory to the swap file." }, /* { "FastFirstHopPK", "" }, */ /* FetchServerDescriptors, FetchHidServDescriptors, * FetchUselessDescriptors */ @@ -1115,6 +1118,15 @@ options_act_reversible(or_options_t *old_options, char **msg) } #endif + /* Attempt to lock all current and future memory with mlockall() only once */ + if (options->DisableAllSwap) { + if (tor_mlockall() == -1) { + *msg = tor_strdup("DisableAllSwap failure. Do you have proper " + "permissions?"); + goto done; + } + } + /* Setuid/setgid as appropriate */ if (options->User) { if (switch_id(options->User) != 0) { @@ -3834,6 +3846,12 @@ options_transition_allowed(or_options_t *old, or_options_t *new_val, return -1; } + if (old->DisableAllSwap != new_val->DisableAllSwap) { + *msg = tor_strdup("While Tor is running, changing DisableAllSwap " + "is not allowed."); + return -1; + } + return 0; } diff --git a/src/or/or.h b/src/or/or.h index bf415d8393..767ad95720 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2287,6 +2287,9 @@ typedef struct { * stop building circuits? */ int StrictEntryNodes; /**< Boolean: When none of our EntryNodes are up, do we * stop building circuits? */ + int DisableAllSwap; /**< Boolean: Attempt to call mlockall() on our + * process for all current and future memory. */ + routerset_t *ExcludeNodes;/**< Structure containing nicknames, digests, * country codes and IP address patterns of ORs * not to use in circuits. */ -- cgit v1.2.3-54-g00ecf