This repository has been archived by the owner on Mar 12, 2021. It is now read-only.

Add ricochet #9

Closed
ioerror opened this issue Jan 31, 2016 · 7 comments

ioerror commented Jan 31, 2016

It would be nice if by default, it was possible to run ricochet on SGOS. This is complicated by a number of factors - one of them is that the ricochet-im packages are compiled with ASAN/UBSAN.

This means we need to rebuild it:

 git diff
diff --git a/hardened.pri b/hardened.pri
index 1b6c3b0..26a95ff 100644
--- a/hardened.pri
+++ b/hardened.pri
@@ -2,11 +2,11 @@ load(configure)
 # Define common variables; these are used by config tests _and_ the actual build

 # Supported in gcc 4.8+
-HARDENED_SANITIZE_FLAGS = -fsanitize=address
+#HARDENED_SANITIZE_FLAGS = -fsanitize=address
 # Supported in gcc 4.9+
-HARDENED_SANITIZE_UBSAN_FLAGS = -fsanitize=undefined -fsanitize=integer-divide-by-zero -fsanitize=bounds -fsanitize=alignment -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize-recover
+#HARDENED_SANITIZE_UBSAN_FLAGS = -fsanitize=undefined -fsanitize=integer-divide-by-zero -fsanitize=bounds -fsanitize=alignment -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize-recover
 # Supported in gcc 5.0+
-HARDENED_SANITIZE_UBSAN_MORE_FLAGS = -fsanitize=vptr -fsanitize=object-size
+#HARDENED_SANITIZE_UBSAN_MORE_FLAGS = -fsanitize=vptr -fsanitize=object-size
 # vtable-verify requires some OS support; see https://bugzilla.novell.com/show_bug.cgi?id=877239
 HARDENED_VTABLE_VERIFY_FLAGS = -fvtable-verify=std

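Review bot: The three sanitizer assignments (`HARDENED_SANITIZE_FLAGS`, `HARDENED_SANITIZE_UBSAN_FLAGS`, `HARDENED_SANITIZE_UBSAN_MORE_FLAGS`) are disabled by commenting them out, which removes ASAN and UBSAN from every build made from this tree and leaves no record of why. Consider gating them on a qmake CONFIG option instead, so the default build keeps the sanitizers and only the SGOS package opts out, and put a comment next to the gate naming the reason. The rest of hardened.pri is not visible in this hunk, so also check that whatever consumes these variables copes with them being undefined. `HARDENED_VTABLE_VERIFY_FLAGS` is left enabled; say whether that is intentional.
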
That is only the start of integration - it also expects to run a copy of Tor (or to use ADD_ONION) with a newer version of Tor. This requires control port access. It may be possible to simply use Ricochet with Tor over Tor as a proof of concept but it clearly can't be shipping to users in that configuration.

Author

ioerror commented Feb 18, 2016

I heard that @special has a branch that uses the system Tor and ADD_ONION - with the ASAN stuff above removed and with that branch, I think we could easily sandbox Ricochet in SGOS.

special commented Mar 17, 2016

Once ricochet-im/ricochet#385 and ricochet-im/ricochet#386 are merged, Ricochet will use ADD_ONION automatically, and will use an external instance of Tor if TOR_CONTROL_PORT is defined in the environment.

Is that sufficient to start getting it working on Subgraph? Is there anything else I can do? I might try to learn how to get it running myself, if I have time.

Author

ioerror commented Mar 17, 2016

Dear @special - can you also disable ASAN and related flags to ensure that ricochet works out of the box with sgos's grsec kernel?

Contributor

dma commented Sep 27, 2016

We will need to make our own package for SGOS. Compile time options needed:

CONFIG+=debug or CONFIG+=release, CONFIG+=no-hardened, DEFINES+=RICOCHET_NO_PORTABLE

special commented Sep 27, 2016

@dma CONFIG+=no-hardened is only necessary if you're building <=1.1.2 and don't apply ricochet-im/ricochet@3031a56

It has some effects other than disabling ASAN.

Contributor

dma commented Oct 9, 2016

Ricochet is now packageable for SGOS; there are several things left that need to be done:

  1. Need update to paxrat config to include ricochet by default (created issue for this in paxrat repo)
  2. Need new roflcoptor package with improved ricochet filter (commit f6d4ca8d965ce3eb6bbdc5bb977e8b4fc047c5bc)
  3. Need new subgraph-oz-profiles package with seccomp update to ricochet whitelist
  4. Need to put ricochet package into SGOS repo

@mckinney-subgraph

This was done a long time ago. Closing issue.
