[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] torjail - run programs in tor network namespace

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] torjail - run programs in tor network namespace
From: Casey Callendrello <c1@xxxxxxxxxx>
Date: Thu, 26 Jul 2018 20:49:00 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 26 Jul 2018 14:49:16 -0400
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=caseyc.net; h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; s=caseyc.net; bh=MvlU+/ asTgNk1zYA8HiB7Xdix9M=; b=Bpq0+FyBvhKZxwR/qGeQ7wWcKt787qPc5YRlcx RmX11I7lmVOiYdJhTpve3v9e9FkahRgaHYSmX5EovtUJtHtUlU0lmN65h1NTZr13 gC3uHdC8eggrvxsxzK+r8CqEpRA3kTRxxH4H4uWyScAWEafS9il+bzlHtUy4CNS6 TVUB8=
In-reply-to: <20180723075153.gnwfrvy56dko3i6q@nolla>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20180723075153.gnwfrvy56dko3i6q@nolla>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 07/23/2018 09:51 AM, bic wrote:

Hello,

I want to share a project made in _to hacklab.

https://github.com/torjail/torjail


Hi there!

I wrote something similar a few years back, but didn't publicize it widely:
https://github.com/squeed/orbox

It does the same basic thing, but uses golang instead of bash. It alsouses the tor API port, rather than spinning up a new daemon. Someadvantages, some disadvantages.

Ultimately, something makes me uncomfortable about the iptables rulesthat redirect traffic from the container's interface. I just don'tsomehow trust their ability to block everything. I'd really like a wayto do this without a bunch of annoying iptables work.


I've been looking at two new ways that might be able to avoid this.

Have you looked in to flatpak's portals? On the one hand, Flatpak can dorootless / unpriveleged isolation. On the other hand, it relies onunprivileged user namespaces, which have been huge sources of nastykernel exploits. grsecurity and debian disable them, and with good reason.

In the containerization world, the crazy people at Cilium have written acool bpf program that connects two TCP sockets directly, without everneeding to be routed. They're doing it for performance reasons, but Ithink it would be even more useful for doing tor-style isolation.

Given that you can now attach bpf programs to individual cgroups, I feellike this might finally be the way forward.


Thoughts?

--cdc.


--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] torjail - run programs in tor network namespace
  - From: bic

Prev by Author: [tor-talk] DDream Woeld bannd me after two purhases n esow and now cannot acesses the ste, let aone m y acount WHat Gves+ s Ths a scam???HELP!!!!!!
Next by Author: Re: [tor-talk] .onion eat http 413 errors
Previous by thread: Re: [tor-talk] torjail - run programs in tor network namespace
Next by thread: [tor-talk] Possible onion service V3 bug
Index(es):
- Author
- Thread