[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] torjail - run programs in tor network namespace

On 07/23/2018 09:51 AM, bic wrote:

I want to share a project made in _to hacklab.


Hi there!

I wrote something similar a few years back, but didn't publicize it widely:
It does the same basic thing, but uses golang instead of bash. It also uses the tor API port, rather than spinning up a new daemon. Some advantages, some disadvantages.

Ultimately, something makes me uncomfortable about the iptables rules that redirect traffic from the container's interface. I just don't somehow trust their ability to block everything. I'd really like a way to do this without a bunch of annoying iptables work.

I've been looking at two new ways that might be able to avoid this.

Have you looked in to flatpak's portals? On the one hand, Flatpak can do rootless / unpriveleged isolation. On the other hand, it relies on unprivileged user namespaces, which have been huge sources of nasty kernel exploits. grsecurity and debian disable them, and with good reason.

In the containerization world, the crazy people at Cilium have written a cool bpf program that connects two TCP sockets directly, without ever needing to be routed. They're doing it for performance reasons, but I think it would be even more useful for doing tor-style isolation.

Given that you can now attach bpf programs to individual cgroups, I feel like this might finally be the way forward.



tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to