[tor-talk] torjail - run programs in tor network namespace

Casey Callendrello c1 at caseyc.net
Thu Jul 26 18:49:00 UTC 2018


On 07/23/2018 09:51 AM, bic wrote:
> Hello,
>
> I want to share a project made in _to hacklab.
>
> https://github.com/torjail/torjail
>

Hi there!

I wrote something similar a few years back, but didn't publicize it widely:
https://github.com/squeed/orbox
It does the same basic thing, but uses golang instead of bash. It also 
uses the tor API port, rather than spinning up a new daemon. Some 
advantages, some disadvantages.

Ultimately, something makes me uncomfortable about the iptables rules 
that redirect traffic from the container's interface. I just don't 
somehow trust their ability to block everything. I'd really like a way 
to do this without a bunch of annoying iptables work.

I've been looking at two new ways that might be able to avoid this.

Have you looked into flatpak's portals? On the one hand, Flatpak can do
rootless / unprivileged isolation. On the other hand, it relies on
unprivileged user namespaces, which have been huge sources of nasty
kernel exploits. grsecurity and debian disable them, and with good reason.

In the containerization world, the crazy people at Cilium have written a 
cool bpf program that connects two TCP sockets directly, without ever 
needing to be routed. They're doing it for performance reasons, but I 
think it would be even more useful for doing tor-style isolation.

Given that you can now attach bpf programs to individual cgroups, I feel 
like this might finally be the way forward.

Thoughts?

--cdc.
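The iptables-plus-namespace approach the message is uneasy about, spelled out as a deny-by-default rule set. This is an added example, not code from torjail or orbox: the namespace and interface names, the 10.200.1.0/24 addresses and the port numbers are assumptions, and it presumes a host Tor configured with `TransPort 10.200.1.1:9040` and `DNSPort 10.200.1.1:5353`. The point it makes that the prose does not is what "block everything" has to mean in practice: the only ACCEPTs on the host side of the veth are Tor's two listeners, forwarding off the interface is dropped in both directions, and IPv6 (which the REDIRECTs never touch) is dropped outright rather than left to leak.

```shell
#!/bin/sh
# Added example (not torjail's or orbox's code): a network namespace whose
# only exit is Tor's TransPort/DNSPort on the host end of a veth pair.
# All names, addresses and ports below are assumptions for illustration.
set -eu

NS=torjail            # network namespace name (assumed)
VETH_HOST=veth-tor0   # host end of the veth pair (assumed)
VETH_NS=veth-tor1     # namespace end of the veth pair (assumed)
HOST_IP=10.200.1.1    # address Tor listens on (assumed; torrc TransPort/DNSPort)
NS_IP=10.200.1.2      # address of the jailed namespace (assumed)
TRANS_PORT=9040       # torrc: TransPort 10.200.1.1:9040
DNS_PORT=5353         # torrc: DNSPort   10.200.1.1:5353
DRY_RUN=${DRY_RUN:-0} # DRY_RUN=1 prints the commands instead of running them

# Print the command when DRY_RUN=1, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Plumbing: namespace, veth pair, addresses, default route to the host end.
create_namespace() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_IP/24" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$VETH_NS"
    run ip netns exec "$NS" ip link set "$VETH_NS" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
}

# Firewall on the host side of the veth. The nat REDIRECTs rewrite DNS and
# TCP SYNs to Tor's listeners; the filter rules ACCEPT only those two
# destinations and DROP everything else arriving from the interface. FORWARD
# is dropped in both directions so nothing can cross to the real uplink, and
# IPv6 is dropped outright because nothing redirects it.
install_rules() {
    run iptables -t nat -A PREROUTING -i "$VETH_HOST" -p udp --dport 53 \
        -j REDIRECT --to-ports "$DNS_PORT"
    run iptables -t nat -A PREROUTING -i "$VETH_HOST" -p tcp --syn \
        -j REDIRECT --to-ports "$TRANS_PORT"
    run iptables -A INPUT -i "$VETH_HOST" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    run iptables -A INPUT -i "$VETH_HOST" -p udp --dport "$DNS_PORT" -j ACCEPT
    run iptables -A INPUT -i "$VETH_HOST" -j DROP
    run iptables -A FORWARD -i "$VETH_HOST" -j DROP
    run iptables -A FORWARD -o "$VETH_HOST" -j DROP
    run ip6tables -A INPUT -i "$VETH_HOST" -j DROP
    run ip6tables -A FORWARD -i "$VETH_HOST" -j DROP
}

# Usage: "sh torjail-ns.sh show" prints the plan; "apply" (as root) runs it.
case "${1:-}" in
    show)  DRY_RUN=1; create_namespace; install_rules ;;
    apply) create_namespace; install_rules ;;
esac
```

Once applied, a program is started with `ip netns exec torjail` (dropping to an unprivileged user), and its only reachable addresses are 10.200.1.1:9040 and :5353. The `show` mode exists so the rule plan can be reviewed, and counted, before it touches a live host; the reviewable thing to confirm is that every chain the veth can reach ends in DROP.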
