[tor-talk] torjail - run programs in tor network namespace
Casey Callendrello
c1 at caseyc.net
Thu Jul 26 18:49:00 UTC 2018
On 07/23/2018 09:51 AM, bic wrote:
> Hello,
>
> I want to share a project made in _to hacklab.
>
> https://github.com/torjail/torjail
>
Hi there!
I wrote something similar a few years back, but didn't publicize it widely:
https://github.com/squeed/orbox
It does the same basic thing, but uses golang instead of bash. It also
uses the tor API port, rather than spinning up a new daemon. Some
advantages, some disadvantages.
Ultimately, something makes me uncomfortable about the iptables rules
that redirect traffic from the container's interface. I just don't
somehow trust their ability to block everything. I'd really like a way
to do this without a bunch of annoying iptables work.
I've been looking at two new ways that might be able to avoid this.
Have you looked in to flatpak's portals? On the one hand, Flatpak can do
rootless / unpriveleged isolation. On the other hand, it relies on
unprivileged user namespaces, which have been huge sources of nasty
kernel exploits. grsecurity and debian disable them, and with good reason.
In the containerization world, the crazy people at Cilium have written a
cool bpf program that connects two TCP sockets directly, without ever
needing to be routed. They're doing it for performance reasons, but I
think it would be even more useful for doing tor-style isolation.
Given that you can now attach bpf programs to individual cgroups, I feel
like this might finally be the way forward.
Thoughts?
--cdc.
More information about the tor-talk
mailing list