Managing programs without Tor DNS Support / orjail

HulaHoop · February 12, 2018, 4:35pm

Now we’re talkin

Sounds good. I’ll look into it. Many Whonix programs are very specialized for our own purposes anyhow. At least you write once, run everywhere later. It will really give us flexibility to expand our software selection without having to compromise on stream isolation or butt heads against upstream limitations.

HulaHoop · February 12, 2018, 8:05pm

Aside from the author’s opinion and the fact that badvpn is not packed in Debian, he gives a clue on how to use namespaces to redirect inidiviual processes with redsocks.

github.com

phillipberndt/scripts/blob/master/tunsocks/tunsocks.cc

// tunsocks -- Tunnel a process through a socks server
// Copyright (c) 2016, Phillip Berndt
//
// This is a new approach: The program sets up a TUN device inside an anonymous
// network namespace and relays all traffic through that device to the proxy.
// The device is set as the namespace's default route. The target process is
// then started within said namespace.
//
// This has some benefits over existing solutions:
//
// tsocks uses LD_PRELOAD to patch the socket() etc. calls. This can be easily
// circumvented.
//
// redsocks does transparent proxying by using iptables' REDIRECT. This is
// feasible for system-wide redirection, but it is hard to isolate a single
// process. The only options to to that were either to use a different UID,
// which is pretty secure, but also restricts what you can to with the
// process in other ways, or to use network namespaces with virtual devices,
// and to set up the rule only for traffic from the endpoint in the global
// namespace. It is a pain to configure this.

This file has been truncated. show original

// redsocks does transparent proxying by using iptables’ REDIRECT. This is
// feasible for system-wide redirection, but it is hard to isolate a single
// process. The only options to to that were either to use a different UID,
// which is pretty secure, but also restricts what you can to with the
// process in other ways, or to use network namespaces with virtual devices,
// and to set up the rule only for traffic from the endpoint in the global
// namespace. It is a pain to configure this.

EDIT:

Found an intro on network namespaces

Patrick · February 12, 2018, 10:04pm

Yes.

Also did you mention another torification tool lately? That had even a bit shorter code. Was written in C and used iptables commands internally if I remember right.

I guess such a tool could be written in bash or python. At the moment I see no reason to go for C.

HulaHoop · February 13, 2018, 6:02pm

You mean ttdnsd : The TOR TCP DNS Daemon ? It uses LD_PRELOAD instead of iptables AFAICT. I am not sure it can do application specific routing by itself. solutions that use LD_PRELOAD are said to be easily circumvented by the tunsocks author. I don’t know if he meant accidental or deliberate malicious actions. If we are talking malfeasance then we have bigger problems. Also we wouldn’t ever install a malicious program on purpose so it s a moot point.

IMO tunsocks is our best bet since it does all the program specific namespace redirection leg work. Though it does not support UDP, it is able to encapsulate DNS with TCP and forward it to the socks server you want.

(tunsocks should not be confused with tun2socks - the latter a part of a feature rich suite known as badvpn)

Depending on the re-write difficulty, I wouldn’t worry much about language safety because it runs in the WS.

Patrick · February 14, 2018, 10:41am

No, I meant AORTA a transparent Tor proxy for Linux programs.

It uses iptables internally.

In Source code search for

"-t nat -A aorta -d 127.0.0.0/8 -p udp -m udp ! --dport 53 -j RETURN",

etc.

Patrick · February 28, 2018, 5:08pm

That might require to modify $HOME variable and allowing the other linux user account name to write to user user’s folder. Probably solvable.

Patrick · May 22, 2018, 2:03am

Solution: multiple Tor TransPorts and DnsPorts pre-configured.

Patrick · May 22, 2018, 2:07am

Summary way forward:

As uwt/torsocks replacement…

Run application either

a) under its own linux user name (problematic linux access rights) OR
b) under its own linux network namespace (strongly preferred)

then redirect to pre-configured Tor TransPorts or DnsPorts.

(Similar to how we currently pre-configure multiple Tor SocksPorts currently.)

Patrick · August 7, 2018, 11:31am

Looks like the following does almost that. Untested. Looks interesting.

https://orjail.github.io/

https://lists.torproject.org/pipermail/tor-talk/2018-July/044330.html

Patrick · August 7, 2018, 11:57am

orjail doesn’t have stream isolation support yet but that should be doable to add.

.

HulaHoop · August 8, 2018, 1:39am

Bonus: it integrates with firejail too

Patrick · August 8, 2018, 7:53am

github.com/orjail/orjail

add stream isolation support

opened 07:53AM - 08 Aug 18 UTC

closed 12:36AM - 13 Aug 18 UTC

adrelanos

enhancement

* `TransPort` is currently hardcoded to `9040` * `DnsPort` is currently hardcod…ed to `5354` It would be good to make that configurable. By using distinct `TransPort` / `DnsPort` ports per application you would gain stream isolation. `torsocks` supports `IsolatePID`. ``` # Set Torsocks to use an automatically generated SOCKS5 username/password based # on the process ID and current time, that makes the connections to Tor use a # different circuit from other existing streams in Tor on a per-process basis. # If set, the SOCKS5Username and SOCKS5Password options must not be set. # (Default: 0) IsolatePID 1 ``` Which then results in using Tor's [`IsolateSOCKSAuth`](https://www.torproject.org/docs/tor-manual.html.en). >Don’t share circuits with streams for which different SOCKS authentication was provided. (For HTTPTunnelPort connections, this option looks at the Proxy-Authorization and X-Tor-Stream-Isolation headers. On by default; you can disable it with NoIsolateSOCKSAuth.) `TransPort` / `DnsPort` doesn't support user auth credentials which would lead to stream isolation so the only way is to use distinct ports.

.

Patrick · August 14, 2018, 6:54pm

.

Patrick · August 19, 2018, 3:03pm

github.com/orjail/orjail

Debian packaging

orjail:master ← adrelanos:initial-deb-packaging

opened 03:01PM - 19 Aug 18 UTC

adrelanos

+982 -5

In future, would like to see orjail ending up in: * 1) Whonix's deb repositor…y, (so it can be installed in Whonix, likely installed by default, [...]) * 2) in debian.org's repository, (so as much people as possible start using this) * 3) elsewhere as other distributions and their packagers are welcome to step up To aid this, I created the Debian packaging. One additional dependency, [genmkfile](https://github.com/Whonix/genmkfile). Implements #24. ----- Just run ``` make deb-pkg ``` and a `../orjail_1.0-1_all.deb` will be created . Then you can install it using: ``` sudo dpkg -i ../orjail_1.0-1_all.deb ``` Will then be installed to `/usr/sbin/orjail`. And remove: ``` sudo apt-get purge orjail ``` Then everything will be removed. Lintian warning free, so Debian policy conform. --- Other makefile features: ``` make help ``` ``` make help Show this help. make dist Create package-version.tar.gz from source files in $DISTDIR (default ".."). make undist Delete package-version.tar.gz from source files in $DISTDIR (default ".."). make debdist Create debian.tar.gz from source files in $DISTDIR (default ".."). make undebdist Delete debian.tar.gz from source files in $DISTDIR (default ".."). make manpages Create man page from man source folder, which will be stored in debian/tmp-man folder. make uch Store upstream changelog from git log in debian/changelog.upstream. make install Copying the files from the source tree to system-wide directories. make installsim Simulate copying the files from the source tree to system-wide directories. make deb-pkg Create a deb, which will be stored in parent folder. make deb-pkg-install Create a deb, which will be stored in parent folder, and install it. make deb-install Install deb from parent folder. make deb-icup Combination of make deb-pkg, make deb-pkg-install and make deb-pkg-cleanup. make deb-remove apt-get remove make_source_package_name make deb-purge apt-get purge make_source_package_name make deb-clean Delete temporary debhelper files. make deb-cleanup Same as make deb-clean and deletes debuild artifacts from parent folder. make dput-ubuntu-ppa Upload to Ubuntu ppa. Requires functional .dput.cf. make clean Currently same as make deb-clean. make distclean Currently same as make clean. make checkout Fetch from git. make installcheck Check if source files match installed files. make uninstallcheck Check if make uninstall removed all files. make uninstall Delete all installed files. make uninstallsim Simulate what make uninstall would do. make deb-chl-bumpup Bump upstream version number in debian/changelog. make git-tag-sign git tag (-s) sign latest pkg_version_with_revision from debian/changelog. Only a repository sanity check. Not for security purposes! make git-tag-verify git tag (-v) verify latest pkg_version_with_revision from debian/changelog. Only a repository sanity check. Not for security purposes! make git-tag-check Check if current git head is a signed git tag. Only a repository sanity check. Not for security purposes! make git-commit-verify Check if current git head is a signed git commit. Only a repository sanity check. Not for security purposes! make git-verify Combination of tag-check and commit-verify. Only a repository sanity check. Not for security purposes! ```

.

Patrick · August 19, 2018, 3:25pm

github.com/orjail/orjail

exit with exit code of the application / use cleanup trap

opened 03:18PM - 19 Aug 18 UTC

closed 09:06PM - 25 Aug 18 UTC

adrelanos

``` # use firejail as security container if [ $USEFIREJAIL = y ]; then if [… "$SUDOBIN" ]; then $SUDOBIN -u "$USERNAME" "$FIREJAILBIN" "${FIREJAILARGS[@]}" --dns="$IPHOST" --netns="$NAME" "$@" else su "$USERNAME" -c "$FIREJAILBIN ${FIREJAILARGS[*]} --dns=$IPHOST --netns=$NAME $*" fi else #or without ip netns exec "$NAME" \ unshare --ipc --fork --pid --mount --mount-proc \ "$0" --inside "$USERNAME" "$RESOLVEFILE" "$VERBOSE" "$@" || \ die "Failed to execute the inside part of this script" fi # clean some shit cleanup # All done! ``` Running `cleanup` by writing `cleanup` at the end leads to the exit code of the application being forgotten. Using... trap "cleanup" EXIT would be much nicer. That way your cleanup code gets run on any termination as well as you don't need something like `exit_code=$?`, `exit $exit_code`. Why? This would be useful for use use in scripts. A wrapper should interfere with the wrapped application as little as possible, i.e. no extraneous output in most cases (unless debug, unless some special error) and forwarding the exit code of the wrapped application.

github.com/orjail/orjail

check iptables exit codes

opened 03:23PM - 19 Aug 18 UTC

closed 11:05PM - 28 Aug 18 UTC

adrelanos

``` # REJECT all traffic coming from orjail # this is needed to avoid reac…hing other interfaces iptables -I INPUT -i in-"$NAME" -p udp --destination "$IPHOST" --dport "$DNSPORT" -j ACCEPT && iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPHOST" --dport "$TRANSPORT" -j ACCEPT && if [[ $HIDDENSERVICE = y ]]; then iptables -I INPUT -i in-"$NAME" -p tcp --source "$IPNETNS" --sport "$HSERVICEPORT" -j ACCEPT && iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPNETNS" --dport "$HSERVICEPORT" -j ACCEPT fi ``` Usually you're using `die "Failed to configure the iptable for accepting connection"` but there you don't. For consistency would it be better to cover these as well?

.

Patrick · August 27, 2018, 6:08am

github.com/orjail/orjail

extrarenous output by orjail on abort (CTRL + C / signal sigterm)

opened 06:08AM - 27 Aug 18 UTC

closed 08:22PM - 28 Aug 18 UTC

adrelanos

How to reproduce: Run `sudo orjail -y curl https://check.torproject.org`, pre…ss CTRL + C to abort. ---- Actual result: Output by orjail. ``` ^C * Received breakout signal cat: /tmp/orjail-orjail/pid: No such file or directory cat: /tmp/orjail-orjail/pid: No such file or directory rm: cannot remove '/tmp/tornJ6klJ': No such file or directory Cannot find device "in-orjail" Cannot remove namespace file "/var/run/netns/orjail": No such file or directory iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: Bad rule (does a matching rule exist in that chain?). iptables: Bad rule (does a matching rule exist in that chain?). iptables: Bad rule (does a matching rule exist in that chain?). iptables: Bad rule (does a matching rule exist in that chain?). rm: cannot remove '/tmp/resolvetxKF6i': No such file or directory ``` ---- Expected result: No extra output by orjail.

Patrick · August 27, 2018, 6:54am

github.com/orjail/orjail

support for ephemeral Tor hidden services / local listener support / onionshare

opened 06:54AM - 27 Aug 18 UTC

closed 04:04PM - 12 Feb 19 UTC

adrelanos

onionshare https://onionshare.org/ https://github.com/micahflee/onionshare…/raw/develop/screenshots/server.png * uses ephemeral Tor onion services * it creates a local listener (mini http server serving the file to be shared) ---- ephemeral Tor onion services * This basically means, that it uses the Tor ControlProtocol to create the hidden service. Not using torrc modifications. * Yes, ephemeral Tor hidden services can also persist between application starts. After creating it with add_onion new, you get the hidden service private key, can store it, and restore it later. * This can be done using python-stem. - https://packages.debian.org/stretch/python3-stem ---- `sudo orjail -y onionshare COPYING ` ``` Onionshare 1.3 | https://onionshare.org/ Traceback (most recent call last): File "/usr/lib/python3/dist-packages/onionshare/common.py", line 208, in get_available_port tmpsock.bind(("127.0.0.1", random.randint(min_port, max_port))) OSError: [Errno 99] Cannot assign requested address During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/onionshare/onion.py", line 193, in connect self.tor_socks_port = common.get_available_port(1000, 65535) File "/usr/lib/python3/dist-packages/onionshare/common.py", line 211, in get_available_port raise OSError(e) OSError: [Errno 99] Cannot assign requested address During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/bin/onionshare", line 22, in <module> onionshare.main() File "/usr/lib/python3/dist-packages/onionshare/__init__.py", line 86, in main onion.connect(settings=False, config=config) File "/usr/lib/python3/dist-packages/onionshare/onion.py", line 195, in connect raise OSError(strings._('no_available_port')) OSError: Could not start the Onion service as there was no available port ```

Patrick · August 28, 2018, 8:52pm

github.com/orjail/orjail

--yes should be default?

opened 08:48PM - 28 Aug 18 UTC

closed 11:14PM - 28 Aug 18 UTC

adrelanos

Without -y / --yes orjail interactively asks "Do you want to create it? [y/n]" I… don't see if I am using orjail and running "sudo orjail program-name" why I would want "no"? What's the use case for that? Could you please kindly consider dropping "-y" and making that the default? orjail is already very good. Besides the open issues, there is little until it's perfect. Requiring to type the `-y` is such an imperfection. I am coming form a perspective of orjail being a torsocks on steroids drop-in alternative.

Patrick · August 28, 2018, 9:08pm

github.com/orjail/orjail

allow running orjail without sudo by having orjail run sudo internally

opened 09:08PM - 28 Aug 18 UTC

adrelanos

The flowing is a bit strange. sudo orjail -y touch a Will the file be …owned by `root` or `user`? -> `user` But why since the whole command runs under `sudo`? A bit unexpected. vs sudo orjail -y sudo touch a Will the file be owned by `root` or `user`? -> `root` That syntax is a bit long though. ---- So I was wondering why not run `orjail` without `sudo`, and then `orjail` would internally use `sudo` whenever required? Maybe `orjail` could be running under user `orjail` and user `orjail` would have `/etc/sudoers.d/orjail` exceptions to run the required commands (`ip`, `iptables`, ...) under `root` using `sudo`. The end result could be: * `sudo orjail -y touch a` -> owned by `root` * `orjail -y touch a` -> owned by `user` If you're interested in this, I could try to come up with a pull request since I have some experiences running applications under user `something` and then having `/etc/sudoers.d/` exceptions to allow user `something` do run required commands as root.

Patrick · August 31, 2018, 8:32am

github.com/orjail/orjail

why do we need all those checks (on iptables)? - use ERR trap

opened 08:14AM - 31 Aug 18 UTC

closed 01:01PM - 04 Sep 18 UTC

adrelanos

Instead of individual error handling per command.... ``` iptables -I FORWARD… -i in-"$NAME" -j DROP || \ die "Failed to disable forwarding on in-$NAME interface" ``` May I suggest please using a general ERR trap? ``` error_handler() { local last_failed_exit_code="$?" local last_failed_bash_command="$BASH_COMMAND" die "$last_failed_bash_command failed with exit_code $last_failed_exit_code" } trap error_handler ERR ``` (Perfection would be reached by additionally using `set -e` (for the unlikely cases for the ERR trap not working or for cases of errors during ERR trap).)

github.com/orjail/orjail

use and reconfigure the host's Tor / circumvention/bridges support / keep existing Tor config

opened 08:27AM - 31 Aug 18 UTC

closed 04:06PM - 12 Feb 19 UTC

adrelanos

https://github.com/orjail/orjail/issues/45 made me wonder. Would it be sane t…o use the host's Tor? That would have several advantages: * user could maintain Tor's `Seccomp 1` security setting * (user could maintain Tor's AppArmor profile (already the case?)) * circumvention / Bridges settings would be preserved * Tor already running, and connected (responsibility of the user / sysadmin) * preserving any other user settings ([many](https://www.torproject.org/docs/tor-manual.html.en)) To make things more leak proof, would it be an option to use Tor unix domain socket files rather than listening ports? (#47) A new Tor `TransPort` / `DnsPort` could be dynamically added to the running Tor by using [Tor control protocol](https://gitweb.torproject.org/torspec.git/tree/control-spec.txt) using Tor's `ControlPort` or `ControlSocket`. If that is not sane, what about preserving Tor's config? (Simply copying /etc/tor/torrc would be imperfect due to Tor feature:) > Configuration options can be imported from files or folders using the `%include` option with the value being a path.