TBB's use of SocksSocket will break Whonix's Tor Browser implementation

phabricator-migrator · February 19, 2024, 5:51pm

Information

ID: 192
PHID: PHID-TASK-dgxin42roeqwl3f5ai5g
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description

Impact:

Tor Browser developers plan changes that would break Whonix’s Tor over Tor prevention. Changes, that would make it hard for manually downloaded, unmodified TBB tarballs to work in Whonix out of the box while preventing Tor over Tor.

Details:

The current implementation of anon-ws-disable-stacked-tor using rinetd (design documentation, see footnote) will not work forever.

Tor implemented SocksSocket option (unix domain sockets) version 0.2.6.3-alpha. Tor Browser will start using . (Reference)

To make things worse, currently the environment variables TOR_SOCKS_HOST and TOR_SOCKS_PORT are broken. (upstream bug report)

Related Upstream Bug:

~~torrc’s SocksSocket breaks tor-service-defaults-torrc’s SocksPort~~

Solution?

We might be able to solve this using socat. Because socat is apparently able to man-in-the-middle unix domain sockets. By using something like this (untested). (source)

sudo mv /path/to/sock /path/to/sock.original
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original

We might be able to redirect that unix domain socket to Whonix-Gateway.

Either directly to Whonix-Gateway (if we want to abolish rinetd).

sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork TCP4:10.152.152.10:9150

Or to existing rinetd to keep things simpler for custom gateway IP’s and #qubes.

sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork TCP4:127.0.0.1:9150

Timing the renaming of TBB’s unix domain socket file so we can intercept and redirect it seems difficult and error prone. Therefore it would be best if TBB supported an environment variable to connect to existing unix domain socket files. → upstream feature request

Dev Test Toolbox:

For installation of Tor that comes with the SocksSocket option. /etc/apt/sources.list.d/torproject.list

deb http://deb.torproject.org/torproject.org tor-experimental-0.2.6.x-wheezy main

/etc/apparmor.d/local/system_tor AppArmor permission.

  /{,var/}run/tor/socket rw,

/etc/tor/torrc

SocksSocketsGroupWritable 1
SocksPort unix:/var/run/tor/socket

Test if the socket can be talked to.

socat - UNIX-CONNECT:/var/run/tor/socket
GET

Create unix domain socket file /home/user/test.socket and forward to /var/run/tor/socket as proof of concept.

sudo socat -t100 -x -v UNIX-LISTEN:/home/user/test.socket,mode=777,reuseaddr,fork UNIX-CONNECT:/var/run/tor/socket

Test if the socket can be talked to.

socat - UNIX-CONNECT:./test.socket
GET

Proof of concept is functional.

Forum user support thread:
https://forums.whonix.org/t/tor-browser-6-5a4-connectivity-broken-blocked-by-apparmor-profile-since-tbb-changed-to-sockssocket

Comments

Patrick

2015-08-20 03:15:07 UTC

    Try to cope up with planned changes by the Tor Browser Bundle (TBB) developers. Try keeping Tor Browser being able to connect while preventing Tor over Tor.
    The Tor Project (TPO) plans ( https://trac.torproject.org/projects/tor/ticket/14270 ) to modify TBB to use unix domain sockets (Tor SocksSocket option) instead of TCP to talk to Tor.
    To make things worse, currently the environment variables TOR_SOCKS_HOST and TOR_SOCKS_PORT are broken. ( upstream bug report: https://trac.torproject.org/projects/tor/ticket/8336 )
    Therefore creating unix domain sockets using socat in folder /var/run/anon-ws-disable-stacked-tor that are forwarded rinetd on localhost which forwards them to the gateway.
    (Not directly forwarding those to the gateway to make the Qubes implementation simpler. This way no IP replacement is required.)
    Optimistically setting environment variables to configure TBB in hope that those are later implemented by TPO.
    export TOR_PRE_EXIST_UNIX_SOCKET_SOCKS="/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
    export TOR_PRE_EXIST_UNIX_SOCKET_CONTROL="/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"
    As long it is ignored, there is no harm.
    And once Tor Browser supports it, chances are better that it is still able to make connections See also:
    - https://trac.torproject.org/projects/tor/ticket/14272#comment:3
    - https://phabricator.whonix.org/T192

Try to cope up with planned changes by the Tor Browser Bundle (TBB) d… · Whonix/anon-ws-disable-stacked-tor@c246d61 · GitHub

Patrick

2015-08-20 03:18:52 UTC

Patrick

2015-09-09 00:30:35 UTC

Patrick

2016-03-28 13:40:45 UTC

marmarek

2016-03-29 00:52:27 UTC

Patrick

2016-03-29 15:29:03 UTC

marmarek (Marek Marczykowski-Górecki):

How is Tor started in TBB?

In a nutshell:

Tor Browser (which is a Firefox with patches by TPO) starts with its
main window hidden by default.

Tor Launcher (which is a Firefox addon) provides the connection
wizard window.

Then Tor Launcher starts Tor and allows Tor Browser to open its main
window.

Then Tor Browser uses 127.0.0.1 9150 (Socks) / 9151 (Control).

In Whonix-Workstation we redirect these local ports to the
Whonix-Gateway.

(
Tor Browser Essentials
)

If it is possible to disable it (I hope
so),

We are already disabling the bundled Tor that comes with Tor Browser.

( Tor Browser Essentials )

there should be no race condition with it.

No race condition indeed.

When user start TBB,
the socket should be already there,

Yes, Tor Browser would require the socket to be already existing.

and wont be overwritten because
Tor is disabled. Right?

Yes.

Now the problem is, when they implement this, they might expect the
socket to be existing in
~/.tb/tor-browser/Browser/TorBrowser/Data/Tor/. Writing into the home
folder is troublesome. And in past they changed the folder structure
quite often so things could break.

To keep things stable connected, I requested the following environment
variables.

TOR_PRE_EXIST_UNIX_SOCKET_SOCKS

TOR_PRE_EXIST_UNIX_SOCKET_CONTROL

Make Tor Launcher work with Unix Domain Socket option (#14272) · Issues · Legacy / Trac · GitLab

At the moment I can only wait what TPO says / does next.

HulaHoop

2016-04-03 18:59:57 UTC

Patrick

2016-09-11 13:50:27 UTC

Patrick

2016-09-13 20:39:00 UTC

Patrick

2016-11-17 18:39:03 UTC

Patrick

2016-11-26 14:51:54 UTC

Patrick

2016-11-27 23:50:07 UTC