Information
ID: 192
PHID: PHID-TASK-dgxin42roeqwl3f5ai5g
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal
Description
Impact:
Tor Browser developers plan changes that would break Whonix’s Tor over Tor prevention: changes that would make it hard for manually downloaded, unmodified TBB tarballs to work in Whonix out of the box while still preventing Tor over Tor.
Details:
The current implementation of anon-ws-disable-stacked-tor using rinetd (design documentation, see footnote) will not work forever. Tor implemented the SocksSocket option (unix domain sockets) in version 0.2.6.3-alpha. Tor Browser will start using it. (Reference)
To make things worse, currently the environment variables TOR_SOCKS_HOST and TOR_SOCKS_PORT are broken. (upstream bug report)
Related Upstream Bug:
torrc’s SocksSocket breaks tor-service-defaults-torrc’s SocksPort
Solution?
We might be able to solve this using socat, because socat is apparently able to man-in-the-middle unix domain sockets, by using something like this (untested). (source)
sudo mv /path/to/sock /path/to/sock.original
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original
We might be able to redirect that unix domain socket to Whonix-Gateway.
Either directly to Whonix-Gateway (if we want to abolish rinetd).
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork TCP4:10.152.152.10:9150
Or to the existing rinetd, to keep things simpler for custom gateway IPs and #qubes.
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork TCP4:127.0.0.1:9150
Timing the renaming of TBB’s unix domain socket file so we can intercept and redirect it seems difficult and error-prone. Therefore it would be best if TBB supported an environment variable to connect to an existing unix domain socket file. → upstream feature request
Dev Test Toolbox:
To install a Tor version that comes with the SocksSocket option, add to /etc/apt/sources.list.d/torproject.list:
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.6.x-wheezy main
AppArmor permission, added to /etc/apparmor.d/local/system_tor:
/{,var/}run/tor/socket rw,
/etc/tor/torrc:
SocksSocketsGroupWritable 1
SocksPort unix:/var/run/tor/socket
Test if the socket can be talked to (connect, then type GET; Tor answers a SOCKS port with an HTTP error page).
socat - UNIX-CONNECT:/var/run/tor/socket
GET
Create the unix domain socket file /home/user/test.socket and forward it to /var/run/tor/socket as a proof of concept.
sudo socat -t100 -x -v UNIX-LISTEN:/home/user/test.socket,mode=777,reuseaddr,fork UNIX-CONNECT:/var/run/tor/socket
Test if the socket can be talked to.
socat - UNIX-CONNECT:./test.socket
GET
Proof of concept is functional.
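Added example, not part of this task or of anon-ws-disable-stacked-tor: a small Python relay that does what the socat lines in "Solution?" and the proof of concept above do (listen on a unix domain socket, forward each connection to a TCP SocksPort such as rinetd on 127.0.0.1:9150 or the gateway directly), plus a probe that mimics "socat - UNIX-CONNECT:<path>" followed by typing GET. Function names, the 0o660 socket mode and the /home/user/test.socket path in the usage stanza are this example's own choices.

```python
import contextlib
import os
import socket
import threing_placeholder_never_used  # noqa  (removed below)
```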
Forum user support thread:
https://forums.whonix.org/t/tor-browser-6-5a4-connectivity-broken-blocked-by-apparmor-profile-since-tbb-changed-to-sockssocket
Comments
Patrick
2015-08-20 03:15:07 UTC
Patrick
2015-08-20 03:18:52 UTC
Patrick
2015-09-09 00:30:35 UTC
Patrick
2016-03-28 13:40:45 UTC
marmarek
2016-03-29 00:52:27 UTC
Patrick
2016-03-29 15:29:03 UTC
HulaHoop
2016-04-03 18:59:57 UTC
Patrick
2016-09-11 13:50:27 UTC
Patrick
2016-09-13 20:39:00 UTC
Patrick
2016-11-17 18:39:03 UTC
Patrick
2016-11-26 14:51:54 UTC
Patrick
2016-11-27 23:50:07 UTC