b5f279e

I'm adding IPv6 support on torjail with a --ipv6 | -6 option, but when I start the script, the Tor instance doesn't run together with it, I must hit $ /usr/sbin/tor --quiet -f /tmp/torXXXXX on a terminal windows for starting Tor.

What is wrong here?

How to reproduce:

Run sudo orjail -y curl https://check.torproject.org, press CTRL + C to abort.

Actual result:

Output by orjail.

^C * Received breakout signal
cat: /tmp/orjail-orjail/pid: No such file or directory
cat: /tmp/orjail-orjail/pid: No such file or directory
rm: cannot remove '/tmp/tornJ6klJ': No such file or directory
Cannot find device "in-orjail"
Cannot remove namespace file "/var/run/netns/orjail": No such file or directory
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
rm: cannot remove '/tmp/resolvetxKF6i': No such file or directory

Expected result:

No extra output by orjail.

Instead of individual error handling per command....

iptables -I FORWARD -i in-"$NAME" -j DROP || \
    die "Failed to disable forwarding on in-$NAME interface"

May I suggest please using a general ERR trap?

error_handler() {
   local last_failed_exit_code="$?"
   local last_failed_bash_command="$BASH_COMMAND"
   die "$last_failed_bash_command failed with exit_code $last_failed_exit_code"
}

trap error_handler ERR

(Perfection would be reached by additionally using set -e (for the unlikely cases for the ERR trap not working or for cases of errors during ERR trap).)

$ sudo orjail ls
/usr/bin/orjail: line 550: /tmp/torjH8Tug: Permission denied
[Error] in command: cat >> "$TORCONFIGFILE" <<EOF
  DataDirectory /tmp/orjail-${NAME}
  AutomapHostsSuffixes .onion,.exit
  AutomapHostsOnResolve 1
  PidFile      /tmp/orjail-${NAME}/pid
  User         ${USERNAME}
  VirtualAddrNetworkIPv4 ${IPNETNS}/16
  TransPort ${IPHOST}:${TRANSPORT}
  DNSPort ${IPHOST}:${DNSPORT}
  SOCKSPort 0
  RunAsDaemon 1      
EOF

[Error] Enable verbose mode to debug (using -v)

Already solved by #71, but wanted to make the issue more discoverable on the bug tracker (I couldn't find it until I started looking into making a PR myself).

I update my cryptocurrencies often with Orjail, some of them require the loopback interface (lo) to be up; many programs follow the same.

For example, when I update my Monero's blockchain I have to start in this way with Orjail:

sudo orjail -- sh -c "sudo ip li set lo up; monerod --hide-my-port --p2p-bind-ip 127.0.0.1 --max-concurrency 8 --prep-blocks-threads 8"

Of course I added this feature to my Orjail to avoid the second "sudo".

It's ok to bring loopback interface up, since it doesn't route anything out of netns sandbox.

iptables DROP rules needed

When /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf no replacement and dns leaking via systemd-resolved nameserver 127.0.0.53.

Would it make sense to add torsocks to the execution anyhow? To make it "even more leak proof"? --torsocks?

It could be more leak proof since using torsocks but also having higher attack surface since involving torsocks's C code?

Or would that be nonsense?

sudo orjail -y curl https://check.torproject.org
curl: (6) Could not resolve host: check.torproject.org
Execution failed.

Actually execution did not fail. It was just a temporary network issue.
Not showing "Execution failed." would ease using orjail in scripts. (Those scripts which parse output.)

/tmp remain full of torXXXX and resolvXXXX on ctrl+c

I know that using any browser with Torjail prevents the real IP from being exposed by WebRTC because Torjail builds a local NAT between the program and Tor. NAT breaks WebRTC (and it's good for anonymity).

But the hardware IDs remain the same either using Torjail or not.

The test can be made here: https://browserleaks.com/webrtc

When I start Opera using my direct connection and after use it with Torjail, all the unique hardware identifiers remain the same, I know WebRTC can be disabled in any browser manually, but this issue could easily be exploitable by an attacker.

Is there any fix for this?

torjail zsh
torjail -n otherns zsh

interfaces ip of namespace torjail and otherns are the same, only the first one will work.

seccomp-bpf allows you to filter which syscalls an application is allowed to use.

Firejail and bubblewrap (#62) both have seccomp support. Firejail also has a seccomp guide.

Orjail shouldn't use a very restrictive filter as that'd break many applications running inside it but it can use a simple blacklist that blocks certain dangerous syscalls.

Firejail has a default seccomp blacklist that can be enabled via the --seccomp flag. See the --seccomp part at the man page.

Some examples (not suggesting these as is, just for reference).

ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
SocksPort unix:/var/run/tor/socks WorldWritable
CookieAuthFile /var/run/tor/control.authcookie

Dunno if it's possible for Tor TransPort / DnsPort.

If you like, I could implement it.

Similar to how I implemented it for kloak, see:

vmonaco/kloak#5

The flowing is a bit strange.

sudo orjail -y touch a

Will the file be owned by root or user? -> user But why since the whole command runs under sudo? A bit unexpected.

vs

sudo orjail -y sudo touch a

Will the file be owned by root or user? -> root That syntax is a bit long though.

So I was wondering why not run orjail without sudo, and then orjail would internally use sudo whenever required?

Maybe orjail could be running under user orjail and user orjail would have /etc/sudoers.d/orjail exceptions to run the required commands (ip, iptables, ...) under root using sudo.

The end result could be:

• sudo orjail -y touch a -> owned by root
• orjail -y touch a -> owned by user

If you're interested in this, I could try to come up with a pull request since I have some experiences running applications under user something and then having /etc/sudoers.d/ exceptions to allow user something do run required commands as root.

  # REJECT all traffic coming from orjail
  # this is needed to avoid reaching other interfaces
  iptables -I INPUT -i in-"$NAME" -p udp --destination "$IPHOST" --dport "$DNSPORT" -j ACCEPT &&
  iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPHOST" --dport "$TRANSPORT" -j ACCEPT &&
  if [[ $HIDDENSERVICE = y ]]; then
    iptables -I INPUT -i in-"$NAME" -p tcp --source "$IPNETNS" --sport "$HSERVICEPORT" -j ACCEPT &&
    iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPNETNS" --dport "$HSERVICEPORT" -j ACCEPT
  fi

Usually you're using die "Failed to configure the iptable for accepting connection" but there you don't. For consistency would it be better to cover these as well?

# use firejail as security container
if [ $USEFIREJAIL = y ]; then
  if [ "$SUDOBIN" ]; then
    $SUDOBIN -u "$USERNAME" "$FIREJAILBIN" "${FIREJAILARGS[@]}" --dns="$IPHOST" --netns="$NAME" "$@"
  else
    su "$USERNAME" -c "$FIREJAILBIN ${FIREJAILARGS[*]} --dns=$IPHOST --netns=$NAME $*"
  fi
else #or without
  ip netns exec "$NAME" \
    unshare --ipc --fork --pid --mount --mount-proc \
    "$0" --inside "$USERNAME" "$RESOLVEFILE" "$VERBOSE" "$@" || \
    die "Failed to execute the inside part of this script"
fi

# clean some shit
cleanup

# All done!

Running cleanup by writing cleanup at the end leads to the exit code of the application being forgotten. Using...

trap "cleanup" EXIT

would be much nicer. That way your cleanup code gets run on any termination as well as you don't need something like exit_code=$?, exit $exit_code.

Why? This would be useful for use use in scripts. A wrapper should interfere with the wrapped application as little as possible, i.e. no extraneous output in most cases (unless debug, unless some special error) and forwarding the exit code of the wrapped application.

For instance, --private --net=eth0 --machine-id, or other per instance parameters to customize torjails?

see #5 (comment)

If an orjail shell is launched and the namespace is created, then it is not possible to just use firejail to join apps in this namespace.

ps aux is not showing them in the orjail shell and the joined app has no connection to the tor network.

Whats prevents this situation from working correct?
Is the problem PID based or firewall based?

Without -y / --yes orjail interactively asks "Do you want to create it? [y/n]" I don't see if I am using orjail and running "sudo orjail program-name" why I would want "no"? What's the use case for that?

Could you please kindly consider dropping "-y" and making that the default?

orjail is already very good. Besides the open issues, there is little until it's perfect. Requiring to type the -y is such an imperfection. I am coming form a perspective of orjail being a torsocks on steroids drop-in alternative.

The documentation is quite outdated and there are many examples that should be added.

• installation
• clear project's description (#35)
• brief workflow description (tor, namespaces, etc)
• complete configuration
• examples, examples, examples!

Hi, could you submit official PKGBUILD, AUR submission guidelines.

Can help:

• old release: https://aur.archlinux.org/packages/orjail/
• git: PKGBUILD

  # Maintainer: Your Name <address at domain dot tld>
  pkgname=orjail-git
  pkgver=1.1.r22.ga0b9e6c
  pkgrel=1
  pkgdesc='A more secure way to force programs to exclusively use tor network'
  arch=('x86_64')
  
  url='https://github.com/orjail/orjail'
  license=('WTFPL')
  
  depends=(
      'tor'
      'iproute2'
      'iptables'
      'bc'
      'coreutils'
      'grep'
      'glibc'
      'util-linux'
      'sudo'
  )
  optdepends=('firejail: additional security sandbox')
  makedepends=()
  
  provides=('orjail')
  conflicts=('orjail')
  
  source=($pkgname::git+$url.git#branch=master)
  sha256sums=('SKIP')
  
  pkgver() {
      cd "$pkgname"
      git describe --long --tags | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g'
  }
  
  build() {
      cd "$pkgname"
      make
  }
  
  package() {
      cd "$pkgname"
      make DESTDIR="$pkgdir/" install
      mv $pkgdir/usr/sbin $pkgdir/usr/bin
  }
  

I am wondering what is the main focus of your project?

a) Adding torification to applications which don't come with native torification or
b) better guaranteed torification (absence of leaks going through clearnet) by launching applications isolated in Linux network namespaces?

we need to specify which firejail release is supported

DNS over TCP is supported by Linux since 2015-05-07: https://web.archive.org/web/20150518063349/http://man7.org:80/linux/man-pages/man5/resolv.conf.5.html

All that is needed is TCP support by the resolver. I tested many of this list: https://www.publicdns.xyz/
^^ ~ 95% of them work well with TCP, it wasn't the same 5 years ago as most DNS servers didn't support TCP DNS.

I was having trouble with that annoying "Google captcha" when browsing with Firefox in orjail, and after tests with some DNS servers I realized that DNS resolvers were the cause, perhaps because Tor changes the resolvers often in the middle of some accesses. The most stable DNS resolvers I found are anycast.censurfridns.dk (91.239.100.100 | 2001:67c:28a4::) and unicast.censurfridns.dk (89.233.43.71 | 2a01:3a0:53:53::), I didn't got any error.

The trick is easy, /etc/resolv.conf (or /etc/netns/namespace/resolv.conf) should be:

options use-vc
nameserver <some_server>

Testing with orjail:

sudo orjail -s
sudo echo -e "options use-vc \nnameserver 89.233.43.71 \n" > /etc/resolv.conf
dig +tcp github.com | grep 'SERVER:'
curl ifconfig.me

^^ Works well, and should be the same with any transparent proxy as long as TCP port 53 is unblocked by the upstream server. The only disadvantage is that .onion sites will be not reachable with this scheme.

Could you clarify license please?

I am interested to package this tool for Whonix.

• TransPort is currently hardcoded to 9040
• DnsPort is currently hardcoded to 5354

It would be good to make that configurable.

By using distinct TransPort / DnsPort ports per application you would gain stream isolation.

torsocks supports IsolatePID.

# Set Torsocks to use an automatically generated SOCKS5 username/password based
# on the process ID and current time, that makes the connections to Tor use a
# different circuit from other existing streams in Tor on a per-process basis.
# If set, the SOCKS5Username and SOCKS5Password options must not be set.
# (Default: 0)
IsolatePID 1

Which then results in using Tor's IsolateSOCKSAuth.

Don’t share circuits with streams for which different SOCKS authentication was provided. (For HTTPTunnelPort connections, this option looks at the Proxy-Authorization and X-Tor-Stream-Isolation headers. On by default; you can disable it with NoIsolateSOCKSAuth.)

TransPort / DnsPort doesn't support user auth credentials which would lead to stream isolation so the only way is to use distinct ports.

It would be nice to be able to use orjail as a generic network namespace container, to isolate programs from the rest of the local network traffic on the machine, regardless of whether you want to use Tor or not. For that reason I suggest a command-line parameter that would simply skip the firewall rules that are specific to the Tor functionality, such as DNS redirection and blocking of all but the Tor specific ports. I assume this would also require adding a MASQUERADE nat rule instead to enable clearnet access?

I started off using many of my hours analyzing the way this guy did it from https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/

But theres 3 questions i have about this.

1. I couldnt understand the last cmd he posted:
   iptables -t nat -A PREROUTING -i tornet -p tcp -m tcp --dport 9050 -j DNAT --to-destination 127.0.0.1:9050
   This is for Applications supporting SOCKS5, Im not sure why this traffic needs to be redirected if we have already created a separate SOCKS5 proxy 127.0.0.1:9040 ??
   How could apps that support SOCKS5 still connect through the bridge?

2. I did a lot of tests, and it seems that if you run for example xterm in firejail using that bridge, if you decide to stop the tor service, and if the app (in this case xterm) is malicious and isnt able to connect to their servers (you can still ping from the jail by the way), it can try to ping their own servers, and they could analyze with tcpdump on their end where the ping is coming from. The ping reveals the users REAL IP address. I have tried to block icmp to/from the bridge tornet using iptables, but the jail STILL is able to ping outside, even though there is no resolving of any kind.
   Does anyone know why this happens here?
   How is orjail different from this? Does it block icmp and any connectivity in the namespace when TOR service is stopped?

3. How is creating a network namespace different from a bridge when being used with TOR and firejail?

Thank you in advance

So the Tor connection itself is forced through an existing Linux network namespace. This would be a useful feature.

In the readme are missing the instructions about how to install the script.

Running make, it returns the error:
$ make Makefile:21: /usr/share/genmkfile/makefile-full: No such file or directory make: *** No rule to make target '/usr/share/genmkfile/makefile-full'. Stop.

Know shellcheck? It's available as a free online tool as well as Free Software downloadable software. Also packaged for Debian etc.

Shows some warnings for your scripts.

Not necessarily something bad, but useful to run through it and then you can decide if it suggests anything worth fixing.

With latest orjail from git I get the following error

sudo orjail -v -s
[sudo] password for user: 
User user: invalid name or no home directory.
[Error] in command: exit 1
 * Remove Tor temporary configuration
 * Killing Tor process 
 * Killed 
 * Remove Tor DataDirectory: /tmp/orjail-orjail
 * Remove in-orjail network interface
Cannot find device "in-orjail"
 * Delete network namespace orjail
Cannot remove namespace file "/var/run/netns/orjail": No such file or directory
 * Cleaning up iptables rules...

User password is entered correctly. Older torjail script still works as expected. This occurs on two separate systems.

Firejail has way too large attack surface that has led to many privilege escalations and sandbox escapes in the past.

It would be better if orjail used bubblewrap instead which is similar to firejail but has minimal attack surface.

I can create a pull request that implements most of the same functionality as firejail but using bubblewrap instead if this is something you're interested in. The only things I don't know how to replicate with bubblewrap are the --dns=, --name= and --netns= options.

Tor has an option to use an ipv6 gateway:

$ man tor
[...]
VirtualAddrNetworkIPv6 [Address]/bits
When Tor needs to assign a virtual (unused) address because of a
MAPADDRESS command from the controller or the AutomapHostsOnResolve
feature, Tor picks an unassigned address from this range.
(Defaults: 127.192.0.0/10 and [FE80::]/10 respectively.)

       When providing proxy server service to a network of computers using
       a tool like dns-proxy-tor, change the IPv4 network to
       "10.192.0.0/10" or "172.16.0.0/12" and change the IPv6 network to
       "[FC00::]/7". The default VirtualAddrNetwork address ranges on a
       properly configured machine will route to the loopback or
       link-local interface. The maximum number of bits for the network
       prefix is set to 104 for IPv6 and 16 for IPv4. However, a wider
       network - smaller prefix length

       ·   is preferable since it reduces the chances for an attacker to
           guess the used IP. For local use, no change to the default
           VirtualAddrNetwork setting is needed.

[...]

I was thinking on hacking Torjail and add this option manually here. Could you add it?

so, I've tried the script but it returns only error.

this what I've done:
git clone https://github.com/orjail/orjail.git cd orjail/user/sbin sudo ./orjail -v

it returns:
``
[Error] exit ""

• Remove Tor temporary configuration
• Killing Tor process
• Killed
• Remove Tor DataDirectory: /tmp/orjail-orjail
• Remove in-orjail network interface
  Cannot find device "in-orjail"
• Delete network namespace orjail
  Cannot remove namespace file "/var/run/netns/orjail": No such file or directory
• Cleaning up iptables rules...
  ``

please HALP!

onionshare

https://onionshare.org/

https://github.com/micahflee/onionshare/raw/develop/screenshots/server.png

• uses ephemeral Tor onion services
• it creates a local listener (mini http server serving the file to be shared)

ephemeral Tor onion services

• This basically means, that it uses the Tor ControlProtocol to create the hidden service. Not using torrc modifications.
• Yes, ephemeral Tor hidden services can also persist between application starts. After creating it with add_onion new, you get the hidden service private key, can store it, and restore it later.
• This can be done using python-stem. - https://packages.debian.org/stretch/python3-stem

sudo orjail -y onionshare COPYING

Onionshare 1.3 | https://onionshare.org/
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/onionshare/common.py", line 208, in get_available_port
    tmpsock.bind(("127.0.0.1", random.randint(min_port, max_port)))
OSError: [Errno 99] Cannot assign requested address

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/onionshare/onion.py", line 193, in connect
    self.tor_socks_port = common.get_available_port(1000, 65535)
  File "/usr/lib/python3/dist-packages/onionshare/common.py", line 211, in get_available_port
    raise OSError(e)
OSError: [Errno 99] Cannot assign requested address

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/onionshare", line 22, in <module>
    onionshare.main()
  File "/usr/lib/python3/dist-packages/onionshare/__init__.py", line 86, in main
    onion.connect(settings=False, config=config)
  File "/usr/lib/python3/dist-packages/onionshare/onion.py", line 195, in connect
    raise OSError(strings._('no_available_port'))
OSError: Could not start the Onion service as there was no available port

Firejail uses a bridge network to create net namespace on wifi adapters. On my system, this bypasses orjail's Tor TUN which renders Firejail unusable with orjail on a WIFI adapter.

Is there any simple work around?

I tried running orjail with doas, and while it worked the subcommand ran as root instead of dropping privileges.

So, maybe add doas support/detection or fail if it's not sudo/su.

I finding the orjail shell very useful and handy,
it would be nice to have some sort of feedback in its prompt,
in this way it will be easier avoid mistakes typing in the wrong shell window.

tnx
g

IP forwarding is needed to be activated sometimes.

When net.ipv4.conf.all.forwarding and net.ipv4.conf.default.forwarding are enabled (with sysctl), all non-Tor packets are visible in the main network stack coming from orjail, that is, the internal packets inside sandbox.

I really don't know if the packets leaks through router and reaches the Internet IP which is destined, but if there is an adversary controlling the router, yes, he can capture all of them!

$ orjail -v -u root ping 1.1.1.1
$ orjail -v deluge magnet:?xt=urn:btih:f4e3cc2db4163e3b1ff77b3e23b76b85a1d4ee1f&tr=https://ipleak.net/announce.php%3Fh%3Df4e3cc2db4163e3b1ff77b3e23b76b85a1d4ee1f&dn=ipleak.net+torrent+detection # Torrent leak test from ipleak.net

Running tcpdump show this:

$ tcpdump -vv -i in-orjail | grep 10.200.1.2

Running inside a separate namespace prove that the main router can see the leaked packets:

$ ip netns add nsx
$ ip link add vethx type veth peer name peerx
$ ip link set peerx netns nsx
$ ip addr add 10.100.1.1/24 dev vethx
$ ip link set vethx up
$ ip netns exec nsx ip addr add 10.100.1.2/24 dev peerx
$ ip netns exec nsx ip li set peerx up
$ ip netns exec nsx ip route add default via 10.100.1.1 dev peerx
$ iptables -t nat POSTROUTING -s 10.100.1.0/24 -o eth0 -j MASQUERADE
$ ip netns exec nsx orjail -s -u root ping 1.1.1.1

$ tcpdump -vv -i in-orjail | grep 10.200.1.2
$ tcpdump -vv -i eth0 | grep 10.200.1.2

Yes, leaked packets pass through virtual interface vethx from the network namespace nsx and reaches the upside router.

There is a simple fix for this:

$ iptables -I FORWARD 1 -i in-orjail -j DROP
$ iptables -I FORWARD 1 -o in-orjail -j DROP
$ sysctl -w -q net.ipv4.conf.in-orjail.forwarding=0

Now none of the packets leaks.

Some additional iptables rules for protection:

$ iptables -t nat -I POSTROUTING 1 ! -o in-orjail -s 10.200.1.0/24 -j RETURN
$ iptables -t nat -I PREROUTING 1 ! -i in-orjail -d 10.200.1.0/24 -j RETURN

$ iptables -t nat -A PREROUTING -i in-torjail -j RETURN

$ iptables -A INPUT ! -i in-orjail -s 10.200.1.0/24 -j DROP
$ iptables -A INPUT ! -i in-orjail -d 10.200.1.0/24 -j DROP

I’m pretty sure orjail isn’t sdwdate. That should probably be changed.

for nf_cmd in 'iptables' 'iptables -t nat'; do
$nf_cmd -S | grep "in-$NAME" | while read line; do $nf_cmd ${line//-A/-D} &>/dev/null; done
done

^^ Less lines of code.

grep is omnipresent in linux distributions, it shouldn't be a problem.

I've been getting error trying to launch orjail:

 * Creating a orjail namespace...
 * Creating a veth link...
 * Sharing the veth interface...
 * Setting up IP address of host interface...
 * Setting up IP address of peer interface...
 * Default routing up...
 * Resolving via Tor
 * Traffic via Tor...
 * Creating the Tor configuration file...
 * Tor version is 05 16 1.3.6 1.3.8. 0.3.4.9
 * Copying host's tor cache
cp: cannot stat '/var/lib/tor/*': No such file or directory
[Error] in command: cp -d -R /var/lib/tor/* "/tmp/orjail-${NAME}/"

Appears tor is no longer located in /var/lib/tor/, Fedora 29. Reinstalled Tor from Fedora repo.

If there is a already running Tor in the system or it's used sometimes, why don't reuse its cache for making orjail load faster?

if [ -d "/var/lib/tor" ]; then
mkdir /tmp/orjail-$NAME
if [ -f /tmp/orjail-$NAME/lock ]; then
rm /tmp/orjail-$NAME/lock
fi
cp -d -R /var/lib/tor/* /tmp/orjail-$NAME/
chmod -R 700 /tmp/orjail-$NAME/
chown -R "$USERNAME:$USERNAME" /tmp/orjail-$NAME/
fi

In a script I created here, Tor gets connected in less than 5 seconds by reusing the cache, while not using takes 30~40 seconds.

=)

#45 made me wonder.

Would it be sane to use the host's Tor?

That would have several advantages:

• user could maintain Tor's Seccomp 1 security setting
• (user could maintain Tor's AppArmor profile (already the case?))
• circumvention / Bridges settings would be preserved
• Tor already running, and connected (responsibility of the user / sysadmin)
• preserving any other user settings (many)

To make things more leak proof, would it be an option to use Tor unix domain socket files rather than listening ports? (#47)

A new Tor TransPort / DnsPort could be dynamically added to the running Tor by using Tor control protocol using Tor's ControlPort or ControlSocket.

If that is not sane, what about preserving Tor's config?

(Simply copying /etc/tor/torrc would be imperfect due to Tor feature:)

Configuration options can be imported from files or folders using the %include option with the value being a path.

I am trying to launch a Flatpak in a torjail but get a command not found error. Is there some syntax that might work?

[user@localhost ~]$ sudo torjail '/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/vlc --file-forwarding org.videolan.VLC --started-from-file @@u %U @@'
[sudo] password for user: 
sudo: /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/vlc --file-forwarding org.videolan.VLC --started-from-file @@u %U @@: command not found
Execution failed.