orjail / orjail
a more secure way to force programs to exclusively use tor network
Home Page: https://orjail.github.io
License: Do What The F*ck You Want To Public License
Without -y / --yes orjail interactively asks "Do you want to create it? [y/n]". I don't see, if I am using orjail and running "sudo orjail program-name", why I would want "no". What's the use case for that?
Could you please kindly consider dropping "-y" and making that the default?
orjail is already very good. Besides the open issues, there is little left until it's perfect. Requiring to type the -y is such an imperfection. I am coming from the perspective of orjail being a torsocks-on-steroids drop-in alternative.
for nf_cmd in 'iptables' 'iptables -t nat'; do
    # list every rule that mentions this jail's interface and delete it
    # (the -A in the -S output becomes -D; deletion is the assumed loop body)
    $nf_cmd -S | grep "in-$NAME" | while read -r line; do
        $nf_cmd ${line/-A /-D }
    done
done
^^ Fewer lines of code.
grep is omnipresent in linux distributions, it shouldn't be a problem.
I find the orjail shell very useful and handy;
it would be nice to have some sort of feedback in its prompt,
in this way it will be easier to avoid mistakes typing in the wrong shell window.
tnx
g
With latest orjail from git I get the following error
sudo orjail -v -s
[sudo] password for user:
User user: invalid name or no home directory.
[Error] in command: exit 1
* Remove Tor temporary configuration
* Killing Tor process
* Killed
* Remove Tor DataDirectory: /tmp/orjail-orjail
* Remove in-orjail network interface
Cannot find device "in-orjail"
* Delete network namespace orjail
Cannot remove namespace file "/var/run/netns/orjail": No such file or directory
* Cleaning up iptables rules...
User password is entered correctly. Older torjail script still works as expected. This occurs on two separate systems.
I tried running orjail with doas, and while it worked the subcommand ran as root instead of dropping privileges.
So, maybe add doas support/detection or fail if it's not sudo/su.
Would it make sense to add torsocks to the execution anyhow? To make it "even more leak proof"? --torsocks?
It could be more leak proof since it uses torsocks, but also have a higher attack surface since it involves torsocks's C code?
Or would that be nonsense?
so, I've tried the script but it returns only an error.
This is what I've done:
git clone https://github.com/orjail/orjail.git
cd orjail/user/sbin
sudo ./orjail -v
it returns:
[Error] exit ""
please HALP!
onionshare: ephemeral Tor onion services (screenshot: https://github.com/micahflee/onionshare/raw/develop/screenshots/server.png)
sudo orjail -y onionshare COPYING
Onionshare 1.3 | https://onionshare.org/
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/onionshare/common.py", line 208, in get_available_port
tmpsock.bind(("127.0.0.1", random.randint(min_port, max_port)))
OSError: [Errno 99] Cannot assign requested address
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/onionshare/onion.py", line 193, in connect
self.tor_socks_port = common.get_available_port(1000, 65535)
File "/usr/lib/python3/dist-packages/onionshare/common.py", line 211, in get_available_port
raise OSError(e)
OSError: [Errno 99] Cannot assign requested address
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/onionshare", line 22, in <module>
onionshare.main()
File "/usr/lib/python3/dist-packages/onionshare/__init__.py", line 86, in main
onion.connect(settings=False, config=config)
File "/usr/lib/python3/dist-packages/onionshare/onion.py", line 195, in connect
raise OSError(strings._('no_available_port'))
OSError: Could not start the Onion service as there was no available port
Tor has an option to use an ipv6 gateway:
$ man tor
[...]
VirtualAddrNetworkIPv6 [Address]/bits
When Tor needs to assign a virtual (unused) address because of a
MAPADDRESS command from the controller or the AutomapHostsOnResolve
feature, Tor picks an unassigned address from this range.
(Defaults: 127.192.0.0/10 and [FE80::]/10 respectively.)
When providing proxy server service to a network of computers using
a tool like dns-proxy-tor, change the IPv4 network to
"10.192.0.0/10" or "172.16.0.0/12" and change the IPv6 network to
"[FC00::]/7". The default VirtualAddrNetwork address ranges on a
properly configured machine will route to the loopback or
link-local interface. The maximum number of bits for the network
prefix is set to 104 for IPv6 and 16 for IPv4. However, a wider
network - smaller prefix length - is preferable since it reduces the
chances for an attacker to guess the used IP. For local use, no change
to the default VirtualAddrNetwork setting is needed.
[...]
I was thinking on hacking Torjail and add this option manually here. Could you add it?
The documentation is quite outdated and there are many examples that should be added.
+ '[' -f /usr/lib/pre.bsh ']'
+ set -e
+ set -o pipefail
+ make_function_run make_init
+ local function_name function_name_return_code
+ function_name=make_init
+ shift
+ type -t make_init_hook_pre
+ true
+ make_init
+ cd ''
+ function_name_return_code=0
+ '[' '!' 0 = 0 ']'
+ type -t make_init_hook_post
+ make_function_run make_source_overrides_file install
+ local function_name function_name_return_code
+ function_name=make_source_overrides_file
+ shift
+ type -t make_source_overrides_file_hook_pre
+ true
+ make_source_overrides_file install
+ '[' -x ./make-helper-overrides.bsh ']'
+ function_name_return_code=0
+ '[' '!' 0 = 0 ']'
+ type -t make_source_overrides_file_hook_post
+ make_function_run make_source_overrides_folder install
+ local function_name function_name_return_code
+ function_name=make_source_overrides_folder
+ shift
+ type -t make_source_overrides_folder_hook_pre
+ true
+ make_source_overrides_folder install
+ '[' -d ./make-helper-overrides.d ']'
+ function_name_return_code=0
+ '[' '!' 0 = 0 ']'
+ type -t make_source_overrides_folder_hook_post
+ make_function_run make_parse_cmd install
+ local function_name function_name_return_code
+ function_name=make_parse_cmd
+ shift
+ type -t make_parse_cmd_hook_pre
+ true
+ make_parse_cmd install
+ local matched=false
+ local deb
+ :
+ case $1 in
+ matched=true
+ make_function_run make_install
+ local function_name function_name_return_code
+ function_name=make_install
+ shift
+ type -t make_install_hook_pre
+ true
+ make_install
+ make_install_=true
+ make_function_run make_helper
+ local function_name function_name_return_code
+ function_name=make_helper
+ shift
+ type -t make_helper_hook_pre
+ true
+ make_helper
+ make_function_run make_get_destdir
+ local function_name function_name_return_code
+ function_name=make_get_destdir
+ shift
+ type -t make_get_destdir_hook_pre
+ true
+ make_get_destdir
+ '[' / = '' ']'
+ type -t make_hook_at_the_end_of_get_destdir
+ function_name_return_code=0
+ '[' '!' 0 = 0 ']'
+ type -t make_get_destdir_hook_post
+ '[' -n '' ']'
+ make_folder_list_for_un_and_install='bin boot dev etc home lib opt sbin srv sys usr var'
+ shopt -s globstar dotglob nullglob
+ local d source_file file_without_pwd file_with_destdir
+ for d in $make_folder_list_for_un_and_install
+ '[' -d bin ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d boot ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d dev ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d etc ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d home ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d lib ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d opt ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d sbin ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d srv ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d sys ']'
+ for d in $make_folder_list_for_un_and_install
+ '[' -d usr ']'
+ for source_file in "$PWD/$d"/**
+ '[' true = true ']'
+ '[' '!' -d / ']'
+ cp -R usr /
cp: cannot overwrite non-directory '/usr/sbin' with directory 'usr/sbin'
make: *** [Makefile:44: install] Error 1
If there is already a running Tor in the system, or it is used sometimes, why not reuse its cache to make orjail load faster?
if [ -d /var/lib/tor ]; then
    mkdir "/tmp/orjail-$NAME"
    cp -d -R /var/lib/tor/* "/tmp/orjail-$NAME/"
    # the copy brings the host Tor's lock file along; drop it so the
    # jail's own Tor instance can take the DataDirectory
    if [ -f "/tmp/orjail-$NAME/lock" ]; then
        rm "/tmp/orjail-$NAME/lock"
    fi
    chmod -R 700 "/tmp/orjail-$NAME/"
    chown -R "$USERNAME:$USERNAME" "/tmp/orjail-$NAME/"
fi
In a script I created here, Tor gets connected in less than 5 seconds by reusing the cache, while not using takes 30~40 seconds.
=)
$ sudo orjail ls
/usr/bin/orjail: line 550: /tmp/torjH8Tug: Permission denied
[Error] in command: cat >> "$TORCONFIGFILE" <<EOF
DataDirectory /tmp/orjail-${NAME}
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
PidFile /tmp/orjail-${NAME}/pid
User ${USERNAME}
VirtualAddrNetworkIPv4 ${IPNETNS}/16
TransPort ${IPHOST}:${TRANSPORT}
DNSPort ${IPHOST}:${DNSPORT}
SOCKSPort 0
RunAsDaemon 1
EOF
[Error] Enable verbose mode to debug (using -v)
Already solved by #71, but wanted to make the issue more discoverable on the bug tracker (I couldn't find it until I started looking into making a PR myself).
sudo orjail -y curl https://check.torproject.org
curl: (6) Could not resolve host: check.torproject.org
Execution failed.
Actually execution did not fail. It was just a temporary network issue.
Not showing "Execution failed." would ease using orjail in scripts. (Those scripts which parse output.)
I know that using any browser with Torjail prevents the real IP from being exposed by WebRTC because Torjail builds a local NAT between the program and Tor. NAT breaks WebRTC (and it's good for anonymity).
But the hardware IDs remain the same either using Torjail or not.
The test can be made here: https://browserleaks.com/webrtc
When I start Opera using my direct connection and afterwards use it with Torjail, all the unique hardware identifiers remain the same. I know WebRTC can be disabled in any browser manually, but this issue could easily be exploited by an attacker.
Is there any fix for this?
So the Tor connection itself is forced through an existing Linux network namespace. This would be a useful feature.
I am trying to launch a Flatpak in a torjail but get a command not found error.
Is there some syntax that might work?
[user@localhost ~]$ sudo torjail '/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/vlc --file-forwarding org.videolan.VLC --started-from-file @@u %U @@'
[sudo] password for user:
sudo: /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/vlc --file-forwarding org.videolan.VLC --started-from-file @@u %U @@: command not found
Execution failed.
/tmp remains full of torXXXX and resolvXXXX files on ctrl+c
In the readme the instructions about how to install the script are missing.
Running make, it returns the error:
$ make
Makefile:21: /usr/share/genmkfile/makefile-full: No such file or directory
make: *** No rule to make target '/usr/share/genmkfile/makefile-full'. Stop.
It would be nice to be able to use orjail as a generic network namespace container, to isolate programs from the rest of the local network traffic on the machine, regardless of whether you want to use Tor or not. For that reason I suggest a command-line parameter that would simply skip the firewall rules that are specific to the Tor functionality, such as DNS redirection and blocking of all but the Tor specific ports. I assume this would also require adding a MASQUERADE nat rule instead to enable clearnet access?
IP forwarding sometimes needs to be activated.
When net.ipv4.conf.all.forwarding and net.ipv4.conf.default.forwarding are enabled (with sysctl), all non-Tor packets coming from orjail, that is, the internal packets inside the sandbox, are visible in the main network stack.
I really don't know if the packets leak through the router and reach the Internet IP they are destined to, but if there is an adversary controlling the router, yes, he can capture all of them!
$ orjail -v -u root ping 1.1.1.1
$ orjail -v deluge magnet:?xt=urn:btih:f4e3cc2db4163e3b1ff77b3e23b76b85a1d4ee1f&tr=https://ipleak.net/announce.php%3Fh%3Df4e3cc2db4163e3b1ff77b3e23b76b85a1d4ee1f&dn=ipleak.net+torrent+detection # Torrent leak test from ipleak.net
Running tcpdump shows this:
$ tcpdump -vv -i in-orjail | grep 10.200.1.2
Running inside a separate namespace proves that the main router can see the leaked packets:
$ ip netns add nsx
$ ip link add vethx type veth peer name peerx
$ ip link set peerx netns nsx
$ ip addr add 10.100.1.1/24 dev vethx
$ ip link set vethx up
$ ip netns exec nsx ip addr add 10.100.1.2/24 dev peerx
$ ip netns exec nsx ip li set peerx up
$ ip netns exec nsx ip route add default via 10.100.1.1 dev peerx
$ iptables -t nat -A POSTROUTING -s 10.100.1.0/24 -o eth0 -j MASQUERADE
$ ip netns exec nsx orjail -s -u root ping 1.1.1.1
$ tcpdump -vv -i in-orjail | grep 10.200.1.2
$ tcpdump -vv -i eth0 | grep 10.200.1.2
Yes, leaked packets pass through the virtual interface vethx from the network namespace nsx and reach the upstream router.
There is a simple fix for this:
$ iptables -I FORWARD 1 -i in-orjail -j DROP
$ iptables -I FORWARD 1 -o in-orjail -j DROP
$ sysctl -w -q net.ipv4.conf.in-orjail.forwarding=0
Now none of the packets leak.
Some additional iptables rules for protection:
$ iptables -t nat -I POSTROUTING 1 ! -o in-orjail -s 10.200.1.0/24 -j RETURN
$ iptables -t nat -I PREROUTING 1 ! -i in-orjail -d 10.200.1.0/24 -j RETURN
$ iptables -t nat -A PREROUTING -i in-orjail -j RETURN
$ iptables -A INPUT ! -i in-orjail -s 10.200.1.0/24 -j DROP
$ iptables -A INPUT ! -i in-orjail -d 10.200.1.0/24 -j DROP
iptables DROP rules needed
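The forwarding fix and the additional rules from the post above, packaged as one idempotent function. This is an added example in bash; it is neither orjail's code nor the commenter's script. in-orjail and 10.200.1.0/24 are orjail's defaults as used in the post; the run/ensure_rule helpers and the DRY_RUN switch are constructed for the example so the rule set can be previewed without root.

```bash
#!/bin/bash
# Added example, not orjail's own code: apply the forwarding-leak fix from the
# post above to a given jail interface/subnet, inserting each rule only once.
# DRY_RUN=1 prints the commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ensure_rule TABLE CHAIN RULE...: insert RULE at the top of CHAIN unless an
# identical rule is already present (iptables -C exits 0 when it is), so
# running the function twice does not pile up duplicate rules.
ensure_rule() {
    local table=$1 chain=$2
    shift 2
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -I "$chain" 1 "$@"
}

harden_jail_iface() {
    local iface=$1 subnet=$2
    # 1. Never forward packets from or to the jail interface. With
    #    net.ipv4.conf.*.forwarding=1 the host would otherwise route the
    #    non-Tor packets (ICMP, UDP, torrent trackers, ...) out of its uplink,
    #    or up to a router, still carrying the jail's private source address.
    ensure_rule filter FORWARD -i "$iface" -j DROP
    ensure_rule filter FORWARD -o "$iface" -j DROP
    # 2. Also switch forwarding off on the interface itself.
    run sysctl -w -q "net.ipv4.conf.$iface.forwarding=0"
    # 3. The jail subnet may only ever appear on the jail interface: do not
    #    NAT it and do not accept it when it arrives from, or is addressed
    #    through, any other interface (spoofed packets).
    ensure_rule nat POSTROUTING ! -o "$iface" -s "$subnet" -j RETURN
    ensure_rule nat PREROUTING ! -i "$iface" -d "$subnet" -j RETURN
    ensure_rule filter INPUT ! -i "$iface" -s "$subnet" -j DROP
    ensure_rule filter INPUT ! -i "$iface" -d "$subnet" -j DROP
}

# As root:            harden_jail_iface in-orjail 10.200.1.0/24
# Preview, no root:   DRY_RUN=1 harden_jail_iface in-orjail 10.200.1.0/24
```

The function has to run after the interface exists and before the jailed program starts, and it must be paired with matching -D calls in the cleanup path, otherwise the FORWARD drops for in-orjail outlive the namespace.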
# use firejail as security container
if [ $USEFIREJAIL = y ]; then
    if [ "$SUDOBIN" ]; then
        $SUDOBIN -u "$USERNAME" "$FIREJAILBIN" "${FIREJAILARGS[@]}" --dns="$IPHOST" --netns="$NAME" "$@"
    else
        su "$USERNAME" -c "$FIREJAILBIN ${FIREJAILARGS[*]} --dns=$IPHOST --netns=$NAME $*"
    fi
else #or without
    ip netns exec "$NAME" \
        unshare --ipc --fork --pid --mount --mount-proc \
        "$0" --inside "$USERNAME" "$RESOLVEFILE" "$VERBOSE" "$@" || \
        die "Failed to execute the inside part of this script"
fi
# clean some shit
cleanup
# All done!
Running cleanup by writing
    cleanup
at the end leads to the exit code of the application being forgotten. Using...
    trap "cleanup" EXIT
would be much nicer. That way your cleanup code gets run on any termination, and you don't need something like exit_code=$?, exit $exit_code.
Why? This would be useful for use use in scripts. A wrapper should interfere with the wrapped application as little as possible, i.e. no extraneous output in most cases (unless debug, unless some special error) and forwarding the exit code of the wrapped application.
Could you clarify license please?
I am interested to package this tool for Whonix.
If an orjail shell is launched and the namespace is created, then it is not possible to just use firejail to join apps in this namespace.
ps aux is not showing them in the orjail shell and the joined app has no connection to the tor network.
What prevents this situation from working correctly?
Is the problem PID based or firewall based?
I started off using many of my hours analyzing the way this guy did it from https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/
But there are 3 questions I have about this.
I couldn't understand the last cmd he posted:
iptables -t nat -A PREROUTING -i tornet -p tcp -m tcp --dport 9050 -j DNAT --to-destination 127.0.0.1:9050
This is for applications supporting SOCKS5. I'm not sure why this traffic needs to be redirected if we have already created a separate SOCKS5 proxy 127.0.0.1:9040??
How could apps that support SOCKS5 still connect through the bridge?
I did a lot of tests, and it seems that if you run for example xterm in firejail using that bridge, and you decide to stop the tor service, and the app (in this case xterm) is malicious and isn't able to connect to their servers (you can still ping from the jail by the way), it can try to ping their own servers, and they could analyze with tcpdump on their end where the ping is coming from. The ping reveals the user's REAL IP address. I have tried to block icmp to/from the bridge tornet using iptables, but the jail is STILL able to ping outside, even though there is no resolving of any kind.
Does anyone know why this happens here?
How is orjail different from this? Does it block icmp and any connectivity in the namespace when TOR service is stopped?
How is creating a network namespace different from a bridge when being used with TOR and firejail?
Thank you in advance
How to reproduce:
Run sudo orjail -y curl https://check.torproject.org
, press CTRL + C to abort.
Actual result:
Output by orjail.
^C * Received breakout signal
cat: /tmp/orjail-orjail/pid: No such file or directory
cat: /tmp/orjail-orjail/pid: No such file or directory
rm: cannot remove '/tmp/tornJ6klJ': No such file or directory
Cannot find device "in-orjail"
Cannot remove namespace file "/var/run/netns/orjail": No such file or directory
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
rm: cannot remove '/tmp/resolvetxKF6i': No such file or directory
Expected result:
No extra output by orjail.
The following is a bit strange.
sudo orjail -y touch a
Will the file be owned by root or user? -> user
But why, since the whole command runs under sudo? A bit unexpected.
vs
sudo orjail -y sudo touch a
Will the file be owned by root or user? -> root
That syntax is a bit long though.
So I was wondering why not run orjail without sudo, and then orjail would internally use sudo whenever required?
Maybe orjail could be running under user orjail, and user orjail would have /etc/sudoers.d/orjail exceptions to run the required commands (ip, iptables, ...) under root using sudo.
The end result could be:
sudo orjail -y touch a -> owned by root
orjail -y touch a -> owned by user
If you're interested in this, I could try to come up with a pull request since I have some experience running applications under user something and then having /etc/sudoers.d/ exceptions to allow user something to run required commands as root.
For instance, --private --net=eth0 --machine-id, or other per-instance parameters to customize torjails?
When /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf there is no replacement and DNS leaks via the systemd-resolved nameserver 127.0.0.53.
Lines 227 to 229 in a0b9e6c
torjail zsh
torjail -n otherns zsh
The interface IPs of namespace torjail and otherns are the same, so only the first one will work.
#45 made me wonder.
Would it be sane to use the host's Tor?
That would have several advantages:
Seccomp 1 security setting
To make things more leak proof, would it be an option to use Tor unix domain socket files rather than listening ports? (#47)
A new Tor TransPort / DnsPort could be dynamically added to the running Tor by using the Tor control protocol via Tor's ControlPort or ControlSocket.
If that is not sane, what about preserving Tor's config?
(Simply copying /etc/tor/torrc would be imperfect due to this Tor feature:)
Configuration options can be imported from files or folders using the %include option with the value being a path.
Know shellcheck? It's available as a free online tool as well as Free Software downloadable software. Also packaged for Debian etc.
Shows some warnings for your scripts.
Not necessarily something bad, but useful to run through it and then you can decide if it suggests anything worth fixing.
Firejail has way too large an attack surface, which has led to many privilege escalations and sandbox escapes in the past.
It would be better if orjail used bubblewrap instead, which is similar to firejail but has a minimal attack surface.
I can create a pull request that implements most of the same functionality as firejail but using bubblewrap instead if this is something you're interested in. The only things I don't know how to replicate with bubblewrap are the --dns=, --name= and --netns= options.
seccomp-bpf allows you to filter which syscalls an application is allowed to use.
Firejail and bubblewrap (#62) both have seccomp support. Firejail also has a seccomp guide.
Orjail shouldn't use a very restrictive filter as that'd break many applications running inside it, but it can use a simple blacklist that blocks certain dangerous syscalls.
Firejail has a default seccomp blacklist that can be enabled via the --seccomp flag. See the --seccomp part of the man page.
see #5 (comment)
DNS over TCP is supported by Linux since 2015-05-07: https://web.archive.org/web/20150518063349/http://man7.org:80/linux/man-pages/man5/resolv.conf.5.html
All that is needed is TCP support by the resolver. I tested many of this list: https://www.publicdns.xyz/
^^ ~ 95% of them work well with TCP, it wasn't the same 5 years ago as most DNS servers didn't support TCP DNS.
I was having trouble with that annoying "Google captcha" when browsing with Firefox in orjail, and after tests with some DNS servers I realized that the DNS resolvers were the cause, perhaps because Tor changes the resolvers often in the middle of some accesses. The most stable DNS resolvers I found are anycast.censurfridns.dk (91.239.100.100 | 2001:67c:28a4::) and unicast.censurfridns.dk (89.233.43.71 | 2a01:3a0:53:53::); I didn't get any error.
The trick is easy, /etc/resolv.conf (or /etc/netns/namespace/resolv.conf) should be:
options use-vc
nameserver <some_server>
Testing with orjail:
sudo orjail -s
# sudo applies to the command, not to the shell's redirection, so write the file through tee
printf 'options use-vc\nnameserver 89.233.43.71\n' | sudo tee /etc/resolv.conf
dig +tcp github.com | grep 'SERVER:'
curl ifconfig.me
^^ Works well, and should be the same with any transparent proxy as long as TCP port 53 is not blocked by the upstream server. The only disadvantage is that .onion sites will not be reachable with this scheme.
TransPort is currently hardcoded to 9040
DnsPort is currently hardcoded to 5354
It would be good to make that configurable.
By using distinct TransPort / DnsPort ports per application you would gain stream isolation.
torsocks supports IsolatePID.
# Set Torsocks to use an automatically generated SOCKS5 username/password based
# on the process ID and current time, that makes the connections to Tor use a
# different circuit from other existing streams in Tor on a per-process basis.
# If set, the SOCKS5Username and SOCKS5Password options must not be set.
# (Default: 0)
IsolatePID 1
Which then results in using Tor's IsolateSOCKSAuth.
Don’t share circuits with streams for which different SOCKS authentication was provided. (For HTTPTunnelPort connections, this option looks at the Proxy-Authorization and X-Tor-Stream-Isolation headers. On by default; you can disable it with NoIsolateSOCKSAuth.)
TransPort / DnsPort don't support user auth credentials which would lead to stream isolation, so the only way is to use distinct ports.
Hi, could you submit an official PKGBUILD? See the AUR submission guidelines.
Can help:
# Maintainer: Your Name <address at domain dot tld>
pkgname=orjail-git
pkgver=1.1.r22.ga0b9e6c
pkgrel=1
pkgdesc='A more secure way to force programs to exclusively use tor network'
arch=('x86_64')
url='https://github.com/orjail/orjail'
license=('WTFPL')
depends=(
    'tor'
    'iproute2'
    'iptables'
    'bc'
    'coreutils'
    'grep'
    'glibc'
    'util-linux'
    'sudo'
)
optdepends=('firejail: additional security sandbox')
makedepends=()
provides=('orjail')
conflicts=('orjail')
source=($pkgname::git+$url.git#branch=master)
sha256sums=('SKIP')

pkgver() {
    cd "$pkgname"
    git describe --long --tags | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g'
}

build() {
    cd "$pkgname"
    make
}

package() {
    cd "$pkgname"
    make DESTDIR="$pkgdir/" install
    # the Makefile installs into usr/sbin; Arch packages ship everything in usr/bin
    mv "$pkgdir/usr/sbin" "$pkgdir/usr/bin"
}
I am wondering what is the main focus of your project?
a) Adding torification to applications which don't come with native torification or
b) better guaranteed torification (absence of leaks going through clearnet) by launching applications isolated in Linux network namespaces?
I've been getting error trying to launch orjail:
* Creating a orjail namespace...
* Creating a veth link...
* Sharing the veth interface...
* Setting up IP address of host interface...
* Setting up IP address of peer interface...
* Default routing up...
* Resolving via Tor
* Traffic via Tor...
* Creating the Tor configuration file...
* Tor version is 05 16 1.3.6 1.3.8. 0.3.4.9
* Copying host's tor cache
cp: cannot stat '/var/lib/tor/*': No such file or directory
[Error] in command: cp -d -R /var/lib/tor/* "/tmp/orjail-${NAME}/"
Appears tor is no longer located in /var/lib/tor/, Fedora 29. Reinstalled Tor from Fedora repo.
Firejail uses a bridge network to create net namespace on wifi adapters. On my system, this bypasses orjail's Tor TUN which renders Firejail unusable with orjail on a WIFI adapter.
Is there any simple work around?
we need to specify which firejail release is supported
Some examples (not suggesting these as is, just for reference).
ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
SocksPort unix:/var/run/tor/socks WorldWritable
CookieAuthFile /var/run/tor/control.authcookie
Dunno if it's possible for Tor TransPort / DnsPort.
I'm adding IPv6 support to torjail with a --ipv6 | -6 option, but when I start the script, the Tor instance doesn't run together with it; I must run $ /usr/sbin/tor --quiet -f /tmp/torXXXXX in a terminal window to start Tor.
What is wrong here?
Instead of individual error handling per command....
    iptables -I FORWARD -i in-"$NAME" -j DROP || \
        die "Failed to disable forwarding on in-$NAME interface"
May I suggest please using a general ERR trap?
    error_handler() {
        local last_failed_exit_code="$?"
        local last_failed_bash_command="$BASH_COMMAND"
        die "$last_failed_bash_command failed with exit_code $last_failed_exit_code"
    }
    trap error_handler ERR
(Perfection would be reached by additionally using set -e (for the unlikely cases of the ERR trap not working, or for errors occurring during the ERR trap).)
I’m pretty sure orjail isn’t sdwdate. That should probably be changed.
# REJECT all traffic coming from orjail
# this is needed to avoid reaching other interfaces
iptables -I INPUT -i in-"$NAME" -p udp --destination "$IPHOST" --dport "$DNSPORT" -j ACCEPT &&
iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPHOST" --dport "$TRANSPORT" -j ACCEPT &&
if [[ $HIDDENSERVICE = y ]]; then
    iptables -I INPUT -i in-"$NAME" -p tcp --source "$IPNETNS" --sport "$HSERVICEPORT" -j ACCEPT &&
    iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPNETNS" --dport "$HSERVICEPORT" -j ACCEPT
fi
Usually you're using die "Failed to configure the iptable for accepting connection", but there you don't. For consistency, would it be better to cover these as well?
I update my cryptocurrencies often with Orjail, some of them require the loopback interface (lo) to be up; many programs follow the same.
For example, when I update my Monero's blockchain I have to start in this way with Orjail:
sudo orjail -- sh -c "sudo ip li set lo up; monerod --hide-my-port --p2p-bind-ip 127.0.0.1 --max-concurrency 8 --prep-blocks-threads 8"
Of course I added this feature to my Orjail to avoid the second "sudo".
It's ok to bring loopback interface up, since it doesn't route anything out of netns sandbox.