Skip to content

GitLab

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Created by Jacob Appelbaum@ioerror

Implement new option SocksSocket

Hi,

I've implemented a new way for client applications to speak to Tor. I wanted to lock down applications like web browsers to ensure that they cannot even make AF_INET or AF_INET6 sockets. There is one problem: all those clients need AF_INET to talk to Tor! This patch fixes this issue - if a client is able to make an AF_UNIX socket and it talks to a Tor that supports AF_UNIX, it will be able to use SOCKS to connect to the internet.

I plan to write a patch to torsocks to implement this as a generic client. Later, I suspect we can add support to other applications very easily and then we can lock down those applications or even entire unix uids from being able to make AF_INET/AF_INET6 sockets.

This helps us with AppArmor like issues - AppArmor doesn't have the ability to permit traffic to 127.0.0.1:9050 and to deny it for other addresses. With this implementation, we can simply deny all AF_INET and the application can still communicate with Tor as long as it has AF_UNIX permissions.

This also helps us with iptables issues - there are no generally open TCP/IP sockets for anyone who is able to connect to (for example) 127.0.0.1:9050 - we can control who can read and write to the SocksSocket with unix uid/gid controls.

I've spent about two days testing (on Tails 1.0.1) these patches and loading it with the following configuration file:

Socks5Proxy 127.0.0.1:9050
WarnUnsafeSocks 0
SocksPort 0
Log debug stderr
SocksSocket /tmp/testing/SocksSocket
SocksSocket /tmp/testing/SocksSocket1
SocksSocket /tmp/testing/SocksSocket2
SocksSocket /tmp/testing/SocksSocket3
AvoidDiskWrites 1

I've been running it in valgrind like so:

valgrind --log-file=/tmp/SocksSocket-valgrind-005-with-three-SocksSockets.log -v --leak-check=full --track-origins=yes ./src/or/tor -f torrc.test

As I haven't yet implemented the torsocks client side of this, I've been using socat like so:

socat -v UNIX-CONNECT:/tmp/testing/SocksSocket TCP-LISTEN:6667,fork,RETRY,reuseaddr,end-close;

Finally, I use curl like so to fetch a web page through this totally convoluted mess of AF_*:

curl --socks5-hostname 127.0.0.1:6667 https://check.torproject.org;

Valgrind reports the following:

==15187== Memcheck, a memory error detector
==15187== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==15187== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==15187== Command: ./src/or/tor -f torrc.test
==15187== Parent PID: 29356
==15187== 
--15187-- 
--15187-- Valgrind options:
--15187--    --suppressions=/usr/lib/valgrind/debian-libc6-dbg.supp
--15187--    --log-file=/tmp/SocksSocket-valgrind-005-with-three-SocksSockets.log
--15187--    -v
--15187--    --leak-check=full
--15187--    --track-origins=yes
--15187-- Contents of /proc/version:
--15187--   Linux version 3.14-1-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.3 (Debian 4.8.3-2) ) #1 SMP Debian 3.14.5-1 (2014-06-05)
--15187-- Arch and hwcaps: X86, x86-sse1-sse2
--15187-- Page sizes: currently 4096, max supported 4096
--15187-- Valgrind library directory: /usr/lib/valgrind
--15187-- Reading syms from /home/amnesia/Persistent/src/tor/src/or/tor (0x108000)
--15187-- Reading syms from /lib/ld-2.11.3.so (0x4400000)
--15187--   Considering /lib/ld-2.11.3.so ..
--15187--   .. CRC mismatch (computed 19231304 wanted 2b6c260a)
--15187--   Considering /usr/lib/debug/lib/ld-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- Reading syms from /usr/lib/valgrind/memcheck-x86-linux (0x38000000)
--15187--    object doesn't have a dynamic symbol table
--15187-- Reading suppressions file: /usr/lib/valgrind/debian-libc6-dbg.supp
--15187-- Reading suppressions file: /usr/lib/valgrind/default.supp
--15187-- REDIR: 0x4416490 (index) redirected to 0x3803eda3 (vgPlain_x86_linux_REDIR_FOR_index)
--15187-- Reading syms from /usr/lib/valgrind/vgpreload_core-x86-linux.so (0xabcb000)
--15187-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so (0xabd1000)
==15187== WARNING: new redirection conflicts with existing -- ignoring it
--15187--     new: 0x04416490 (index               ) R-> 0x0abd4cb0 index
--15187-- REDIR: 0x4416670 (strlen) redirected to 0xabd50f0 (strlen)
--15187-- Reading syms from /usr/lib/libz.so.1.2.3.4 (0xccc3000)
--15187--   Considering /usr/lib/libz.so.1.2.3.4 ..
--15187--   .. CRC mismatch (computed 7be92cfa wanted 329326cb)
--15187--    object doesn't have a symbol table
--15187-- Reading syms from /lib/libm-2.11.3.so (0xccdf000)
--15187--   Considering /lib/libm-2.11.3.so ..
--15187--   .. CRC mismatch (computed 0116a1b2 wanted cca4fc2f)
--15187--   Considering /usr/lib/debug/lib/libm-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- Reading syms from /usr/lib/libevent-1.4.so.2.1.3 (0xcd09000)
--15187--    object doesn't have a symbol table
--15187-- Reading syms from /usr/lib/i686/cmov/libssl.so.0.9.8 (0xcd20000)
--15187--   Considering /usr/lib/i686/cmov/libssl.so.0.9.8 ..
--15187--   .. CRC mismatch (computed 7cd446f3 wanted 6aaecd6b)
--15187--    object doesn't have a symbol table
--15187-- Reading syms from /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xcd70000)
--15187--   Considering /usr/lib/i686/cmov/libcrypto.so.0.9.8 ..
--15187--   .. CRC mismatch (computed a803f391 wanted 934b1db6)
--15187--    object doesn't have a symbol table
--15187-- Reading syms from /lib/librt-2.11.3.so (0xcecd000)
--15187--   Considering /lib/librt-2.11.3.so ..
--15187--   .. CRC mismatch (computed 11db8d18 wanted 4837ea6c)
--15187--   Considering /usr/lib/debug/lib/librt-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- Reading syms from /lib/libdl-2.11.3.so (0xceda000)
--15187--   Considering /lib/libdl-2.11.3.so ..
--15187--   .. CRC mismatch (computed 3740dd8b wanted 09c06eb3)
--15187--   Considering /usr/lib/debug/lib/libdl-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- Reading syms from /lib/libc-2.11.3.so (0xcede000)
--15187--   Considering /lib/libc-2.11.3.so ..
--15187--   .. CRC mismatch (computed 4ef5e22d wanted 481f3942)
--15187--   Considering /usr/lib/debug/lib/libc-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- Reading syms from /lib/libpthread-2.11.3.so (0xd027000)
--15187--   Considering /lib/libpthread-2.11.3.so ..
--15187--   .. CRC mismatch (computed d08a9725 wanted 0065618d)
--15187--   Considering /usr/lib/debug/lib/libpthread-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- Reading syms from /lib/libnsl-2.11.3.so (0xd040000)
--15187--   Considering /lib/libnsl-2.11.3.so ..
--15187--   .. CRC mismatch (computed 65a29afd wanted f8853f76)
--15187--   Considering /usr/lib/debug/lib/libnsl-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- Reading syms from /lib/libresolv-2.11.3.so (0xd05b000)
--15187--   Considering /lib/libresolv-2.11.3.so ..
--15187--   .. CRC mismatch (computed 66a703f9 wanted 6378a0ac)
--15187--   Considering /usr/lib/debug/lib/libresolv-2.11.3.so ..
--15187--   .. CRC is valid
--15187-- REDIR: 0xcf50950 (index) redirected to 0xabd4c20 (index)
--15187-- REDIR: 0xcf52750 (memchr) redirected to 0xabd5830 (memchr)
--15187-- REDIR: 0xcf513f0 (rindex) redirected to 0xabd4b60 (rindex)
--15187-- REDIR: 0xcf51040 (strlen) redirected to 0xabd50b0 (strlen)
--15187-- REDIR: 0xcf4d7c0 (malloc) redirected to 0xabd3ecb (malloc)
--15187-- REDIR: 0xcf52ed0 (memcpy) redirected to 0xabd5870 (memcpy)
--15187-- REDIR: 0xcf55830 (strchrnul) redirected to 0xabd6590 (strchrnul)
--15187-- REDIR: 0xcf4d6e0 (free) redirected to 0xabd3ae5 (free)
--15187-- REDIR: 0xcf52a20 (mempcpy) redirected to 0xabd6600 (mempcpy)
--15187-- REDIR: 0xcf4ced0 (calloc) redirected to 0xabd31af (calloc)
--15187-- Reading syms from /lib/libgcc_s.so.1 (0xd483000)
--15187--   Considering /lib/libgcc_s.so.1 ..
--15187--   .. CRC mismatch (computed 5efc9915 wanted ece5a7a0)
--15187--    object doesn't have a symbol table
--15187-- REDIR: 0xcf4e760 (realloc) redirected to 0xabd3f7a (realloc)
--15187-- REDIR: 0xcf51230 (strncmp) redirected to 0xabd55d0 (strncmp)
--15187-- REDIR: 0xcf52bd0 (stpcpy) redirected to 0xabd6120 (stpcpy)
--15187-- REDIR: 0xcf51310 (strncpy) redirected to 0xabd52f0 (strncpy)
--15187-- REDIR: 0xcf50ac0 (strcmp) redirected to 0xabd56b0 (strcmp)
--15187-- REDIR: 0xcf529c0 (memset) redirected to 0xabd64a0 (memset)
--15187-- REDIR: 0xcf50b40 (strcpy) redirected to 0xabd5130 (strcpy)
--15187-- REDIR: 0xcf55760 (rawmemchr) redirected to 0xabd65c0 (rawmemchr)
--15187-- REDIR: 0xcf52910 (memmove) redirected to 0xabd6510 (memmove)
--15187-- REDIR: 0xcfbc620 (__memcpy_chk) redirected to 0xabd69b0 (__memcpy_chk)
==15187== Conditional jump or move depends on uninitialised value(s)
==15187==    at 0x1E8C04: connection_ap_expire_beginning (connection_edge.c:600)
==15187==    by 0x13669D: second_elapsed_callback (main.c:1501)
==15187==    by 0x25E572: periodic_timer_cb (compat_libevent.c:538)
==15187==    by 0xCD0EEE3: event_base_loop (in /usr/lib/libevent-1.4.so.2.1.3)
==15187==    by 0x1318E0: do_main_loop (main.c:2028)
==15187==    by 0x133BDC: tor_main (main.c:2998)
==15187==    by 0x12F7D2: main (tor_main.c:30)
==15187==  Uninitialised value was created by a stack allocation
==15187==    at 0x1DE763: connection_handle_listener_read (connection.c:1454)
==15187== 
--15187-- Discarding syms at 0xd485350-0xd49d738 in /lib/libgcc_s.so.1 due to munmap()
==15187== 
==15187== HEAP SUMMARY:
==15187==     in use at exit: 3,565 bytes in 29 blocks
==15187==   total heap usage: 353,781 allocs, 353,752 frees, 85,358,749 bytes allocated
==15187== 
==15187== Searching for pointers to 29 not-freed blocks
==15187== Checked 276,744 bytes
==15187== 
==15187== LEAK SUMMARY:
==15187==    definitely lost: 0 bytes in 0 blocks
==15187==    indirectly lost: 0 bytes in 0 blocks
==15187==      possibly lost: 0 bytes in 0 blocks
==15187==    still reachable: 3,565 bytes in 29 blocks
==15187==         suppressed: 0 bytes in 0 blocks
==15187== Reachable blocks (those to which a pointer was found) are not shown.
==15187== To see them, rerun with: --leak-check=full --show-reachable=yes
==15187== 
==15187== ERROR SUMMARY: 660 errors from 1 contexts (suppressed: 37 from 12)
==15187== 
==15187== 660 errors in context 1 of 1:
==15187== Conditional jump or move depends on uninitialised value(s)
==15187==    at 0x1E8C04: connection_ap_expire_beginning (connection_edge.c:600)
==15187==    by 0x13669D: second_elapsed_callback (main.c:1501)
==15187==    by 0x25E572: periodic_timer_cb (compat_libevent.c:538)
==15187==    by 0xCD0EEE3: event_base_loop (in /usr/lib/libevent-1.4.so.2.1.3)
==15187==    by 0x1318E0: do_main_loop (main.c:2028)
==15187==    by 0x133BDC: tor_main (main.c:2998)
==15187==    by 0x12F7D2: main (tor_main.c:30)
==15187==  Uninitialised value was created by a stack allocation
==15187==    at 0x1DE763: connection_handle_listener_read (connection.c:1454)
==15187== 
--15187-- 
--15187-- used_suppression:     37 dl-hack3-cond-1
==15187== 
==15187== ERROR SUMMARY: 660 errors from 1 contexts (suppressed: 37 from 12)

I think that other than that single conditional jump in connection_ap_expire_beginning, there aren't any serious valgrind issues that are related to my patch. Though I admit, I'm not entirely sure of why that valgrind issue is showing up and I'm starting to dig into it now.

I've based my patch on 48d7fceee5e6041ccdd4316f51de0d6b5e1818ed; I'm happy to rebase it if that is useful.

Feedback is appreciated!

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information