Implement new option SocksSocket
Hi, I've implemented a new way for client applications to speak to Tor. I wanted to lock down applications like web browsers to ensure that they cannot even make AF_INET or AF_INET6 sockets. There is one problem: all those clients need AF_INET to talk to Tor!

This patch fixes this issue - if a client is able to make an AF_UNIX socket and it talks to a Tor that supports AF_UNIX, it will be able to use SOCKS to connect to the internet. I plan to write a patch to torsocks to implement this as a generic client. Later, I suspect we can add support to other applications very easily and then we can lock down those applications or even entire unix uids from being able to make AF_INET/AF_INET6 sockets.

This helps us with AppArmor-like issues - AppArmor doesn't have the ability to permit traffic to 127.0.0.1:9050 and to deny it for other addresses. With this implementation, we can simply deny all AF_INET and the application can still communicate with Tor as long as it has AF_UNIX permissions.

This also helps us with iptables issues - there are no generally open TCP/IP sockets for anyone who is able to connect to (for example) 127.0.0.1:9050 - we can control who can read and write to the SocksSocket with unix uid/gid controls.
I've spent about two days testing (on Tails 1.0.1) these patches and loading it with the following configuration file:

```
Socks5Proxy 127.0.0.1:9050
WarnUnsafeSocks 0
SocksPort 0
Log debug stderr
SocksSocket /tmp/testing/SocksSocket
SocksSocket /tmp/testing/SocksSocket1
SocksSocket /tmp/testing/SocksSocket2
SocksSocket /tmp/testing/SocksSocket3
AvoidDiskWrites 1
```

I've been running it in valgrind like so:

```
valgrind --log-file=/tmp/SocksSocket-valgrind-005-with-three-SocksSockets.log -v --leak-check=full --track-origins=yes ./src/or/tor -f torrc.test
```

As I haven't yet implemented the torsocks client side of this, I've been using socat like so:

```
socat -v UNIX-CONNECT:/tmp/testing/SocksSocket TCP-LISTEN:6667,fork,RETRY,reuseaddr,end-close;
```

Finally, I use curl like so to fetch a web page through this totally convoluted mess of AF_*:

```
curl --socks5-hostname 127.0.0.1:6667 https://check.torproject.org;
```

Valgrind reports the following:

```
==15187== Memcheck, a memory error detector
==15187== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==15187== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==15187== Command: ./src/or/tor -f torrc.test
==15187== Parent PID: 29356
==15187==
--15187--
--15187-- Valgrind options:
--15187--    --suppressions=/usr/lib/valgrind/debian-libc6-dbg.supp
--15187--    --log-file=/tmp/SocksSocket-valgrind-005-with-three-SocksSockets.log
--15187--    -v
--15187--    --leak-check=full
--15187--    --track-origins=yes
--15187-- Contents of /proc/version:
--15187--   Linux version 3.14-1-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.3 (Debian 4.8.3-2) ) #1 SMP Debian 3.14.5-1 (2014-06-05)
--15187-- Arch and hwcaps: X86, x86-sse1-sse2
--15187-- Page sizes: currently 4096, max supported 4096
--15187-- Valgrind library directory: /usr/lib/valgrind
--15187-- Reading syms from /home/amnesia/Persistent/src/tor/src/or/tor (0x108000)
--15187-- Reading syms from /lib/ld-2.11.3.so (0x4400000)
--15187-- Considering /lib/ld-2.11.3.so ..
--15187-- .. CRC mismatch (computed 19231304 wanted 2b6c260a)
--15187-- Considering /usr/lib/debug/lib/ld-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- Reading syms from /usr/lib/valgrind/memcheck-x86-linux (0x38000000)
--15187-- object doesn't have a dynamic symbol table
--15187-- Reading suppressions file: /usr/lib/valgrind/debian-libc6-dbg.supp
--15187-- Reading suppressions file: /usr/lib/valgrind/default.supp
--15187-- REDIR: 0x4416490 (index) redirected to 0x3803eda3 (vgPlain_x86_linux_REDIR_FOR_index)
--15187-- Reading syms from /usr/lib/valgrind/vgpreload_core-x86-linux.so (0xabcb000)
--15187-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so (0xabd1000)
==15187== WARNING: new redirection conflicts with existing -- ignoring it
--15187-- new: 0x04416490 (index ) R-> 0x0abd4cb0 index
--15187-- REDIR: 0x4416670 (strlen) redirected to 0xabd50f0 (strlen)
--15187-- Reading syms from /usr/lib/libz.so.1.2.3.4 (0xccc3000)
--15187-- Considering /usr/lib/libz.so.1.2.3.4 ..
--15187-- .. CRC mismatch (computed 7be92cfa wanted 329326cb)
--15187-- object doesn't have a symbol table
--15187-- Reading syms from /lib/libm-2.11.3.so (0xccdf000)
--15187-- Considering /lib/libm-2.11.3.so ..
--15187-- .. CRC mismatch (computed 0116a1b2 wanted cca4fc2f)
--15187-- Considering /usr/lib/debug/lib/libm-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- Reading syms from /usr/lib/libevent-1.4.so.2.1.3 (0xcd09000)
--15187-- object doesn't have a symbol table
--15187-- Reading syms from /usr/lib/i686/cmov/libssl.so.0.9.8 (0xcd20000)
--15187-- Considering /usr/lib/i686/cmov/libssl.so.0.9.8 ..
--15187-- .. CRC mismatch (computed 7cd446f3 wanted 6aaecd6b)
--15187-- object doesn't have a symbol table
--15187-- Reading syms from /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xcd70000)
--15187-- Considering /usr/lib/i686/cmov/libcrypto.so.0.9.8 ..
--15187-- .. CRC mismatch (computed a803f391 wanted 934b1db6)
--15187-- object doesn't have a symbol table
--15187-- Reading syms from /lib/librt-2.11.3.so (0xcecd000)
--15187-- Considering /lib/librt-2.11.3.so ..
--15187-- .. CRC mismatch (computed 11db8d18 wanted 4837ea6c)
--15187-- Considering /usr/lib/debug/lib/librt-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- Reading syms from /lib/libdl-2.11.3.so (0xceda000)
--15187-- Considering /lib/libdl-2.11.3.so ..
--15187-- .. CRC mismatch (computed 3740dd8b wanted 09c06eb3)
--15187-- Considering /usr/lib/debug/lib/libdl-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- Reading syms from /lib/libc-2.11.3.so (0xcede000)
--15187-- Considering /lib/libc-2.11.3.so ..
--15187-- .. CRC mismatch (computed 4ef5e22d wanted 481f3942)
--15187-- Considering /usr/lib/debug/lib/libc-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- Reading syms from /lib/libpthread-2.11.3.so (0xd027000)
--15187-- Considering /lib/libpthread-2.11.3.so ..
--15187-- .. CRC mismatch (computed d08a9725 wanted 0065618d)
--15187-- Considering /usr/lib/debug/lib/libpthread-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- Reading syms from /lib/libnsl-2.11.3.so (0xd040000)
--15187-- Considering /lib/libnsl-2.11.3.so ..
--15187-- .. CRC mismatch (computed 65a29afd wanted f8853f76)
--15187-- Considering /usr/lib/debug/lib/libnsl-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- Reading syms from /lib/libresolv-2.11.3.so (0xd05b000)
--15187-- Considering /lib/libresolv-2.11.3.so ..
--15187-- .. CRC mismatch (computed 66a703f9 wanted 6378a0ac)
--15187-- Considering /usr/lib/debug/lib/libresolv-2.11.3.so ..
--15187-- .. CRC is valid
--15187-- REDIR: 0xcf50950 (index) redirected to 0xabd4c20 (index)
--15187-- REDIR: 0xcf52750 (memchr) redirected to 0xabd5830 (memchr)
--15187-- REDIR: 0xcf513f0 (rindex) redirected to 0xabd4b60 (rindex)
--15187-- REDIR: 0xcf51040 (strlen) redirected to 0xabd50b0 (strlen)
--15187-- REDIR: 0xcf4d7c0 (malloc) redirected to 0xabd3ecb (malloc)
--15187-- REDIR: 0xcf52ed0 (memcpy) redirected to 0xabd5870 (memcpy)
--15187-- REDIR: 0xcf55830 (strchrnul) redirected to 0xabd6590 (strchrnul)
--15187-- REDIR: 0xcf4d6e0 (free) redirected to 0xabd3ae5 (free)
--15187-- REDIR: 0xcf52a20 (mempcpy) redirected to 0xabd6600 (mempcpy)
--15187-- REDIR: 0xcf4ced0 (calloc) redirected to 0xabd31af (calloc)
--15187-- Reading syms from /lib/libgcc_s.so.1 (0xd483000)
--15187-- Considering /lib/libgcc_s.so.1 ..
--15187-- .. CRC mismatch (computed 5efc9915 wanted ece5a7a0)
--15187-- object doesn't have a symbol table
--15187-- REDIR: 0xcf4e760 (realloc) redirected to 0xabd3f7a (realloc)
--15187-- REDIR: 0xcf51230 (strncmp) redirected to 0xabd55d0 (strncmp)
--15187-- REDIR: 0xcf52bd0 (stpcpy) redirected to 0xabd6120 (stpcpy)
--15187-- REDIR: 0xcf51310 (strncpy) redirected to 0xabd52f0 (strncpy)
--15187-- REDIR: 0xcf50ac0 (strcmp) redirected to 0xabd56b0 (strcmp)
--15187-- REDIR: 0xcf529c0 (memset) redirected to 0xabd64a0 (memset)
--15187-- REDIR: 0xcf50b40 (strcpy) redirected to 0xabd5130 (strcpy)
--15187-- REDIR: 0xcf55760 (rawmemchr) redirected to 0xabd65c0 (rawmemchr)
--15187-- REDIR: 0xcf52910 (memmove) redirected to 0xabd6510 (memmove)
--15187-- REDIR: 0xcfbc620 (__memcpy_chk) redirected to 0xabd69b0 (__memcpy_chk)
==15187== Conditional jump or move depends on uninitialised value(s)
==15187==    at 0x1E8C04: connection_ap_expire_beginning (connection_edge.c:600)
==15187==    by 0x13669D: second_elapsed_callback (main.c:1501)
==15187==    by 0x25E572: periodic_timer_cb (compat_libevent.c:538)
==15187==    by 0xCD0EEE3: event_base_loop (in /usr/lib/libevent-1.4.so.2.1.3)
==15187==    by 0x1318E0: do_main_loop (main.c:2028)
==15187==    by 0x133BDC: tor_main (main.c:2998)
==15187==    by 0x12F7D2: main (tor_main.c:30)
==15187==  Uninitialised value was created by a stack allocation
==15187==    at 0x1DE763: connection_handle_listener_read (connection.c:1454)
==15187==
--15187-- Discarding syms at 0xd485350-0xd49d738 in /lib/libgcc_s.so.1 due to munmap()
==15187==
==15187== HEAP SUMMARY:
==15187==     in use at exit: 3,565 bytes in 29 blocks
==15187==   total heap usage: 353,781 allocs, 353,752 frees, 85,358,749 bytes allocated
==15187==
==15187== Searching for pointers to 29 not-freed blocks
==15187== Checked 276,744 bytes
==15187==
==15187== LEAK SUMMARY:
==15187==    definitely lost: 0 bytes in 0 blocks
==15187==    indirectly lost: 0 bytes in 0 blocks
==15187==      possibly lost: 0 bytes in 0 blocks
==15187==    still reachable: 3,565 bytes in 29 blocks
==15187==         suppressed: 0 bytes in 0 blocks
==15187== Reachable blocks (those to which a pointer was found) are not shown.
==15187== To see them, rerun with: --leak-check=full --show-reachable=yes
==15187==
==15187== ERROR SUMMARY: 660 errors from 1 contexts (suppressed: 37 from 12)
==15187==
==15187== 660 errors in context 1 of 1:
==15187== Conditional jump or move depends on uninitialised value(s)
==15187==    at 0x1E8C04: connection_ap_expire_beginning (connection_edge.c:600)
==15187==    by 0x13669D: second_elapsed_callback (main.c:1501)
==15187==    by 0x25E572: periodic_timer_cb (compat_libevent.c:538)
==15187==    by 0xCD0EEE3: event_base_loop (in /usr/lib/libevent-1.4.so.2.1.3)
==15187==    by 0x1318E0: do_main_loop (main.c:2028)
==15187==    by 0x133BDC: tor_main (main.c:2998)
==15187==    by 0x12F7D2: main (tor_main.c:30)
==15187==  Uninitialised value was created by a stack allocation
==15187==    at 0x1DE763: connection_handle_listener_read (connection.c:1454)
==15187==
--15187--
--15187-- used_suppression: 37 dl-hack3-cond-1
==15187==
==15187== ERROR SUMMARY: 660 errors from 1 contexts (suppressed: 37 from 12)
```

I think that other than that single conditional jump in connection_ap_expire_beginning, there aren't any serious valgrind issues that are related to my patch. Though I admit, I'm not entirely sure of why that valgrind issue is showing up and I'm starting to dig into it now.

I've based my patch on 48d7fceee5e6041ccdd4316f51de0d6b5e1818ed; I'm happy to rebase it if that is useful. Feedback is appreciated!
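For readers following the socat-plus-curl test chain in the post above, this added example (not part of the post, the Tor patch, or torsocks) shows a client doing the same thing directly: connecting to a Unix-domain SOCKS listener and issuing a SOCKS5 CONNECT by hostname, so the process never needs an AF_INET socket. The function names `socks_unix_connect` and `socks5_connect_hostname` are hypothetical, and the handshake assumes the listener accepts the "no authentication" method from RFC 1928.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Connect to a Unix-domain SOCKS listener; returns an fd or -1. */
int socks_unix_connect(const char *path) {
  struct sockaddr_un sa = { .sun_family = AF_UNIX };
  if (strlen(path) >= sizeof(sa.sun_path)) return -1; /* would be truncated */
  strcpy(sa.sun_path, path);
  int fd = socket(AF_UNIX, SOCK_STREAM, 0);
  if (fd >= 0 && connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
    close(fd);
    fd = -1;
  }
  return fd;
}

static int read_full(int fd, uint8_t *p, size_t n) {
  for (ssize_t r; n; p += r, n -= (size_t)r)
    if ((r = read(fd, p, n)) <= 0) return -1;
  return 0;
}

/* RFC 1928: offer "no auth", then CONNECT with ATYP 0x03 (hostname) so the
 * proxy resolves the name, as curl --socks5-hostname does. 0 on success. */
int socks5_connect_hostname(int fd, const char *host, uint16_t port) {
  uint8_t req[7 + 255] = { 5, 1, 0, 3 }, rep[4 + 256 + 2];
  size_t hl = strlen(host), rest;
  if (hl == 0 || hl > 255) return -1;
  if (write(fd, "\x05\x01\x00", 3) != 3) return -1;
  if (read_full(fd, rep, 2) || rep[0] != 5 || rep[1] != 0) return -1;
  req[4] = (uint8_t)hl;
  memcpy(req + 5, host, hl);
  req[5 + hl] = (uint8_t)(port >> 8);
  req[6 + hl] = (uint8_t)(port & 0xff);
  if (write(fd, req, 7 + hl) != (ssize_t)(7 + hl)) return -1;
  if (read_full(fd, rep, 4) || rep[0] != 5 || rep[1] != 0) return -1;
  if (rep[3] == 3) {                       /* length-prefixed bound name */
    if (read_full(fd, rep + 4, 1)) return -1;
    rest = rep[4] + 2u;
  } else if (rep[3] == 1 || rep[3] == 4) { /* IPv4 or IPv6 bound address */
    rest = rep[3] == 1 ? 6 : 18;
  } else return -1;
  return read_full(fd, rep + 5, rest);
}
```

After `socks5_connect_hostname` returns 0 the descriptor carries the application stream; access to the listener itself is then governed by the filesystem permissions on the socket path rather than by packet filtering.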