Implement a Linux Namespaces wrapper #70

Open
JeremyRand opened this issue Dec 19, 2023 · 2 comments
@JeremyRand
Member

As @adrelanos suggested on the Whonix forum, it would be desirable to implement a Linux Namespaces wrapper for Horklump, so that even if a malicious tracee escapes from the ptrace sandbox, it still won't be able to bypass the proxy.

(This is not a replacement for ptrace, just a defense-in-depth tactic.)

@JeremyRand
Member Author

It sounds like @handpickencounter has some code sitting around for this purpose?

They also said:

> suggestion - simply unshare the network namespace (no interfaces, no listening ports) so no need to block any packets. Utilize Tor's ability to create unix domain sockets for socks5 listeners.

@handpickencounter

handpickencounter commented Nov 4, 2024

You can do

unshare --net -- socktrace ... -- app

The way I usually do it is with a more comprehensive setup for bwrap (bubblewrap) and unshare more things, apply seccomp, private writable /home dir, etc.
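A fail-closed preflight for the `unshare --net` approach discussed in this thread, added here as an example; it is not code from the thread's participants or from Horklump. It refuses to start the wrapped program unless only loopback is visible, no IPv4 route exists, and the SOCKS listener's Unix socket is present. The function names and the socket path are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed preflight for a process started under `unshare --net`.
# Function names and the socket path are hypothetical, not part of Horklump.

# Print every interface other than "lo" listed in a /proc/net/dev style file.
non_loopback_ifaces() {
    # Two header lines, then "  name: counters..."; the name ends at the first ':'.
    awk 'NR > 2 { sub(/^[ \t]+/, ""); split($0, f, ":"); if (f[1] != "lo") print f[1] }' "$1"
}

# Print the number of IPv4 routes in a /proc/net/route style file (one header line).
route_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# Return 0 only if nothing but loopback is visible and no IPv4 route exists.
# $1 and $2 override the proc files so the check can be exercised offline.
netns_is_empty() {
    dev=${1:-/proc/net/dev}
    route=${2:-/proc/net/route}
    # Unreadable files mean the state is unknown, so refuse rather than assume.
    [ -r "$dev" ] && [ -r "$route" ] || { echo "refusing: cannot read $dev or $route" >&2; return 1; }
    extra=$(non_loopback_ifaces "$dev")
    [ -z "$extra" ] || { echo "refusing: interfaces visible: $extra" >&2; return 1; }
    [ "$(route_count "$route")" = "0" ] || { echo "refusing: IPv4 routes present" >&2; return 1; }
}

# Also require the SOCKS listener's Unix socket ($1) to exist, for example one
# created by Tor with "SocksPort unix:/path" (the path itself is an assumption).
netns_preflight() {
    netns_is_empty "${2:-}" "${3:-}" || return 1
    [ -S "$1" ] || { echo "refusing: $1 is not a Unix socket" >&2; return 1; }
}

# Run as the command given to unshare --net: sh preflight.sh SOCKET CMD [ARGS...]
if [ "$#" -ge 2 ]; then
    sock=$1; shift
    netns_preflight "$sock" && exec "$@"
    exit 1
fi
```

Pathname Unix sockets stay reachable from the new network namespace as long as the filesystem path is shared; abstract-namespace sockets do not, so the listener has to be bound to a path.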
