Introducing oniux: Kernel-level Tor isolation for any Linux app
by cve | May 14, 2025
When launching privacy-critical apps and services, developers want to be sure that every packet really goes through Tor and nothing else. One mistyped proxy setting, or a single system call that escapes the SOCKS wrapper, and your data is suddenly on the line.
That's why today we are excited to introduce oniux: a small command-line utility that provides Tor network isolation for third-party applications using Linux namespaces. Built on Arti and onionmasq, oniux drops any Linux program into its own network namespace, routes it through Tor, and takes away the possibility of traffic leaking outside Tor. If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it.
What are Linux namespaces? 🐧
Namespaces are an isolation feature of the Linux kernel. The first of them, mount namespaces, arrived in 2002 with Linux 2.4.19, and the others followed over the next decade, user namespaces being the last to be completed in Linux 3.8 (2013). They provide a secure way to isolate a certain part of an application from the rest of the system. Namespaces come in various forms: network namespaces, mount namespaces, PID namespaces and a few more, each of them hiding a particular class of system resource from the application.
What do we mean by system resources? In Linux, system resources are globally visible to all applications on the system. The most notable example is probably the system clock, but there are many others, such as the list of all processes, the file system, and the list of users.
Namespaces containerize a certain part of an application from the rest of the operating system; this is exactly the mechanism Docker and other container runtimes use to provide their isolation primitives.
Tor + Namespaces = ❤️
As outlined above, namespaces are a powerful feature that lets us isolate the Tor network access of an arbitrary application. We place each application in a network namespace that has no access to the system-wide network interfaces (such as eth0) and instead provides a single custom interface, onion0.
This lets us isolate an arbitrary application over Tor in the most secure way software allows, namely by relying on a security primitive offered by the operating-system kernel. Unlike SOCKS, the application cannot accidentally leak by failing to route some connection through the configured proxy, a mistake that is easy for a developer to make: inside the namespace there is simply no path to the host's interfaces, so a connection that does not go through onion0 has nowhere else to go.
oniux vs. torsocks
You may also have heard of a tool with a similar goal, torsocks, which works by overriding all network-related libc functions through LD_PRELOAD so that traffic is routed over the SOCKS proxy offered by Tor. This approach is somewhat more portable, but it has a notable downside: any application that issues network system calls without going through the dynamically linked libc, whether with malicious intent or not, leaks data. Most notably, this rules out statically linked binaries and applications from the Zig ecosystem (Go programs on Linux, whose runtime makes system calls directly, fall into the same category).
The following is a basic comparison of oniux and torsocks:
oniux                               | torsocks
------------------------------------|-----------------------------------------------------------------------
Standalone application              | Requires a running Tor daemon
Uses Linux namespaces               | Uses an ld.so preload (LD_PRELOAD) hack
Works on all applications           | Only works on applications making system calls through libc
A malicious application cannot leak | A malicious application can leak by issuing a system call from raw assembly
Linux only                          | Cross-platform
New and experimental                | Battle-proven for over 15 years
Uses Arti as its engine             | Uses CTor as its engine
Written in Rust                     | Written in C
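The last table row is the whole security argument, so here is an added example, written for this page rather than taken from torsocks or oniux, that shows the bypass in C. The program's own sendto() definition stands in for a preloaded torsocks library: because it lives in the executable it wins symbol resolution over libc's, which is the same mechanism LD_PRELOAD relies on. The well-behaved path calls that wrapper and is refused; the identical datagram issued through syscall(2) reaches the kernel and leaves the process without the wrapper ever running. The destination (the UDP discard port on 127.0.0.1) and the two-byte payload are constructed for the example, and the wrapper refusing with EPERM is a stand-in as well; a real torsocks would redirect the call rather than refuse it.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* How many calls reached the libc-level wrapper. */
static int interposed_calls = 0;

/* Stand-in for a torsocks-style interposer of the libc symbol. A definition in
 * the executable takes precedence over libc's for every dynamically resolved
 * call, exactly as an LD_PRELOAD library's does. A real torsocks would push the
 * traffic through the SOCKS proxy; this one records the call and refuses it,
 * which is enough to see which path a packet took. */
ssize_t sendto(int fd, const void *buf, size_t len, int flags,
               const struct sockaddr *dst, socklen_t dstlen)
{
    (void)fd; (void)buf; (void)len; (void)flags; (void)dst; (void)dstlen;
    interposed_calls++;
    errno = EPERM;
    return -1;
}

/* Constructed destination: UDP discard port on loopback, so the datagram
 * leaves the process without needing a listener or outside connectivity. */
static void make_dst(struct sockaddr_in *dst)
{
    memset(dst, 0, sizeof *dst);
    dst->sin_family = AF_INET;
    dst->sin_port = htons(9);
    inet_pton(AF_INET, "127.0.0.1", &dst->sin_addr);
}

/* Well-behaved path: goes through the libc wrapper. Returns the errno the
 * wrapper produced, or 0 if the send went through. */
int send_via_libc(void)
{
    struct sockaddr_in dst;
    make_dst(&dst);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return errno;
    ssize_t n = sendto(fd, "hi", 2, 0, (struct sockaddr *)&dst, sizeof dst);
    int err = n < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Bypass path: the same send issued through syscall(2), as a static binary, a
 * Zig or Go runtime, or hand-written assembly would. No libc symbol is
 * involved, so the interposer never runs. Returns bytes sent, or -errno. */
long send_via_raw_syscall(void)
{
    struct sockaddr_in dst;
    make_dst(&dst);
    long fd = syscall(SYS_socket, AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    long n = syscall(SYS_sendto, (int)fd, "hi", (size_t)2, 0,
                     (struct sockaddr *)&dst, (socklen_t)sizeof dst);
    long r = n < 0 ? -errno : n;
    close((int)fd);
    return r;
}

int interposer_hits(void) { return interposed_calls; }

int main(void)
{
    int err = send_via_libc();
    long n = send_via_raw_syscall();
    printf("via libc wrapper: refused, errno=%d (%s)\n", err, strerror(err));
    printf("via raw syscall : %ld bytes left the process; wrapper saw %d call(s)\n",
           n, interposer_hits());
    return 0;
}
```

Under oniux the raw path gains an attacker nothing: the kernel still delivers the datagram, but the only interfaces in the namespace are lo and onion0, so a packet for any non-loopback address can only enter the TUN that oniux controls. strace -f -e trace=network on the wrapped program shows both paths as plain socket()/sendto() calls, which is why the syscall boundary, not the libc boundary, is the right place to enforce the policy.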
How can I use oniux? 🧅
First, you need a Linux system with a Rust toolchain installed. You can then install oniux with the following command:
$ cargo install --git https://gitlab.torproject.org/tpo/core/oniux oniux@0.4.0
Once that is done, you are ready to use oniux! 🙂
Using oniux is straightforward:
# Perform a simple HTTPS query using oniux!
$ oniux curl https://icanhazip.com
<A TOR EXIT NODE IP ADDRESS>
# oniux also supports IPv6 of course!
$ oniux curl -6 https://ipv6.icanhazip.com
<A TOR EXIT NODE IPv6 ADDRESS>
# Tor without onion services is like a car without an engine ...
$ oniux curl http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/index.html
# You can also enable logging if you are a nerd. 🤓
$ RUST_LOG=debug oniux curl https://icanhazip.com
# If you want, you can "torify" your entire shell, isolating all processes within!
$ oniux bash
# If you are in a desktop environment, you can isolate graphical applications too!
$ oniux hexchat
How does this work internally? ⚙️
oniux works by immediately spawning a child process with the clone(2) system call, isolated in its own network, mount, PID, and user namespace. That child mounts its own copy of /proc and writes UID and GID mappings that map the parent's UID and GID into the new user namespace.
Next it creates a temporary file containing nameserver entries and bind-mounts it over /etc/resolv.conf, so that applications running inside use a custom resolver that resolves names through Tor rather than the host's configured nameservers.
The child then uses onionmasq to create a TUN interface named onion0, followed by the rtnetlink(7) operations needed to bring the interface up, such as assigning IP addresses.
Then the child sends the TUN interface's file descriptor over a Unix domain socket to the parent, which has been waiting for this message since the initial clone(2). The parent lives outside the namespace, so it is the side that can move packets between onion0 and Tor.
Once that is done, the child drops every capability it acquired as the root (owner) of the new user namespace, so the wrapped program runs without privileges.
Finally, the command supplied by the user is executed using the process facilities of the Rust standard library.
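The steps above map onto a short C program. What follows is an added example for this page, not oniux's own code, and it stops short of step three (creating onion0 and handing its descriptor to the parent), because that half needs onionmasq's userspace IP stack. It does show the part the kernel enforces: clone(2) with the four namespace flags, the uid_map/gid_map the child writes for itself, a private /proc, the bind mount over /etc/resolv.conf, a check that no host interface survived into the namespace, and dropping capabilities before execvp(3). The resolv.conf content (pointing at 127.0.0.1, where nothing answers inside the jail, so lookups fail closed) and the default command are constructed for the example. It needs a kernel that allows unprivileged user namespaces (see user.max_user_namespaces, or kernel.unprivileged_userns_clone on Debian-derived kernels); otherwise clone(2) fails with EPERM and the program reports that instead of running anything.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

struct jail {
    char *const *argv;    /* command to run inside the namespaces */
    const char *resolv;   /* file to bind-mount over /etc/resolv.conf */
    uid_t uid; gid_t gid; /* parent's ids, captured before clone(): in the new user
                             namespace getuid() is still the unmapped overflow id */
};
/* The one-line "<inside> <outside> 1" mapping an unprivileged process may write for
 * itself. Returns the length written, or -1 if buf is too small. */
int idmap_line(char *buf, size_t len, unsigned inside, unsigned outside)
{
    int n = snprintf(buf, len, "%u %u 1\n", inside, outside);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    ssize_t n = fd < 0 ? -1 : write(fd, text, strlen(text));
    if (fd >= 0) close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}
/* Interfaces other than "lo" visible from the caller's network namespace; a
 * freshly created namespace has only the loopback device. */
int non_loopback_ifaces(void)
{
    struct if_nameindex *ifs = if_nameindex(), *p;
    int n = 0;
    if (!ifs) return -1;
    for (p = ifs; p->if_index != 0; p++) n += strcmp(p->if_name, "lo") != 0;
    if_freenameindex(ifs);
    return n;
}
/* Drop everything the child holds as owner of the new user namespace. Clearing the
 * bounding set is what keeps the capabilities from coming back at execve(2). */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct none[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0 && errno != EINVAL) return -1;
    return (int)syscall(SYS_capset, &hdr, none);
}

static int child(void *arg)
{
    struct jail *j = arg;
    char line[64];
    /* 1. Map the parent's uid/gid onto themselves; setgroups must be denied first. */
    if (idmap_line(line, sizeof line, j->uid, j->uid) < 0 ||
        write_file("/proc/self/uid_map", line) < 0 ||
        write_file("/proc/self/setgroups", "deny") < 0 ||
        idmap_line(line, sizeof line, j->gid, j->gid) < 0 ||
        write_file("/proc/self/gid_map", line) < 0) return 101;
    /* 2. Private mount tree, a /proc that belongs to the new pid namespace, and a
     *    private resolv.conf so nothing inside can use the host's nameservers. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return 102;
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) return 103;
    if (mount(j->resolv, "/etc/resolv.conf", NULL, MS_BIND, NULL) < 0) return 104;
    /* 3. oniux creates the onion0 TUN here and passes its fd to the parent. This
     *    example only verifies that no host interface survived into the namespace. */
    if (non_loopback_ifaces() != 0) return 105;
    /* 4. Drop privileges, then run the wrapped command. */
    if (drop_all_caps() < 0) return 106;
    execvp(j->argv[0], j->argv);
    return 127;
}

/* Run argv in fresh user, mount, pid and network namespaces. Returns the child's exit
 * status, or -1 with errno set when clone(2) refused to create them (typically EPERM:
 * unprivileged user namespaces disabled, or filtered by a container's seccomp policy). */
int netjail_run(char *const argv[], const char *resolv_path)
{
    static char stack[256 * 1024];
    struct jail j = { argv, resolv_path, getuid(), getgid() };
    int status, flags = CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET | SIGCHLD;
    pid_t pid = clone(child, stack + sizeof stack, flags, &j);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int main(int argc, char **argv)
{
    char path[] = "/tmp/netjail-resolv-XXXXXX";  /* constructed resolv.conf: 127.0.0.1 answers */
    int fd = mkstemp(path);                       /* nothing inside the jail, so lookups fail */
    if (fd < 0) return 1;                         /* closed; oniux uses its Tor resolver here */
    dprintf(fd, "nameserver 127.0.0.1\n"); close(fd);
    char *show[] = { "sh", "-c", "ip -brief link 2>/dev/null || cat /proc/net/dev", NULL };
    int rc = netjail_run(argc > 1 ? argv + 1 : show, path);
    unlink(path);
    return rc < 0 ? (perror("clone"), 1) : rc;
}
```

Run without arguments it lists the interfaces the jailed shell can see, which is only lo; the same check against a real oniux session is `oniux sh -c 'ip -brief link'`, where lo and onion0 should be the only entries. The exit codes 101 to 106 tell you which setup step a hardened host refused, and 127 means the namespaces and privilege drop all worked but the command itself could not be executed.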
oniux is experimental ⚠️
Although this section should not discourage you from using oniux, keep in mind that it is relatively new and builds on new Tor software, namely Arti and onionmasq.
While things currently work as expected, tools such as torsocks have been around for over 15 years and have much more field experience.
We do want to reach a similar state with oniux, so please go ahead and try it out!
Credits
Many thanks to the developers of smoltcp, a Rust crate that implements a full IP stack in Rust, which we make heavy use of.
Many thanks also go to 7ppKb5bW, who taught us how this can be implemented without capabilities(7) by using user_namespaces(7) properly.
Last but not least, many thanks to all the people and organizations who support Tor financially. The Tor Project, Inc. is a 501(c)(3) nonprofit advancing human rights and defending privacy online through free software and open networks. The oniux release is powered by a community of supporters. Please consider donating today to continue advancing our work that makes privacy possible.
Source: https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/