
TBB's use of SocksSocket will break Whonix's Tor Browser implementation
Closed, Resolved · Public

Description

Impact:

Tor Browser developers plan changes that would break Whonix's Tor over Tor prevention. These changes would make it hard for manually downloaded, unmodified TBB tarballs to work in Whonix out of the box while preventing Tor over Tor.

Details:

The current implementation of anon-ws-disable-stacked-tor using rinetd (design documentation, see footnote) will not work forever.

Tor implemented the SocksSocket option (unix domain sockets) in version 0.2.6.3-alpha. Tor Browser will start using it. (Reference)

To make things worse, currently the environment variables TOR_SOCKS_HOST and TOR_SOCKS_PORT are broken. (upstream bug report)

Related Upstream Bug:

torrc's SocksSocket breaks tor-service-defaults-torrc's SocksPort

Solution?

We might be able to solve this using socat, because socat is apparently able to man-in-the-middle unix domain sockets, by using something like this (untested). (source)

sudo mv /path/to/sock /path/to/sock.original
sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original

We might be able to redirect that unix domain socket to Whonix-Gateway.

Either directly to Whonix-Gateway (if we want to abolish rinetd).

sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork TCP4:10.152.152.10:9150

Or to the existing rinetd to keep things simpler for custom gateway IPs and Qubes.

sudo socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork TCP4:127.0.0.1:9150

Timing the renaming of TBB's unix domain socket file so we can intercept and redirect it seems difficult and error-prone. Therefore it would be best if TBB supported an environment variable to connect to existing unix domain socket files. -> upstream feature request

Dev Test Toolbox:

To install a Tor version that comes with the SocksSocket option, add this to /etc/apt/sources.list.d/torproject.list:

deb http://deb.torproject.org/torproject.org tor-experimental-0.2.6.x-wheezy main

/etc/apparmor.d/local/system_tor AppArmor permission.

/{,var/}run/tor/socket rw,

/etc/tor/torrc

SocksSocketsGroupWritable 1
SocksPort unix:/var/run/tor/socket

Test if the socket can be talked to.

socat - UNIX-CONNECT:/var/run/tor/socket
GET

Create unix domain socket file /home/user/test.socket and forward to /var/run/tor/socket as proof of concept.

sudo socat -t100 -x -v UNIX-LISTEN:/home/user/test.socket,mode=777,reuseaddr,fork UNIX-CONNECT:/var/run/tor/socket

Test if the socket can be talked to.

socat - UNIX-CONNECT:./test.socket
GET

Proof of concept is functional.


Forum user support thread:
https://forums.whonix.org/t/tor-browser-6-5a4-connectivity-broken-blocked-by-apparmor-profile-since-tbb-changed-to-sockssocket
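
A protocol-aware version of the "Test if the socket can be talked to" step, as an added example (Python, not code from this task or from Whonix): it checks that the path is a socket, flags the world-writable bit that `mode=777` sets, and sends a SOCKS5 greeting instead of `GET`. The function names and the stand-in listener are constructed for illustration; on a real setup, point `probe_socks_socket` at `/var/run/tor/socket` or at the forwarded socket file.

```python
import os
import socket
import stat
import tempfile
import threading


def probe_socks_socket(path, timeout=5.0):
    """Report whether path is a unix socket that answers a SOCKS5 greeting."""
    result = {"is_socket": False, "world_writable": False, "socks5_ok": False}
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return result  # forwarder not started yet
    result["is_socket"] = stat.S_ISSOCK(mode)
    # mode=777, as in the socat commands on this page, sets the "other" write bit.
    result["world_writable"] = bool(mode & stat.S_IWOTH)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
            # SOCKS5 greeting: version 5, one method offered, 0x00 = no auth.
            s.sendall(b"\x05\x01\x00")
            reply = s.recv(2)
        except OSError:
            return result  # not a socket, stale file, or nothing listening
    # A SOCKS5 server that accepts "no auth" replies version 5, method 0.
    result["socks5_ok"] = reply == b"\x05\x00"
    return result


def start_fake_socks(path, mode=0o660):
    """Constructed stand-in listener: answers a single SOCKS5 greeting."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if conn.recv(3) == b"\x05\x01\x00":
                conn.sendall(b"\x05\x00")
    threading.Thread(target=serve, daemon=True).start()


if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "test.socket")
    start_fake_socks(demo)
    print(probe_socks_socket(demo))
```
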

Details

Impact
High

Event Timeline

Patrick created this task. Feb 21 2015, 3:32 PM
Patrick updated the task description.
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. Feb 21 2015, 4:09 PM
Patrick updated the task description. Feb 21 2015, 5:00 PM
Patrick updated the task description. Feb 21 2015, 5:06 PM
Patrick updated the task description. Feb 21 2015, 5:09 PM
Patrick updated the task description. Feb 21 2015, 5:15 PM
Patrick updated the task description. Mar 13 2015, 8:38 PM
Patrick updated the task description. Mar 13 2015, 9:32 PM
Patrick removed a project: Whonix 11.
Patrick edited projects, added Whonix 13; removed Whonix 12. Aug 20 2015, 12:16 AM
Patrick set Impact to Needs Triage.
Patrick changed Impact from Needs Triage to High. Aug 20 2015, 3:28 AM
Try to cope with planned changes by the Tor Browser Bundle (TBB) developers. Try keeping Tor Browser able to connect while preventing Tor over Tor.
The Tor Project (TPO) plans ( https://trac.torproject.org/projects/tor/ticket/14270 ) to modify TBB to use unix domain sockets (Tor SocksSocket option) instead of TCP to talk to Tor.
To make things worse, currently the environment variables TOR_SOCKS_HOST and TOR_SOCKS_PORT are broken. ( upstream bug report: https://trac.torproject.org/projects/tor/ticket/8336 )
Therefore creating unix domain sockets using socat in folder /var/run/anon-ws-disable-stacked-tor that are forwarded to rinetd on localhost, which forwards them to the gateway.
(Not directly forwarding those to the gateway to make the Qubes implementation simpler. This way no IP replacement is required.)
Optimistically setting environment variables to configure TBB in hope that those are later implemented by TPO.
export TOR_PRE_EXIST_UNIX_SOCKET_SOCKS="/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
export TOR_PRE_EXIST_UNIX_SOCKET_CONTROL="/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"
As long as it is ignored, there is no harm.
And once Tor Browser supports it, chances are better that it is still able to make connections.
See also:
- https://trac.torproject.org/projects/tor/ticket/14272#comment:3
- https://phabricator.whonix.org/T192

https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/c246d61189015f14e806fbb34bfade5d6cfe6e3c

Nothing else can be done here before The Tor Project proceeds.

Other crazy approaches:

  • a) ld preload magic
  • b) search and replace Tor binary

How is Tor started in TBB? If it is possible to disable it (I hope so), there should be no race condition with it. When the user starts TBB, the socket should be already there, and won't be overwritten because Tor is disabled. Right?

marmarek (Marek Marczykowski-Górecki):

> How is Tor started in TBB?

In a nutshell:

  1. Tor Browser (which is a Firefox with patches by TPO) starts with its main window hidden by default.
  2. Tor Launcher (which is a Firefox addon) provides the connection wizard window.
  3. Then Tor Launcher starts Tor and allows Tor Browser to open its main window.
  4. Then Tor Browser uses 127.0.0.1 9150 (Socks) / 9151 (Control).
  5. In Whonix-Workstation we redirect these local ports to the Whonix-Gateway.

( https://www.whonix.org/wiki/Tor_Browser#tor-launcher_vs_torbrowser-launcher )

> If it is possible to disable it (I hope so),

We are already disabling the bundled Tor that comes with Tor Browser.

( https://www.whonix.org/wiki/Tor_Browser#tor-launcher )

> there should be no race condition with it.

No race condition indeed.

> When the user starts TBB, the socket should be already there,

Yes, Tor Browser would require the socket to be already existing.

> and won't be overwritten because Tor is disabled. Right?

Yes.

Now the problem is, when they implement this, they might expect the
socket to be existing in
~/.tb/tor-browser/Browser/TorBrowser/Data/Tor/. Writing into the home
folder is troublesome. And in the past they changed the folder structure
quite often so things could break.

To keep things stable connected, I requested the following environment
variables.

  • TOR_PRE_EXIST_UNIX_SOCKET_SOCKS
  • TOR_PRE_EXIST_UNIX_SOCKET_CONTROL

https://trac.torproject.org/projects/tor/ticket/14272#comment:3

At the moment I can only wait for what TPO says / does next.

In the latest torbutton version there already is an environment variable TOR_CONTROL_SOCKET.

There will be another one for the path to socks socket file. Asked what path that will be.

Patrick changed the task status from Open to Review. Oct 13 2016, 1:57 AM
Patrick added a comment. Edited Nov 17 2016, 7:38 PM

The variable names ended up being:

  • TOR_SOCKS_IPC_PATH
  • TOR_CONTROL_IPC_PATH

Happy to report that Whonix 14 with Tor Browser 6.5a4-hardened unix domain socket files redirection works for me.

Patrick closed this task as Resolved. Mar 7 2018, 2:04 AM
Patrick claimed this task.