Support tracee-launched Tor daemon

namecoin / sockstrace

Go port of Heteronculous (ptrace-based proxy leak detector). Outreachy project.

https://www.namecoin.org/

GNU General Public License v3.0

7 stars 3 forks source link

Support tracee-launched Tor daemon #62

Open JeremyRand opened 1 year ago

JeremyRand commented 1 year ago

Some applications (e.g. Tor Browser, Brave, and OnionShare) support launching their own bundled Tor instance. It would be nice if we could optionally detect such cases, and avoid treating connections issued by that Tor instance as a proxy leak.

JeremyRand commented 1 year ago

Since Horklump can see the process ID of each intercepted syscall, it seems that we should be able to key our behavior on that. Detecting the program name, given a PID, is doable in Linux AFAIK. So we should be able to detect the program name of the PID, and whitelist the PID if its program name is tor.

robertmin1 commented 1 year ago

pid := record.PID

// read the process name from /proc/<pid>/comm
commPath := fmt.Sprintf("/proc/%d/comm", pid)
commBytes, err := ioutil.ReadFile(commPath)
if err != nil {
     panic(err)
}
comm := string(commBytes)

 // check if the process name is "tor" and whitelist the PID if it is
if comm == "tor\n" {
      fmt.Printf("PID %d is a Tor process\n", pid)
      // whitelist the PID
}

robertmin1 commented 1 year ago

Alright, I was thinking of such as implementation. But for the tracee only right? Checking all sub-processes might be repetitive.

robertmin1 commented 1 year ago

@JeremyRand Suggested to use cmdline since it provides additional information, such as arguments