From: Nathan Freitas <nathan@freitas.net>
To: tor-talk@lists.torproject.org
Date: Fri, 12 Feb 2016 09:59:04 -0500
Subject: Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation


Neat and thanks! Perhaps we can think about building this into Orbot,
since we already have a very basic VPN.

On Fri, Feb 12, 2016, at 08:31 AM, Rusty Bird wrote:
> 
> Hi,
> 
> Maybe someone else will find this useful?
> https://github.com/rustybird/orplug
> 
> Rusty
> 
> 
> 
> orplug, an Android firewall with per-app Tor circuit isolation
> 
> Not affiliated with the Tor Project.
> 
> 
>     Short intro
> 
> - No GUI, please write one ;)
> - Default deny pretty much everything. Combinable access policies for
>   individual apps, whole Android user accounts, etc.: transparent
>   torification (circuit-isolated per app), fenced off access to Socks/
>   Polipo, LAN access, clearnet access
> - Multi user account support
> - Doesn't leak IPv6 traffic
> - Clean DNS, but requires ANDROID_DNS_MODE=local ROM patch
> - Logs blocked DNS queries and blocked other packets
> - Input firewall allows sshd by default
> - Should work with enforcing SELinux
> - Includes the "--state INVALID" transproxy leak fix[1]
> - Tested on CyanogenMod 13 (Android 6.0.1 Marshmallow)
> 
> 
>     Longer intro
> 
> Really no GUI, unfortunately I don't have any talent for that. There's a
> simple plain text configuration format[2] though, and the command line
> "orplug-reconf" script could work as a backend to a graphical app. (It
> accepts stdin as well as files for configuration.)
> 
> Unconfigured processes may only communicate with localhost and the
> loopback interface. You can configure an individual app, a Unix user/
> group, or an Android account:
> 
>   - to be transparently torified, with circuit isolation per rule
>   - to be allowed access to local TCP ports 9050/8118 for native Orbot
>     support
>   - to be allowed LAN access (except DNS)
>   - to be allowed full clearnet access
> 
> All of the above can be combined: Transparently torify a VoIP app as
> far as possible, but allow clearnet access for the remainder (UDP voice
> packets). Or, for a home media streaming app: transparent torification
> with LAN access.
> 
> Rules can apply to the primary Android device user account or to other
> accounts.
> 
> For incoming traffic, every port is blocked to the outside by default.
> But a hook loads files with raw ip(6)tables-restore rulesets, and one
> such ruleset allows TCP port 22 (sshd).
> 
> The init script uses "su -c", which seems to set up everything properly
> SELinux-wise on CM13. I'm not really sure because I don't have a device
> that's able to run in enforcing mode.
> 
> 
>     The DNS mess
> 
> Android 4.3+ mixes DNS requests of all apps together by default[3]; when
> a request finally appears in Netfilter, it's unknown where it came from.
> orplug takes a strict approach and blocks this sludge, so it needs a ROM
> patched[4] to export the environment variable ANDROID_DNS_MODE=local
> during early boot.
> 
> Unfortunately, ANDROID_DNS_MODE=local makes Android send DNS requests to
> 127.0.0.1, instead of the value of the net.dns1 property. Until this is
> somehow fixed, a rule has been added to redirect allowed clearnet IPv4
> DNS traffic to $ClearnetDNS (defaults to Google's 8.8.8.8).
> 
> orplug blocks disallowed DNS requests by sending them to a local dnsmasq
> instance that only logs queries (logcat | grep dnsmasq), but doesn't
> forward them. This is how I noticed that CM13 with "everything disabled"
> nevertheless attempts to connect to the hosts stats.cyanogenmod.org,
> account.cyngn.com, and shopvac.cyngn.com. (Via UID 1000, in this case
> the Settings package.)
> 
> 
>     Captive portals
> 
> Enable clearnet access for either UID 1000 (beware of the random stuff
> apparently floating around there), or for a dedicated browser (and run
> "settings put global captive_portal_detection_enabled 0" as root).
> 
> 
>     Installation
> 
> 0. Set up some independent way to check for leaks, e.g. corridor[5].
>    You've been warned...
> 1. Copy the orplug subdirectory to /data/local/ on your Android device.
>    "chmod 755" 00-orplug, orplug-start, and orplug-reconf (all in
>    /data/local/orplug/bin/).
> 2. Add the line ". /data/local/orplug/bin/00-orplug" (note the dot) to
>    /data/local/userinit.sh and run "chmod 755 userinit.sh".
> 3. Copy the contents of /data/local/orplug/torrc-custom-config.txt into
>    the clipboard, e.g. using File Manager. This file contains directives
>    for tor to open 99 different TransPort and DNSPort ports.
> 4. In Orbot's settings, paste the clipboard contents into "Torrc Custom
>    Config", disable "Transparent Proxying", disable "Request Root
>    Access", and choose "Proxy None" in "Select Apps" (that last one only
>    applies to current prereleases of Orbot).
> 5. Reboot your device.
> 6. Check that orplug has brought the firewall up: The output of
>    "getprop orplug.up" is supposed to say "true". Log files are in
>    /data/local/orplug/debug/ in case it didn't work.
> 7. Configure your apps by creating one or more .conf file(s) in
>    /data/local/orplug/conf/ (there's a commented user.conf.example[2]).
> 8. Run "su -c /data/local/orplug/bin/orplug-reconf". The output is
>    supposed to say "orplug-reconf: populated". This will happen
>    automatically if you reboot.
> 
> 
>     Footnotes
> 
> 1. "--state INVALID" transproxy leak fix
> https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
> 
> 2. Example orplug configuration
> https://raw.githubusercontent.com/rustybird/orplug/master/orplug/conf/rules/90-user.conf.example
> 
> 3. Explanation of DNS in Android 4.3+
> http://forum.xda-developers.com/showthread.php?t=2386584
> 
> 4. ANDROID_DNS_MODE=local patch (affects only "make bootimage")
> https://raw.githubusercontent.com/rustybird/orplug/master/system-core-ANDROID_DNS_MODE.patch
> 
> 5. corridor, a Tor traffic whitelisting gateway
> https://github.com/rustybird/corridor
> 
> 
>     Redistribution
> 
> orplug is ISC licensed, see the LICENSE file for details.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
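An added example, not orplug's own code or configuration, of how the mechanisms Rusty describes (per-rule TransPort/DNSPort isolation, the "--state INVALID" leak fix, and sinking disallowed DNS into a log-only dnsmasq) can be rendered as an iptables-restore ruleset from a small per-UID policy file. The policy file format, the port bases and the dnsmasq port are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not orplug's own code: render a small per-UID policy file
# into an iptables-restore ruleset in which every torified rule gets its own
# TransPort/DNSPort pair. Tor puts each listener in its own session group,
# so two apps redirected to different ports never share a circuit.
# The policy file format and all port numbers below are assumptions.
TRANS_BASE=9040   # assumed: torrc opens TransPort 9041, 9042, ...
DNS_BASE=5400     # assumed: matching DNSPort 5401, 5402, ...
DNS_LOG_PORT=5353 # assumed: log-only dnsmasq that never forwards queries

# $1: file with one "UID POLICY" pair per line, POLICY = tor | lan | clearnet.
# Prints the nat and filter tables in iptables-restore format on stdout.
gen_rules() {
  n=0
  printf '*nat\n:OUTPUT ACCEPT [0:0]\n'
  while read -r uid policy; do
    n=$((n + 1))
    case "$policy" in
    tor) # new TCP connections and DNS of this UID go to its own Tor listeners
      printf -- '-A OUTPUT -m owner --uid-owner %s -p tcp --syn -j REDIRECT --to-ports %s\n' "$uid" $((TRANS_BASE + n))
      printf -- '-A OUTPUT -m owner --uid-owner %s -p udp --dport 53 -j REDIRECT --to-ports %s\n' "$uid" $((DNS_BASE + n)) ;;
    clearnet) # ANDROID_DNS_MODE=local aims DNS at 127.0.0.1; send it to a resolver
      printf -- '-A OUTPUT -m owner --uid-owner %s -p udp --dport 53 -j DNAT --to-destination 8.8.8.8\n' "$uid" ;;
    esac
  done < "$1"
  # Any DNS query not claimed above (unconfigured apps, mixed netd traffic)
  # is sunk into the logging dnsmasq instead of leaving the device.
  printf -- '-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports %s\nCOMMIT\n' "$DNS_LOG_PORT"
  printf '*filter\n:OUTPUT DROP [0:0]\n-A OUTPUT -o lo -j ACCEPT\n'
  # The "--state INVALID" transproxy leak fix from footnote 1: packets conntrack
  # cannot classify bypass the nat REDIRECT, so drop them before any ACCEPT.
  printf -- '-A OUTPUT -m state --state INVALID -j DROP\n'
  while read -r uid policy; do
    case "$policy" in
    lan) # LAN access except DNS (RFC 1918 /16 assumed for the example)
      printf -- '-A OUTPUT -m owner --uid-owner %s -d 192.168.0.0/16 -p udp --dport 53 -j DROP\n' "$uid"
      printf -- '-A OUTPUT -m owner --uid-owner %s -d 192.168.0.0/16 -j ACCEPT\n' "$uid" ;;
    clearnet)
      printf -- '-A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$uid" ;;
    esac
  done < "$1"
  printf 'COMMIT\n'
}

# Constructed demo input: two torified apps and UID 1000 (Settings) on clearnet.
demo=$(mktemp)
printf '10123 tor\n10200 tor\n1000 clearnet\n' > "$demo"
gen_rules "$demo"
rm -f "$demo"
```

Torified UIDs need no filter rule of their own: after the nat REDIRECT their TCP traffic leaves via lo, and anything that was not redirected (UDP, non-SYN packets) falls to the DROP policy, which is the "torify as far as possible" behaviour the post describes for VoIP apps.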

