On Fri, 16 May 2014, isis wrote:
> Nicolas Vigier transcribed 2.6K bytes:
> > - Looked at Mbox[2]: a sandboxing tool based on ptrace and seccomp/BPF. This can be used in the test suite to get the list of files modified by the browser after running a test, to check that it did not create or modify files in unexpected places. This can also be used to log all network connections, to check that everything goes through tor. I was previously thinking about doing that using Docker, but now it seems more simple with Mbox.
> Mbox is neat! It looks like it's git based, right? Or at least includes some sort of CVS system. Either way, great idea, testing for connections not matching " -> 127.0.0.1" should be easy. :)
Yes, it's nice! It's not git or CVS based. But it stores all new and modified files in a separate directory, doing copy-on-write when opening files with write permissions, by hijacking arguments of system calls which access files. And after running the program, it asks you which copy of the files you want to keep (or you can manually copy the files from the sandbox directory). It can also be used to log all opened network connections to a file.
Initially the filesystem sandboxing part didn't work with Tor Browser because of some bugs in Mbox, but it's now fixed so we'll be able to use it in the TBB test suite to monitor the files modified, created and removed by Tor Browser, and network connections made.
Yesterday I also made a patch that allows filtering which connections can be made: https://github.com/tsgates/mbox/commit/6dd0e49202795564e627e9eeba664fc685b14...
It could be used for instance to make sure a program will not connect anywhere without using tor.
This can be done like this:
$ cat tor.profile
[fs]
direct: /

[network]
block: 0.0.0.0
allow: 127.0.0.1:9050

$ mbox -p ./tor.profile -- curl -I http://www.google.com/
curl: (6) Could not resolve host: www.google.com

$ mbox -p ./tor.profile -- curl --socks5-hostname 127.0.0.1:9050 -I http://www.google.com/
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.co.in/?gfe_rd=cr&ei=GoiDU-76DcSU-wbdy4HgDg
Content-Length: 261
Date: Mon, 26 May 2014 18:29:46 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic

$ mbox -o /dev/null -p ./tor.profile -- nmap localhost
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:32 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0022s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
9050/tcp open  tor-socks

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

$ nmap localhost
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:32 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00048s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
9050/tcp open  tor-socks

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
It's also possible to kill a process which makes disallowed connections, rather than just blocking those connections:
$ cat tor.profile
[fs]
direct: /

[network]
kill: 0.0.0.0
allow: 127.0.0.1:9050

$ mbox -o /dev/null -p ./tor.profile -- nmap localhost
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-26 20:37 CEST

Stop executing pid=5298: Connect to 127.0.0.1 port 80
However, a warning if some people want to use this: it's still alpha quality software, so probably not a good idea to use it for something where security is important without more review.
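Added example, not part of the thread and not mbox's own code: a small Python model of the [network] profile semantics shown in the mail, so that a profile can be sanity-checked against a list of intended connections before trusting it in a test suite. It parses the two-section profile format from the mail and applies the rules to simulated connect() attempts. Everything about the rule semantics is an assumption on my part, not something mbox's source confirms: 0.0.0.0 in a rule is taken to mean "every address", an allow rule is taken to win over block/kill regardless of order, destinations no rule mentions are taken to be permitted, and only IPv4 ADDR or ADDR:PORT targets are handled. The function names (parse_profile, decide, run_under_policy) and the connection list are constructed for the example.

```python
import ipaddress

# Constructed profile, mirroring the one in the mail (not mbox's own code).
BLOCK_PROFILE = """
[fs]
direct: /

[network]
block: 0.0.0.0
allow: 127.0.0.1:9050
"""

# Same whitelist, but with the kill action from the second profile in the mail.
KILL_PROFILE = BLOCK_PROFILE.replace("block:", "kill:")

ANY_ADDR = "0.0.0.0"  # assumption: 0.0.0.0 in a rule matches every address


def parse_profile(text):
    """Parse the INI-like profile into {section: [(key, value), ...]}.

    Rule order within a section is preserved. '#' starts a comment
    (an assumption; the mail shows no comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"rule before any section header: {raw!r}")
        else:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed rule: {raw!r}")
            sections[current].append((key.strip(), value.strip()))
    return sections


def rule_matches(target, host, port):
    """target is ADDR or ADDR:PORT (IPv4 only in this model).

    ADDR equal to ANY_ADDR matches any host; a missing port matches any port."""
    addr, _, rule_port = target.partition(":")
    if addr != ANY_ADDR and ipaddress.ip_address(addr) != ipaddress.ip_address(host):
        return False
    return not rule_port or int(rule_port) == port


def decide(sections, host, port):
    """Return 'allow', 'block' or 'kill' for one connect() attempt.

    Assumption: an allow rule wins over block/kill whatever the order,
    and a destination that no rule mentions is permitted."""
    rules = sections.get("network", [])
    if any(a == "allow" and rule_matches(t, host, port) for a, t in rules):
        return "allow"
    for action, target in rules:
        if action in ("block", "kill") and rule_matches(target, host, port):
            return action
    return "allow"


def run_under_policy(sections, attempts):
    """Simulate a sandboxed process issuing connect() calls in order.

    Returns (log, killed_at): log holds one (host, port, verdict) per
    attempt that was evaluated; killed_at is the attempt that stopped the
    process under a kill rule, or None if the process ran to completion."""
    log = []
    for host, port in attempts:
        verdict = decide(sections, host, port)
        log.append((host, port, verdict))
        if verdict == "kill":
            return log, (host, port)
    return log, None


if __name__ == "__main__":
    # Constructed connection list, in the spirit of the nmap run in the mail:
    # a port scan touches many local ports, only 9050 (tor-socks) is wanted.
    attempts = [("127.0.0.1", 80), ("127.0.0.1", 9050), ("127.0.0.1", 25)]
    for name, text in (("block", BLOCK_PROFILE), ("kill", KILL_PROFILE)):
        log, killed = run_under_policy(parse_profile(text), attempts)
        print(f"{name} profile:")
        for host, port, verdict in log:
            print(f"  connect {host}:{port} -> {verdict}")
        if killed:
            print(f"  Stop executing: Connect to {killed[0]} port {killed[1]}")
```

Running it prints, for the block profile, one verdict per attempt (only 127.0.0.1:9050 allowed) and, for the kill profile, a stop after the very first disallowed connect, matching the shape of the two transcripts in the mail.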