CyberSecurity news
FlagThis
dark6@Secure Bulletin
//
The Tor Project has launched oniux, a command-line utility designed to enhance privacy for Linux applications. Oniux provides kernel-enforced Tor isolation, routing all network traffic through the Tor network. This new tool leverages Linux namespaces, a kernel feature, to create isolated network environments for applications, ensuring robust traffic anonymity and preventing data leaks in high-risk scenarios. Oniux aims to provide a more secure and reliable alternative to traditional SOCKS-based Tor proxies like torsocks.
Oniux operates by spawning a child process with isolated network, mount, PID, and user namespaces, effectively containerizing the application. It then mounts its own /proc and maps UIDs/GIDs to match the parent process. A custom /etc/resolv.conf is injected via a mount namespace, ensuring all DNS queries are resolved through Tor. The tool utilizes onionmasq to create a TUN interface (onion0) for Tor-bound traffic routing and drops all elevated privileges after setup to minimize the attack surface. The target application executes within this sandboxed environment, guaranteeing all network traffic is forced through Tor.
Unlike torsocks, which intercepts network-related libc calls and can be bypassed by applications using raw system calls or static binaries, oniux enforces isolation at the kernel level. This makes it impossible for applications, even malicious or misconfigured ones, to route traffic outside of Tor. The kernel-level isolation provided by oniux eliminates the risk of data leaks, making it particularly relevant for adversarial binaries or research tools not designed with privacy in mind, solidifying oniux as a more robust privacy solution.
References :
Oniux operates by spawning a child process with isolated network, mount, PID, and user namespaces, effectively containerizing the application. It then mounts its own /proc and maps UIDs/GIDs to match the parent process. A custom /etc/resolv.conf is injected via a mount namespace, ensuring all DNS queries are resolved through Tor. The tool utilizes onionmasq to create a TUN interface (onion0) for Tor-bound traffic routing and drops all elevated privileges after setup to minimize the attack surface. The target application executes within this sandboxed environment, guaranteeing all network traffic is forced through Tor.
Unlike torsocks, which intercepts network-related libc calls and can be bypassed by applications using raw system calls or static binaries, oniux enforces isolation at the kernel level. This makes it impossible for applications, even malicious or misconfigured ones, to route traffic outside of Tor. The kernel-level isolation provided by oniux eliminates the risk of data leaks, making it particularly relevant for adversarial binaries or research tools not designed with privacy in mind, solidifying oniux as a more robust privacy solution.
Share:
References :
- bsky.app: The Tor Project has released oniux, a command-line utility providing Tor network isolation for third-party applications using Linux namespaces
- cyberinsider.com: Tor Launches ‘oniux’ Tool for Leak-Proof Routing on Linux
- Secure Bulletin: Oniux: Kernel-Level Tor isolation for Linux applications
- The DefendOps Diaries: Oniux: Enhancing Privacy for Linux Applications
- BleepingComputer: New Tor Oniux tool anonymizes any Linux app's network traffic
- securebulletin.com: The Tor Project has unveiled oniux, a new command-line utility designed to deliver robust, kernel-enforced Tor isolation for any Linux application-a significant advancement in the ongoing quest for airtight traffic anonymity and leak prevention in high-risk environments.
- bsky.app: The Tor Project has released oniux, a command-line utility providing Tor network isolation for third-party applications using Linux namespaces
Classification:
- HashTags: #Tor #Privacy #LinuxSecurity
- Company: Tor
- Target: Linux users
- Product: Oniux
- Feature: Kernel-Level Tor isolation
- Malware: Oniux
- Type: ProductUpdate
- Severity: Informative