

oniux
A small command-line utility providing Tor network isolation for third-party applications using Linux namespaces. Built on Arti and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks.
Cost / License
- Free
- Open Source
Platforms
- Self-Hosted
- Tor
- Rust

oniux Features
Properties
- Privacy focused
- Security-focused
Features
- Command line interface
Tags
- Isolation
- app-isolation
- tor-network
- rust-based
oniux information
What is oniux?
A small command-line utility providing Tor network isolation for third-party applications using Linux namespaces. Built on Arti and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks. If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it.
Internal workings:
oniux works by immediately spawning a child process using the clone(2) system call; the child is isolated in its own network, mount, PID, and user namespaces. This process then mounts its own copy of /proc and sets up UID and GID mappings to the respective UID and GID of the parent process.
Afterwards, it creates a temporary file with nameserver entries, which is then bind-mounted onto /etc/resolv.conf so that applications running within the namespace use onionmasq's own DNS resolver. Next, the child process creates a TUN interface named onion0 and performs the rtnetlink(7) operations required to set up the interface, such as assigning IP addresses. Then, the child process sends the file descriptor of the TUN interface over a Unix domain socket to the parent process, which has been waiting for this message since executing clone(2). Once that is done, the child process drops all of the capabilities it acquired as part of being the root process in the user namespace. Finally, the command supplied by the user is executed using facilities provided by the Rust standard library.
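The end state described above can be checked from outside the sandbox. The following is an added example, not code from oniux: it compares the namespace links of a target process with the auditor's own and confirms that the target's capability sets are empty. The names `audit`, `Finding` and `links`, and the choice to check only `CapPrm` and `CapEff`, are assumptions made for this illustration.

```rust
use std::{env, fs};
// Namespaces the description says the child gets its own copy of.
const NAMESPACES: [&str; 4] = ["net", "mnt", "pid", "user"];
#[derive(Debug, PartialEq)]
enum Finding { SharedNamespace(String), CapabilityRetained(String, u64), Unparsable(String) }

/// Inode from a namespace link target such as "net:[4026532512]".
fn ns_inode(link: &str) -> Option<u64> {
    link.split_once(":[")?.1.strip_suffix(']')?.parse().ok()
}

/// Hex value of a capability line (e.g. "CapEff") in /proc/<pid>/status text.
fn cap_field(status: &str, name: &str) -> Option<u64> {
    let line = status.lines().find(|l| l.starts_with(name))?;
    u64::from_str_radix(line.split_once(':')?.1.trim(), 16).ok()
}

/// `host` and `child` hold the /proc/<pid>/ns/* link targets in NAMESPACES order.
fn audit(host: &[String], child: &[String], child_status: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (i, name) in NAMESPACES.iter().enumerate() {
        let inode = |v: &[String]| v.get(i).and_then(|l| ns_inode(l));
        match (inode(host), inode(child)) {
            (Some(h), Some(c)) if h != c => {} // distinct namespace: isolated
            (Some(_), Some(_)) => findings.push(Finding::SharedNamespace(name.to_string())),
            _ => findings.push(Finding::Unparsable(name.to_string())), // fail closed
        }
    }
    // Assumption: "all capabilities dropped" is checked as empty permitted and effective sets.
    for name in ["CapPrm", "CapEff"] {
        match cap_field(child_status, name) {
            Some(0) => {}
            Some(bits) => findings.push(Finding::CapabilityRetained(name.to_string(), bits)),
            None => findings.push(Finding::Unparsable(name.to_string())),
        }
    }
    findings
}

fn links(pid: &str) -> Vec<String> {
    NAMESPACES.iter().map(|n| fs::read_link(format!("/proc/{pid}/ns/{n}"))
        .map(|p| p.to_string_lossy().into_owned()).unwrap_or_default()).collect()
}

fn main() {
    let pid = env::args().nth(1).unwrap_or_else(|| "self".into());
    let status = fs::read_to_string(format!("/proc/{pid}/status")).unwrap_or_default();
    println!("{:?}", audit(&links("self"), &links(&pid), &status));
}
```

Run it with the PID of the sandboxed program as the only argument; an empty list means every check passed, and unreadable or malformed input is reported as a finding rather than treated as a pass.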
