Introducing oniux: Kernel-level Tor isolation for any Linux app

News
1

by cve | May 14, 2025

lead.png1200×675 11.7 KB

When launching privacy-critical apps and services, developers want to make sure that every packet really only goes through Tor. One mistyped proxy setting–or a single system-call outside the SOCKS wrapper–and your data is suddenly on the line.

That's why today, we are excited to introduce oniux: a small command-line utility providing Tor network isolation for third-party applications using Linux namespaces. Built on Arti, and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks. If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it.

What are Linux namespaces? 🐧

Namespaces are an isolation feature found in the Linux kernel that were introduced around the year 2000. They provide a secure way of isolating a certain part of an application from the rest of the system. Namespaces come in various forms and shapes. Some examples include network namespaces, mount namespaces, process namespaces, and a few more; each of them isolating a certain amount of system resources from an application.

What do we mean by system resources? In Linux, system resources are available globally by all applications on the system. The most notable example of this is probably your operating system clock, but there are many other areas as well, such as the list of all processes, the file system, and the list of users.

Namespaces containerize a certain part of an application from the rest of the operating system; this is exactly what Docker uses in order to provide its isolation primitives.

Tor + Namespaces = ❤️

As outlined above, namespaces are a powerful feature that gives us the ability to isolate Tor network access of an arbitrary application. We put each application in a network namespace that doesn't provide access to system-wide network interfaces (such as eth0), and instead provides a custom network interface onion0.

This allows us to isolate an arbitrary application over Tor in the most secure way possible software-wise, namely by relying on a security primitive offered by the operating system kernel. Unlike SOCKS, the application cannot accidentally leak data by failing to make some connection via the configured SOCKS, which may happen due to a mistake by the developer.

oniux vs. torsocks

You may have also heard of a tool with a similar goal, known as torsocks, which works by overwriting all network-related libc functions in a way to route traffic over a SOCKS proxy offered by Tor. While this approach is a bit more cross-platform, it has the notable downside that applications making system calls not through a dynamically linked libc, either with malicious intent or not, will leak data. Most notably, this excludes support for purely static binaries and applications from the Zig ecosystem.

The following provides a basic comparison on oniux vs torsocks:

oniux torsocks Standalone application Requires running Tor daemon Uses Linux namespaces Uses an ld.so preload hack Works on all applications Only works on applications making system calls through libc Malicious application cannot leak Malicious application can leak by making a system call through raw assembly Linux only Cross-platform New and experimental Battle-proven for over 15 years Uses Arti as its engine Uses CTor as its engine Written in Rust Written in C

How can I use oniux? 🧅

First, you need a Linux system with a Rust toolchain installed. Afterwards, you can install oniux with the following command:

$ cargo install --git https://gitlab.torproject.org/tpo/core/oniux oniux@0.4.0

Once that is done, you are ready to go for using oniux! 🙂

Using oniux is straightforward:

# Perform a simple HTTPS query using oniux!
$ oniux curl https://icanhazip.com
<A TOR EXIT NODE IP ADDRESS>
# oniux also supports IPv6 of course!
$ oniux curl -6 https://ipv6.icanhazip.com
<A TOR EXIT NODE IPv6 ADDRESS>
# Tor without onion services is like a car without an engine ...
$ oniux curl http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/index.html
# You can also enable logging if you are a nerd. 🤓
$ RUST_LOG=debug oniux curl https://icanhazip.com
# If you want, you can "torify" your entire shell, isolating all processes within!
$ oniux bash
# If you are in a desktop environment, you can isolate graphical applications too!
$ oniux hexchat

How does this work internally? ⚙️

oniux works by immediately spawning a child process using the clone(2) system call, which is isolated in its own network, mount, PID, and user namespace. This process then mounts its own copy of /proc followed by UID and GID mappings to the respective UID and GID of the parent process.

Afterwards, it creates a temporary file with nameserver entries which will then be bind mounted onto /etc/resolv.conf, so that applications running within will use a custom name resolver that supports resolving through Tor.

Next, the child process utilizes onionmasq to create a TUN interface named onion0 followed by some rtnetlink(7) operations required to set up the interface, such as assigning IP addresses.

Then, the child process sends the file descriptor of the TUN interface over a Unix Domain socket to the parent process, who has been waiting for this message ever since executing the initial clone(2).

Once that is done, the child process drops all of its capabilities which were acquired as part of being the root process in the user namespace.

Finally, the command supplied by the user is executed using facilities provided by the Rust standard library.

oniux is experimental ⚠️

Although this section should not discourage you from using oniux, you should keep in mind that this is a relatively new feature which uses new Tor software, such as Arti and onionmasq.

While things are already working as expected at the moment, tools such as torsocks have been around for over 15 years, giving them more experience on the battlefield.

But we do want to reach a similar state with oniux, so please go ahead and check it out!

Credits

Many thanks to the developers of smoltcp, which is a Rust crate that implements a full IP stack in Rust -- something, we make heavy use of.

Also many thanks go to 7ppKb5bW, who taught us on how this can implemented without the use of capabilities(7) by using user_namespaces(7) properly.

Last but not least, many thanks to all people and organizations who support Tor financially. The Tor Project, Inc. is a 501(c)(3) nonprofit advancing human rights and defending privacy online through free software and open networks. The oniux release is powered by a community of supporters. Please consider donating today to continue advancing our work that makes privacy possible.

This is a companion discussion topic for the original entry at https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces
6 Likes
2

You seem to have a couple of truncated onion addresses here. The oniux GitLab repo is here (Clearnet The Tor Project / Core / oniux · GitLab). The curl command example has what looks like the first 53 characters of an onion address too.

Also, for users who do not have cargo set up to resolve .onion addresses you may want to explain how this is done as cargo install --git http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/tpo/core/oniux on my system results in a DNS error failed to resolve address.

Anyhow, after updating my rust toolchain (1.69.0 resulting in a dependency issue) I managed to build and install oniux. I look forward to trying out this utility, it looks very useful.

I just tried oniux wget -O - https://check.torproject.org and got

!doctype html>
<html lang="en_US">
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>
    
      Congratulations. This browser is configured to use Tor.
...

:grinning_face:

3

Are you using an old or patched version of curl?

curl refuses to resolve .onion domains to avoid leakage:

4

I got those errors while trying using oniux hexchat:

2025-05-16T12:36:19Z DEBUG oniux] spawned onion-tunnel thread
thread '<unnamed>' panicked at src/main.rs:174:18:
called `Result::unwrap()` on an `Err` value: ArtiSetup(Error { detail: StateMgrSetup(Error { source: Inaccessible(BadOwner("/", 65534)), action: Initializing, resource: Directory { dir: "/home/dirtyoldman/.local/share/arti/state" } }) })
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at src/main.rs:136:22:
called `Result::unwrap()` on an `Err` value: No such file or directory (os error 2)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at core/src/panicking.rs:221:5:
panic in a function that cannot unwind
stack backtrace:
   0:     0x5d24ed3ef36a - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h304520fd6a30aa07
   1:     0x5d24ed41ad5b - core::fmt::write::hf5713710ce10ff22
   2:     0x5d24ed3eb7a3 - std::io::Write::write_fmt::hda708db57927dacf
   3:     0x5d24ed3f07f2 - std::panicking::default_hook::{{closure}}::he1ad87607d0c11c5
   4:     0x5d24ed3f045e - std::panicking::default_hook::h81c8cd2e7c59ee33
   5:     0x5d24ed3f107f - std::panicking::rust_panic_with_hook::had2118629c312a4a
   6:     0x5d24ed3f0d33 - std::panicking::begin_panic_handler::{{closure}}::h7fa5985d111bafa2
   7:     0x5d24ed3ef849 - std::sys::backtrace::__rust_end_short_backtrace::h704d151dbefa09c5
   8:     0x5d24ed3f09f4 - rust_begin_unwind
   9:     0x5d24ec773fd5 - core::panicking::panic_nounwind_fmt::hc0ae93930ea8f76c
  10:     0x5d24ec774062 - core::panicking::panic_nounwind::h9f485ff9b02bac75
  11:     0x5d24ec7741a6 - core::panicking::panic_cannot_unwind::hea865182d7ce50af
  12:     0x5d24ed2f9f36 - nix::sched::sched_linux_like::clone::callback::h7d99c497d382c0d3
  13:     0x7ca9ce138684 - clone
  14:                0x0 - <unknown>
thread caused non-unwinding panic. aborting.

Any suggestions?