diff --git a/src/__init__.py b/src/__init__.py index b0b2f889..84cf10a2 100755 --- a/src/__init__.py +++ b/src/__init__.py @@ -1,12 +1,12 @@ #!/usr/bin/env python3 -''' +""" Onionr - Private P2P Communication This file initializes Onionr when ran to be a daemon or with commands Run with 'help' for usage. -''' -''' +""" +""" This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or @@ -19,7 +19,7 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . -''' +""" # Set the user's locale for encoding reasons import locale # noqa @@ -37,8 +37,12 @@ except ModuleNotFoundError as e: print('Onionr needs ' + str(e) + ' installed') # Onionr imports -from etc import onionrvalues # For different Onionr related constants such as versions -import onionrsetup as setup + +# For different Onionr related constants such as versions +from etc import onionrvalues # noqa + +import onionrexceptions # noqa +import onionrsetup as setup # noqa min_ver = onionrvalues.MIN_PY_VERSION @@ -51,10 +55,20 @@ if sys.version_info[0] == 2 or sys.version_info[1] < min_ver: from utils import createdirs createdirs.create_dirs() -from onionrcommands import parser -from onionrplugins import onionrevents as events +import bigbrother # noqa +from onionrcommands import parser # noqa +from onionrplugins import onionrevents as events # noqa setup.setup_config() + +import config # noqa + +if config.get('advanced.security_auditing', True): + try: + bigbrother.enable_ministries() + except onionrexceptions.PythonVersion: + pass + setup.setup_default_plugins() diff --git a/src/bigbrother/__init__.py b/src/bigbrother/__init__.py new file mode 100644 index 00000000..39a3c927 --- /dev/null +++ b/src/bigbrother/__init__.py 
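Review bot: In the new `try`/`except onionrexceptions.PythonVersion: pass` block, an interpreter without `sys.addaudithook` leaves `advanced.security_auditing` requested but not active, and nothing tells the operator; a privacy control that silently degrades should at least be logged, e.g. replace `pass` with `print('Security auditing requested but unavailable: this interpreter has no sys.addaudithook (Python < 3.8)')` or the project's logger if it is imported in this file (not visible in the hunk). The hook is also installed only after `createdirs.create_dirs()` and `setup.setup_config()` have run, so any socket opened during those steps is not audited; if that is acceptable, a one-line comment such as `# audit hooks only cover connections made from here on` would stop the next reader from assuming full coverage. The `config.get` default of `True` means a missing key enables auditing, which is the safe direction and worth stating in a comment next to the call.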
@@ -0,0 +1,43 @@
+"""
+    Onionr - Private P2P Communication
+
+    Processes interpreter hook events to detect security leaks
+"""
+import sys
+from typing import Iterable
+
+from onionrexceptions import PythonVersion
+from . import ministry
+"""
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program. If not, see .
+"""
+
+
+def _auditing_supported():
+    try:
+        sys.audit
+        sys.addaudithook
+    except AttributeError:
+        raise PythonVersion('Auditing not supported interpreter')
+
+
+def sys_hook_entrypoint(event, info):
+    if event == 'socket.connect':
+        ministry.ofcommunication.detect_socket_leaks(info)
+
+
+def enable_ministries(disable_hooks: Iterable = []):
+    """Enable auditors"""
+    _auditing_supported() # raises PythonVersion exception if <3.8
+    sys.addaudithook(sys_hook_entrypoint)
diff --git a/src/bigbrother/ministry/__init__.py b/src/bigbrother/ministry/__init__.py
new file mode 100644
index 00000000..a7e9380d
--- /dev/null
+++ b/src/bigbrother/ministry/__init__.py
@@ -0,0 +1 @@
+from . import ofcommunication
\ No newline at end of file
diff --git a/src/bigbrother/ministry/ofcommunication.py b/src/bigbrother/ministry/ofcommunication.py
new file mode 100644
index 00000000..e4683eff
--- /dev/null
+++ b/src/bigbrother/ministry/ofcommunication.py
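Review bot: `sys_hook_entrypoint` dispatches only `socket.connect`, so a UDP `sendto` on an unconnected socket or a hostname lookup via `getaddrinfo`/`gethostbyname` — which CPython reports under their own audit events (`socket.sendto`, `socket.getaddrinfo`, `socket.gethostbyname`) — reaches the network without ever passing through `detect_socket_leaks`; widening the branch to `if event in ('socket.connect', 'socket.sendto'):` covers the datagram case, since both events carry `(sock, address)`, while the resolver events need a separate handler because their argument tuple starts with the hostname rather than a socket. `enable_ministries` declares `disable_hooks: Iterable = []` but never reads it; an unused mutable default should be dropped or made `disable_hooks: Iterable = ()` with a docstring saying what it is reserved for. The `raise PythonVersion(...)` inside `except AttributeError` should end in `from None` so the incidental AttributeError traceback is not chained onto a version error, and `hasattr(sys, 'addaudithook')` reads more clearly than a bare attribute-access statement. The module docstring should also state that audit hooks cannot be removed once added and that code in the same process can still bypass them (ctypes, a second interpreter), so this is a leak detector for the daemon's own code, not an enforcement boundary.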
@@ -0,0 +1,38 @@
+"""
+    Onionr - Private P2P Communication
+
+    Ensure sockets don't get made to non localhost
+"""
+import ipaddress
+
+import logger
+"""
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program. If not, see .
+"""
+
+
+def detect_socket_leaks(socket_event):
+    """is called by the big brother broker whenever
+    a socket connection happens.
+    raises exception & logs if not to loopback
+    """
+    ip_address = socket_event[1][0]
+
+    # validate is valid ip address (no hostname, etc)
+    # raises valueerror if not
+    ipaddress.ip_address(ip_address)
+
+    if not ip_address.startswith('127'):
+        logger.warn(f'Conn made to {ip_address} outside of Tor/similar')
+        raise ValueError('Conn to non loopback IP, this is a privacy concern!')
diff --git a/src/onionrexceptions.py b/src/onionrexceptions.py
index ddb19d82..5dd6b1b5 100755
--- a/src/onionrexceptions.py
+++ b/src/onionrexceptions.py
@@ -104,3 +104,6 @@ class MissingAddress(Exception):
 
 class ContactDeleted(Exception):
     pass
+
+class PythonVersion(Exception):
+    pass
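Review bot: The parsed result of `ipaddress.ip_address(ip_address)` is discarded and the loopback decision is made with `ip_address.startswith('127')`, which rejects the IPv6 loopback `::1` and accepts any address whose text merely begins with those digits (an IPv6 literal such as `127::1` is not loopback); keep the object and test it: `addr = ipaddress.ip_address(ip_address)` followed by `if not addr.is_loopback:`. The `socket.connect` audit event carries `(sock, address)`, and for AF_UNIX sockets `address` is a str, so `socket_event[1][0]` would be the first character of a path and the `ValueError` from `ip_address()` would abort every Unix-domain connect in the process — if the daemon may ever reach Tor over a control socket, guard with `if not isinstance(socket_event[1], tuple): return` before parsing, with a comment noting that Unix sockets are local by construction. The docstring should also say that raising inside the audit hook is what aborts the connect, since that is the enforcement mechanism a reader will look for.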