diff --git a/src/__init__.py b/src/__init__.py
index b0b2f889..84cf10a2 100755
--- a/src/__init__.py
+++ b/src/__init__.py
@@ -1,12 +1,12 @@
#!/usr/bin/env python3
-'''
+"""
Onionr - Private P2P Communication
This file initializes Onionr when ran to be a daemon or with commands
Run with 'help' for usage.
-'''
-'''
+"""
+"""
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
@@ -19,7 +19,7 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see .
-'''
+"""
# Set the user's locale for encoding reasons
import locale # noqa
@@ -37,8 +37,12 @@ except ModuleNotFoundError as e:
print('Onionr needs ' + str(e) + ' installed')
# Onionr imports
-from etc import onionrvalues # For different Onionr related constants such as versions
-import onionrsetup as setup
+
+# For different Onionr related constants such as versions
+from etc import onionrvalues # noqa
+
+import onionrexceptions # noqa
+import onionrsetup as setup # noqa
min_ver = onionrvalues.MIN_PY_VERSION
@@ -51,10 +55,20 @@ if sys.version_info[0] == 2 or sys.version_info[1] < min_ver:
from utils import createdirs
createdirs.create_dirs()
-from onionrcommands import parser
-from onionrplugins import onionrevents as events
+import bigbrother # noqa
+from onionrcommands import parser # noqa
+from onionrplugins import onionrevents as events # noqa
setup.setup_config()
+
+import config # noqa
+
+if config.get('advanced.security_auditing', True):
+ try:
+ bigbrother.enable_ministries()
+ except onionrexceptions.PythonVersion:
+ pass
+
setup.setup_default_plugins()
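Review bot: The `except onionrexceptions.PythonVersion: pass` on the lines just above silently runs without the audit hook on interpreters that raise it, while `advanced.security_auditing` defaults to True, so a user relying on the socket-leak detector gets no signal that it is off. The file already reports a comparable condition with a plain `print` (the `ModuleNotFoundError` branch), so the same pattern fits here: `except onionrexceptions.PythonVersion: print('Security auditing needs Python 3.8+, continuing without it')` (the 3.8 requirement is the one `enable_ministries` documents). A short comment above the `if config.get(...)` block stating that the hook is process-wide and is installed only once at startup would also help the next reader, since nothing later in the file can turn it off.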
diff --git a/src/bigbrother/__init__.py b/src/bigbrother/__init__.py
new file mode 100644
index 00000000..39a3c927
--- /dev/null
+++ b/src/bigbrother/__init__.py
@@ -0,0 +1,43 @@
+"""
+ Onionr - Private P2P Communication
+
+ Processes interpreter hook events to detect security leaks
+"""
+import sys
+from typing import Iterable
+
+from onionrexceptions import PythonVersion
+from . import ministry
+"""
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+"""
+
+
+def _auditing_supported():
+ try:
+ sys.audit
+ sys.addaudithook
+ except AttributeError:
+ raise PythonVersion('Auditing not supported interpreter')
+
+
+def sys_hook_entrypoint(event, info):
+ if event == 'socket.connect':
+ ministry.ofcommunication.detect_socket_leaks(info)
+
+
+def enable_ministries(disable_hooks: Iterable = []):
+ """Enable auditors"""
+ _auditing_supported() # raises PythonVersion exception if <3.8
+ sys.addaudithook(sys_hook_entrypoint)
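Review bot: `enable_ministries` declares `disable_hooks: Iterable = []` but never reads it, and the `[]` default is a mutable object shared across calls, so the signature promises a switch the function does not implement. Either drop the parameter or change it to `disable_hooks: Iterable = ()` and honour it inside `sys_hook_entrypoint`, because a hook added with `sys.addaudithook` cannot be removed for the life of the process (PEP 578), so any opt-out has to be a check on the event name inside the hook itself. `_auditing_supported` would also read more clearly as a plain check than as two bare attribute expressions: `if not hasattr(sys, 'addaudithook'): raise PythonVersion('Auditing not supported interpreter')`. The docstring should state that the hook is process-wide, permanent, and that a blocked connect surfaces to the caller as the `ValueError` raised by the ministry rather than as a socket error.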
diff --git a/src/bigbrother/ministry/__init__.py b/src/bigbrother/ministry/__init__.py
new file mode 100644
index 00000000..a7e9380d
--- /dev/null
+++ b/src/bigbrother/ministry/__init__.py
@@ -0,0 +1 @@
+from . import ofcommunication
\ No newline at end of file
diff --git a/src/bigbrother/ministry/ofcommunication.py b/src/bigbrother/ministry/ofcommunication.py
new file mode 100644
index 00000000..e4683eff
--- /dev/null
+++ b/src/bigbrother/ministry/ofcommunication.py
@@ -0,0 +1,38 @@
+"""
+ Onionr - Private P2P Communication
+
+ Ensure sockets don't get made to non localhost
+"""
+import ipaddress
+
+import logger
+"""
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+"""
+
+
+def detect_socket_leaks(socket_event):
+ """is called by the big brother broker whenever
+ a socket connection happens.
+ raises exception & logs if not to loopback
+ """
+ ip_address = socket_event[1][0]
+
+ # validate is valid ip address (no hostname, etc)
+ # raises valueerror if not
+ ipaddress.ip_address(ip_address)
+
+ if not ip_address.startswith('127'):
+ logger.warn(f'Conn made to {ip_address} outside of Tor/similar')
+ raise ValueError('Conn to non loopback IP, this is a privacy concern!')
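Review bot: `socket_event[1][0]` assumes the audit address is a `(host, port)` tuple, but for AF_UNIX sockets the `socket.connect` event carries the path itself (a `str`, or `bytes` for the abstract namespace), so `[0]` yields a single character that `ipaddress.ip_address` rejects and every local Unix-socket connect is blocked; the `startswith('127')` test also rejects the IPv6 loopback `::1`, which is a loopback destination. Parsing the address once and using `.is_loopback` fixes both, and letting path addresses through keeps the "non localhost" check focused on IP traffic. Note that only `socket.connect` reaches this function; datagram sends on an unconnected socket raise a separate `socket.sendto` audit event that `sys_hook_entrypoint` does not forward, so the detector's coverage is connect-oriented and the docstring should say so.
```python
def detect_socket_leaks(socket_event):
    """Called by the big brother broker on every socket.connect audit event.

    Logs and raises ValueError when the destination is not a loopback
    address. Hostnames are rejected on purpose: only IP literals pass.
    """
    address = socket_event[1]
    # AF_UNIX addresses are a path, not a (host, port) tuple; they cannot
    # leave the machine, so they are not a leak
    if isinstance(address, (str, bytes)):
        return
    ip_address = address[0]

    # raises ValueError if not a valid IP literal (no hostname, etc)
    parsed = ipaddress.ip_address(ip_address)

    # covers 127.0.0.0/8 and ::1, unlike a '127' prefix test
    if not parsed.is_loopback:
        logger.warn(f'Conn made to {ip_address} outside of Tor/similar')
        raise ValueError('Conn to non loopback IP, this is a privacy concern!')
```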
diff --git a/src/onionrexceptions.py b/src/onionrexceptions.py
index ddb19d82..5dd6b1b5 100755
--- a/src/onionrexceptions.py
+++ b/src/onionrexceptions.py
@@ -104,3 +104,6 @@ class MissingAddress(Exception):
class ContactDeleted(Exception):
pass
+
+class PythonVersion(Exception):
+ pass
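Review bot: The new `PythonVersion` exception has no docstring, so a reader of this module cannot tell what condition it signals without finding its single raise site in `bigbrother._auditing_supported`. Replace the `pass` with a docstring such as `"""Raised when the running interpreter lacks a required feature (e.g. sys.addaudithook for security auditing)."""`. Minor: only one blank line separates the new class from `ContactDeleted`, whereas PEP 8 asks for two around top-level definitions.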