Article 6XA7V Oniux: kernel-level Tor isolation for Linux applications

by jzb from LWN.net on (#6XA7V)

The Tor project has announced the oniux utility, which provides Tor network isolation, using Linux namespaces, for third-party applications.

Namespaces are a powerful feature that gives us the ability to isolate Tor network access of an arbitrary application. We put each application in a network namespace that doesn't provide access to system-wide network interfaces (such as eth0), and instead provides a custom network interface onion0.

This allows us to isolate an arbitrary application over Tor in the most secure way possible software-wise, namely by relying on a security primitive offered by the operating system kernel. Unlike SOCKS, the application cannot accidentally leak data by failing to make some connection via the configured SOCKS, which may happen due to a mistake by the developer.

The Tor project cautions that oniux is considered experimental as the software it depends on, such as Arti and onionmasq, are still new.
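
One way to check the isolation property described above from outside the application, as an added example that is not part of the LWN article or of the oniux code: it lists the interfaces a process can see through `/proc/<pid>/net/dev` and compares that process's network namespace with the auditor's own. The allowed set (`lo` plus `onion0`), the function names, and the sample data are assumptions constructed for illustration.

```python
"""Check which network interfaces a process can see, via Linux /proc."""
import os
import sys

# Assumption: an isolated process should see only onion0 (named above) and
# possibly loopback; any other name is a system-wide interface such as eth0.
ALLOWED = frozenset({"lo", "onion0"})

def parse_interfaces(net_dev: str) -> list:
    """Interface names from the text of /proc/<pid>/net/dev."""
    names = []
    for line in net_dev.splitlines()[2:]:  # first two lines are column headers
        name, sep, _counters = line.partition(":")
        if sep and name.strip():
            names.append(name.strip())
    return names

def unexpected_interfaces(net_dev: str, allowed=ALLOWED) -> list:
    """Visible interfaces that fall outside the allowed set."""
    return sorted(n for n in parse_interfaces(net_dev) if n not in allowed)

def audit(pid: int) -> bool:
    """True if pid has its own network namespace and sees nothing unexpected."""
    with open(f"/proc/{pid}/net/dev") as fh:  # reflects pid's namespace, not ours
        leaked = unexpected_interfaces(fh.read())
    # Equal link targets, e.g. 'net:[4026531840]', mean the same namespace.
    shared = os.readlink(f"/proc/{pid}/ns/net") == os.readlink("/proc/self/ns/net")
    print(f"pid {pid}: shares our netns={shared}, unexpected={leaked or 'none'}")
    return not shared and not leaked

# Constructed samples; counters are shortened, only the name before ':' matters.
HOST_SAMPLE = """Inter-|   Receive  |  Transmit
 face |bytes packets|bytes packets
    lo: 1200 10 1200 10
  eth0: 98000 700 45000 600
"""
ISOLATED_SAMPLE = """Inter-|   Receive  |  Transmit
 face |bytes packets|bytes packets
    lo: 0 0 0 0
onion0: 5300 40 2100 35
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:  # audit a live process: pass its pid as the argument
        sys.exit(0 if audit(int(sys.argv[1])) else 1)
    print("host sample:", unexpected_interfaces(HOST_SAMPLE))
    print("isolated sample:", unexpected_interfaces(ISOLATED_SAMPLE))
```

Reading another user's `/proc/<pid>/ns/net` requires sufficient privileges over that process, so run the audit as the same user or as root.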
