SocksPipe or SocksSocket - an anonymous pipe to smoke network leak bugs out
It seems that to make use of some kernel filtering and sandboxing, we may want to explore alternate ways of performing IPC between Firefox/Pidgin/xmpp-client/Thunderbird/etc and Tor.
I propose that we have a very small shim and call it ort. The job of ort would be to locate a named pipe (such as on Windows, where it may be full duplex) or a Unix Domain Socket, connect to it and simply shuffle bytes between the application, ort and Tor. Tor would treat ort clients as SOCKS clients and effectively, we could ban applications from even being allowed to make any kind of network connections.
Taking AppArmor as an example, it may allow or deny 'inet stream' or 'inet socket', but it will not do anything useful beyond allowing or denying. So if inet sockets are allowed, they may be for 8.8.8.8 or 127.0.0.1 - we need to allow the latter and so the former would potentially leak out.
Most of the code for Unix Domain Sockets is already implemented in the ControlSocket code, I think. The named pipe or better yet, anonymous (!) pipes approach may be better, as well as more portable. On Solaris, I suppose we could use a door but I'm fairly certain that zero people would use it.
In an ideal case, I think we'd want to use pipes as that would allow us to use ort to shim up any application, simply block all inet/inet6 socket calls and call it a day. In this way, we would also be able to create different channels for special requests - such as DNS requests that aren't resolvable via SOCKS5 and Tor normally.
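
A sketch of the shim described above, added here as an illustration and not taken from the ticket or from Tor's code: it connects to a Unix Domain Socket and shuffles bytes between the application's pipe pair and that socket, so the sandboxed process never needs an inet/inet6 socket. The function names `uds_connect`, `pump` and `relay`, the socket path argument, and the assumption that Tor accepts SOCKS on that socket are all hypothetical; the Windows named-pipe variant is not covered.

```c
/* Added example (hypothetical names): "ort"-style shim, pipes <-> Unix socket. */
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Connect to a Unix domain socket; no inet/inet6 socket is ever created. */
int uds_connect(const char *path) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof(sa.sun_path)) return -1;   /* path too long */
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(fd); return -1; }
    return fd;
}

/* Copy one chunk src -> dst; returns bytes moved, 0 on EOF, -1 on error. */
static ssize_t pump(int src, int dst) {
    char buf[4096];
    ssize_t n = read(src, buf, sizeof(buf));
    for (ssize_t off = 0, w; off < n; off += w)            /* handle short writes */
        if ((w = write(dst, buf + off, (size_t)(n - off))) < 0) return -1;
    return n;
}

/* Shuffle bytes both ways until each direction reaches EOF; 0 ok, -1 error. */
int relay(int app_in, int app_out, int sock) {
    struct pollfd p[2] = { { app_in, POLLIN, 0 }, { sock, POLLIN, 0 } };
    while (p[0].fd >= 0 || p[1].fd >= 0) {
        if (poll(p, 2, -1) < 0) return -1;
        for (int i = 0; i < 2; i++) {
            if (p[i].fd < 0 || !p[i].revents) continue;
            ssize_t n = i == 0 ? pump(app_in, sock) : pump(sock, app_out);
            if (n < 0) return -1;
            if (n == 0) {                                  /* EOF on this side */
                if (i == 0) shutdown(sock, SHUT_WR);       /* pass EOF on to the peer */
                p[i].fd = -1;                              /* poll() ignores negative fds */
            }
        }
    }
    return 0;
}

int main(int argc, char **argv) {
    int s = argc == 2 ? uds_connect(argv[1]) : -1;
    if (s < 0) return 2;                 /* usage: ort /path/to/unix.sock */
    return relay(STDIN_FILENO, STDOUT_FILENO, s) ? 1 : 0;
}
```

Because the shim only ever calls `socket(AF_UNIX, ...)`, a profile for the application and the shim can deny inet and inet6 entirely instead of trying to distinguish 127.0.0.1 from 8.8.8.8.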