Support tracee-launched Tor daemon

[JeremyRand]

Some applications (e.g. Tor Browser, Brave, and OnionShare) support launching their own bundled Tor instance. It would be nice if we could optionally detect such cases, and avoid treating connections issued by that Tor instance as a proxy leak.

[JeremyRand]

Since Horklump can see the process ID of each intercepted syscall, it seems that we should be able to key our behavior on that. Detecting the program name, given a PID, is doable in Linux AFAIK. So we should be able to detect the program name of the PID, and whitelist the PID if its program name is tor.

[robertmin1]

pid := record.PID

// read the process name from /proc/<pid>/comm
commPath := fmt.Sprintf("/proc/%d/comm", pid)
commBytes, err := ioutil.ReadFile(commPath)
if err != nil {
     panic(err)
}
comm := string(commBytes)

 // check if the process name is "tor" and whitelist the PID if it is
if comm == "tor\n" {
      fmt.Printf("PID %d is a Tor process\n", pid)
      // whitelist the PID
}

[robertmin1]

Alright, I was thinking of such as implementation. But for the tracee only right? Checking all sub-processes might be repetitive.

[robertmin1]

@JeremyRand Suggested to use cmdline since it provides additional information, such as arguments