v0.8.0
Security
Critical
- dnsmasq config moved to /etc/dnsmasq-torshield.conf (root:wheel) via new ts_helper verbs write-dnsmasq-conf / rm-dnsmasq-conf. Previously written to ~/.config/opsec/dnsmasq.conf (user-writable), allowing a local attacker to inject arbitrary dnsmasq directives (dhcp-script, addn-hosts) executed as root on next connect.
- gen_icon binary always recompiled from embedded source, never reused from cache. Previously the compiled binary persisted in ~/.config/opsec/gen_icon without integrity verification (binary planting attack).
High
- TOCTOU in ensure_helper() closed: compile inside a tempdir() (mode 0700) that stays alive until the osascript cp completes. Previously the NamedTempFile was dropped before clang ran, releasing the path reservation without O_EXCL protection.
- dnsmasq killed via validated PID from pid-file (/bin/kill <pid>), not pkill -f <user-path>. The previous pattern matched all process cmdlines as root; the root("kill", ...) call was also silently ignored (bare name not in ts_helper whitelist).
- Watchdog verified by content comparison before skipping reinstall. A file-existence check alone allowed a replaced watchdog LaunchDaemon script (persistent root shell) to persist undetected.
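The two High fixes above share one defensive idea: never act on a file's mere presence or on a loose pattern, but on validated content. The added example below (not the project's code; written in Rust on the assumption that the tool is a Rust codebase, with hypothetical function names) shows a pid-file parser that only yields a PID safe to hand to /bin/kill, and a watchdog check that compares installed bytes against the expected script instead of testing for existence.

```rust
use std::fs;
use std::path::Path;

/// Reasons a pid-file is rejected. Any error means: do not kill anything.
#[derive(Debug, PartialEq)]
pub enum PidError {
    Unreadable,
    Malformed,
    OutOfRange,
}

/// Validate pid-file contents before they reach `/bin/kill <pid>`.
/// Only a single decimal number is accepted; PIDs 0 (own process group) and
/// 1 (launchd) are refused, so a tampered or empty pid-file cannot widen the
/// kill the way `pkill -f <pattern>` matching every cmdline as root could.
pub fn parse_pid(contents: &str) -> Result<u32, PidError> {
    let s = contents.trim();
    if s.is_empty() || !s.bytes().all(|b| b.is_ascii_digit()) {
        return Err(PidError::Malformed);
    }
    let pid: u32 = s.parse().map_err(|_| PidError::Malformed)?;
    if pid <= 1 {
        return Err(PidError::OutOfRange);
    }
    Ok(pid)
}

/// Read and validate a pid-file from disk (hypothetical helper name).
pub fn pid_from_file(path: &Path) -> Result<u32, PidError> {
    let contents = fs::read_to_string(path).map_err(|_| PidError::Unreadable)?;
    parse_pid(&contents)
}

/// Watchdog check: a missing script OR one whose bytes differ from the embedded
/// expected content both require reinstall. Existence alone proves nothing.
pub fn watchdog_needs_reinstall(installed: Option<&[u8]>, expected: &[u8]) -> bool {
    match installed {
        None => true,
        Some(bytes) => bytes != expected,
    }
}

fn main() {
    // Constructed sample inputs; no files or processes are touched here.
    println!("{:?}", parse_pid("4242\n"));     // Ok(4242)
    println!("{:?}", parse_pid("4242 -9 -1")); // Err(Malformed)
    let shipped = b"#!/bin/sh\necho watchdog\n";
    let replaced = b"#!/bin/sh\necho replaced\n";
    println!("{}", watchdog_needs_reinstall(Some(&replaced[..]), shipped)); // true
}
```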
Medium
- ~/.config/opsec/ restricted to mode 0700 (was 0755, world-readable). All secrets (torrc, HMAC key, SAFECOOKIE cookie, hostname backups) are now inaccessible to other local users.
- HOME-unset fallback uses getpwuid(getuid()) instead of /tmp (world-listable).
- Tor binary resolved via absolute path (/opt/homebrew/bin/tor first). Previously relied on PATH: a rogue binary earlier in PATH could intercept traffic while tor_ready() returned true.
Low
- pf interface name validated (alphanumeric only, default en0).
UI
Menu redesigned to professional English labels: Connect / Disconnect, New Identity, Identity Rotation, Kill Switch, MAC Address Randomization, DNS Leak Protection, Fingerprint Resistance, Advanced (was Dev / Scripts), [OK] / [!] dependency status.