Page MenuHomePhabricator

add /etc/tor-controlport-filter.d configuration drop-in snippet configuration extension feature
Closed, ResolvedPublic

Description

/etc/tor-controlport-filter.d folder does not work great with Whonix. It allows to drop yml files for Tails per applications level separation but we won't have that level separation in Whonix.

What is not possible is extending an existing yml config (without touching that file).

Since porting to tor-controlport-filter by Tails, if multiple configs are matched it only uses one.

With legacy cpfpy it much more useful to tell users "drop a new file" which to extend the default config.

To give an example... In Whonix 13 with legacy cpfpy /etc/cpfpy.d/30_default.conf said

CONTROL_PORT_FILTER_WHITELIST=signal newnym

And in Whonix docs we could add:

create a new file /etc/cpfpy.d/50_user.conf and add

CONTROL_PORT_FILTER_WHITELIST=something"

That ability is lost since porting to tor-controlport-filter by Tails. As control-port-filter-python (now same as tor-controlport-filter by Tails) is implemented right now, we'd have to say open /etc/tor-controlport-filter.d/whonix.yml and fully replace it's content, which is problematic. (hard to combine various configuration extensions, interactive dpkg conflict resolution dialogs during upgrading)

Related code block:
https://github.com/Whonix/control-port-filter-python/blob/80542aa94dceb09f8d3158aea88a0e1cb7362ea5/usr/lib/tor-controlport-filter#L494-L508

Does this issue description make sense? EDIT: If it does not but you know what I mean, please edit it to improve it. If it does not, please contact me by e-mail, so I can improve it. (To keep this ticket discussion clean.)

Details

Impact
Normal

Event Timeline

Patrick created this task.Dec 12 2016, 1:59 AM
Patrick updated the task description. (Show Details)Dec 15 2016, 4:06 PM
Patrick added a subscriber: joysn1980.

Combined with the version from https://www.whonix.org/wiki/Next#Configure_Control_Port_Filter_Proxy it worked. But the "stripped down" 40_onionshare.yml it did not work. Threw a python exception.

30_whonix.yml:

---
- match-exe-paths:
    - '*'
  match-users:
    - '*'
  match-hosts:
    - '*'
  commands:
    SIGNAL:
      - 'NEWNYM'
    GETINFO:
      - 'status/circuit-established'
      - 'version'
      - pattern: 'net/listeners/socks'
        response:
        - pattern:     '250-net/listeners/socks=".*"'
          replacement: '250-net/listeners/socks="127.0.0.1:9150"'
  confs:
    __owningcontrollerprocess:
  events:
    SIGNAL:
      suppress: true
    CONF_CHANGED:
      suppress: true

"stripped down" 40_onionshare.yml

---
- match-exe-paths:
    - '*'
  match-users:
    - '*'
  match-hosts:
    - '*'
  commands:
    GETINFO:
      - 'onions/current'
    ADD_ONION:
      - pattern:     'NEW:BEST Port=80,(176[0-5][0-9])'
        replacement: 'NEW:BEST Port=80,{client-address}:{} Flags=DiscardPK'
    DEL_ONION:
      - '.+'
  confs:
    __owningcontrollerprocess:
  events:
    SIGNAL:
      suppress: true
    CONF_CHANGED:
      suppress: true
    HS_DESC:
      response:
        - pattern:     '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
          replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
        - pattern:     '650 HS_DESC UPLOAD (\S+) (\S+) .*'
          replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
        - pattern:     '650 HS_DESC UPLOADED (\S+) (\S+) .+'
          replacement: '650 HS_DESC UPLOADED {} {} redacted'
        - pattern:     '.*'
          replacement: ''

Started from command line since python exceptions do not end up in journal. Btw is that something that could be fixed?

sudo service tor-controlport-filter stop
sudo -u debian-tor /usr/lib/tor-controlport-filter --debug --listen-address 10.137.11.1

Error.

Tor control port filter started, listening on 10.137.11.1:9051
----------------------------------------
Exception happened during processing of request from ('10.137.11.1', 48952)
Traceback (most recent call last):
  File "/usr/lib/python3.4/socketserver.py", line 613, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.4/socketserver.py", line 344, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.4/socketserver.py", line 667, in __init__
    self.setup()
  File "/usr/lib/tor-controlport-filter", line 559, in setup
    merged_filter_dict = merge_yml(merged_filter_dict,filters[i])
  File "/usr/lib/tor-controlport-filter", line 201, in merge_yml
    final_obj[k] = merge_yml(final_obj[k],v)
  File "/usr/lib/tor-controlport-filter", line 201, in merge_yml
    final_obj[k] = merge_yml(final_obj[k],v)
  File "/usr/lib/tor-controlport-filter", line 218, in merge_yml
    if pattern_final_obj['pattern'] == ele['pattern']:
UnboundLocalError: local variable 'pattern_final_obj' referenced before assignment
----------------------------------------
Patrick changed the task status from Open to Review.Jan 9 2017, 4:46 PM

Works for me! Merged.

renamed etc/tor-controlport-filter.d/whonix.yml -> etc/tor-controlport-filter.d/30_whonix.yml:
https://github.com/Whonix/control-port-filter-python/commit/5178234b805ca549f47f25958d67286923eb076d

I this item can be closed now, Patrick?

Patrick closed this task as Resolved.Jan 24 2017, 12:52 PM