
add /etc/tor-controlport-filter.d configuration drop-in snippet configuration extension feature
Closed, ResolvedPublic

Description

The /etc/tor-controlport-filter.d folder does not work great with Whonix. It allows dropping yml files for Tails' per-application level separation, but we won't have that level of separation in Whonix.

What is not possible is extending an existing yml config (without touching that file).

Since porting to tor-controlport-filter by Tails, if multiple configs are matched it only uses one.

With legacy cpfpy it was much more useful to tell users "drop a new file", which would extend the default config.

To give an example... In Whonix 13 with legacy cpfpy /etc/cpfpy.d/30_default.conf said

CONTROL_PORT_FILTER_WHITELIST=signal newnym

And in Whonix docs we could add:

create a new file /etc/cpfpy.d/50_user.conf and add

CONTROL_PORT_FILTER_WHITELIST=something

That ability is lost since porting to tor-controlport-filter by Tails. As control-port-filter-python (now the same as tor-controlport-filter by Tails) is implemented right now, we'd have to say: open [/etc/tor-controlport-filter.d/whonix.yml](https://github.com/Whonix/control-port-filter-python/blob/master/etc/tor-controlport-filter.d/whonix.yml) and fully replace its content, which is problematic (hard to combine various configuration extensions, interactive dpkg conflict resolution dialogs during upgrading).

Related code block:
https://github.com/Whonix/control-port-filter-python/blob/80542aa94dceb09f8d3158aea88a0e1cb7362ea5/usr/lib/tor-controlport-filter#L494-L508

Does this issue description make sense? EDIT: If it does not but you know what I mean, please edit it to improve it. If it does not, please contact me by e-mail, so I can improve it. (To keep this ticket discussion clean.)

Details

Impact: Normal

Event Timeline

Combined with the version from https://www.whonix.org/wiki/Next#Configure_Control_Port_Filter_Proxy it worked. But with the "stripped down" 40_onionshare.yml it did not work. It threw a python exception.

30_whonix.yml:

---
- match-exe-paths:
    - '*'
  match-users:
    - '*'
  match-hosts:
    - '*'
  commands:
    SIGNAL:
      - 'NEWNYM'
    GETINFO:
      - 'status/circuit-established'
      - 'version'
      - pattern: 'net/listeners/socks'
        response:
        - pattern:     '250-net/listeners/socks=".*"'
          replacement: '250-net/listeners/socks="127.0.0.1:9150"'
  confs:
    __owningcontrollerprocess:
  events:
    SIGNAL:
      suppress: true
    CONF_CHANGED:
      suppress: true

"stripped down" 40_onionshare.yml

---
- match-exe-paths:
    - '*'
  match-users:
    - '*'
  match-hosts:
    - '*'
  commands:
    GETINFO:
      - 'onions/current'
    ADD_ONION:
      - pattern:     'NEW:BEST Port=80,(176[0-5][0-9])'
        replacement: 'NEW:BEST Port=80,{client-address}:{} Flags=DiscardPK'
    DEL_ONION:
      - '.+'
  confs:
    __owningcontrollerprocess:
  events:
    SIGNAL:
      suppress: true
    CONF_CHANGED:
      suppress: true
    HS_DESC:
      response:
        - pattern:     '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
          replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
        - pattern:     '650 HS_DESC UPLOAD (\S+) (\S+) .*'
          replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
        - pattern:     '650 HS_DESC UPLOADED (\S+) (\S+) .+'
          replacement: '650 HS_DESC UPLOADED {} {} redacted'
        - pattern:     '.*'
          replacement: ''

Started from the command line since python exceptions do not end up in the journal. Btw, is that something that could be fixed?

sudo service tor-controlport-filter stop
sudo -u debian-tor /usr/lib/tor-controlport-filter --debug --listen-address 10.137.11.1

Error.

Tor control port filter started, listening on 10.137.11.1:9051
----------------------------------------
Exception happened during processing of request from ('10.137.11.1', 48952)
Traceback (most recent call last):
  File "/usr/lib/python3.4/socketserver.py", line 613, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.4/socketserver.py", line 344, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.4/socketserver.py", line 667, in __init__
    self.setup()
  File "/usr/lib/tor-controlport-filter", line 559, in setup
    merged_filter_dict = merge_yml(merged_filter_dict,filters[i])
  File "/usr/lib/tor-controlport-filter", line 201, in merge_yml
    final_obj[k] = merge_yml(final_obj[k],v)
  File "/usr/lib/tor-controlport-filter", line 201, in merge_yml
    final_obj[k] = merge_yml(final_obj[k],v)
  File "/usr/lib/tor-controlport-filter", line 218, in merge_yml
    if pattern_final_obj['pattern'] == ele['pattern']:
UnboundLocalError: local variable 'pattern_final_obj' referenced before assignment
----------------------------------------
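The description asks for drop-in files that extend, rather than replace, an earlier filter file, and the traceback above fails inside the merge at the point where a list element carrying a `pattern` key is looked up in the already-merged list. The following is an added example, not the project's `merge_yml` and not code from the ticket: a union-style merge of rule files that handles the case the traceback suggests, a pattern entry in a later file with no counterpart in the earlier file, by appending it instead of touching an unassigned variable. The rule data is constructed from the two files quoted in this comment (the HS_DESC response list is shortened); loading with `yaml.safe_load` is left out so the example runs without PyYAML.

```python
"""Union-merge of drop-in filter rule files (added example, not the
project's merge_yml). Assumes each file parses to a list of rule dicts
shaped like the two files quoted in the ticket; the real loader would be
yaml.safe_load over /etc/tor-controlport-filter.d/*.yml in sorted order."""
from copy import deepcopy


def merge_lists(base, extra):
    """Return the union of two rule lists.

    Plain strings (e.g. 'NEWNYM') are appended once. Dicts carrying a
    'pattern' key are merged into the existing entry with the same
    pattern; when there is none, the entry is appended. The latter is
    the branch the traceback in this ticket suggests was missing."""
    merged = list(base)
    for ele in extra:
        if isinstance(ele, dict) and "pattern" in ele:
            existing = next((m for m in merged if isinstance(m, dict)
                             and m.get("pattern") == ele["pattern"]), None)
            if existing is None:
                merged.append(deepcopy(ele))   # no counterpart: append
            else:
                merge_into(existing, ele)      # same pattern: merge responses
        elif ele not in merged:
            merged.append(deepcopy(ele))
    return merged


def merge_into(final_obj, new_obj):
    """Recursive merge: dicts recurse, lists union, later scalars win."""
    for k, v in new_obj.items():
        if k not in final_obj or final_obj[k] is None:
            final_obj[k] = deepcopy(v)
        elif isinstance(final_obj[k], dict) and isinstance(v, dict):
            merge_into(final_obj[k], v)
        elif isinstance(final_obj[k], list) and isinstance(v, list):
            final_obj[k] = merge_lists(final_obj[k], v)
        else:
            final_obj[k] = deepcopy(v)
    return final_obj


def merge_filters(filter_files):
    """Fold every rule of every file into one rule dict, file names sorted
    so 30_whonix.yml is applied before 40_onionshare.yml. All rules here
    match '*' for exe path, user and host, so no match selection is needed."""
    merged = {}
    for _name, rules in sorted(filter_files.items()):
        for rule in rules:
            merge_into(merged, rule)
    return merged


# Constructed from the two files quoted in the ticket (HS_DESC shortened).
WHONIX = [{
    "match-exe-paths": ["*"], "match-users": ["*"], "match-hosts": ["*"],
    "commands": {
        "SIGNAL": ["NEWNYM"],
        "GETINFO": ["status/circuit-established", "version",
                    {"pattern": "net/listeners/socks",
                     "response": [{"pattern": '250-net/listeners/socks=".*"',
                                   "replacement": '250-net/listeners/socks="127.0.0.1:9150"'}]}],
    },
    "confs": {"__owningcontrollerprocess": None},
    "events": {"SIGNAL": {"suppress": True}, "CONF_CHANGED": {"suppress": True}},
}]
ONIONSHARE = [{
    "match-exe-paths": ["*"], "match-users": ["*"], "match-hosts": ["*"],
    "commands": {
        "GETINFO": ["onions/current"],
        "ADD_ONION": [{"pattern": "NEW:BEST Port=80,(176[0-5][0-9])",
                       "replacement": "NEW:BEST Port=80,{client-address}:{} Flags=DiscardPK"}],
        "DEL_ONION": [".+"],
    },
    "confs": {"__owningcontrollerprocess": None},
    "events": {
        "SIGNAL": {"suppress": True}, "CONF_CHANGED": {"suppress": True},
        "HS_DESC": {"response": [
            {"pattern": r"650 HS_DESC UPLOADED (\S+) (\S+) .+",
             "replacement": "650 HS_DESC UPLOADED {} {} redacted"},
            {"pattern": ".*", "replacement": ""}]},
    },
}]
FILTER_FILES = {"30_whonix.yml": WHONIX, "40_onionshare.yml": ONIONSHARE}

if __name__ == "__main__":
    import json
    print(json.dumps(merge_filters(FILTER_FILES), indent=2))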
Patrick changed the task status from Open to Review. Jan 9 2017, 3:46 PM

Works for me! Merged.

renamed etc/tor-controlport-filter.d/whonix.yml -> etc/tor-controlport-filter.d/30_whonix.yml:
https://github.com/Whonix/control-port-filter-python/commit/5178234b805ca549f47f25958d67286923eb076d

I think this item can be closed now, Patrick?