
re-enable tor-controlport-filter.service systemd hardening
Open, Normal, Public

Details

Impact
Normal

Event Timeline

Patrick created this task. Feb 13 2017, 6:50 PM

Since you originally added this, do you think you could re-invent it? @HulaHoop

As in the seccomp stuff? I think I can but can you help me find the original topic so I can re-create the testing environment I used back then?

As in the seccomp stuff?

Yes.

I think I can but can you help me find the original topic so I can re-create the testing environment I used back then?

https://forums.whonix.org/t/cpfpd-data-options-control-port-filter-python-hardening / T128?

Patrick updated the task description. Feb 13 2017, 8:43 PM

As soon as the next dev release (with the working KDE menus) is out I'll build it and start working.

Yes, that would be great and there is still time until the final release.

@Patrick
What do we need for the next dev release for hula?

Are the kde menus things one of the open v14 tickets?

@Patrick
What do we need for the next dev release for hula?

I guess 14.0.0.2.6 should work.

Can you use https://forums.whonix.org/t/whonix-14-0-0-2-6-developers-only @HulaHoop?

Are the kde menus things one of the open v14 tickets?

The "no KDE start menu at all" bug was solved in 14.0.0.2.6.

Remaining KDE work T636 and T633 aren't blockers to implement this ticket.

I haven't tested it yet and unfortunately I'm very busy these days, so cpfp apparmor work is up for grabs.

JasonJAyalaP removed HulaHoop as the assignee of this task. Jun 26 2017, 10:18 AM
JasonJAyalaP added a comment. Edited Jun 26 2017, 10:44 AM

@Patrick

Using the hardening broke Tails? What do you mean?

*EDIT*

Do you mean we ported it from Tails to Whonix?

My understanding:

  1. Using SystemCallFilter enables a whitelist. The current whitelist isn't inclusive enough (that's the funny thing about whitelists!). And so all the lines with SystemCallFilter are commented out.
  2. I'm not sure what the other commented out lines are for.
  3. We need to find all the system calls that onion grater needs and add them with SystemCallFilter.

Do you mean we ported it from Tails to Whonix?

  • control-port-filter-python (Whonix 13 version, will be obsoleted/not used (legacy) in Whonix 14) was written by @troubadour.
  • onion-grater was written by @anonym of Tails.
  • Whonix 14 will be using onion-grater which works great.

My understanding:

  1. Using SystemCallFilter enables a whitelist. The current whitelist isn't inclusive enough (that's the funny thing about whitelists!). And so all the lines with SystemCallFilter are commented out.

Correct. I did this as a quick fix so onion-grater integration of Whonix could be finished (done).

  2. I'm not sure what the other commented out lines are for.

They are all related to hardening.

  3. We need to find all the system calls that onion grater needs and add them with SystemCallFilter.

Yes.
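Step 3 above (collect the system calls onion-grater actually makes and list them in SystemCallFilter=) can be driven from an strace log. The script below is an added example, not code from this thread or from the onion-grater project; it assumes a trace captured with `strace -f -o` of the service command quoted elsewhere in the thread, and the trace lines embedded in it are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread or the onion-grater project.
# Turns an strace log of the service into a systemd SystemCallFilter= line.
# Assumed capture (path and user name as quoted in the thread):
#   strace -f -o /tmp/onion-grater.trace -u onion-grater /usr/lib/onion-grater

# Sorted, de-duplicated syscall names found in an "strace -f -o" log.
# Handles the two line shapes that carry a name: "PID  name(args) = ret"
# and the "PID  <... name resumed> ..." continuation strace emits when
# another thread's syscall interleaved.  Signal lines ("--- SIGCHLD ...")
# carry no syscall and are dropped.
syscalls_from_trace() {
    LC_ALL=C sed -n \
        -e 's/^[0-9]* *\([a-z0-9_]*\)(.*/\1/p' \
        -e 's/^[0-9]* *<\.\.\. \([a-z0-9_]*\) resumed>.*/\1/p' "$1" |
        grep -v '^$' | LC_ALL=C sort -u
}

# One SystemCallFilter= directive for the [Service] section of the unit.
filter_line_from_trace() {
    printf 'SystemCallFilter=%s\n' \
        "$(syscalls_from_trace "$1" | tr '\n' ' ' | sed 's/ $//')"
}

# Constructed sample trace in strace -f -o format (not a real capture).
write_sample_trace() {
    cat > "$1" <<'EOF'
8129  execve("/usr/bin/python3", ["python3", "/usr/lib/onion-grater"], ...) = 0
8129  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
8129  setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
8129  bind(3, {sa_family=AF_INET, sin_port=htons(9051), ...}, 16) = 0
8129  listen(3, 5)                        = 0
8129  accept4(3,  <unfinished ...>
8130  read(4, "PROTOCOLINFO\r\n", 8192)   = 14
8129  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=8130} ---
8129  <... accept4 resumed> {sa_family=AF_INET, ...}, [16], SOCK_CLOEXEC) = 4
8129  exit_group(0)                       = ?
EOF
}

TRACE_FILE=$(mktemp)
write_sample_trace "$TRACE_FILE"
filter_line_from_trace "$TRACE_FILE"
rm -f "$TRACE_FILE"
```

Only code paths exercised during the trace contribute, so drive a complete control-port session through the filter before trusting the list; once SystemCallFilter= is active, a call that was missed shows up in `sudo journalctl -u onion-grater` as the process being killed with SIGSYS.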

JasonJAyalaP added a comment. Edited Jun 27 2017, 6:38 PM

Tails didn't feel the need to use system call filtering?

They happily take it if we contribute it.

Question: To install OG in Whonix 14 dev, do I simply pull the repo, make deb-icup, stop the old tor control port filter proxy, and start onion grater?

Should be even easier since onion-grater debian/control contains
Replaces: control-port-filter-python. So just installing onion-grater
should do.

sudo service onion-grater status just tells me that it failed to load. Any clues about how to debug this?

See:

sudo journalctl -u onion-grater

Or watch it while it's happening.

sudo journalctl -f -u onion-grater

And in another tab.

sudo systemctl restart onion-grater

Does that show something useful?

Two network interfaces are available? eth0 and eth1?

Replicate what
https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service
does.

sudo -u onion-grater /usr/lib/onion-grater

Does that show something useful?

JasonJAyalaP added a comment. Edited Jul 7 2017, 8:45 PM

Python is choking on the line:
server = FilteredControlPortProxy(address, FilteredControlPortProxyHandler)

Jul 07 18:32:17 host systemd[1]: Starting Tor control port filter proxy...
Jul 07 18:32:18 host onion-grater[8129]: Traceback (most recent call last):
Jul 07 18:32:18 host onion-grater[8129]:   File "/usr/lib/onion-grater", line 770, in <module>
Jul 07 18:32:18 host onion-grater[8129]:     main()
Jul 07 18:32:18 host onion-grater[8129]:   File "/usr/lib/onion-grater", line 759, in main
Jul 07 18:32:18 host onion-grater[8129]:     server = FilteredControlPortProxy(address, FilteredControlPortProxyHandler)
Jul 07 18:32:18 host onion-grater[8129]:   File "/usr/lib/python3.5/socketserver.py", line 440, in __init__
Jul 07 18:32:18 host onion-grater[8129]:     self.server_bind()
Jul 07 18:32:18 host onion-grater[8129]:   File "/usr/lib/python3.5/socketserver.py", line 454, in server_bind
Jul 07 18:32:18 host onion-grater[8129]:     self.socket.bind(self.server_address)
Jul 07 18:32:18 host onion-grater[8129]: socket.gaierror: [Errno -3] Temporary failure in name resolution
Jul 07 18:32:18 host systemd[1]: onion-grater.service: Main process exited, code=exited, status=1/FAILURE
Jul 07 18:32:18 host systemd[1]: Failed to start Tor control port filter proxy.
Jul 07 18:32:18 host systemd[1]: onion-grater.service: Unit entered failed state.
Jul 07 18:32:18 host systemd[1]: onion-grater.service: Failed with result 'exit-code'.

I noticed that the service tor-control-port-filter is running (stopping it doesn't make a difference). Is this normal?

Probably tor-controlport-filter systemd unit file (the old one) still
running and blocking the onion-grater systemd unit file.

JasonJAyalaP (Jason J. Ayala P.):

I noticed that the service tor-control-port-filter is running
(stopping it doesn't make a difference). Is this normal?

Not normal. That should be removed during the upgrade.

onion-grater's debian/control uses `Replaces:
control-port-filter-python`. That should do. That should remove the
control-port-filter-python package and stop the old tor-controlport-filter
systemd unit file. But I don't remember if I tested this.

sudo service tor-controlport-filter stop
sudo service onion-grater start
Same failure.
If I try
sudo apt-get remove control-port-filter-python
it wants to remove everything. I don't think 'Replaces' worked.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

sudo apt-get remove control-port-filter-python
It wants to remove everything. I don't think 'Replaces' worked.

Migration issue.

Selective upgrading of individual packages without using apt-get, by
only using dpkg is hard.

control-port-filter-python cannot be removed because some
anon-meta-package still depends on it - you probably didn't update
anon-meta-packages.

It would probably work if you updated from a rebuilt local or remote
repository.

sudo service tor-controlport-filter stop
sudo service onion-grater start

Possibly also a migration issue. Not clear to me why that isn't working.
Possibly due to anon-gw-anonyminizer changes. So many things have
changed since.

Still something listening on that local port? Check sudo netstat -tulpen.

Maybe not a great idea to attempt selective package upgrades from this
state. All packages that changed in the meantime should be rebuilt and
reinstalled, getting to a newer developers-only state. Either using the
local or a remote repository. A local one certainly goes faster during
debugging.

sudo netstat -tulpen

Port 9051, right? It's listening with python running, and nothing is listening when it's stopped.

It would probably work if you updated from a rebuilt local or remote repository.

The whole system update thing you're writing about on the wiki? Maybe it's time for another Whonix Developers 14 version?

Patrick edited projects, added Whonix 16; removed Whonix 14. Jul 23 2017, 5:52 PM
Patrick updated the task description. Aug 15 2018, 1:04 PM