Phabricator activity feed

Sat, Nov 23

madaidan added a comment to T938: request apparmor environment scrubbing whitelist from AppArmor upstream.

I created the issue:

Sat, Nov 23, 5:51 PM · apparmor-profile-everything, Whonix, AppArmor
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

https://github.com/Whonix/apparmor-profile-everything/pull/7

Sat, Nov 23, 4:44 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

Try adding:

Sat, Nov 23, 4:20 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor

Oct 4 2019

madaidan added a comment to T670: Activating Lockdown.

It turns out, what I said only applies to the Debian package. The kernel patch and the package are actually two different things.

Oct 4 2019, 8:37 PM · Debian version 10 codename Buster, Whonix

Jul 8 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Yay, we have ProtectSystem=strict now.

Jul 8 2019, 8:30 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 6 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

Jul 6 2019, 4:23 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 4 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

It's a file, not a folder.

Jul 4 2019, 5:09 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 3 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

I just re-read the error message. Try adding

Jul 3 2019, 5:10 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T670: Activating Lockdown.

I can test it but I doubt lockdown will help at all.

Jul 3 2019, 4:58 PM · Debian version 10 codename Buster, Whonix
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

That's weird. Onion-grater is trying to write to somewhere that's being mounted read-only by systemd.

Jul 3 2019, 4:56 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 25 2019

madaidan added a comment to T869: Install Firejail by default inside Whonix.

GUI isolation is very important, no?

Jun 25 2019, 10:43 PM · Whonix 15, firejail, Whonix

Jun 24 2019

madaidan added a comment to T869: Install Firejail by default inside Whonix.

The problem is, xpra (actually xpra | xserver-xephyr | xvfb) isn't in the list of Recommends: of the firejail package by accident. We don't really know the rationale for that. Could be an optional dependency, and without it some things would not work; someone who knows firejail and is happy to find it installed would wonder why it actually does not work.

Jun 24 2019, 8:34 PM · Whonix 15, firejail, Whonix

Jun 23 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work after you comment out ProtectSystem=strict and ReadWriteDirectories=? I think on Qubes-Whonix it is trying to write to a directory in /var/run (probably /var/run/qubes-service). I can't test as I don't use Qubes.

Jun 23 2019, 8:25 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work using this? It looks like it needs the openat syscall which it now allows.

Jun 23 2019, 4:31 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
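For the ProtectSystem=strict, ReadWriteDirectories= and openat questions raised in the T631 comments above, here is an added example of a systemd drop-in override. It is written for this page and is not the onion-grater unit Whonix ships. The Qubes path /run/qubes-service (the thread only suspects /var/run/qubes-service, which is a symlink to /run on Debian) and the drop-in file name 30_hardening.conf are assumptions.

```ini
# /etc/systemd/system/onion-grater.service.d/30_hardening.conf
# Added example, not the unit shipped by Whonix. The ReadWritePaths= entry is
# an assumption taken from the thread's guess; confirm the real path from the
# journal before relying on it.
[Service]
# Mounts the whole hierarchy read-only except /dev, /proc and /sys.
# Without an explicit exception, any write the service does under /run or
# /var fails with a read-only error, which is the symptom in this thread.
ProtectSystem=strict
# Writable exceptions must be listed explicitly. ReadWriteDirectories= is the
# older name for the same setting and is still accepted.
ReadWritePaths=/run/qubes-service
# Alternative for state the service itself owns: systemd creates the directory
# under /run and adds it to the writable set automatically.
# RuntimeDirectory=onion-grater
PrivateTmp=true
NoNewPrivileges=true
# If the filter is an allow-list, remember that glibc implements open() via
# openat(2), so listing open alone is not enough; the @file-system group
# (part of @system-service) includes both.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
```

After installing the drop-in, run `systemctl daemon-reload` and check the merged values with `systemctl show onion-grater.service -p ReadWritePaths -p SystemCallFilter`. If the service still fails to start, `journalctl -u onion-grater.service` shows the exact path that hit the read-only mount, and that path, rather than a guess, is what the ReadWritePaths= entry should name.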

Jun 20 2019

madaidan added a comment to T875: fix fail closed mechanism.

I don't think anything Debian does would modify any iptables rules, nor does Whonix ship any code to disable the firewall. So "disables the firewall for a minute" is non-existent. Would be bad if that happened.

Jun 20 2019, 10:26 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 12 2019

madaidan added a comment to T582: revisit handling of /var/lib/dbus/machine-id.

The way it is now looks fine. Why would it need to be changed?

May 12 2019, 2:36 PM · Whonix 16, research, Whonix
madaidan added a comment to T904: make sure there is no swap by default.

We need to re-check this for Whonix Host. Since it gets installed using calamares (which handles partitioning) there could be an unwanted swap partition.

May 12 2019, 2:34 PM · Whonix, Whonix-Host
madaidan added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

May 12 2019, 2:14 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 11 2019

madaidan added a comment to T582: revisit handling of /var/lib/dbus/machine-id.

https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things.

May 11 2019, 7:27 PM · Whonix 16, research, Whonix

May 10 2019

madaidan added a comment to T582: revisit handling of /var/lib/dbus/machine-id.

Would it cause any issues if the machine-id was just deleted or replaced with a bunch of 0s?

May 10 2019, 7:27 PM · Whonix 16, research, Whonix
madaidan added a comment to T729: network hardening.

My pull request enables all of these except martian packet logging which I doubt would be useful on Whonix.

May 10 2019, 7:18 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
madaidan added a comment to T770: Custom TBB profile for localhost access + Privoxy.

You can create directories in tor-browser_en-US/Browser/TorBrowser/Data/Browser/ called (profile_name).default. All the configuration for the profile goes there. It should have a custom user.js with proxy settings using privoxy and setting network.proxy.no_proxies_on to 0.

May 10 2019, 7:15 PM · Whonix
madaidan added a comment to T795: Customized welcome page and bookmarks for I2P / Alt TBB (keyword: homepage).

Alternatively, you could change the home page to the program's interface e.g. 127.0.0.1:7657 for I2P and start the browser with a script that creates a popup box using zenity or similar that tells the user the information.

May 10 2019, 6:48 PM · html, whonix-welcome-page, Whonix
madaidan added a comment to T875: fix fail closed mechanism.

Maybe disable it just for package upgrades?

May 10 2019, 6:19 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix
madaidan added a comment to T904: make sure there is no swap by default.

There is none. You can run swapon -s or cat /proc/swaps to verify.

May 10 2019, 5:55 PM · Whonix, Whonix-Host
madaidan added a comment to T902: disable removable drives auto-mounting - XFCE only.

No, I mean the upstream repository thunar-volman by XFCE developers.

May 10 2019, 5:47 PM · Whonix-Host, Whonix

May 9 2019

madaidan added a comment to T902: disable removable drives auto-mounting - XFCE only.

Can you see from thunar-volman source code where defaults are configured? Would be good to watch for future versions.

May 9 2019, 7:24 PM · Whonix-Host, Whonix

May 8 2019

madaidan added a comment to T902: disable removable drives auto-mounting - XFCE only.

Automounting can be configured in /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.conf

May 8 2019, 10:27 PM · Whonix-Host, Whonix