Feed All Stories

Mon, Jan 20

Patrick added a comment to T868: mediawiki fixes #2.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

**too much whitespace**
This is unnecessary whitespace from the html line:
  <h5 id="siteSub" class="subtitle"></h5>
which shows nothing + padding all h5's get.
The proper way, I presume, is to tell mediawiki to not display "subtitle", whatever that is. It seems to be similar to "tagline" which is set to "From Whonix" and outputted in html but set to hidden via css (dumb but whatever).
Mon, Jan 20, 1:08 PM · website, Whonix

Sat, Jan 18

Patrick closed T470: Whonix home page redesign as Resolved.
Sat, Jan 18, 1:22 PM · html, Whonix, user documentation
Patrick updated the task description for T868: mediawiki fixes #2.
Sat, Jan 18, 12:42 PM · website, Whonix
Patrick added a comment to T868: mediawiki fixes #2.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

**clickable expand button inside text**
Done. Check: https://www.whonix.org/wiki/Template:Reload_Tor
Sat, Jan 18, 12:39 PM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Sat, Jan 18, 12:14 PM · website, Whonix
Patrick added a comment to T868: mediawiki fixes #2.

replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.

Sat, Jan 18, 12:14 PM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Sat, Jan 18, 12:12 PM · website, Whonix
Patrick added a comment to T868: mediawiki fixes #2.

two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?

Sat, Jan 18, 12:12 PM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

clickable expand button inside text

Sat, Jan 18, 5:32 AM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.

Sat, Jan 18, 5:01 AM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?

Sat, Jan 18, 5:00 AM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

too much whitespace
This is unnecessary whitespace from the html line:

Sat, Jan 18, 4:53 AM · website, Whonix

Fri, Jan 17

Patrick updated the task description for T868: mediawiki fixes #2.
Fri, Jan 17, 9:03 AM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Fri, Jan 17, 8:40 AM · website, Whonix

Wed, Jan 15

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.
In T950#19249, @Patrick wrote:

The loader of tirdad is currently using dmesg.

Wed, Jan 15, 12:11 PM · Whonix 15, security-misc, Whonix

Tue, Jan 7

HulaHoop added a comment to T552: Packaging USBKill.

An interesting product that triggers a system wipe if the cable is pulled:

Tue, Jan 7, 5:51 PM · Whonix-Host, security, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Tue, Jan 7, 6:39 AM · website, Whonix

Wed, Jan 1

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

The loader of tirdad is currently using dmesg.

Wed, Jan 1, 12:31 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

quiet

Wed, Jan 1, 12:05 PM · Whonix 15, security-misc, Whonix

Dec 26 2019

Patrick edited projects for T953: extrepo - safely adding repos, added: Whonix 15; removed Restricted Project.
Dec 26 2019, 4:06 PM · Whonix 15, Whonix
Patrick triaged T953: extrepo - safely adding repos as Normal priority.
Dec 26 2019, 4:05 PM · Whonix 15, Whonix

Dec 25 2019

Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Dec 25 2019, 10:39 AM · Whonix 15, security-misc, Whonix
Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Dec 25 2019, 10:38 AM · Whonix 15, security-misc, Whonix

Dec 24 2019

madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

Dec 24 2019, 7:09 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Still wondering if this initramfs modification can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...

Dec 24 2019, 6:24 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Sounds good.

Dec 24 2019, 5:54 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

https://github.com/Whonix/security-misc/pull/51

Dec 24 2019, 5:34 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

Dec 24 2019, 5:10 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Dec 24 2019, 5:07 PM · security, apparmor-profile-everything, Whonix
Patrick closed T943: make /boot and /lib/modules unreadable even for root as Resolved.

Would an audit deny rule for /boot be useful for the sake of audit?

Dec 24 2019, 4:49 PM · security, apparmor-profile-everything, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

I guess because a sysctl.d drop-in config file is easy and catches most.
initramfs hook covers only initramfs users. Not dracut. But
security-misc initramfs hook sounds good enough. dracut support can
come later, if ever. Please implement.

Dec 24 2019, 4:47 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

Dec 24 2019, 4:39 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Dec 24 2019, 4:37 PM · security, apparmor-profile-everything, Whonix
Patrick added a comment to T943: make /boot and /lib/modules unreadable even for root.

Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.

Dec 24 2019, 12:17 PM · security, apparmor-profile-everything, Whonix
Patrick closed T937: make /boot and /lib/modules unreadable for non-root users as Resolved.
Dec 24 2019, 12:15 PM · security-misc, Whonix
Patrick closed T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade as Resolved.

https://github.com/Whonix/security-misc/commit/ede536913daa0c7ddfe55e20c93d7b752daa5de3

Dec 24 2019, 12:15 PM · Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Yes. Probably both. initramfs for apparmor-profile-everything users and
/etc/sysctl.d/ security-misc.

Dec 24 2019, 12:02 PM · Whonix 15, security-misc, Whonix

Dec 23 2019

madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.

https://github.com/Whonix/security-misc/pull/50

Dec 23 2019, 9:29 PM · security-misc, Whonix
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot/ is already unreadable.

Dec 23 2019, 9:27 PM · security, apparmor-profile-everything, Whonix
madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.
Dec 23 2019, 9:26 PM · security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Should this be set in the initramfs?

Dec 23 2019, 9:08 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade.

That worked.

Dec 23 2019, 8:58 PM · Whonix, security-misc
madaidan added a comment to T12: virtualizer: enforce maximum system resources a virtual machine may use.

We should be able to create a drop-in file at /lib/systemd/system/user-.slice.d/ and add something such as

Dec 23 2019, 8:54 PM · Whonix, VMware, Qubes, KVM, VirtualBox, virtualizer
Patrick triaged T952: warn against superadmin / superroot in grub boot menu or initramfs as Normal priority.
Dec 23 2019, 4:00 PM · Whonix 16, apparmor-profile-everything, Whonix
Patrick triaged T951: sign kernel modules as Normal priority.
Dec 23 2019, 3:15 PM · Whonix 16, Whonix, security-misc
Patrick updated the task description for T670: Activating Lockdown.
Dec 23 2019, 3:14 PM · Debian version 10 codename Buster, Whonix
Patrick triaged T950: set kernel.printk sysctl to prevent kernel info leaks as Normal priority.
Dec 23 2019, 2:19 PM · Whonix 15, security-misc, Whonix
Patrick updated subscribers of T949: easy remote support VNC alternative, NX, SPICE, X2Go, Remmina.
Dec 23 2019, 2:14 PM · Whonix, usability
Patrick triaged T949: easy remote support VNC alternative, NX, SPICE, X2Go, Remmina as Normal priority.
Dec 23 2019, 2:14 PM · Whonix, usability
Patrick triaged T948: /tmp etc. separation through polyinstantiation by using namespaces.conf as Normal priority.
Dec 23 2019, 2:09 PM · research, security-misc, Whonix
Patrick triaged T947: Qubes-Whonix eth1 static networking as Normal priority.
Dec 23 2019, 2:03 PM · Whonix 15, Whonix
Patrick triaged T946: test sdwdate apparmor profile and set to complain mode as Normal priority.
Dec 23 2019, 2:01 PM · sdwdate, Whonix 15, Whonix
Patrick triaged T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade as Normal priority.
Dec 23 2019, 1:53 PM · Whonix, security-misc

Dec 22 2019

Patrick updated subscribers of T12: virtualizer: enforce maximum system resources a virtual machine may use.

cgroups were mentioned by @madaidan

Dec 22 2019, 9:26 AM · Whonix, VMware, Qubes, KVM, VirtualBox, virtualizer

Dec 11 2019

Patrick edited Description on whonix-gw-firewall.
Dec 11 2019, 9:48 AM
Patrick edited Description on whonix-ws-firewall.
Dec 11 2019, 9:47 AM
marmarek added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

It looks like bpfilter is in rather early stages, and it's a few years until we'll see it in Debian.

Dec 11 2019, 3:35 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick renamed T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables from Consider nftables as a replacement for iptables to Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Dec 11 2019, 2:11 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick added a comment to T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.

Or skip nftables and use Berkeley Packet Filter (BPF)?

Dec 11 2019, 2:10 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research
Patrick updated the task description for T509: Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.
Dec 11 2019, 2:09 AM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Dec 8 2019

HulaHoop triaged T944: Hardened sshd Setup as Normal priority.
Dec 8 2019, 4:06 PM · enhancement, Whonix

Dec 7 2019

Patrick renamed T937: make /boot and /lib/modules unreadable for non-root users from make /boot unreadable for non-root users to make /boot and /lib/modules unreadable for non-root users.
Dec 7 2019, 9:14 AM · security-misc, Whonix
Patrick renamed T943: make /boot and /lib/modules unreadable even for root from make /boot unreadable even for root to make /boot and /lib/modules unreadable even for root.
Dec 7 2019, 9:14 AM · security, apparmor-profile-everything, Whonix
Patrick triaged T943: make /boot and /lib/modules unreadable even for root as Normal priority.
Dec 7 2019, 9:13 AM · security, apparmor-profile-everything, Whonix

Dec 5 2019

Patrick updated the task description for T941: lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:16 PM · Whonix, security
Patrick updated the task description for T941: lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:12 PM · Whonix, security
Patrick renamed T941: lock down interpreters / compilers (interpreter lock) (compiler lock) from lock down interpreters (interpreter lock) to lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:12 PM · Whonix, security
Patrick updated the task description for T941: lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:07 PM · Whonix, security
Patrick triaged T942: polish Whonix Host Firewall for Whonix Host as Normal priority.
Dec 5 2019, 4:04 PM · security, Whonix, Whonix-Host
Patrick renamed T941: lock down interpreters / compilers (interpreter lock) (compiler lock) from lock down interpreters to lock down interpreters (interpreter lock).
Dec 5 2019, 3:51 PM · Whonix, security
Patrick triaged T941: lock down interpreters / compilers (interpreter lock) (compiler lock) as Normal priority.
Dec 5 2019, 3:51 PM · Whonix, security
Patrick updated the task description for T940: grub boot password.
Dec 5 2019, 3:35 PM · security, Whonix-Host, Whonix
Patrick triaged T940: grub boot password as Normal priority.
Dec 5 2019, 3:22 PM · security, Whonix-Host, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Dec 5 2019, 9:14 AM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Dec 5 2019, 9:13 AM · website, Whonix
Patrick updated the task description for T771: install magic-wormhole by default / Implementing an Onionshare alternative.
Dec 5 2019, 6:57 AM · Whonix 14, Whonix, Whonix 15

Nov 25 2019

Patrick updated the task description for T543: TCP ISNs and Temperature induced clock skews.
Nov 25 2019, 1:32 PM · C Code, security, Whonix

Nov 23 2019

Patrick closed T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Resolved.

Awesome!

Nov 23 2019, 5:53 PM · apparmor-profile-everything, Whonix, AppArmor
madaidan added a comment to T938: request apparmor environment scrubbing whitelist from AppArmor upstream.

I created the issue:

Nov 23 2019, 5:51 PM · apparmor-profile-everything, Whonix, AppArmor
Patrick triaged T939: file permissions hardening lockdown as Normal priority.
Nov 23 2019, 5:25 PM · Whonix, security-misc
Patrick triaged T938: request apparmor environment scrubbing whitelist from AppArmor upstream as Normal priority.
Nov 23 2019, 5:23 PM · apparmor-profile-everything, Whonix, AppArmor
Patrick added a member for security-misc: madaidan.
Nov 23 2019, 5:20 PM
Patrick triaged T937: make /boot and /lib/modules unreadable for non-root users as Normal priority.
Nov 23 2019, 5:19 PM · security-misc, Whonix
Patrick closed T936: apparmor-profile-everything breaks Qubes upgrading as Resolved.
Nov 23 2019, 5:07 PM · apparmor-profile-everything, Qubes, AppArmor, Whonix
Patrick added a project to T936: apparmor-profile-everything breaks Qubes upgrading: apparmor-profile-everything.
Nov 23 2019, 5:07 PM · apparmor-profile-everything, Qubes, AppArmor, Whonix
Patrick added a member for apparmor-profile-everything: madaidan.
Nov 23 2019, 5:07 PM
Patrick created apparmor-profile-everything.
Nov 23 2019, 5:06 PM
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

https://github.com/Whonix/apparmor-profile-everything/pull/7

Nov 23 2019, 4:44 PM · apparmor-profile-everything, Qubes, AppArmor, Whonix
Patrick added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

Could you add to git please?

Nov 23 2019, 4:41 PM · apparmor-profile-everything, Qubes, AppArmor, Whonix
Patrick added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

Works.

Nov 23 2019, 4:38 PM · apparmor-profile-everything, Qubes, AppArmor, Whonix
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

Try adding:

Nov 23 2019, 4:20 PM · apparmor-profile-everything, Qubes, AppArmor, Whonix
Patrick triaged T936: apparmor-profile-everything breaks Qubes upgrading as Normal priority.
Nov 23 2019, 4:16 PM · apparmor-profile-everything, Qubes, AppArmor, Whonix

Nov 21 2019

Patrick updated the task description for T470: Whonix home page redesign.
Nov 21 2019, 8:56 PM · html, Whonix, user documentation
Patrick closed T588: improve Troubleshooting / Test as Resolved.

Good enough.

Nov 21 2019, 8:55 PM · Whonix, user documentation
Patrick closed T621: Combatting sclockadj's log spam as Resolved.

Not a problem anymore.

Nov 21 2019, 8:54 PM · Debian version 10 codename Buster, Whonix, research

Nov 16 2019

Patrick updated the task description for T543: TCP ISNs and Temperature induced clock skews.
Nov 16 2019, 11:20 AM · C Code, security, Whonix
Patrick added a comment to T543: TCP ISNs and Temperature induced clock skews.
Nov 16 2019, 11:19 AM · C Code, security, Whonix
Patrick updated the task description for T543: TCP ISNs and Temperature induced clock skews.
Nov 16 2019, 11:18 AM · C Code, security, Whonix

Nov 8 2019

Patrick updated the task description for T868: mediawiki fixes #2.
Nov 8 2019, 4:50 PM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Nov 8 2019, 4:21 PM · website, Whonix