
madaidan (madaidan)
User

User Details

User Since
May 1 2019, 12:18 AM (38 w, 5 d)

Recent Activity

Dec 24 2019

madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

Dec 24 2019, 7:09 PM · Whonix 15, Whonix, security-misc
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

https://github.com/Whonix/security-misc/pull/51

Dec 24 2019, 5:34 PM · Whonix 15, Whonix, security-misc
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

Dec 24 2019, 5:10 PM · Whonix 15, Whonix, security-misc
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Dec 24 2019, 5:07 PM · security, apparmor-profile-everything, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

Dec 24 2019, 4:39 PM · Whonix 15, Whonix, security-misc
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. AppArmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Dec 24 2019, 4:37 PM · security, apparmor-profile-everything, Whonix

Dec 23 2019

madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.

https://github.com/Whonix/security-misc/pull/50

Dec 23 2019, 9:29 PM · Whonix, security-misc
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot/ is already unreadable.

Dec 23 2019, 9:27 PM · security, apparmor-profile-everything, Whonix
madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.
Dec 23 2019, 9:26 PM · Whonix, security-misc
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Should this be set in the initramfs?

Dec 23 2019, 9:08 PM · Whonix 15, Whonix, security-misc
madaidan added a comment to T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade.

That worked.

Dec 23 2019, 8:58 PM · security-misc, Whonix
madaidan added a comment to T12: virtualizer: enforce maximum system resources a virtual machine may use.

We should be able to create a drop-in file at /lib/systemd/system/user-.slice.d/ and add something such as

Dec 23 2019, 8:54 PM · Whonix, VMware, Qubes, KVM, VirtualBox, virtualizer

Nov 23 2019

madaidan added a comment to T938: request apparmor environment scrubbing whitelist from AppArmor upstream.

I created the issue:

Nov 23 2019, 5:51 PM · apparmor-profile-everything, AppArmor, Whonix
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

https://github.com/Whonix/apparmor-profile-everything/pull/7

Nov 23 2019, 4:44 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor
madaidan added a comment to T936: apparmor-profile-everything breaks Qubes upgrading.

Try adding:

Nov 23 2019, 4:20 PM · apparmor-profile-everything, Qubes, Whonix, AppArmor

Oct 4 2019

madaidan added a comment to T670: Activating Lockdown.

It turns out, what I said only applies to the Debian package. The kernel patch and the package are actually two different things.

Oct 4 2019, 8:37 PM · Debian version 10 codename Buster, Whonix

Jul 8 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Yay, we have ProtectSystem=strict now.

Jul 8 2019, 8:30 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 6 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

Jul 6 2019, 4:23 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 4 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

It's a file, not a folder.

Jul 4 2019, 5:09 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 3 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

I just re-read the error message. Try adding

Jul 3 2019, 5:10 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T670: Activating Lockdown.

I can test it but I doubt lockdown will help at all.

Jul 3 2019, 4:58 PM · Debian version 10 codename Buster, Whonix
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

That's weird. Onion-grater is trying to write to somewhere that's being mounted read-only by systemd.

Jul 3 2019, 4:56 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 25 2019

madaidan added a comment to T869: Install Firejail by default inside Whonix.

GUI isolation is very important, no?

Jun 25 2019, 10:43 PM · Whonix 15, Whonix, firejail

Jun 24 2019

madaidan added a comment to T869: Install Firejail by default inside Whonix.

The problem is, xpra (actually xpra | xserver-xephyr | xvfb) isn't in the list of Recommends: of the firejail package by accident. We don't really know the rationale for that. It could be an optional dependency, and without it, someone who knows firejail and is happy to find it installed would wonder why some things actually do not work.

Jun 24 2019, 8:34 PM · Whonix 15, Whonix, firejail

Jun 23 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work after you comment out ProtectSystem=strict and ReadWriteDirectories=? I think on Qubes-Whonix it is trying to write to a directory in /var/run (probably /var/run/qubes-service). I can't test as I don't use Qubes.

Jun 23 2019, 8:25 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work using this? It looks like it needs the openat syscall which it now allows.

Jun 23 2019, 4:31 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 20 2019

madaidan added a comment to T875: fix fail closed mechanism.

I don't think anything Debian does would modify any iptables rules, nor does Whonix ship any code to disable the firewall. So "disables the firewall for a minute" is non-existent. It would be bad if that happened.

Jun 20 2019, 10:26 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 12 2019

madaidan added a comment to T582: revisit handling of /var/lib/dbus/machine-id.

The way it is now looks fine. Why would it need to be changed?

May 12 2019, 2:36 PM · Whonix 16, research, Whonix
madaidan added a comment to T904: make sure there is no swap by default.

We need to re-check this for Whonix Host. Since it gets installed using calamares (which handles partitioning) there could be an unwanted swap partition.

May 12 2019, 2:34 PM · Whonix, Whonix-Host
madaidan added a comment to T875: fix fail closed mechanism.

Seems quite hacky. What's the root cause for failing?

May 12 2019, 2:14 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix

May 11 2019

madaidan added a comment to T582: revisit handling of /var/lib/dbus/machine-id.

https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things.

May 11 2019, 7:27 PM · Whonix 16, research, Whonix

May 10 2019

madaidan added a comment to T582: revisit handling of /var/lib/dbus/machine-id.

Would it cause any issues if the machine-id was just deleted or replaced with a bunch of 0s?

May 10 2019, 7:27 PM · Whonix 16, research, Whonix
madaidan added a comment to T729: network hardening.

My pull request enables all of these except martian packet logging which I doubt would be useful on Whonix.

May 10 2019, 7:18 PM · whonix-ws-firewall, Whonix, whonix-gw-firewall
madaidan added a comment to T770: Custom TBB profile for localhost access + Privoxy.

You can create directories in tor-browser_en-US/Browser/TorBrowser/Data/Browser/ called (profile_name).default. Here will be all the configurations for the profile. It should have a custom user.js with proxy settings using privoxy and setting network.proxy.no_proxies_on to 0.

May 10 2019, 7:15 PM · Whonix
madaidan added a comment to T795: Customized welcome page and bookmarks for I2P / Alt TBB (keyword: homepage).

Alternatively, you could change the home page to the program's interface e.g. 127.0.0.1:7657 for I2P and start the browser with a script that creates a popup box using zenity or similar that tells the user the information.

May 10 2019, 6:48 PM · html, whonix-welcome-page, Whonix
madaidan added a comment to T875: fix fail closed mechanism.

Maybe disable it just for package upgrades?

May 10 2019, 6:19 PM · whonix-ws-firewall, whonix-gw-firewall, Whonix
madaidan added a comment to T904: make sure there is no swap by default.

There is none. You can run swapon -s or cat /proc/swaps to verify.

May 10 2019, 5:55 PM · Whonix, Whonix-Host
madaidan added a comment to T902: disable removable drives auto-mounting - XFCE only.

No, I mean the upstream repository thunar-volman by XFCE developers.

May 10 2019, 5:47 PM · Whonix-Host, Whonix

May 9 2019

madaidan added a comment to T902: disable removable drives auto-mounting - XFCE only.

Can you see from thunar-volman source code where defaults are configured? Would be good to watch for future versions.

May 9 2019, 7:24 PM · Whonix-Host, Whonix

May 8 2019

madaidan added a comment to T902: disable removable drives auto-mounting - XFCE only.

Automounting can be configured in /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.conf

May 8 2019, 10:27 PM · Whonix-Host, Whonix