systemd Project
Active, Public

Members (2)

Watchers

  • This project does not have any watchers.

Details

Description

systemd support

Recent Activity

Nov 6 2019

Patrick updated subscribers of T362: systemd SystemCallFilter= containment option seccomp hardening.
Nov 6 2019, 3:34 AM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix
Patrick closed T362: systemd SystemCallFilter= containment option seccomp hardening as Resolved.

This was done. If not, please create specific tickets where it isn't done.

Nov 6 2019, 3:34 AM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix

Jul 8 2019

Patrick closed T631: re-enable tor-controlport-filter.service systemd hardening as Resolved.
Jul 8 2019, 9:49 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Removed a few. Would not start without openat, so kept.

Jul 8 2019, 9:49 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Yay, we have ProtectSystem=strict now.

Jul 8 2019, 8:30 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Yay, we have ProtectSystem=strict now.

Jul 8 2019, 1:06 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Can we exclude ExecStartPre=/usr/lib/onion-grater-merger from systemd hardening?

Jul 8 2019, 12:53 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 7 2019

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Error back after reboot.

Jul 7 2019, 11:50 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 6 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

Jul 6 2019, 4:23 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

Jul 6 2019, 1:03 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 4 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

It's a file, not a folder.

Jul 4 2019, 5:09 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/commit/8480cff304ea019b25dc49d91672e7c3f8599a07

Jul 4 2019, 7:59 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

It's a file, not a folder. Nothing in the code of
/usr/lib/onion-grater-merger writes to /usr/lib/onion-grater-merger.

Jul 4 2019, 7:41 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 3 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

I just re-read the error message. Try adding

Jul 3 2019, 5:10 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

That's weird. Onion-grater is trying to write to somewhere that's being mounted read-only by systemd.

Jul 3 2019, 4:56 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 1 2019

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Merged your changes.

Jul 1 2019, 10:11 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 24 2019

Patrick edited projects for T631: re-enable tor-controlport-filter.service systemd hardening, added: Whonix 15; removed Whonix 16.
Jun 24 2019, 3:49 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 23 2019

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work after you comment ProtectSystem=strict and ReadWriteDirectories=? I think on Qubes-Whonix it is trying to write to a directory in /var/run (probably /var/run/qubes-service). I can't test as I don't use Qubes.

Jun 23 2019, 8:25 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Unfortunately not. On Qubes-Whonix. Could be Non-Qubes-Whonix vs
Qubes-Whonix?

Jun 23 2019, 7:53 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work using this? It looks like it needs the openat syscall which it now allows.

Jun 23 2019, 4:31 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick updated subscribers of T631: re-enable tor-controlport-filter.service systemd hardening.

Does not work yet. @madaidan

Jun 23 2019, 10:27 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Dec 9 2018

Patrick triaged T785: Use /lib/systemd/system/tor@service.d instead as Normal priority.
Dec 9 2018, 6:52 AM · anon-gw-anonymizer-config, systemd, Whonix

Dec 7 2018

Patrick removed a project from T362: systemd SystemCallFilter= containment option seccomp hardening: Whonix 15.
Dec 7 2018, 11:57 AM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix

Sep 18 2018

marmarek added a comment to T691: sdwdate sclockadj change time without spamming logs.

Actually, the "apt-daily.timer: Adding 1h 17min 24.927437s random time" message has real impact, not only noise. Each time sdwdate changes the time, systemd adds a random delay to those timers, which means the timer will never expire (unless that random delay happens to be very close to 0, i.e. below the time until sdwdate changes the time, which looks to be 1s).

Sep 18 2018, 3:55 AM · systemd, research, sclockadj, sdwdate, Whonix

Aug 15 2018

Patrick updated the task description for T362: systemd SystemCallFilter= containment option seccomp hardening.
Aug 15 2018, 1:06 PM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix
Patrick updated the task description for T631: re-enable tor-controlport-filter.service systemd hardening.
Aug 15 2018, 1:04 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 25 2018

Patrick closed T691: sdwdate sclockadj change time without spamming logs as Resolved.

This is sorted in a later version of systemd.

Jul 25 2018, 8:39 AM · systemd, research, sclockadj, sdwdate, Whonix
Patrick edited projects for T691: sdwdate sclockadj change time without spamming logs, added: systemd; removed Whonix 16.
Jul 25 2018, 8:39 AM · systemd, research, sclockadj, sdwdate, Whonix

Mar 7 2018

Patrick closed T637: port from service to systemctl add --no-pager / --no-block as Resolved.
Mar 7 2018, 1:14 AM · whonixsetup, whonixcheck, whonix-setup-wizard, whonix-legacy, whonix-developer-meta-files, sdwdate-gui, sdwdate, rads, qubes-whonix, bootclockrandomization, anon-shared-helper-scripts, anon-gw-leaktest, anon-gw-anonymizer-config, systemd, bug, Whonix, Whonix 14

Feb 6 2018

Patrick removed a project from T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch: Debian version 9 codename Stretch.
Feb 6 2018, 1:03 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention

Jul 23 2017

Patrick edited projects for T631: re-enable tor-controlport-filter.service systemd hardening, added: Whonix 16; removed Whonix 14.
Jul 23 2017, 5:52 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 12 2017

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

All yes.

Jul 12 2017, 1:32 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
JasonJAyalaP added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

sudo netstat -tulpen

Jul 12 2017, 1:25 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

sudo apt-get remove control-port-filter-python
It wants to remove everything. I don't think 'Replaces' worked.
Jul 12 2017, 12:13 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 11 2017

JasonJAyalaP added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

sudo service tor-controlport-filter stop
sudo service onion-grater start
same failure
If I try
sudo apt-get remove control-port-filter-python
It wants to remove everything. I don't think 'Replaces' worked.

Jul 11 2017, 11:11 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 9 2017

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Probably the tor-controlport-filter systemd unit file (the old one) is still
running and blocking the onion-grater systemd unit file.

Jul 9 2017, 2:38 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 7 2017

JasonJAyalaP added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Python is choking on the line:
server = FilteredControlPortProxy(address, FilteredControlPortProxyHandler)

Jul 7 2017, 8:45 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 6 2017

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

sudo journalctl -u onion-grater

Jul 6 2017, 5:38 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
JasonJAyalaP added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

sudo service onion-grater status just tells me that it failed to load. Any clues about how to debug this?

Jul 6 2017, 12:52 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 1 2017

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Should be even easier since onion-grater debian/control contains
Replaces: control-port-filter-python. So just installing onion-grater
should do.

Jul 1 2017, 12:05 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
JasonJAyalaP added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Question: To install OG in Whonix 14 dev, do I simply pull the repo, make deb-icup, stop the old tor control port filter proxy, and start onion-grater?

Jul 1 2017, 3:00 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 28 2017

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

They happily take it if we contribute it.

Jun 28 2017, 12:11 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 27 2017

JasonJAyalaP added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Tails didn't feel the need to use system call filtering?

Jun 27 2017, 6:38 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 26 2017

Patrick updated subscribers of T631: re-enable tor-controlport-filter.service systemd hardening.

Do you mean we ported it from Tails to Whonix?

Jun 26 2017, 1:33 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
JasonJAyalaP added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Using the hardening broke Tails? What do you mean?

Jun 26 2017, 10:45 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
JasonJAyalaP updated the task description for T631: re-enable tor-controlport-filter.service systemd hardening.
Jun 26 2017, 10:42 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
JasonJAyalaP placed T631: re-enable tor-controlport-filter.service systemd hardening up for grabs.
Jun 26 2017, 10:18 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 25 2017

HulaHoop added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

I haven't tested it yet and unfortunately I'm very busy these days, so cpfp apparmor work is up for grabs.

Jun 25 2017, 2:05 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jun 22 2017

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

@Patrick
What do we need for the next dev release for hula?

Jun 22 2017, 12:07 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
JasonJAyalaP assigned T631: re-enable tor-controlport-filter.service systemd hardening to HulaHoop.
Jun 22 2017, 3:56 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)