This was done. If not, please create specific tickets where it isn't done.

Removed a few. Would not start without openat, so kept.

Yay, we have ProtectSystem=strict now.

Yay, we have ProtectSystem=strict now.

Can we exclude ExecStartPre=/usr/lib/onion-grater-merger from systemd hardening?

Error back after reboot.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

It's a file, not a folder.

https://github.com/Whonix/onion-grater/commit/8480cff304ea019b25dc49d91672e7c3f8599a07

It's a file, not a folder. Nothing in the code of
/usr/lib/onion-grater-merger writes to /usr/lib/onion-grater-merger.

I just re-read the error message. Try adding

That's weird. Onion-grater is trying to write to somewhere that's being mounted read-only by systemd.

Merged your changes.

Does it work after you comment ProtectSystem=strict and ReadWriteDirectories=? I think on Qubes-Whonix it is trying to write to a directory in /var/run (probably /var/run/qubes-service). I can't test as I don't use Qubes.

Unfortunately not. On Qubes-Whonix. Could be Non-Qubes-Whonix vs
Qubes-Whonix?

Does it work using this? It looks like it needs the openat syscall which it now allows.

Does not work yet. @madaidan

Actually, the "apt-daily.timer: Adding 1h 17min 24.927437s random time" message have real impact, not only noise. Each time sdwdate change time, systemd adds a random delay to those timers. which means the timer will never expire (unless that random delay will happen to be very close to 0 - i.e. below the time until sdwdate change the time, which looks to be 1s).

This is sorted in a later version of systemd.

All yes.

sudo netstal -tulpen

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

sudo apt-get remove control-port-filter-python
It wants to remove everything. I don't think 'Replaces' worked.

sudo service tor-controlport-filter stop
sudo service onion-grater start
same failure
if i try
sudo apt-get remove control-port-filter-python
It wants to remove everything. I don't think 'Replaces' worked.

Probably tor-controlport-filter systemd unit file (the old one) still
running and blocking the onion-grater systemd unit file.

Python is choking on the line:
server = FilteredControlPortProxy(address, FilteredControlPortProxyHandler)

sudo journalctl -u onion-grater

sudo service onion-grater status just tells me that it failed to load. Any clues about how to debug this?

Should be even easier since onion-grater debian/control contains
Replaces: control-port-filter-python. So just installing onion-grater
should do.

Question: To install OG in whonix 14 dev, so I simply pull the repo, make deb-icup, stop the old tor control port filter proxy, and start onion grater?

They happily take it if we contribute it.

Tails didn't feel the need to use system call filtering?

In T631#13827, @JasonJAyalaP wrote:

Do you mean we ported it from Tails to Whonix?

Using the hardening broke Tails? What do you mean?

I haven't tested it yet and unfortunately I'm very busy these days, so cpfp apparmor work is up for grabs.

In T631#13769, @JasonJAyalaP wrote:

@Patrick
What do we need for the next dev release for hula?