circumvention (Project)
Active, Public

Recent Activity

Apr 6 2019

Patrick renamed T887: download Tor Browser on Whonix-Gateway as provider for latest Tor and pluggable transports from make TBB usable as "system Tor", so latest Tor and pluggable transports can be used on Whonix-Gateway to download Tor Browser on Whonix-Gateway as provider for latest Tor and pluggable transports.
Apr 6 2019, 8:50 PM · circumvention, tb-updater, Whonix
Patrick removed a project from T386: meek Pluggable Transport: Debian version 10 codename Buster.
Apr 6 2019, 4:38 PM · enhancement, circumvention, Whonix
Patrick updated subscribers of T386: meek Pluggable Transport.
Apr 6 2019, 4:38 PM · enhancement, circumvention, Whonix

May 12 2018

Patrick added a comment to T386: meek Pluggable Transport.

meek might be dead by then:
https://forums.whonix.org/t/replacing-meek-snowflake

May 12 2018, 5:17 PM · enhancement, circumvention, Whonix

Feb 6 2018

Patrick removed a project from T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch: Debian version 9 codename Stretch.
Feb 6 2018, 1:03 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention

Sep 8 2017

JasonJAyalaP closed T676: fix obfs4proxy AppArmor issue in Whonix 14 as Resolved.
Sep 8 2017, 1:54 AM · Whonix 14, Whonix, AppArmor, circumvention

Sep 6 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Ah I see.

Sep 6 2017, 8:23 PM · Whonix 14, Whonix, AppArmor, circumvention

Sep 5 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

I changed it to
NoNewPrivileges=No
That's the only thing I can imagine that would be causing that parsing error. Testing now

> torproject's stretch repository [1] does not contain tor_0.3.1.5 yet.

Once TPO's stretch repo contains the latest, this workaround will no longer be needed, correct?
Sep 5 2017, 12:04 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

with =no, I'm no longer getting the parsing error

sudo journalctl | grep workaround

but /lib/systemd/system/tor@default.service is unaffected

# Hardening
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
...
Sep 5 2017, 11:56 AM · Whonix 14, Whonix, AppArmor, circumvention

Sep 4 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

with =no, I'm no longer getting the parsing error

Sep 4 2017, 11:29 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

I changed it to
NoNewPrivileges=No
That's the only thing I can imagine that would be causing that parsing error. Testing now

Sep 4 2017, 11:11 PM · Whonix 14, Whonix, AppArmor, circumvention

Sep 3 2017

Patrick reopened T676: fix obfs4proxy AppArmor issue in Whonix 14 as "Open".
Sep 3 2017, 2:12 PM · Whonix 14, Whonix, AppArmor, circumvention

Jul 6 2017

JasonJAyalaP closed T676: fix obfs4proxy AppArmor issue in Whonix 14 as Resolved.
Jul 6 2017, 5:57 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a project to T676: fix obfs4proxy AppArmor issue in Whonix 14: Whonix 14.

Please keep the Whonix 14 tag. I guess this can be closed, resolved?

Jul 6 2017, 2:35 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

Ok I created the workaround as you described:

https://github.com/Whonix/anon-gw-anonymizer-config/commit/bfe28e340d03cc4d77e4f49e24bcc0a9da42da06
Jul 6 2017, 2:28 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP removed a project from T676: fix obfs4proxy AppArmor issue in Whonix 14: Whonix 14.
Jul 6 2017, 12:25 AM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Debian bug report:

Jul 6 2017, 12:25 AM · Whonix 14, Whonix, AppArmor, circumvention

Jul 5 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Ok I created the workaround as you described:
https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/lib/systemd/system/tor@default.service.d/40_obfs4proxy-workaround.conf

Jul 5 2017, 11:36 PM · Whonix 14, Whonix, AppArmor, circumvention

Jul 1 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

Two things work:

  1. Changing obfs4 execution permission in system_tor apparmor profile (abstractions/tor) from PUx to ix.
  2. Keeping PUx but removing "NoNewPrivileges" from tor@default systemd service (/lib/systemd/system)
Jul 1 2017, 11:57 AM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Two things work:

Jul 1 2017, 2:42 AM · Whonix 14, Whonix, AppArmor, circumvention

Jun 30 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Pux (already Tor's default) is alright.

Jun 30 2017, 12:44 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

I commented out the lines in local/system_tor about obfsproxy. This caused obfsproxy to fail. Changing obfsproxy to rix didn't work. But I'm confused at what I'm seeing, and so I'm still looking at it.

Jun 30 2017, 3:57 AM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Comment that and obfs4proxy can run as PUx (instead of needing ix)

Jun 30 2017, 3:38 AM · Whonix 14, Whonix, AppArmor, circumvention

Jun 29 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

To save you from somehow learning about systemd overrides the hard way...

Jun 29 2017, 2:34 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

In this case, a /local file can probably not do the trick.

Jun 29 2017, 2:30 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Ah. I didn't see the include. Makes sense.

Jun 29 2017, 2:14 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Ah. I didn't see the include. Makes sense.

Jun 29 2017, 3:26 AM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

/etc/apparmor.d/system_tor after #include <abstractions/tor> and #include <local/system_tor> will be interpreted like the following, I think:

Jun 29 2017, 3:01 AM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

But what I really don't know is how system_tor interacts with abstractions/

Jun 29 2017, 2:55 AM · Whonix 14, Whonix, AppArmor, circumvention

Jun 28 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

AA doesn't report a denied message when tor tries to launch obfs4. However:

Jun 28 2017, 11:55 PM · Whonix 14, Whonix, AppArmor, circumvention

Jun 26 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Yes. Because the other solution "not use AppArmor for Tor" is not a great one. It worked in Whonix 13, just needs to be fixed for Whonix 14.

Jun 26 2017, 1:37 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

To be clear:
Tor ships a broken apparmor profile (for the last 5 years? Suggested nuke of the profile 3 years ago), and we're trying to unbreak obfs4, correct?

Jun 26 2017, 11:40 AM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

/etc/apparmor.d/system_tor is unmodified, owned by Debian tor package. /etc/apparmor.d/system_tor will #include <local/system_tor>.

Jun 26 2017, 10:58 AM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Which app armor profile is blocking obfs4?

Jun 26 2017, 10:53 AM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Which app armor profile is blocking obfs4? Something from us or an apparmor profile that comes from tpo?

Jun 26 2017, 10:33 AM · Whonix 14, Whonix, AppArmor, circumvention

Jun 22 2017

Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

That's why we need to sort it out in https://github.com/Whonix/apparmor-profile-anondist/blob/master/etc/apparmor.d/abstractions/base.anondist somehow.

Jun 22 2017, 12:09 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Tor's own app armor profile breaks needed features (obfs4). The ticket is 4 years old with no progress. Even they complained about needing to resolve or remove it (years ago).

Jun 22 2017, 2:28 AM · Whonix 14, Whonix, AppArmor, circumvention

Jun 5 2017

Patrick updated the task description for T676: fix obfs4proxy AppArmor issue in Whonix 14.
Jun 5 2017, 2:47 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick renamed T676: fix obfs4proxy AppArmor issue in Whonix 14 from test obfs4proxy in Whonix 14 to fix obfs4proxy AppArmor issue in Whonix 14.
Jun 5 2017, 2:45 PM · Whonix 14, Whonix, AppArmor, circumvention

Jun 3 2017

JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

You're right. /var/run/tor/log reports
"Could not launch managed proxy executable /usr/bin/obfs4proxy Operation not permitted"

Jun 3 2017, 7:17 PM · Whonix 14, Whonix, AppArmor, circumvention
Patrick added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

Is the obfs4proxy package installed? Probably yes.

Jun 3 2017, 3:19 PM · Whonix 14, Whonix, AppArmor, circumvention
JasonJAyalaP added a comment to T676: fix obfs4proxy AppArmor issue in Whonix 14.

I was trying obfs4proxy in whonix-gateway. I edited the torrc to UseBridges 1 and added the Client Transport line (note, torrc.examples says to add "managed" at the end; https://github.com/Yawning/obfs4 does not). I then added bridges from tpo (bridge obfs4 ip ... ).
Whonixcheck reports WARNING can't connect to bridge REASON=PT_MISSING
PT_Missing is an error from stem: "no pluggable transport was available"

Jun 3 2017, 1:31 AM · Whonix 14, Whonix, AppArmor, circumvention

May 16 2017

Patrick created T676: fix obfs4proxy AppArmor issue in Whonix 14.
May 16 2017, 4:06 PM · Whonix 14, Whonix, AppArmor, circumvention

Feb 11 2017

Patrick updated the task description for T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch.
Feb 11 2017, 7:01 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention
Patrick removed a project from T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch: Whonix 14.

Not easy. Need to wait for reply from TPO.

Feb 11 2017, 7:00 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention
Patrick updated the task description for T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch.
Feb 11 2017, 6:57 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention
Patrick updated the task description for T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch.
Feb 11 2017, 6:53 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention

Jan 18 2017

Patrick added a project to T520: install fteproxy by default in Whonix-Gateway when porting to Debian stretch: Whonix 14.
Jan 18 2017, 6:58 AM · systemd, AppArmor, research, user documentation, enhancement, Whonix, circumvention

Jan 15 2017

Patrick edited projects for T386: meek Pluggable Transport, added: Debian version 10 codename Buster; removed Debian version 9 codename Stretch.

Didn't make it into Debian version 9 codename Stretch. Rechecking in Debian version 10 codename Buster.

Jan 15 2017, 6:56 AM · enhancement, circumvention, Whonix

Jan 9 2017

Patrick closed T116: document how to use TBB as "system Tor" inside Whonix-Gateway as Invalid.

Calling this a duplicate of T118.

Jan 9 2017, 12:27 PM · research, user documentation, circumvention, enhancement, Whonix