
onion-grater (Control Port Filter Proxy) · Project
Active · Public


Recent Activity

Mon, Jul 8

Patrick closed T631: re-enable tor-controlport-filter.service systemd hardening as Resolved.
Mon, Jul 8, 9:49 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Removed a few. Would not start without openat, so kept.

Mon, Jul 8, 9:49 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Yay, we have ProtectSystem=strict now.

Mon, Jul 8, 8:30 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Yay, we have ProtectSystem=strict now.

Mon, Jul 8, 1:06 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Can we exclude ExecStartPre=/usr/lib/onion-grater-merger from systemd hardening?

Mon, Jul 8, 12:53 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Sun, Jul 7

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Error back after reboot.

Sun, Jul 7, 11:50 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Sat, Jul 6

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

Sat, Jul 6, 4:23 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/blob/master/lib/systemd/system/onion-grater.service currently works without ReadWritePaths. So let's not add?

Sat, Jul 6, 1:03 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T654: create an unMessage onion-grater profile.

Dead upstream.

Sat, Jul 6, 12:28 PM · Whonix, onion-grater (Control Port Filter Proxy)

Thu, Jul 4

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

It's a file, not a folder.

Thu, Jul 4, 5:09 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

https://github.com/Whonix/onion-grater/commit/8480cff304ea019b25dc49d91672e7c3f8599a07

Thu, Jul 4, 7:59 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

It's a file, not a folder. Nothing in the code of
/usr/lib/onion-grater-merger writes to /usr/lib/onion-grater-merger.

Thu, Jul 4, 7:41 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Wed, Jul 3

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

I just re-read the error message. Try adding

Wed, Jul 3, 5:10 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

That's weird. Onion-grater is trying to write to somewhere that's being mounted read-only by systemd.

Wed, Jul 3, 4:56 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Mon, Jul 1

Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Merged your changes.

Mon, Jul 1, 10:11 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Mon, Jun 24

Patrick edited projects for T631: re-enable tor-controlport-filter.service systemd hardening, added: Whonix 15; removed Whonix 16.
Mon, Jun 24, 3:49 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Sun, Jun 23

madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work after you comment ProtectSystem=strict and ReadWriteDirectories=? I think on Qubes-Whonix it is trying to write to a directory in /var/run (probably /var/run/qubes-service). I can't test as I don't use Qubes.

Sun, Jun 23, 8:25 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Unfortunately not. On Qubes-Whonix. Could be Non-Qubes-Whonix vs
Qubes-Whonix?

Sun, Jun 23, 7:53 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
madaidan added a comment to T631: re-enable tor-controlport-filter.service systemd hardening.

Does it work using this? It looks like it needs the openat syscall which it now allows.

Sun, Jun 23, 4:31 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)
Patrick updated subscribers of T631: re-enable tor-controlport-filter.service systemd hardening.

Does not work yet. @madaidan

Sun, Jun 23, 10:27 AM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Apr 6 2019

Patrick closed T879: qvm-service infrastructure does not work with whonix-gw-14 template as Wontfix.

Reducing the number of lingering, unrealistic tickets, therefore closing.

Apr 6 2019, 8:46 PM · Qubes, onion-grater (Control Port Filter Proxy), Whonix
Patrick closed T503: have sane built-in defaults even if config files are non-existing as Resolved.

https://github.com/Whonix/anon-ws-disable-stacked-tor/commit/128e2312bf58a5c1cea3eecd74d1fa0a1a194b51

Apr 6 2019, 5:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix
Patrick updated the task description for T503: have sane built-in defaults even if config files are non-existing.
Apr 6 2019, 5:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Dec 9 2018

Patrick lowered the priority of T879: qvm-service infrastructure does not work with whonix-gw-14 template from Normal to Wishlist.
Dec 9 2018, 5:52 AM · Qubes, onion-grater (Control Port Filter Proxy), Whonix

Dec 7 2018

Patrick removed a project from T444: test if Ricochet IM instructions are functional: Whonix 15.
Dec 7 2018, 12:05 PM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick removed a project from T362: systemd SystemCallFilter= containment option seccomp hardening: Whonix 15.
Dec 7 2018, 11:57 AM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix

Oct 1 2018

Patrick placed T503: have sane built-in defaults even if config files are non-existing up for grabs.
Oct 1 2018, 1:17 PM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

Sep 20 2018

Patrick triaged T849: make onion-grater resilient if networking is down as Normal priority.
Sep 20 2018, 11:33 AM · Whonix 16, Whonix, onion-grater (Control Port Filter Proxy)

Aug 15 2018

Patrick updated the task description for T362: systemd SystemCallFilter= containment option seccomp hardening.
Aug 15 2018, 1:06 PM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix
Patrick updated the task description for T631: re-enable tor-controlport-filter.service systemd hardening.
Aug 15 2018, 1:04 PM · Whonix 15, Whonix, enhancement, systemd, onion-grater (Control Port Filter Proxy)

Jul 24 2018

Patrick added a comment to T654: create an unMessage onion-grater profile.

Ping @dau.

Jul 24 2018, 12:11 PM · Whonix, onion-grater (Control Port Filter Proxy)
Patrick added a comment to T444: test if Ricochet IM instructions are functional.

There are up to date Whonix 14 testers versions available.

Jul 24 2018, 11:47 AM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick changed Impact from Whonix:triage to Whonix:normal on T444: test if Ricochet IM instructions are functional.
Jul 24 2018, 11:45 AM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick renamed T444: test if Ricochet IM instructions are functional from Ricochet IM to test if Ricochet IM instructions are functional.
Jul 24 2018, 11:45 AM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick updated the task description for T444: test if Ricochet IM instructions are functional.
Jul 24 2018, 11:43 AM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick reopened T503: have sane built-in defaults even if config files are non-existing as "Open".
Jul 24 2018, 5:35 AM · Whonix 15, tb-updater, tb-starter, open-link-confirmation, rads, onion-grater (Control Port Filter Proxy), uwt, sdwdate, whonixcheck, whonix-ws-firewall, whonix-gw-firewall, Whonix

May 9 2018

Patrick changed the status of T444: test if Ricochet IM instructions are functional from Open to testing-in-next-build-required.

https://github.com/Whonix/uwt/commit/907f8e1ee93a0ec47febecce3e86266c681764fa

May 9 2018, 11:48 AM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick changed the status of T444: test if Ricochet IM instructions are functional from Review to Open.
May 9 2018, 11:34 AM · onion-grater (Control Port Filter Proxy), research, Whonix

May 7 2018

Patrick added a comment to T444: test if Ricochet IM instructions are functional.

Yes, please.

May 7 2018, 7:00 AM · onion-grater (Control Port Filter Proxy), research, Whonix

May 6 2018

Tibo added a comment to T444: test if Ricochet IM instructions are functional.

I see. So without these variables set, ricochet tries to start its
own Tor client?

Yes exactly!

May 6 2018, 11:54 PM · onion-grater (Control Port Filter Proxy), research, Whonix

May 1 2018

Patrick added a comment to T444: test if Ricochet IM instructions are functional.

Tibo (Tibo):

Tibo added a comment.

Any idea why that is required?

Yes, ricochet is looking if a control port is defined in the config file or in
the environment.
If a control port is defined, ricochet will not launch tor and will directly
connect to the control host.

May 1 2018, 12:23 PM · onion-grater (Control Port Filter Proxy), research, Whonix

Apr 30 2018

Tibo added a comment to T444: test if Ricochet IM instructions are functional.

Any idea why that is required?

Apr 30 2018, 7:57 PM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick added a comment to T444: test if Ricochet IM instructions are functional.
In T444#15959, @Tibo wrote:

The only thing missing is to set environment variable TOR_CONTROL_PORT=9151 and TOR_CONTROL_HOST="127.0.0.1".
That's all :).

Apr 30 2018, 9:57 AM · onion-grater (Control Port Filter Proxy), research, Whonix

Apr 26 2018

Tibo added a comment to T444: test if Ricochet IM instructions are functional.

This ticket is in status "needs review". Meaning, implementation is
done, but should be tested in next build.
This status is confusing and for ticket changes we'll be using
testing-in-next-build-required as status.
This ticket is in status "needs review". Meaning, implementation is
done, but should be tested in next build.
So the only remaining work here before you started working on this
ticket was:
Do the instructions in the wiki work as is? If yes, the ticket is done.

Apr 26 2018, 9:19 PM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick added a comment to T444: test if Ricochet IM instructions are functional.

Tibo (Tibo):

Tibo added a comment.
I think I misunderstood something.

Apr 26 2018, 6:29 PM · onion-grater (Control Port Filter Proxy), research, Whonix
Tibo added a comment to T444: test if Ricochet IM instructions are functional.

I think I misunderstood something.
I thought that the goal was to not use EXTERNAL_OPEN_ALL=true and just open one port on the workstation firewall.

Apr 26 2018, 10:14 AM · onion-grater (Control Port Filter Proxy), research, Whonix
Patrick added a comment to T444: test if Ricochet IM instructions are functional.

Tibo (Tibo):

Tibo added a comment.
Oh, my bad...

Probably a manual config is required because otherwise
localListenAddress is set to localhost.
Manual config is not how it is supposed to work. It worked before

Yes exactly, and also to set the localListenPort.

Apr 26 2018, 9:09 AM · onion-grater (Control Port Filter Proxy), research, Whonix
Tibo added a comment to T444: test if Ricochet IM instructions are functional.

Oh, my bad...

Apr 26 2018, 1:10 AM · onion-grater (Control Port Filter Proxy), research, Whonix

Apr 24 2018

Patrick added a comment to T444: test if Ricochet IM instructions are functional.

Tibo (Tibo):

Tibo added a comment.
So here are all the steps to make ricochet work:
Open Ricochet and close it (it will create all the config files and folders).
Then edit *$HOME/.local/share/Ricochet/ricochet.anondist-orig/ricochet.json*:

{
    "identity": {
        "dataDirectory": "data-0",
        "localListenAddress": "10.152.152.11",
        "localListenPort": 12345
    },
    "tor": {
        "controlAddress": "127.0.0.1",
        "controlPort": 9151,
        "socksAddress": "127.0.0.1",
        "socksPort": 9050
    },
    "ui": {
        "combinedChatWindow": true,
        "language": "",
        "notificationVolume": 0.75
    }
}

Apr 24 2018, 10:28 AM · onion-grater (Control Port Filter Proxy), research, Whonix

Apr 23 2018

Tibo added a comment to T444: test if Ricochet IM instructions are functional.

So here are all the steps to make ricochet work:

Apr 23 2018, 10:52 PM · onion-grater (Control Port Filter Proxy), research, Whonix