Re: [Tails-dev] Using VMs in Tails

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: The Tails public development discussion list
CC: dissent
Betreff: Re: [Tails-dev] Using VMs in Tails
Hi,

David Wolinsky wrote (19 Dec 2013 03:14:39 GMT) :
> I want to start working on integrating the of Pseudonymity as
> defined by WiNoN into Tails.


I'm very happy to see someone work on this.

> To do this I propose the following:


> - In the host, we run redsocks (http://darkk.net.ru/redsocks/), this will
> pick up traffic from the VMs and redirect it to Tor.


I have a few questions here:

- Is Tor running on the host system, or inside a dedicated VM?

The latter would have the benefit of making it hard for
a compromised Tor client to gather information about the local
networking setup, hardware identifiers, etc. I guess going with the
former is easier to implement as a first iteration, and I'd like to
see a working first iteration ASAP, so I guess it totally makes
sense to postpone this for now.

- How does this play with our stream isolation design [1]?
In other words, what kind of SocksPort(s), with what stream
isolation options, would the TCP traffic be redirected to?

I could probably take "once we segregate each pseudonym into its own
VM, we don't care anymore" for an answer, but I've not thought this
through yet.

[1] https://tails.boum.org/contribute/design/stream_isolation/

> Currently there exists no package for redsocks in Squeeze, should
> we check to see if the Wheezy package works or just build our own
> Redsocks package?


Replied in the dedicated thread you started about it.

> - Install the necessary software for both LXC and KVM


I understand you decided to go with KVM only for now, and I think it
totally makes sense. The state of the LXC userspace doesn't look very
good yet, and it's still unclear to me how strong it is nowadays
against a root compromise of the guest (enterprisey distros who
currently ship solutions based on LXC only dare doing so with
additional safeguards such as SELinux and AppArmor).

> - Give amnesia the right sudo abilities to start LXC and KVM


I bet this will have to be a bit finer grained than this, but I see
what you mean :)

> - Add start LXC Pseudonym and KVM Pseudonym to the desktop


What system would be started by these launchers?
Another full-blown Tails, or something else?

If Tails, what difficulties do you expect to face, in other words, how
should the Pseudonym-Tails differ from a "standard" one? I guess we
could brainstorm it a bit to start with. E.g. do we want the user to
be shown Tails Greeter? Or do we want to forward (some of) the user's
choices into the Pseudonym-Tails, such as language and keyboard layout
settings? We can also probably postpone this to when something simple
and working is ready to be tested, your call :)

> - Upon starting a Pseudonym, we'll add a Tap device and connect it to a
> bridge, where redsocks will pick up the traffic. For each pseudonym, we'll
> run a unique redsocks instance and start a new Tor proxy socket.
> - We can either a pseudonym watcher to clean up state or just run the
> pseudonym in a script, blocking on the VM execution. When the VM has been
> closed, it is automatically cleaned up.
> - Use IP Tables to enforce communication between the pseudonyms and Tor
> In this instance, each pseudonym will have a unique IP address, but it will
> only be able to talk to Tor running via the bridge and not other pseudonyms.


OK.

> Call this round 1, and we'll add more details as we discuss.


Looks good for round 1 :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc