Hi,
sorry for the delay.
David Wolinsky wrote (29 Dec 2013 06:11:29 GMT) :
> On Wed, Dec 25, 2013 at 3:56 PM, intrigeri <intrigeri@???> wrote:
>> - How does this play with our stream isolation design [1]?
>> In other words, what kind of SocksPort(s), with what stream
>> isolation options, would the TCP traffic be redirected to?
>>
>> I could probably take "once we segregate each pseudonym into its own
>> VM, we don't care anymore" for an answer, but I've not thought this
>> through yet.
>>
>> [1] https://tails.boum.org/contribute/design/stream_isolation/
>>
> This is an interesting point. It may be totally reasonable to apply the
> same rules as Iceweasel on a per-VM basis, once we move to
> that phase.
For the record, the Tails browser currently uses a SocksPort with no
stream isolation options at all.
> Without multi-vms and no vm introspection, I imagine the most desirable
> approach would be to use a stricter, less performance oriented isolation
> policy.
Yes, perhaps it would be a fine start. See issues with IsolateDestPort
in the MUA, though, in our stream isolation design doc.
> Actually I went through Tails in more depth recently, since posting this
> message, and it seems we don't really need a unique SocksPort for each VM,
> but rather just direct it to the appropriate SocksPort for the correct
> level of isolation desired.
I'm not following you here, so I'm curious. What would be "the
appropriate SocksPort", and based on what would the redirection
be done?
>> > - Add start LXC Pseudonym and KVM Pseudonym to the desktop
>>
>> What system would be started by these launchers?
>> Another full-blown Tails, or something else?
>>
>> If Tails, what difficulties do you expect to face, in other words, how
>> should the Pseudonym-Tails differ from a "standard" one? I guess we
>> could brainstorm it a bit to start with. E.g. do we want the user to
>> be shown Tails Greeter? Or do we want to forward (some of) the user's
>> choices into the Pseudonym-Tails, such as language and keyboard layout
>> settings? We can also probably postpone this to when something simple
>> and working is ready to be tested, your call :)
>>
> This is my current "research" task. [...] So that the guest just
> mounts a directory from the host as its mask layer. This would then
> contain whatever necessary to prevent many of the tails securing
> services to be running in the guest.
OK, I see.
> One favor I ask of you is if you could point me to some
> documentation that enumerates what all this might be.
I'm afraid we have anything better than our design doc:
https://tails.boum.org/contribute/design/
... and the sub-pages it points to. I realize these documents are not
optimized for the kind of research you're doing. Feel free to ask any
specific question about whatever you find unclear, or undocumented.
I'm glad to plug the holes in our design doc whenever it makes sense.
> A second favor, how do you feel about our method? Do you have an
> alternative method? Ideally, this would be self-maintaining or
> require a minimal amount of effort.
I think I would personally first try to share the boot device image,
and add some conditional code that disables what you don't need when
booted as a guest VM, based on some parameter passed on the kernel
command-line. But perhaps that would become messy too quickly, and
your stacked FS approach makes more sense. To be honest, I don't
realize yet how spread and large the differences will need to be, and
of what kind they will be, so perhaps starting with listing those (see
the above question) would help picking the best tool for the task.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc