Re: [Tails-dev] [Whonix-devel] Tails control port filter pro…

Author: anonym
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [Whonix-devel] Tails control port filter proxy in Whonix?
Patrick Schleizer:
> anonym:
>> Patrick Schleizer:
>>> [override] will probably work for Whonix. Joy and I drafted a
>>> plan.
>>>
>>> In one sentence: We at Whonix invent a new, separate config
>>> folder, parse it with a yml merger Python script, and generate
>>> another yml file that gets passed to tor-controlport-filter by
>>> Tails.
>>
>> Ok. My understanding of this proposal is that you no longer need any
>> sort of "filter rules merging" in tor-controlport-filter itself,
>> correct? If so, great! :)
>
> I guess so, right.
>
> Unless any of the Tails profiles use '*'? But in that case we might be
> able to just config-package-dev displace the profile.


Tails doesn't use `hosts` (previously, `match-hosts` -- the `match-` prefix has been dropped for all three matching rules) but only `exe-paths` and `users`, and only with static, glob-less patterns.

>> Feel free to send a PR with your other
>> changes applied to tor-controlport-filter in Tails Git!
>> Otherwise I'll do it myself later this week.
>
> Let's see who is faster. Can't say yet.


Seems I was. :)

>>> - /etc/tor-controlport-filter.d -- We tell Whonix users to ignore
>>> it. -- Internally used by /usr/lib/tor-controlport-filter . -- Will
>>> contain --- tails-default-profies.yml (for the sake of sharing the
>>> package
>>
>> But they are not useful in Whonix since they only work for loopback
>> connections (i.e. only for applications running on the gateway, which
>> should be nothing except for tor, essentially). Right?
>
> Right. [And a rather minor point...: tor-arm [now nyx] is one that could
> use a profile. Users tend to create screenshots of arm, so redacting any
> IP addresses would be nice. Also terminal emulators such as konsole
> might have bugs. By limiting what tor-arm gets to see it might
> prevent exploiting a bug in the terminal emulator. So hypothetically
> speaking, you have a profile for tor-arm, we would probably use it as well.]


Sure, but we won't. I expect that a profile very similar to the one we have for Onion Circuits would do if you just want to use it as a circuit/stream viewer.

Cheers!