tetrahedra via qubes-users:
On Wed, Sep 25, 2019 at 11:32:20PM +0000, 'awokd' via qubes-users wrote:
Sven Semmler:
On 9/25/19 5:26 PM, 'Jackie' via qubes-users wrote:
even different applications within the same vm, will use different
tor circuits.
I know this is true of apps that come with whonix-ws, but is it the
case for apps added later like Signal? I think you'd still be OK if
Signal was the only thing added, but don't know about something like
Signal and Discord in the same AppVM.
I'm fairly sure the answer is "no, stream isolation is only automatic
for apps which are wrapped by `uwt` or which otherwise take steps to be
isolated, and this just happens to be the case for most whonix-default
apps"...
I think the OP was talking about isolation between VMs, not isolation of
apps within the same VM.
This is kind of how Qubes is designed in the first place. A random
untrusted app, like a browser, could easily be exploited, and
coredump/ptrace/what-have-you another app in the same VM and thereby
break Tor isolation that way. Network- and machine-level isolation are
different things, but the underlying concepts (e.g.
compartmentalization) are kind of the same.
But nevertheless, in regard to the quote at hand... Yes, the
preinstalled applications are preconfigured for stream isolation, either
internally or by uwt. User-installed apps, unless specifically
configured, will use the TransPort & DNSPort and will be isolated only
as specified by the TransPort & DNSPort isolation flags (Whonix appears
to just use Tor defaults, so effectively none).
For foreground applications (as opposed to services), it's easy to use
torsocks with IsolatePID=1 to isolate a process. You can also enable
torsocks globally (and thus isolate background processes as well), but
I've never tried it on Whonix (and there must be some reason they're not
doing this by default).
https://www.whonix.org/wiki/Stream_Isolation
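
The port-level isolation flags discussed in the message above can be checked with a short torrc audit. This is an added example, not part of the original thread and not Whonix code: the sample torrc is constructed, the flag names are those in the Tor manual, and the verdict labels are made up for illustration.

```python
# Flag names are from the Tor manual; matching is case-insensitive like torrc.
DEFAULT_ON = {"isolateclientaddr", "isolatesocksauth"}   # on unless negated
OPT_IN = {"isolateclientprotocol", "isolatedestport", "isolatedestaddr"}
PORT_OPTIONS = {"socksport", "transport", "dnsport"}

# Constructed sample torrc for illustration (not Whonix's configuration).
SAMPLE_TORRC = """
# constructed example
SocksPort 127.0.0.1:9050
SocksPort 127.0.0.1:9150 NoIsolateSOCKSAuth
TransPort 127.0.0.1:9040
TransPort 127.0.0.1:9041 IsolateDestAddr IsolateDestPort
DNSPort 127.0.0.1:5353
"""

def effective_flags(tokens):
    """Apply a port line's flags on top of Tor's defaults."""
    flags = set(DEFAULT_ON)
    for tok in (t.lower() for t in tokens):
        if tok in DEFAULT_ON or tok in OPT_IN:
            flags.add(tok)
        elif tok.startswith("no") and tok[2:] in DEFAULT_ON:
            flags.discard(tok[2:])
    return flags

def audit(torrc_text):
    """Return (option, address, verdict) for each client port line.

    Verdicts (labels made up for this example) describe two apps in ONE VM,
    i.e. the same client address:
      per-credential  - separated if each app sends its own SOCKS auth
      per-destination - separated only when destinations differ
      shared          - streams may share a circuit
    """
    report = []
    for line in torrc_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0].lower() not in PORT_OPTIONS:
            continue
        flags = effective_flags(tokens[2:])
        if tokens[0].lower() == "socksport" and "isolatesocksauth" in flags:
            verdict = "per-credential"
        elif flags & {"isolatedestaddr", "isolatedestport"}:
            verdict = "per-destination"
        else:
            verdict = "shared"
        report.append((tokens[0], tokens[1], verdict))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_TORRC):
        print(*row)
```

A TransPort or DNSPort line can never be "per-credential" because transparent and DNS traffic carries no SOCKS authentication, which is why a per-process wrapper on a SocksPort is needed to separate two apps in the same VM.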