anonym:
> [...]
> One thing to note about the mumble-server script is the "little
> bind-mount trick" used to work around Tor's AppArmor confinement. We
> won't have that problem, I think. I did that so that all things we want
> to make persistent for mumble-server live in the same directory on the
> persistent media, i.e. both Tor's HS bits, and mumble-server's data. We
> certainly can do better by making these two separate, e.g. we make
> /var/lib/tor/hs persistent and store all HS bits there, and then make
> another directory outside of this persistent for the service
> configuration/data bits.
I ran into this problem today. To make it possible to use both ephemeral services and persistent services at the same time, I can't simply add all services to /etc/tor/torrc and make it persistent, because then obviously all hidden services would be persistent. Sadly, we don't have /etc/torrc.d yet. So instead I chose to use /usr/share/tor/tor-service-defaults-torrc for the persistent services and /etc/tor/torrc for the ephemeral ones.

I wrote some code to make single files persistent by creating a new directory in TailsData_unlocked, moving the file into it and adding the directory to persistence.conf with type "link". I think this is a pretty ugly solution. Now the problem is that the AppArmor confinement doesn't allow Tor to use this symlink, because it points to a file outside of the allowed Tor directories.

I could make the whole directory /etc/torrc or /usr/share/tor persistent, but this would make some other files persistent too. I think it would be problematic if a future release contains important changes to any of these files. Actually, this would also be problematic if we only make one of the torrc files persistent and there were important changes to it.

I could make this persistence feature even uglier by creating a subdirectory in /usr/share/tor/, making this subdirectory persistent, then creating a symlink to it in TailsData_unlocked, putting tor-service-defaults-torrc in it and adding it to persistence.conf with type "link" to link tor-service-defaults-torrc to /usr/share/tor.

I think the best way would be to implement the torrc.d feature and/or the bind-mounting-regular-files feature.

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
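The two layouts discussed in the message above, as an added example that is not part of the thread and not Tails' own code: it builds both the "link"-type layout (file moved to TailsData_unlocked, symlink left at the original path) and the uglier subdirectory layout (a subdirectory of /usr/share/tor made persistent, file linked inside it), then applies the check AppArmor effectively performs, namely resolving the symlink and testing whether the resolved path lies under a directory the profile permits. The persistence.conf line format, the allowed-directory list, the directory name `tor-defaults`, and the constructed temporary root standing in for the live filesystem are all assumptions; the bind mount of the persistent subdirectory is stood in for by a file copy because the script runs unprivileged. It needs a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example, not Tails' own code.  Models the two ways of persisting
# tor-service-defaults-torrc described in the mail and checks, for each,
# whether the path Tor would open resolves inside the directories its
# AppArmor profile is assumed to allow.
#
# Assumed (not from the mail or from Tails): the persistence.conf line
# format "<dest><TAB>source=<relative>[,link]", the allowed-directory
# list, the directory name "tor-defaults", and a throwaway root that
# stands in for the live filesystem.
set -u

# Directories assumed readable for Tor under its AppArmor profile.
TOR_ALLOWED="/etc/tor /usr/share/tor /var/lib/tor"

# Build a canonicalised temporary root holding the one file we care
# about plus an empty persistent volume; prints the root path.
setup_sandbox() {
    root=$(readlink -f "$(mktemp -d)")
    mkdir -p "$root/usr/share/tor" \
             "$root/live/persistence/TailsData_unlocked"
    printf 'HiddenServiceDir /var/lib/tor/hs/persistent\n' \
        > "$root/usr/share/tor/tor-service-defaults-torrc"
    printf '%s\n' "$root"
}

# Mimic the AppArmor decision: resolve symlinks, strip the sandbox root,
# and accept only paths under an allowed directory.  Prints "allowed"
# or "denied" and returns 0/1 accordingly.
path_allowed() {
    root=$1; target=$2
    resolved=$(readlink -f "$root$target")
    rel=${resolved#"$root"}
    for dir in $TOR_ALLOWED; do
        case "$rel" in
            "$dir"/*) echo allowed; return 0 ;;
        esac
    done
    echo denied
    return 1
}

# Variant 1, what the mail tried: move the file into its own directory
# on the persistent volume, register it with type "link", and leave a
# symlink at the original path.  The resolved target ends up under
# /live/persistence, which the profile does not cover.
persist_as_link() {
    root=$1; data=$2; file=$3; name=$4
    base=$(basename "$file")
    mkdir -p "$data/$name"
    mv "$root$file" "$data/$name/$base"
    printf '%s\tsource=%s,link\n' "$file" "$name" >> "$data/persistence.conf"
    ln -s "$data/$name/$base" "$root$file"
}

# Variant 2, the uglier workaround from the mail: persist a subdirectory
# of /usr/share/tor as a whole (bind-mounted on a real Tails; copied here
# because this runs unprivileged) and point the defaults file at a file
# inside it.  The resolved target stays under /usr/share/tor.
persist_via_subdir() {
    root=$1; data=$2; file=$3; name=$4
    base=$(basename "$file")
    subdir=$(dirname "$file")/$name
    mkdir -p "$data/$name" "$root$subdir"
    mv "$root$file" "$data/$name/$base"
    printf '%s\tsource=%s\n' "$subdir" "$name" >> "$data/persistence.conf"
    cp "$data/$name/$base" "$root$subdir/$base"   # stand-in for the bind mount
    ln -s "$root$subdir/$base" "$root$file"
}

# Run one variant in a fresh sandbox and print only the verdict.
# Usage: verdict_for persist_as_link | persist_via_subdir
verdict_for() {
    variant=$1
    sb=$(setup_sandbox)
    "$variant" "$sb" "$sb/live/persistence/TailsData_unlocked" \
        /usr/share/tor/tor-service-defaults-torrc tor-defaults
    path_allowed "$sb" /usr/share/tor/tor-service-defaults-torrc || true
    rm -rf "$sb"
}

echo "link type:   $(verdict_for persist_as_link)"
echo "subdir type: $(verdict_for persist_via_subdir)"
```

Run it as `sh persist-check.sh`; the first line reports `denied` and the second `allowed`, which is exactly the asymmetry the mail runs into: AppArmor judges the resolved path, so a symlink whose target lives on the persistent volume is refused, while a bind mount keeps the resolved path inside /usr/share/tor and passes. Neither variant is a clean fix; the script only makes the difference between them visible.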
