From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms1.migadu.com with LMTPS id EPPYAMrzKWY5JgAAe85BDQ:P1 (envelope-from ) for ; Thu, 25 Apr 2024 08:10:18 +0200 Received: from aspmx1.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id EPPYAMrzKWY5JgAAe85BDQ (envelope-from ) for ; Thu, 25 Apr 2024 08:10:18 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=Uow+LPIM; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1714025417; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=xLoy07RoOG9L3ZoODsULAyMnq+UKYHAcZoW9IoD8TMM=; b=SvXS2HWj57vQhVCePdCRQ1a74zLT7JSsaTIN5yKufV+QHVTwu5lL+3lgwPI8Gv5Gr68K6Q wSTITcfvJs0ngnVp9lzeBsjdzmcuujvaQyIMlAc8BotlWYRN7taO4NMJL2/iM9leUUcovi g+aX3LsgvMHm/Gkuo1/z6R1aoRpqK3gG+LNiNBJaXLHhckaFRGlImZPSu14Mdp6yywALm9 Bcm7N0ApX21nRu9jRdDVMNP4J5OmzxEagJxqKc+HlCUDqxF/RKWealgbVBPaMVZhOmbq/t 6+4wEPo2fYfYW5CaxEhD0L2KHdSV96UBRxIqQT33OduKfilvsIkvooQDuwph2w== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1714025417; a=rsa-sha256; cv=none; b=r/ELwDZ4cishO2/FdCfbYP5ZdCvF38F8KCv8mwOzKd2YZpCC0TTBftfyPZ6GSxiVJVqTz6 fzY76wU9a30/k1Zd9AR9+Gh/0j3lxsOFcaZMdNCc5Fpp/cmhQHOuOIiteb9AN/ZXYMX4HH Md8R4GEjJJWmkWo/6YViXw95WAwNeXGOB9fQjmLn7+yjolc+M2YTdC/bDr2t0NrZssDO7O 2FOpgnwV7lycZuDOKjmnkSc/Q9Sd5wXbi+ck1C6d4zqtF1lMtKqC2qHPNF/6kH9Yy8iwur YG8ebZPSe0Sf7fI8RaFegwz5SCNT+QBIHOG3cTyYvaR3MPPUIW6Y52C4Om2aKA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=Uow+LPIM; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id AAF0B156BB for ; Thu, 25 Apr 2024 08:10:17 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rzsIu-0007wb-Ss; Thu, 25 Apr 2024 02:09:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rzsIk-0007wA-Cu for guix-patches@gnu.org; Thu, 25 Apr 2024 02:09:49 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rzsIj-0000SG-6c for guix-patches@gnu.org; Thu, 25 Apr 2024 02:09:46 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1rzsJ0-0004Jf-Hf for guix-patches@gnu.org; Thu, 25 Apr 2024 02:10:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#70341] [PATCH v3] services: tor: Add support for pluggable transports. Resent-From: Nigko Yerden Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 25 Apr 2024 06:10:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70341 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: =?UTF-8?Q?Andr=C3=A9?= Batista Cc: 70341@debbugs.gnu.org Received: via spool by 70341-submit@debbugs.gnu.org id=B70341.171402536516158 (code B ref 70341); Thu, 25 Apr 2024 06:10:02 +0000 Received: (at 70341) by debbugs.gnu.org; 25 Apr 2024 06:09:25 +0000 Received: from localhost ([127.0.0.1]:60394 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rzsIO-0004CW-7B for submit@debbugs.gnu.org; Thu, 25 Apr 2024 02:09:25 -0400 Received: from mail-lj1-x234.google.com ([2a00:1450:4864:20::234]:53556) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rzsII-0004AD-5Q for 70341@debbugs.gnu.org; Thu, 25 Apr 2024 02:09:22 -0400 Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2db13ca0363so7909341fa.3 for <70341@debbugs.gnu.org>; Wed, 24 Apr 2024 23:09:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1714025334; x=1714630134; darn=debbugs.gnu.org; h=content-transfer-encoding:in-reply-to:content-language:from :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=xLoy07RoOG9L3ZoODsULAyMnq+UKYHAcZoW9IoD8TMM=; b=Uow+LPIMzdyVbhe6ggmzsEP/xpRZyWT9nOlVFSb4V957aUl8sxlg3borukUc17f2S4 dkv8x2GJDeXBb8TjtHnEwQPsSte+Bbv1BPSa6Bek/g+G2OI3SLrBZcUxGz/x96Usifd8 Ejcv79Fxi9EO3DoLZoi6frl6aANckYshEObO3lndDHsxf5om2+i3X8IbLIly9Ajtu2Qf CSN7c59oKpGkF+Ey49NyEpDAbTu/dZCxlCsXB0vbtU4zj3ky6ImPvHVK8KhAbIFZcxba KW4TnRFWunBnuflcbXv0Grly5hNV0r3YNzvT3HU9GjANwlfcMfWFLW6CGZs+8Cc7nimK rwUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714025334; x=1714630134; h=content-transfer-encoding:in-reply-to:content-language:from :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=xLoy07RoOG9L3ZoODsULAyMnq+UKYHAcZoW9IoD8TMM=; b=Nne9aA9cfoHqSveuZqFfnhIDhpWWQV6dP1UO6pWuFn2i47WhI3U/u4dyWH4/TEZ/Wc gppZEwtLwJXXQ6vsBnLkD+Qz4CsbX83ab/bKhVdajDcxoCndr/JZzG1HLaX+DxfHUry/ hmNl74KXx/yXahj4z4uz752v8pfA9feqU5V2db5dYCeTs1m4ISGjk9cLP/sFogHZboVV zSBFqDsMd2VxDgpRBzM3v8eRoc1XCBQ9Q5fgzhDOaTL/0hAncHqKPIzYyGw6pQR2pwmK v2OMu+LwMThxpTt4GaGlyngZZHhWmPDU9wnF5Z/dw40BpnTAy0kckNU/hanXtJoXhCcn Lfzw== X-Gm-Message-State: AOJu0Yww4FNvfeRWPPgbaXHLaVA79lSXIAIgR7LF0dZCYII2Zrx05koQ 84h06eEBVyi1uIQX2d+dlO/+lNc8OpAJyCUd7s7Pmi23W4V2Y11g X-Google-Smtp-Source: AGHT+IG8ZGLJivVr4/VglHSciaE+B/Pb/x6/wQB0TlqlftvBm7S4/qziZ1AzOxqc0LMFKm8H2z6Igw== X-Received: by 2002:a2e:a587:0:b0:2dd:7938:ed2f with SMTP id m7-20020a2ea587000000b002dd7938ed2fmr4521791ljp.19.1714025333996; Wed, 24 Apr 2024 23:08:53 -0700 (PDT) Received: from [127.0.0.1] ([212.75.155.102]) by smtp.gmail.com with ESMTPSA id j25-20020a2e6e19000000b002dd7615e1f7sm1189832ljc.95.2024.04.24.23.08.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 24 Apr 2024 23:08:53 -0700 (PDT) Message-ID: Date: Thu, 25 Apr 2024 11:08:52 +0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird References: <11e72216f4be8b6559ecc04646fd722daa5dd09d.1712846897.git.nigko.yerden@gmail.com> <3af678c4310a58373fe1e86b84f75a1d37e02295.1713758319.git.nigko.yerden@gmail.com> From: Nigko Yerden Content-Language: en-US In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: 2.62 X-Spam-Score: 2.62 X-Migadu-Queue-Id: AAF0B156BB X-Migadu-Scanner: mx12.migadu.com X-TUID: jh60x02rUQ4i Hi André, Thank you for the feedback! > I can confirm that the tor service is unable to fork-exec a > pluggable-transport and the bootstrap process is halted at its start > when trying to use a system wide bridge + PT. However, this patch > does not seem to address the issue at hand, since it just creates new > tor-service-type configuration options that accomplish the same as > configuring on config-file directly. Have you had success with this? > I had no luck. Yes, I have! This patch not only creates new tor-service-type configuration options but, which is crucial, adds pluggable transport (PT) executable, if provided, to #:mappings argument of the least-authority-wrapper, see 'tor-shepherd-service' chunk. With this patch Tor process gets access to PT plugin and, if bridges are configured via config-file field, Tor starts using obfuscated traffic. > Even if it had succeeded though, I'm not sure if this is the best > approach to it, since it would break guix system configuration, > right? No, the patch does not break any existing tor-service-type configuration. If PT is not used, 'transport-plugin' defaults to '#f', and the Tor works exactly as if there wasn't any patch at all. > How would one know beforehand which binary to point to? One would > first need to install the PT and look to its path on store and then > link to it in a new configuration. And then this link would have to > be manualy updated. Am I missing something here? There is much simpler and convenient way of doing this. If users want to bring PT into action, they may simply write (service tor-service-type (config-file ".... Bridge obfs4 ...") (transport-plugin (file-append PT-PACKAGE "/bin/name-of-executable")) The PT-PACKAGE does not even have to be present in the list of 'operating-system 'packages field, since Guix will find the reference to PT-package and install it automatically. The only thing which should be known beforehand is the "name-of-executable". For 'go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird package it is "lyrebird", while for 'go-github-com-operatorfoundation-obfs4 it is "obfs4proxy". It is unlikely that these names will change with upgrades. > Finally, next time, try to keep the issue to a single thread. I'm > replying to #70332 and #70302 just for reference, but let's keep to > #70341 going forward. Sorry about that! I have tried not to create new bug issue but was unsuccessful. Perhaps I shouldn't have touched the email heading. Regards, Nigko André Batista wrote: > Hi Nigko, > > seg 22 abr 2024 às 08:58:39 (1713787119), nigko.yerden@gmail.com > enviou: >> Pluggable transports are programs that disguise Tor traffic, which >> can be useful in case Tor is censored. Pluggable transports cannot >> be configured by #:config-file file exclusively because Tor process >> is run via 'least-authority-wrapper' and cannot have access to >> transport plugin, which is a separate executable (Bug#70302, >> Bug#70332). > > I can confirm that the tor service is unable to fork-exec a > pluggable-transport and the bootstrap process is halted at its start > when trying to use a system wide bridge + PT. However, this patch > does not seem to address the issue at hand, since it just creates new > tor-service-type configuration options that accomplish the same as > configuring on config-file directly. Have you had success with this? > I had no luck. > > More comments bellow. > >> * doc/guix.texi (Networking Services): Document 'transport-plugin' >> and 'pluggable-transport' options for 'tor-configuration'. * >> gnu/services/networking.scm: Export >> 'tor-configuration-transport-plugin-path', >> 'tor-configuration-pluggable-transport'. (): Add >> 'transport-plugin' and 'pluggable-transport' fields. >> (tor-configuration->torrc)[transport-plugin]: Add content to >> 'torrc' computed-file. (tor-shepherd-service)[transport-plugin]: >> Add file-system-mapping. >> >> Change-Id: I64e7632729287ea0ab27818bb7322fddae43de48 --- >> doc/guix.texi | 11 ++++++++ >> gnu/services/networking.scm | 54 >> ++++++++++++++++++++++++++----------- 2 files changed, 49 >> insertions(+), 16 deletions(-) >> >> diff --git a/doc/guix.texi b/doc/guix.texi index >> 65af136e61..eb0837860e 100644 --- a/doc/guix.texi +++ >> b/doc/guix.texi @@ -127,6 +127,7 @@ Copyright @copyright{} 2024 >> Herman Rimm@* Copyright @copyright{} 2024 Matthew Trzcinski@* >> Copyright @copyright{} 2024 Richard Sent@* +Copyright @copyright{} >> 2024 Nigko Yerden@* >> >> Permission is granted to copy, distribute and/or modify this >> document under the terms of the GNU Free Documentation License, >> Version 1.3 or @@ -21849,6 +21850,16 @@ Networking Services >> @file{/var/run/tor/control-sock}, which will be made writable by >> members of the @code{tor} group. >> >> +@item @code{transport-plugin} (default: @code{#f}) +This must be >> either @code{#f} or a ``file-like'' object pointing to the >> +pluggable transport plugin executable. In the latter case the >> +@code{#:config-file} file should contain line(s) configuring +one >> or more bridges. + +@item @code{pluggable-transport} (default: >> @code{"obfs4"}) +A string that specifies the type of the pluggable >> transport in +case @code{#:transport-plugin} is not @code{#f}. + >> @end table @end deftp >> >> diff --git a/gnu/services/networking.scm >> b/gnu/services/networking.scm index 8e64e529ab..6e535ea8ef 100644 >> --- a/gnu/services/networking.scm +++ >> b/gnu/services/networking.scm @@ -22,6 +22,7 @@ ;;; Copyright © >> 2023 Declan Tsien ;;; Copyright © 2023 >> Bruno Victal ;;; Copyright © 2023 muradm >> +;;; Copyright © 2024 Nigko Yerden >> ;;; ;;; This file is part of GNU Guix. >> ;;; @@ -159,6 +160,8 @@ (define-module (gnu services networking) >> tor-configuration-hidden-services >> tor-configuration-socks-socket-type >> tor-configuration-control-socket-path + >> tor-configuration-transport-plugin-path + >> tor-configuration-pluggable-transport >> tor-onion-service-configuration tor-onion-service-configuration? >> tor-onion-service-configuration-name @@ -955,7 +958,11 @@ >> (define-record-type* (socks-socket-type >> tor-configuration-socks-socket-type ; 'tcp or 'unix (default >> 'tcp)) (control-socket? tor-configuration-control-socket-path - >> (default #f))) + (default #f)) + >> (transport-plugin tor-configuration-transport-plugin-path + >> (default #f)) + (pluggable-transport >> tor-configuration-pluggable-transport + (default >> "obfs4"))) >> >> (define %tor-accounts ;; User account and groups for Tor. @@ -988,7 >> +995,8 @@ (define-configuration/no-serialization >> tor-onion-service-configuration (define (tor-configuration->torrc >> config) "Return a 'torrc' file for CONFIG." (match-record config >> - (tor config-file hidden-services >> socks-socket-type control-socket?) + (tor config-file >> hidden-services socks-socket-type control-socket? + >> transport-plugin pluggable-transport) (computed-file "torrc" >> (with-imported-modules '((guix build utils)) @@ -1027,6 +1035,13 @@ >> (define (tor-configuration->torrc config) (cons name mapping))) >> hidden-services)) >> >> + (when #$transport-plugin + (format >> port "\ +UseBridges 1 +ClientTransportPlugin ~a exec ~a~%" + >> #$pluggable-transport + >> #$transport-plugin)) + (display "\ ### End of automatically >> generated lines.\n\n" port) > > Even if it had succeded though, I'm not sure if this is the best > approach to it, since it would break guix system configuration, > right? How would one know beforehand which binary to point to? One > would first need to install the PT and look to its path on store and > then link to it in a new configuration. And then this link would have > to be manualy updated. Am I missing something here? > > Finally, next time, try to keep the issue to a single thread. I'm > replying to #70332 and #70302 just for reference, but let's keep to > #70341 going forward. > > Cheers!