i saw some support pages on the wiki mentioning AlpineLinux, its a small lightweight linux distribution with some nice security features (grsecurity/PaX in default kernel + most/all packages have PIC) so i thought i would give it a try.
I actually wanted to see/test two things:
- how easy is it to replace the Whonix-Gateway with a non-standard Distribution i.e. testing portability of “anon distribution”/Whonix.
- what are the downsides/upsides of “minimalistic distributions”
i am happy to report that i now have an up and running Whonix-Gateway based on a minimal alpinelinux image.
First of all, Whonix/anon-gw is VERY EASY to port, big respect to the Whonix-Devs … i had alpinelinux running as a tor gateway in less then 4 hours. For semi-full functionality (including sdwdate and cpfpd) i needed about a day. Thats much better then i’ve ever expected .
So whats working actually/whats not working:
- full tor proxy/gateway functionality (did some leaktests, looked good but obviously not 100% tested);
- cpfpd works fine
- sdwdate - runs nicely now but needed some bug hunting
- Whonix-firewall: worked out of the box
- uwt: NOT WORKING, calls to dpkg and stuff, didn’t looked into it as i dont need it on the gateway anyway. For update functionality via apk i use torsocks which is fine for me.
- Whonix-setup: NOT WORKING, to be honest, didn’t looked into it but probably needs a lot of work.
- no GUI/X11: thats intentional
- No AppArmor - intentional, i will try to use the grsecuritys RBAC System
- Gateway now uses ~80M ram & <800MB disk space; only 6 services running (syslogd, klogd, acpid, tor, cpfpd, sdwdate)
In the interest of Whonix hacking i will give a short (generic) overview of what i did to port the Whonix-Gateway functionality to another Linux distribution:
- Checked anon-meta-packages and installed most available packages via apk
- Checked out/cloned all whonix-gw*, anon-gw*, sdwdate, some of the “shared” and cpfp-python github-repos
- copied most files from the repos to their locations in the file-system; i didn’t copy debian specifics (systemd, apparmor …)
- Then i looked into every cloned repo, checked the debian/control+post-install and added dependencies/user/groups/dir/chmods/chowns according to the scripts
- Test every package -> fix -> repeat - usually undocumented dependencies, hardcoded pathes, calls to debian specifics and a lot of problems with the fact that alpine uses busybox and busybox doesn’t like a LOT of command line switches for common shell utils.
Some Problems i ran into with alpinelinux-as-a-whonix-gw:
- TOR: Biggest problem in the beginning was Tor not accepting TransPort/TransListenAddress. The package alpine ships is actually the newest tor version. However, and i didn’t realize this until i failed multiple times to compile tor in a way so it would work, you need to have iptables-dev installed (and maybe you have to do ./configure --enable-transparent) to be able to compile tor with TransPort/TransListenAddress support. I will probably open a ticket with AlpineLinux for this problem.
- SDWDATE: to get it up and running was not the hard problem (some permission problems). I also had to fix some of the anon-helper-scripts sdwdate calls to check if tor is up&running. Biggest problem however was a very sneaky bug(?) of python-locale that only occurs if called from init/during boot. To pinpoint the problem i had to write a small python “init script” that basically does the same as guimessages-translations.py only with lot of debug printings :). I realized that locale.getdefaultlocale() fails at this point during boot. To be precise, i guess it returns an empty(?) tuple and therefore the .split method translations.py is trying to call is not defined. As i do not require localization support anyway i ended up just commenting out that line - it will fall back to what ever is defined as DEFAULT_LANG inside the translations.py lib file.
- already mentioned, had to fix a lot of shell scripts because busybox builtin tools don’t accept a lot of CLI switches. Next time i’ll just install coreutils
- had to port some systemd services to openrc - not hard, used a skeleton init script (can be VERY simple) and let openrc do the magic
- Some python packages had to be installed via pip because their weren’t any alpinelinux packages. Not a big problem
Things i want to try now:
- Grsecurity/PaX: now that everything is running i think i will try to start grsecurity in learning mode and see if i can come up with some sensible rules.
I hope this can be a starting point in experimenting a little bit with other linux flavors as “Anon-Distribution”. I think when it comes to security features (apparmor, firejail, grsec …) a small lightweight distribution would be much easier to handle. If we only have to contain six running services any kind of policy creation will be much easier to do. On the other hand, usability is my main concern with my approach. I mean beside the fact that currently some whonix usability functions aren’t working in my setup (these could be ported) a minimal image will always lack certain ease-of-use features important to people coming from a non-linux OS. Maybe at some point in the future the Gateway could be something “the user doesn’t need to look at anyway”.
If anyone is interested in what i did precisely, feel free to ask. If anyone wants to give it a try i could upload the VirtualBox Image somewhere or post the installed package list / pip list so you don’t have to do it all by yourself.