onion-grater downstream support - multi parsing directories and multi matches
Introduction
Greetings.
Vocab: profile = rules file *.yml
I want to use onion-grater on downstream.
Downstream has a different usage than Tails and I want to patch without breaking Tails usage. I can do this by myself so no need to worry. Just wanted to know if this could be accepted upstream (Tails).
Also, I'm open to discussion and evaluation about the methods used.
Following Tails principles https://tails.boum.org/contribute/how/code/#index1h2:
When we need a feature that no software provides yet, we tend to pick the best existing tool, and do whatever is needed to get the needed feature upstream... which sometimes implies to write a patch ourselves.
Onion-grater is the best existing tool and I plan to patch upstream (Tails) without modifying Tails usage, meaning that the systemd onion-grater.service stays the same, Tails does not need to specify any command line option different from what it has already been doing, and no Tails modification is needed, just an onion-grater modification for downstream support.
Allow multiple matches
Via option parsing, of course, so as not to modify Tails usage, but usable by downstream projects.
One different use case, for example, is that multiple profiles may match, conflicting with current onion-grater, where multiple matches are not allowed. Because of this, I want to implement an option --allow-multiple-matches, and that option value would be evaluated in the if statement to skip the RuntimeError.
This is especially important for tor daemon separation, where users and exe-path can't be used because the user applications are running on a different machine than tor is. Also, hosts: '*' is used by default because it would be troublesome to set a default per host instead of for all hosts. This option would be ok on downstream, such as Whonix. I understand the implications of this, but it doesn't apply the same way on Tails, as Tails always sets user, hosts (netns) and apparmor-profile, and thus it is not possible to have multiple matches by default.
Also, because multiple profiles may match and onion-grater stops at the first match, it makes sense to sort the matched files in reverse and stop at the first match; this means that if Z_example.yml matches, it will stop there instead of stopping at A_example.yml if it also matches. This follows the same pattern as tor, which sorts the files lexicographically, but as onion-grater stops at index 0, the files need to be sorted in reverse.
Allow parsing alternative directories
Currently onion-grater is hardcoded to /etc/onion-grater.d, but other functionality such as listening interface, port and cookie are not hardcoded. I'd like to add an option that defaults to the Tails dir /etc/onion-grater.d but also allows overriding that default by specifying any --parse-dir DIR option, and even multiple directories via action='append' for the add_argument.
This is valuable to help test onion-grater configurations without applying them to any request, for example using /etc/onion-grater.d and/or /usr/local/etc/onion-grater.d, i.e. a list such as ['/etc/onion-grater.d', '/usr/local/etc/onion-grater.d'].
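As an added illustration (not code from onion-grater, Tails, or this issue's author), a Python sketch of the three proposed behaviours: --parse-dir with action='append' defaulting to /etc/onion-grater.d, per-directory reverse lexicographic ordering of *.yml profiles, and --allow-multiple-matches gating the RuntimeError. The profile dict layout, the simplified user/host matcher, the precedence of earlier --parse-dir directories, and the empty stand-in profile files are all constructed assumptions for the demo.

```python
import argparse
import glob
import os
import tempfile

DEFAULT_PROFILE_DIR = "/etc/onion-grater.d"  # Tails' existing, currently hardcoded location


def parse_args(argv):
    parser = argparse.ArgumentParser(prog="onion-grater")
    # action='append' lets --parse-dir be repeated; omitting it keeps Tails' default unchanged.
    parser.add_argument("--parse-dir", action="append", dest="parse_dirs", metavar="DIR")
    parser.add_argument("--allow-multiple-matches", action="store_true")
    args = parser.parse_args(argv)
    args.parse_dirs = args.parse_dirs or [DEFAULT_PROFILE_DIR]
    return args


def list_profiles(parse_dirs):
    """*.yml paths, reverse-sorted per directory so Z_*.yml is tried before A_*.yml.
    Assumption: directories keep their command-line order, so earlier ones take precedence."""
    paths = []
    for directory in parse_dirs:
        paths.extend(sorted(glob.glob(os.path.join(directory, "*.yml")), reverse=True))
    return paths


def profile_matches(profile, user, host):
    """Simplified stand-in for the real matcher: a '*' entry or an exact entry matches."""
    def ok(field, value):
        allowed = profile.get(field, [])
        return "*" in allowed or value in allowed
    return ok("users", user) and ok("hosts", host)


def select_profile(profiles, user, host, allow_multiple_matches=False):
    """profiles: list of (path, rules) in precedence order. First match wins; without
    --allow-multiple-matches a second match is an error, as in current onion-grater."""
    matches = [(path, rules) for path, rules in profiles if profile_matches(rules, user, host)]
    if not matches:
        return None
    if len(matches) > 1 and not allow_multiple_matches:
        raise RuntimeError("multiple profiles match: " + ", ".join(p for p, _ in matches))
    return matches[0]


def demo():
    """Constructed scenario: two profiles with users/hosts '*' (tor on another machine)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("A_example.yml", "Z_example.yml"):
            open(os.path.join(tmp, name), "w").close()  # empty files stand in for real rules
        args = parse_args(["--parse-dir", tmp, "--allow-multiple-matches"])
        rules = {"users": ["*"], "hosts": ["*"]}  # stands in for the parsed YAML of each file
        profiles = [(path, rules) for path in list_profiles(args.parse_dirs)]
        chosen = select_profile(profiles, "user", "10.0.0.2", args.allow_multiple_matches)
        return os.path.basename(chosen[0])  # "Z_example.yml"
```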