From 8aab4cf1aae51ffa18b8fa3ca98b89aa7840263c Mon Sep 17 00:00:00 2001
From: 3np <3np@example.com>
Date: Sat, 22 Mar 2025 21:41:56 +0000
Subject: [PATCH 1/2] block tinyproxy requests to 127.0.0.1 migrates existing qubes-whonix-specific tinyproxy filter from qubes-core-agent-linux to qubes-whonix. note that this is not a security measure as requests to other loopback addresses are still allowed. this filter is an accommodation for whonix torification detection. https://github.com/QubesOS/qubes-issues/issues/1482
---
 usr/lib/qubes-whonix/tinyproxy-config-patch | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/usr/lib/qubes-whonix/tinyproxy-config-patch b/usr/lib/qubes-whonix/tinyproxy-config-patch
index 6c98638..9a6ee48 100755
--- a/usr/lib/qubes-whonix/tinyproxy-config-patch
+++ b/usr/lib/qubes-whonix/tinyproxy-config-patch
@@ -26,4 +26,6 @@ append-once /etc/tinyproxy/tinyproxy-updates.conf "## BEGIN: auto-generated conf
 append-once /etc/tinyproxy/tinyproxy-updates.conf "Upstream socks5 127.0.0.1:9104"
 append-once /etc/tinyproxy/tinyproxy-updates.conf "## END: auto-generated configuration by $0"
+append-once /etc/tinyproxy/updates-blacklist "127.0.0.1"
+
 true "$0: END"
From 06bf5a06436dce9e598877ce25205b76d2959b9c Mon Sep 17 00:00:00 2001
From: 3np <3np@example.com>
Date: Sat, 22 Mar 2025 23:23:44 +0000
Subject: [PATCH 2/2] add /etc/tinyproxy/updates-blocklist replacing /etc/tinyproxy/updates-blacklist identical from qubes-core-agent-linux
---
 etc/tinyproxy/updates-blocklist | 2 ++
 usr/lib/qubes-whonix/tinyproxy-config-patch | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 etc/tinyproxy/updates-blocklist
diff --git a/etc/tinyproxy/updates-blocklist b/etc/tinyproxy/updates-blocklist
new file mode 100644
index 0000000..f79e43a
--- /dev/null
+++ b/etc/tinyproxy/updates-blocklist
@@ -0,0 +1,2 @@
+10.137.255.254
+127.0.0.1
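Review bot: Both entries added to `etc/tinyproxy/updates-blocklist` are read by tinyproxy as regular expressions (POSIX basic unless `FilterExtended` is set), so the unescaped dots match any character and the unanchored pattern matches anywhere in the host being checked. Writing them as `^10\.137\.255\.254$` and `^127\.0\.0\.1$` keeps the filter to exactly the two literal addresses and avoids rejecting unrelated hostnames that merely contain those digits. The first commit message in this series says the list is an accommodation for Whonix torification detection and not a security measure. That caveat should be recorded where maintainers of this file will see it, for example in the script that installs the `Filter` directive, so the list is not later mistaken for a loopback access control.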
diff --git a/usr/lib/qubes-whonix/tinyproxy-config-patch b/usr/lib/qubes-whonix/tinyproxy-config-patch
index 9a6ee48..ce05f2a 100755
--- a/usr/lib/qubes-whonix/tinyproxy-config-patch
+++ b/usr/lib/qubes-whonix/tinyproxy-config-patch
@@ -23,9 +23,8 @@ true "$0: START"
 #"
 append-once /etc/tinyproxy/tinyproxy-updates.conf "## BEGIN: auto-generated configuration by $0"
+append-once /etc/tinyproxy/tinyproxy-updates.conf "Filter /etc/tinyproxy/updates-blocklist"
 append-once /etc/tinyproxy/tinyproxy-updates.conf "Upstream socks5 127.0.0.1:9104"
 append-once /etc/tinyproxy/tinyproxy-updates.conf "## END: auto-generated configuration by $0"
-append-once /etc/tinyproxy/updates-blacklist "127.0.0.1"
-
 true "$0: END"
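Review bot: The added `Filter /etc/tinyproxy/updates-blocklist` line only rejects the listed hosts while the effective configuration leaves `FilterDefaultDeny` off; with it on, tinyproxy treats the same file as an allowlist. The script depends on the rest of tinyproxy-updates.conf, which is not visible here, for that setting. A comment above the new line, such as `## Filter is a blocklist only while FilterDefaultDeny is unset/No`, would make the dependency explicit. `append-once` is defined outside this hunk; if it appends only when the exact line is missing, then on a system that already has the BEGIN/Upstream/END lines the directive will land after the END marker rather than inside the generated block. The `/etc/tinyproxy/updates-blacklist` file written by the previous revision also stays on disk, so it is worth stating in a comment or the changelog that it is no longer referenced.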