Users can benefit from security-misc inside of Qubes-Whonix by replacing passwordless root with a dom0 prompt[1], causing only few issues.
Further hardening is possible by completely denying any sudo attempts inside of anon-whonix and sys-whonix.
Reduce Kernel Information Leaks
No issues encountered inside of anon-whonix.
Breaks networking of any vm connected to sys-whonix.
- Same tinyproxy message inside of sys-whonix as in this issue: https://github.com/QubesOS/qubes-issues/issues/8606
- Could be related, didn't investigate further: https://github.com/QubesOS/qubes-issues/issues/8610
SUID Disabler and Permission Hardener
Works perfectly fine inside of anon-whonix and sys-whonix.
hidepid
No issues inside of anon-whonix.
Breaks anon-connection-wizard inside of sys-whonix, the following log trace is produced when attempting to connect to tor via anon-connection-wizard.
tor_status was called.
tor_status status: tor_disabled
ERROR: pkexec /usr/libexec/anon-gw-anonymizer-config/tor-config-sane Exit Code: 127
torrc_file_path: /usr/local/etc/torrc.d/40_tor_control_panel.conf
ACW: executing: pkexec /usr/libexec/anon-connection-wizard/acw-write-torrc /tmp/tmpby2795nq
Error checking for authorization com.kicksecure.anon-connection-wizard.acw-write-torrc: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file ?/proc/2538/status?: No such file or directory
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py", line 1273, in next_button_clicked
subprocess.check_call(command)
File "/usr/lib/python3.11/subprocess.py", line 413, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['pkexec', '/usr/libexec/anon-connection-wizard/acw-write-torrc', '/tmp/tmpby2795nq']' returned non-zero exit status 127.
zsh: IOT instruction (core dumped) anon-connection-wizard
- Temporary workaround: Connect to tor first, then enable proc-hidepid.service inside of sys-whonix template.
Remount Secure
Enabling via grub has no effect, have to create simple remount-secure.service as temporary workaround.
[Unit]
[Service]
Type=oneshot
ExecStart=remount-secure 3
[Install]
WantedBy=multi-user.target
Any level with noexec flag breaks updates in template via salt - still able to update manually inside template via terminal.
Traceback (most recent call last):
File "/usr/bin/qubes-vmexec", line 5, in <module>
sys.exit(main())
^^^^^^
File "/usr/lib/python3/dist-packages/qubesagent/vmexec.py", line 55, in main
os.execvp(command[0], command)
File "<frozen os>", line 574, in execvp
File "<frozen os>", line 597, in _execvpe
PermissionError: [Errno 13] Permission denied
- Didn't investigate further, but the issue is obvious - noexec blocking something relevant from executing.
Virtualization check error when running commands like qvm-copy-to-vm to vm with noexec level enabled.
qvm-copy-to-vm anon-whonix example-file
Failed to check for virtualization: Permission denied
- Same issue as before, just this time without any log trace.
Breaks bind dirs such as /var/lib/tor by remounting /var, causing tor guard nodes to rotate on each sys-whonix boot.
- Temporary workaround: Edit remount-secure and disable mounting of /var by running sudoedit /usr/bin/remount-secure and commenting out _var inside of main.
This is me documenting my experiments, I am using security-misc inside of Qubes-Whonix with band-aid fixes stated above with no issues.
I understand that Qubes OS does not believe in restricting root for security, but security-misc is useful against non-sophisticated malware and remount-secure could be expanded by optionally mounting more dirs as tmpfs to go easier on disk.
I am willing to make and contribute full patches for listed issues, just need heads up about security-misc future for Qubes-Whonix.
[1] https://forum.qubes-os.org/t/replacing-passwordless-root-with-a-dom0-prompt/19074/
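
An added diagnostic sketch for the noexec and hidepid breakage described in this post (not part of the original post, and not security-misc or Qubes code): it reads a mounts table in /proc/self/mounts format and reports whether paths from the traces above sit on a noexec mount and which hidepid value /proc carries. The sample table is constructed and the function names are hypothetical.

```shell
# Constructed sample in /proc/self/mounts format (not captured from a real VM).
sample_mounts() {
cat <<'EOF'
/dev/mapper/dmroot / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible 0 0
/dev/xvdb /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/xvdb /usr/local ext4 rw,relatime 0 0
/dev/mapper/dmroot /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/xvdb /var/lib/tor ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Print the options of the mount holding PATH: longest mount-point prefix wins,
# and for identical mount points the last line wins. Shadowed mounts and
# octal-escaped mount points are not resolved; findmnt -T is authoritative live.
mount_opts() {  # mount_opts PATH [MOUNTS_FILE]
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/self/mounts}"
}

has_flag() {  # has_flag FLAG PATH [MOUNTS_FILE]
    case ",$(mount_opts "$2" "$3")," in *",$1,"*) return 0 ;; esac
    return 1
}

hidepid_value() {  # prints the hidepid setting of /proc ("2" or "invisible"), else "off"
    mount_opts /proc "$1" | tr ',' '\n' | sed -n 's/^hidepid=//p' | grep . || echo off
}

report() {  # report MOUNTS_FILE PATH...
    f=$1; shift
    for p in "$@"; do
        if has_flag noexec "$p" "$f"; then echo "$p: noexec (execve fails with EACCES)"
        else echo "$p: exec allowed"; fi
    done
    echo "/proc hidepid: $(hidepid_value "$f")"
}

# Demo on the constructed table; pass /proc/self/mounts to check a running VM.
t=$(mktemp); sample_mounts > "$t"
report "$t" /usr/bin/qubes-vmexec /usr/libexec/anon-connection-wizard/acw-write-torrc /tmp/tmpby2795nq
rm -f "$t"
```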