Disable qrexec between Whonix and non-Whonix VMs

kurdubirdo · October 1, 2022, 1:16am

I recently made a stuff up and copy pasted from anon-whonix into a debian-11 VM. It got me thinking, why the hell is Qubes RPC even allowed between Whonix and non-Whonix VMs?

I added some initial rules to prevent the Filecopy case:
qubes.Filecopy * @tag:anon-vm @tag:anon-vm allow
qubes.Filecopy * @tag:anyvm @tag:anon-vm deny
qubes.Filecopy * @tag:anon-vm @anyvm deny
qubes.Filecopy * @tag:anon-vm @tag:whonix-updatevm allow
qubes.Filecopy * @anyvm @tag:whonix-updatevm deny

I am not certain this covers every case but it is a good enough start.

I then got to thinking, I don’t really want ANY Qubes RPC touching my whonix vms other than what is absolutely necessary. I guess this includes anything initiated by dom0 and the sdwdate GUI stuff. Coming up with the appropriate rules for this isn’t exactly straightforward without intricate knowledge of Qubes and Whonix. Is this something that has been looked into? If not, why not?

nyxnor · October 1, 2022, 9:12am

Usability
Doesn’t violate proxy rules

What are you trying to accomplish? How does this violate Qubes-Whonix isolation? You still have to authorize with dom0 popup everytime, and Ctrl+Shift+V is made by dom0 to allow pasting from global clipboard to qube.

Only if you find other threads on this forum or qubes forum. Never saw on documentation.

Because protecting against information leaks that only dom0 dialogs and commands can authorize is no protecting against anything?

I am not saying you shouldn’t do it, I just want to see if the points are valid.

nyxnor · October 1, 2022, 9:58am

You could also deny all calls from work except for calls to work-pub:

* * work work-pub allow
* * work * deny

I didn’t test, but from this, you can try:

* * @tag:anon-vm @tag:anon-vm ask
* * @tag:anon-vm * deny

But the second rule might break some things.

[user@dom0 /etc/qubes/policy.d]$ grep -i filecopy *
90-default.policy:qubes.Filecopy          *           @anyvm          @anyvm      ask
grep: include: Is a directory
[user@dom0 /etc/qubes/policy.d]$ grep anon-vm *
80-whonix.policy:whonix.SdwdateStatus +         @tag:anon-gateway @tag:anon-vm      allow  autostart=no notify=no
80-whonix.policy:whonix.NewStatus     *         @tag:anon-vm      @tag:anon-gateway allow  autostart=no
80-whonix.policy:whonix.GatewayCommand +restart @tag:anon-gateway @tag:anon-vm      allow  autostart=no
80-whonix.policy:whonix.GatewayCommand +stop    @tag:anon-gateway @tag:anon-vm      allow  autostart=no
80-whonix.policy:whonix.GatewayCommand +showlog @tag:anon-gateway @tag:anon-vm      allow  autostart=no
90-default.policy:qubes.GetDate           *           @tag:anon-vm    @anyvm      deny

you need to allow those rules also before the deny rule.

Patrick · October 1, 2022, 9:59am

Not that I know.

https://www.whonix.org/wiki/Reporting_Bugs#Community_Feedback