Hardening Qubes-Whonix

Here is a list of all templates (since we have not categorized them):

(You can find such special pages through https://www.whonix.org/wiki/Special:SpecialPages.)

If you like to create any new templates, please just tell me the template page names and I create them.

(Many are general, non-Qubes specific.)

I like the ordering in various difficulties.

Security Guide - Whonix is supposed to contain only items being ‘easy’ and perhaps ‘medium’.

Advanced Security Guide - Whonix is supposed to contain only ‘difficult’ items.

Perhaps Security_Guide needs a face lift? Perhaps remove all non-actionable items? I.t. remove all items that are just knowledge. Move that elsewhere, to where? And then have only ‘easy’ and ‘medium’ difficult actionable items on that page? [Plus links to other actionable items that have a separate page such as grsecurity.]

Thanks!

Works with entr0py’s amended .onion mirror link, as does the canonical method for enabling the Whonix repository. @entr0py does the Tor project .onion mirror belong in the Debian sources file?

See edits above. If this is okay, I will insert it in the security guide somewhere.

Patrick - I agree re: security docs. If entr0py and Ego have the quick-start guide in hand, then I hope to take this on as a mini-project. It is one of the most important sections of the wiki.

My other main interests are getting the Tor sandboxing stuff working (when you have the time) and helping to test and document this, and seeing that GRSEC documentation and testing works in Qubes-Whonix. Most of this will hopefully just be cut and pasting from coldhacka’s blog with the appropriate attribution.

No, if anything, it should get its own torproject.list. I would leave it out of the end-user security guide. Only for testers or paranoid. Testers Wanted! Tor - Stable Upgrades - #5 by Patrick

They do but can just as easily work for other hypervisors by changing a single config option.

For Qubes [Xen] it’s not as simple. ( https://github.com/coldhakca/coldkernel/issues/35 )

Doesn’t work out of the box for VirtualBox either. (Breaks X, guest additions and apparmor.)

So I wonder it works with KVM at all.

Another point to add… Due to https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org switch your sys-net and sys-firewall to Debian, if that works for you. [medium difficulty since this can break your networking. I advice to keep the original sys-net and sys-firewall Fedora based. Just in case. So you can switch back. And have a separate sys-net-debian as well as sys-firewall-debian.]

VBox is an out of tree module and things with dkms are very flaky.

Working here but thats not much consolation and I won’t pretend to know whats wrong in Xen’s case.

Good call. I have tested this and it works (Debian sys-net and firewall).

The side benefit is you can defer to .onions also in the debian-8 templateVM, meaning the whole system is onionized, except for Qubes mirrors currently (with the .onion project underway).

I realize another addition to the list is putting any clear-net browsing (Firefox in Debian AppVM) in a firejail sandbox. Firejail is available from Jessie backports and seems to work well.

The only question is (I know you have a huge firejail thread going on elsewhere), how does one edit the qubes desktop file to run not just plain FF, but the command “firejail firefox” in the executable line? I have located the .desktop file, but wasn’t sure. Is some kind of symbolic link required or “” somewhere? Just throwing in “firejail firefox” there doesn’t work.

re Qubes dom0 desktop files edit for firejail support:

Don’t. Really. Unless of course there is really no other way around. dom0 should not be involved at all. That should be purely up to the VM templates. Qubes dom0 start menu is capable to extract the full exec line. For example whonix-irc-chat-support.desktop uses hexchat --url ircs://irc.oftc.net:9999/#Whonix. The only place where this is configured is inside the template.

The question is: “How to firejailify an application without requiring the user manually typing firejail into the console.”

Or a wider question: "How to automatically prepend commands (such as firejail before applications (such as firefox).

Has been (partially*) discussed here:
https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment

(* I’d have to re-read first to know.)

Hi

According to this: Dev/Firejail - Kicksecure

A short term workaround until the proposed upstreaming of start-tor-browser [4] happens: is to append Firejail to all launcher commands under: /usr/share/applications. Reasoning: TBB folder not visible to users. For a user to accidentally execute Tor Browser without protection, they have to go out of their way to find and launch the start-tor-browser script in the hidden TBB folder. In TBB’s use-model we don’t have to worry about command line users because TBB is a GUI app first and foremost. Visual indicators further help warn against accidental execution in the unlikely event it happens. If they use command line the might as well put Firejail before the script name. This solution is tested and working and survives TBB upgrades.

So, I imagined this would mean:

1) In Qubes-Whonix, we would edit the relevant file in the Debian-8 TemplateVM

/usr/share/applications/firefox-esr.desktop

2) Prepend the firefox executable in the following line with “firejail”

Exec=/usr/lib/firefox-esr/firefox-esr %u

→

Exec=/usr/lib/firefox-esr/firejail firefox-esr %u

And hoping for Christmas magic, it would lead to Firefox automatically starting contained, because the Qubes menu entry points to: /usr/share/applications/firefox-esr.desktop

Of course, not that easy. Help?

I’m trying to make this easy for dumb users like me. We need our hands held every step of the way, or we will do something really stupid

Although, I don’t mind running a terminal with “firejail firefox” every time, there must be an easy solution.

torjunkie:

2) Prepend the firefox executable in the following line with
“firejail”

Exec=/usr/lib/firefox-esr/firefox-esr %u

→

Exec=/usr/lib/firefox-esr/firejail firefox-esr %u

Exec=firejail /usr/lib/firefox-esr/firefox-esr %u

Maybe full path to firejail is required as well.

Ha ha ha Dyslexia at its finest. Yep - that works.

What about an entry something like this below? (DebianVM Firefox-ESR tested; Whonix-WS Tor Browser tested) - please point out my many errors, misunderstandings and poor, non-canonical method.

To Do: Non-Qubes-Whonix only - Running Tor Browser in the Alpha Tor Sandbox

[Copy working instructions from sandboxing thread]

Sandboxing Tor Browser and Firefox with Firejail in Qubes-Whonix

Until the alpha Tor Browser sandbox is fully integrated into Qubes-Whonix (experimental instructions are now available for non-Qubes-Whonix), Qubes-Whonix users should strongly consider running instances of the Tor Browser in a restricted environment using the Firejail Security Sandbox.

It must be remembered that the Tor Browser is an untrusted application with a huge attack surface. It is frequently, and successfully, attacked in the wild. Therefore, it makes sense to mitigate the risk of security breaches with a sandboxing approach. According to the Firejail project page:

https://firejail.wordpress.com/

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.

Best of all, Firejail has built-in profiles for a large number of popular Linux programs including: Firefox, Chromium, VLC and Transmission. Sandboxes can be started by simply prefixing your program command with “firejail” in a terminal e.g. “firejail firefox”, “firejail vlc” etc.

Alternatively, a simple work-around in Qubes-Whonix is to edit the relevant .desktop file that launches a process and prepend the executable path with the firejail command.[1][2]

Running Tor Browser in a Firejail Sandbox (tested)

Note: preferably clone your Whonix-Workstation-TemplateVM prior to taking these steps below, as some dependencies will be added.

(1) Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.[3][4]

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref

(2) Paste:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save.

(3) Add Debian Backports to the Debian sources file

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/debian.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/debian.list

Cut and paste the following Debian Backports mirror (choose the http OR .onion mirror):

deb Index of /debian jessie-backports main contrib non-free

OR

deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free

Save and exit.

(4) Update the TemplateVM and Install Firejail from the backports mirror

sudo apt-get update

sudo apt-get -t jessie-backports install firejail

(5) Create a local directory for the Tor Browser desktop file

mkdir -p /home/user/.local/share/applications

(6) Copy the existing Tor Browser desktop file to the local directory

sudo cp /usr/share/applications/janondisttorbrowser.desktop /home/user/.local/share/applications/janondisttorbrowser.desktop

(7) Edit janondisttorbrowser.desktop in an editor with root rights.[5]

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /home/user/.local/share/applications/janondisttorbrowser.desktop

If you are using a terminal-only Whonix, run:

sudo nano /home/user/.local/share/applications/janondisttorbrowser.desktop

(8) Prepend the Exec= line with “firejail”[6]

Exec=firejail torbrowser %u

OR to use the existing Firefox profile with Tor

Exec=firejail --profile=/etc/firejail/firefox.profile torbrowser %u

Save and exit

(9) Populate the newly created folder in the TemplateVM

Note: change the name of the template below if you created a whonix-ws-clone-1 to test this procedure.

While Whonix-Workstation TemplateVM is still running, in dom0 run:

qvm-sync-appmenus whonix-ws

(10) Create a new Whonix-Workstation-AppVM based on your modified template

The Tor Browser entry will now point to the modified janondisttorbrowser.desktop file in the .local directory which is prepended with firejail.

Running Firefox-ESR in a Firejail Sandbox (Qubes Debian-8 Template only; tested)

Note: preferably clone your Debian-8 TemplateVM prior to taking these steps below, as some dependencies will be added.[7]

Repeat the steps above for the Tor Browser entry, EXCEPT:

At steps (6) and (7), edit the following file:

/usr/share/applications/firefox-esr.desktop

At step (9), run in dom0:

qvm-sync-appmenus debian-8

Note: change the name of the template if you cloned it at an earlier step.

Footnotes:

[1] Dev/Firejail - Kicksecure
[2] This process can be repeated with every .desktop application file if desired
[3]Template:Apt-Pinning - Whonix
[4] Apt-Pinning allows the user to mix and match packages from different Debian repos without breaking the base distro
[5] Yawning’s script for Firejail integration with Tor Browser is no longer available at https://git.schwanenlied.me/yawning/tor-firejail/src/master/start-tor-browser
[6] Advanced users can create a custom profile for Tor Browser by following these steps at Building Custom Profiles | Firejail
[7] Users should NOT use Firefox in a Whonix template. It is easily fingerprinted and less secure than Tor Browser

Of course right.

Yes.

Quite possible.

We’re on the same page. Our world view on that topic matches. The reason it’s not already done is lack of time. I am still working on the tickets for Whonix 14. Some of them are incredible hard for me. What Whonix needs is contributions like this.

Can you please use this template?
Template:Apt-Pinning - Whonix

(Unless you see it unfit, then we fix it?)

(((For usage examples of that template: Tools -> What links here)))

Please use Template:Open with root rights - Whonix instead.

Please don’t directly edit that file. That can lead to unexpected results. Next time tb-updater is updated (each time there is a new Tor Browser stable release) that file be overwritten. From then, no more firejail. That’s how Debian [and others] packaging works. There are workarounds for that. One is using dpkg-divert, but not a great one. Can you try please if overwriting the desktop file using /home/user/.local/share/applications works? That would be much better.

This need a warning box stating that one should not run Firefox in Whonix and expect anonymity. Generally, I am open to non-anonymity related security also. But some things may not be confused with each other.

(For that purpose I was wondering to hack Tor Browser that gets more and more hardened and then use it for browsing clearnet. Will probably not be easyly possible since TCP support will be removed from Tor Browser [using SocksSocket only]. Would require recompilation or finding a clever socks to clearnet solution.)

This is great. Thanks!

One thing to note, I was not able to save the the “debian.list” file due to not having write access using “sudo nano /etc/apt/sources.list.d/debian.list”. Had to open dolphin with “sudo dolphin” and edit the file from there. Is there a better way?

Patrick - thanks. I know you are a very busy man. I will use the templates and fix up both the suggested .onion sources entry and Firejail entry in this forum, prior to any wiki editing.

@eujuan1

I should have used the Whonix template for that step (will fix that up). See here:

Open {{{filename}}} in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite {{{filename}}}

If you are using a terminal-only Whonix, run:

sudo nano {{{filename}}}

Does that work okay (kdesudo kwrite)?

I’ve made all your recommended changes (see edited version of suggested .onions mirrors and firejail entries above). The only problem is ->

/home/user/.local/share/applications directory doesn’t exist?

Using the find / -name command, it shows in the Whonix-WS Template VM, the file only exists at:

/usr/share/applications/janondisttorbrowser.desktop

&

/home.orig/user/Desktop/janondisttorbrowser.desktop

Ditto for anon-whonix appVM. Not sure what I’m doing wrong here.

torjunkie:

Not sure what I’m doing wrong here.

Only expecting the file to be already there.

I’ve made all your recommended changes (see edited version of suggested .onions mirrors and firejail entries above). The only problem is →

/home/user/.local/share/applications directory doesn’t exist?

Please try creating the folder.

mkdir -p /home/user/.local/share/applications

Can you try with Non-Qubes-Whonix first or any operating system with a regular start menu if that works first? Otherwise I gotta try this. (First need to understand the usual mechanism before the Qubes mechanism.)

You might also be able to skip that. I guess in Qubes /home/user/.local/share/applications/ folder has to be populated in TemplateVM. And after that - while the TemplateVM is still running - run in dom0.

(whonix-ws vs whonix-ws-clone)

qvm-sync-appmenus whonix-ws

Or perhaps better to learn more.

qvm-sync-appemnus --verbose whonix-ws

Using the find / -name command, it shows in the Whonix-WS Template VM, the file only exists at:

/usr/share/applications/janondisttorbrowser.desktop

This file is owned by tb-updater in a system wide folder.

&

/home.orig/user/Desktop/janondisttorbrowser.desktop

That should be totally unrelated. It’s a desktop shortcut that is only visible in Non-Qubes-Whonix.

/home/user/.local/share/applications/ is a linux user account specific folder. (Not a system wide folder.)

In theory, once /home/user/.local/share/applications/janondisttorbrowser.desktop exists it will be used and /usr/share/applications/janondisttorbrowser.desktop will be ignored by the start menu.

Thanks, works fine.
Really appreciate the help all of you are providing for us technically challenged people.

Thanks Patrick - will try this.

@eujan1

I get taken to school every day on these forums by Patrick et al (see this thread for example). A little knowledge is apparently a dangerous thing.

But, asking the experts explicit questions appears to get working solutions for us mere mortals. Who knew that virtualized, split Tor systems using advanced hypervisors and multiple templates would be so complicated