prevent qubes-updates-proxy.service from possibly modifying Whonix's firewall

Information

ID: 427
PHID: PHID-TASK-g4c26h56hfcbuphn5liv
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description


Do you think the following seems like a sound solution?

/lib/systemd/system/qubes-updates-proxy.service.d/40_qubes-whonix.conf
## This file is part of Whonix.
## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

[Service]

## Clear the 'ExecStartPre' list.
## Prevent loading firewall rules: ExecStartPre=/usr/lib/qubes/iptables-updates-proxy start
ExecStartPre=

## Clear the 'ExecStopPost' list.
## Prevent removing firewall rules: ExecStopPost=/usr/lib/qubes/iptables-updates-proxy stop
ExecStopPost=

## XXX: Workaround.
## Re-adding a required 'ExecStartPre' item.
## Required until qubes-core-agent 3.1.3 hits stable and everyone has
## upgraded, i.e. until /usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
## is in place.
## https://github.com/QubesOS/qubes-issues/issues/1401
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy

Alternatively, I was wondering whether I should rather produce a pull request against QubesOS to either:

  • a) split qubes-updates-proxy into qubes-updates-proxy and qubes-updates-proxy-iptables or,
  • b) allow iptables-updates-proxy to be turned off by /etc/qubes/settings.d

What do you think?
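Added example, not part of the original post and not Whonix or Qubes code: a small Python model of how systemd merges a drop-in into a unit, showing that the empty `ExecStartPre=` and `ExecStopPost=` assignments are what remove the firewall helper. The base unit is constructed from the two command lines the drop-in's comments quote, and `effective_service` and `firewall_hooks` are hypothetical names.

```python
# Constructed base unit: only the directives the drop-in's comments quote,
# not the full unit file shipped by Qubes.
BASE_UNIT = """\
[Service]
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
ExecStartPre=/usr/lib/qubes/iptables-updates-proxy start
ExecStopPost=/usr/lib/qubes/iptables-updates-proxy stop
"""
# The drop-in from the post, with its comments trimmed.
DROP_IN = """\
[Service]
ExecStartPre=
ExecStopPost=
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
"""
HELPER = "/usr/lib/qubes/iptables-updates-proxy"
LIST_KEYS = {"ExecStartPre", "ExecStopPost"}  # the two list settings at issue

def effective_service(*fragments):
    """Merge [Service] list settings from fragments given in load order."""
    merged = {}
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":      # blank line or comment
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = (p.strip() for p in line.partition("="))
            if section != "Service" or not sep or key not in LIST_KEYS:
                continue
            if value:
                merged.setdefault(key, []).append(value)
            else:
                merged[key] = []                 # empty assignment resets the list
    return merged

def firewall_hooks(merged):
    """Return (setting, command) pairs that still invoke the firewall helper."""
    return [(key, cmd) for key, cmds in merged.items() for cmd in cmds
            if cmd.lstrip("-@+!:").split()[:1] == [HELPER]]

if __name__ == "__main__":
    print("base only:   ", firewall_hooks(effective_service(BASE_UNIT)))
    print("with drop-in:", firewall_hooks(effective_service(BASE_UNIT, DROP_IN)))
```

On a live system, `systemctl show qubes-updates-proxy.service -p ExecStartPre -p ExecStopPost` reports the merged values systemd actually uses.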

Comments


Patrick

2015-11-12 15:58:26 UTC


marmarek

2015-11-12 17:21:35 UTC


Patrick

2015-11-12 17:35:50 UTC