preventing Qubes-Whonix updates through clearnet on Qubes R4 / ensuring torified updates

Patrick · December 21, 2017, 4:09pm

root issue:

UpdateVM for templates always defaults to sys-net

opened 07:53AM - 24 Sep 17 UTC

help wanted C: doc T: task r4.0-dom0-stable

#### Qubes OS version (e.g., `R3.2`): R4.0rc1 Testing #### Affected TemplateVM…s (e.g., `fedora-23`, if applicable): Whonix, maybe others --- ### Expected behavior: Be able to select a different UpdateVM to update a template. For example, a whonix gateway to ensure updates run over tor. ### Actual behavior: Template vm defaults to using sys-net. Could potentially leak info on the template vm ### Steps to reproduce the behavior: ### General notes: This setting is irrespective of the global UpdateVM set in Dom0-Qubes Global Settings as well as the NetVM of the Template VM. The setting is set in` /etc/qubes-rpc/policy/qubes.UpdateProxy`: > $type:TemplateVM $default allow,target=sys-net I believe I have pieced together how the update proxy works in 4.0: - The proxy for apt and yum is set to localhost:8082. - This is redirected through systemctl units `qubes-updates-proxy-forwarder.socket` and `qubes-updates-proxy-forwarder@.service` to qrexec - Dom0 uses the above policy to redirect to sys-net - Sys-net includes a tinyproxy listening on localhost:8082 - The Template VM does not (and should not) have a netvm Also note that this only one problem with getting whonix templates to update in 4.0. There are are some changes that I will detail on the whonix site and link here --- #### Related issues:

impact:

Users who clone whonix-gw or whonix-ws, will quite likely either not know they have to edit /etc/qubes-rpc/policy/qubes.UpdateProxy or forget about it.

workaround:

I am not sure what @marmarek will decide wrt UpdateVM for templates always defaults to sys-net · Issue #3118 · QubesOS/qubes-issues · GitHub and when the solution flows into Qubes.

Meanwhile I would like to add a workaround. Please check the implementation.

github.com

Whonix/qubes-whonix/blob/0fd147dcf5db91d678a7e4ac5fa0b1b4eb1a9424/etc/uwt.d/40_qubes.conf

#!/bin/bash

## Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

if [ "$torified_check" = "skip" ]; then
   ## Allow testing this script from command line.
   ## 'return 0 2>/dev/null || true' to exit from `source`ing this script.
   return 0 2>/dev/null || true
   ## 'exit 0' to exit when run from command line.
   exit 0
fi

if [ "$uwtwrapper_parent" == "/usr/bin/apt-get" ] || [ "$uwtwrapper_parent" == "/usr/bin/aptitude-curses" ]; then
   torified_check=true
fi

if [ ! "$torified_check" = "true" ]; then
   return 0 2>/dev/null || true
   exit 0

This file has been truncated. show original

Patrick · December 21, 2017, 4:23pm

Latest /etc/uwt.d/40_qubes.conf (just small changes, refactoring, output).

qubes-whonix/40_qubes.conf at master · Whonix/qubes-whonix · GitHub

Patrick · December 21, 2017, 5:14pm

A safer workaround would be a Qubes-Whonix TemplateVM firewall that block access to Qubes updates proxy.

(qubes-whonix/torified-updates-proxy-check at master · Whonix/qubes-whonix · GitHub would have to run under a special user that may circumvent the firewall.)

Patrick · December 22, 2017, 2:35am

All of this is done. Qubes TemplateVMs whonix-gw and whonix-ws will now use Whonix-Workstation firewall. (whonix-gw template will use it as well since the whonix-gw template is “actually more like a workstation”)

whonix-gw-firewall / whonix-ws-firewall package got merged into a single package whonix-friewall. Tons of commits.

So now even if UpdateVM for templates always defaults to sys-net · Issue #3118 · QubesOS/qubes-issues · GitHub does not get implemented or not so soon, it got much harder to update over clearnet. It is still possible to update over clearnet with manual reconfiguration, and good that this flexibility and freedom exists.

Patrick · December 23, 2017, 1:36pm

Use tag instead of direct name for updatevm setting · marmarek/qubes-mgmt-salt-dom0-virtual-machines@ca27a33 · GitHub
UpdateVM for templates always defaults to sys-net · Issue #3118 · QubesOS/qubes-issues · GitHub