Whonix Wiki Download Docs News Support Tips Issues Contribute DONATE

qrexec policy NewStatus is unclear

grepping new status shows that anon-vm will target anon-gateway.

$ cd /etc/qubes/policy.d
$ grep -R NewStatus
80-whonix.policy:whonix.NewStatus     *         @tag:anon-vm      @tag:anon-gateway allow  autostart=no
80-whonix.policy:whonix.NewStatus     *         @anyvm            @anyvm            deny

But qrexec-policy-graph shows that a Workstation anon-whonix-example that has a separate Gateway sys-whonix-example uses sys-whonix for whonix.NewStatus.

$ qrexec-policy-graph --source anon-whonix-example --target sys-whonix
digraph g {
  "anon-whonix-example" -> "sys-whonix" [label="whonix.NewStatus" color=red];

Is this something that should be added to the Multiple Gw intructions?

1 Like
"sys-whonix" -> "anon-whonix-example" [label="whonix.GatewayCommand" color=red];
"sys-whonix" -> "anon-whonix-example" [label="whonix.SdwdateStatus" color=red];
1 Like

Currently mentioned under



I’ve already done that, but that is in VM.
The dom0 policy should command it.
Any workstation can use any gateway for sdwdate if they wish…

1 Like

Anything that requires manual edits by the user in the VM or in dom0 is a bad design anyhow.

Not sure if the re-design proposal in ⚓ T930 whonix.SdwdateStatus service starts VMs that were killed would fix it.

Various discussions in various tickets such as qrexec autostart=no and new policy format by adrelanos · Pull Request #13 · QubesOS/qubes-core-admin-addon-whonix · GitHub

So this needs probably more work than just more manual dom0 editing documentation.

1 Like

Maybe Qubes should tag Workstations according to gateway, this makes much easier to enforce the policies via @tag:something.

For example, Gateway is created, names sys-whonix-test, receives tag anon-gateway-sys-whonix-test. Every Workstation that assigns the above Gateway to be its NetVM will receive the tag anon-vm-gateway-sys-whonix-test.

Of course the tags should have a better name, but putting the name according to the domain name makes it easier to locate.

Qubes already puts tags anon-vm and anon-gateway when the AppVMs are created anyway.

1 Like

Yes, it still requires editing the policy with the above tag response.

But anyway, I don’t have other idea on how to keep Workstations not connecting to other Gateways via qrexec without dom0 policy.

1 Like

An additional tag perhaps. The existing ones are/might be re-used for other purposes already. Or some other qrexec feature. “Qrexec only to the Net Qube I am connected to.”

In any case, this is too complex. I cannot even foresee when this would happen unless contributed by a volunteer. Would have to be discussed upstream at Qubes.

1 Like

Adding to this, they first have to prohibit a anon-vm to have a NetVM that is not anon-gateway. Then this second part would be closer to foreseeable.

1 Like