qrexec policy NewStatus is unclear

grepping new status shows that anon-vm will target anon-gateway.

$ cd /etc/qubes/policy.d
$ grep -R NewStatus
80-whonix.policy:whonix.NewStatus     *         @tag:anon-vm      @tag:anon-gateway allow  autostart=no
80-whonix.policy:whonix.NewStatus     *         @anyvm            @anyvm            deny

But qrexec-policy-graph shows that a Workstation anon-whonix-example that has a separate Gateway sys-whonix-example uses sys-whonix for whonix.NewStatus.

$ qrexec-policy-graph --source anon-whonix-example --target sys-whonix
digraph g {
  "anon-whonix-example" -> "sys-whonix" [label="whonix.NewStatus" color=red];
}

Is this something that should be added to the Multiple Gw instructions?

1 Like
"sys-whonix" -> "anon-whonix-example" [label="whonix.GatewayCommand" color=red];
"sys-whonix" -> "anon-whonix-example" [label="whonix.SdwdateStatus" color=red];
1 Like

Currently mentioned under

https://www.whonix.org/wiki/Multiple_Whonix-Workstation#How-to:Use_more_than_One_Whonix-Workstation.E2.84.A2_-_Easy

?

I’ve already done that, but that is in VM.
The dom0 policy should command it.
Any workstation can use any gateway for sdwdate if they wish…

1 Like

Anything that requires manual edits by the user in the VM or in dom0 is a bad design anyhow.

Not sure if the re-design proposal in ⚓ T930 whonix.SdwdateStatus service starts VMs that were killed would fix it.

Various discussions in various tickets such as https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/13#issuecomment-1035269706

So this needs probably more work than just more manual dom0 editing documentation.

1 Like

Maybe Qubes should tag Workstations according to gateway; this makes it much easier to enforce the policies via @tag:something.

For example, a Gateway is created, named sys-whonix-test, and receives the tag anon-gateway-sys-whonix-test. Every Workstation that assigns the above Gateway to be its NetVM will receive the tag anon-vm-gateway-sys-whonix-test.

Of course the tags should have a better name, but putting the name according to the domain name makes it easier to locate.

Qubes already puts tags anon-vm and anon-gateway when the AppVMs are created anyway.

1 Like
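To make the two policy outcomes discussed in this thread concrete, here is an added example (not Qubes or Whonix code, and not from anyone in this thread) that evaluates the quoted whonix.NewStatus rules the way qrexec does, first matching rule wins, and then evaluates the per-gateway tag scheme proposed above. It models only the selectors the thread uses (@anyvm, @tag:name, literal qube names) and only allow/deny; the qube inventory, the tag names anon-gateway-<gw> / anon-vm-gateway-<gw>, and the per-gateway policy lines are constructed assumptions.

```python
"""Toy evaluator for Qubes qrexec policy lines: first matching rule wins.

Constructed example, not qrexec-policy itself. Supports only @anyvm, @tag:<name>
and literal names as source/target selectors, and only allow/deny actions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Qube:
    name: str
    tags: set = field(default_factory=set)
    netvm: Optional[str] = None


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    target: str
    action: str
    params: dict


def parse_policy(text):
    """Parse 'service argument source target action [key=value ...]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {line!r}")
        service, argument, source, target, action = fields[:5]
        params = dict(p.split("=", 1) for p in fields[5:])
        rules.append(Rule(service, argument, source, target, action, params))
    return rules


def selector_matches(selector, qube):
    if selector == "@anyvm":
        return True
    if selector.startswith("@tag:"):
        return selector[len("@tag:"):] in qube.tags
    return selector == qube.name


def evaluate(rules, service, source, target):
    """Return the action of the first rule matching (service, source, target)."""
    for rule in rules:
        if rule.service not in (service, "*"):
            continue
        if selector_matches(rule.source, source) and selector_matches(rule.target, target):
            return rule.action
    return "deny"  # no rule matched: qrexec denies by default


def allowed_gateways(rules, service, source, qubes):
    """Names of qubes the source may call `service` on, under these rules."""
    return sorted(q.name for q in qubes
                  if q is not source and evaluate(rules, service, source, q) == "allow")


# The whonix.NewStatus rules quoted from 80-whonix.policy in this thread.
CURRENT_POLICY = """
whonix.NewStatus     *         @tag:anon-vm      @tag:anon-gateway allow  autostart=no
whonix.NewStatus     *         @anyvm            @anyvm            deny
"""

# Constructed inventory: two Gateways, one Workstation attached to each.
QUBES = [
    Qube("sys-whonix", {"anon-gateway"}),
    Qube("sys-whonix-example", {"anon-gateway"}),
    Qube("anon-whonix", {"anon-vm"}, netvm="sys-whonix"),
    Qube("anon-whonix-example", {"anon-vm"}, netvm="sys-whonix-example"),
]


def add_gateway_tags(qubes):
    """Copies of the qubes carrying the per-gateway tags proposed in the thread (assumed names)."""
    tagged = []
    for q in qubes:
        tags = set(q.tags)
        if "anon-gateway" in tags:
            tags.add(f"anon-gateway-{q.name}")
        if "anon-vm" in tags and q.netvm:
            tags.add(f"anon-vm-gateway-{q.netvm}")
        tagged.append(Qube(q.name, tags, q.netvm))
    return tagged


def per_gateway_policy(qubes):
    """Hypothetical policy: one allow rule per Gateway, then the existing catch-all deny."""
    lines = [f"whonix.NewStatus * @tag:anon-vm-gateway-{q.name} @tag:anon-gateway-{q.name} allow autostart=no"
             for q in qubes if "anon-gateway" in q.tags]
    lines.append("whonix.NewStatus * @anyvm @anyvm deny")
    return "\n".join(lines)


def current_allowed(source_name="anon-whonix-example"):
    source = next(q for q in QUBES if q.name == source_name)
    return allowed_gateways(parse_policy(CURRENT_POLICY), "whonix.NewStatus", source, QUBES)


def proposed_allowed(source_name="anon-whonix-example"):
    qubes = add_gateway_tags(QUBES)
    source = next(q for q in qubes if q.name == source_name)
    return allowed_gateways(parse_policy(per_gateway_policy(qubes)), "whonix.NewStatus", source, qubes)


if __name__ == "__main__":
    print("current policy :", current_allowed())   # both gateways, as the graph showed
    print("per-gateway tags:", proposed_allowed())  # only the Workstation's own NetVM
```

The first result reproduces what qrexec-policy-graph reported: with @tag:anon-vm → @tag:anon-gateway, every anon-vm may call whonix.NewStatus on every anon-gateway, so the policy alone does not pin a Workstation to its own Gateway. The second shows why the tag proposal needs both a tag on the Gateway and a matching tag on the Workstation; a policy keyed on the existing anon-vm/anon-gateway tags cannot express "only my NetVM".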

Yes, it still requires editing the policy with the above tag response.

But anyway, I don’t have any other idea on how to keep Workstations from connecting to other Gateways via qrexec without dom0 policy.

1 Like

An additional tag perhaps. The existing ones are/might be re-used for other purposes already. Or some other qrexec feature. “Qrexec only to the Net Qube I am connected to.”

In any case, this is too complex. I cannot even foresee when this would happen unless contributed by a volunteer. Would have to be discussed upstream at Qubes.

1 Like

Adding to this, they first have to prohibit an anon-vm from having a NetVM that is not an anon-gateway. Then this second part would be closer to foreseeable.

1 Like