sdwdate-gui for Qubes. Testers wanted (developers welcome)

For Whonix 14, Qubes users only.

An improved sdwdate-gui for Qubes. A single sys-whonix tray icon get the status of its own sdwdate and the ones running in the living anon vm’s (anon-whonix, anon-something, …, anon-x).

The anon vm’s are registered or unregistered as the are started or shut down.

If one or several anon vm is killed or crashed, it is unregistered and restarted.

In addition, it shows Tor status directly in the tray icon if Tor is not running, in the menu otherwise. If installed, the Tor controller GUI can be run from the menu.

Installation instructions.

In whonix-gw-14:

  • Install the software for building the package

    sudo apt-get install git genmkfile ruby-ronn debhelper buid-essential 
  • Get the package
    To be able to get the package from github, full networking has to be allowed in the template. In whonix-gw-14 --> Qubes Settings --> Networking select sys-whonix instead of (none).
    This setup should be temporary, as it is recommended against allowing networking in Qubes templates.
    Revert to (none) after installation.

    git clone
  • Install the package

    cd sdwdate-gui
    make deb-icup

In whonix-ws-14:

  • Repeat the steps in whonix-gw-14

  • Enable shutdown notifier service

    sudo systemctl enable shutdown-notify

In dom0:

  • Add gateway tag for new policies

    qvm-tags sys-whonix add gateway
  • Add policies for sys-whonix <--> anon-vm communication
    Three files to be added in /etc/qubes-rpc/policy.

    • whonix.GatewayCommand

      $tag:anon-vm $tag:gateway allow
      $anyvm $anyvm deny        
    • whonix.SdwdateStatus

      $tag:anon-vm $tag:gateway allow
      $anyvm $anyvm deny        
    • whonix.NewStatus

      $tag:anon-vm $tag:gateway allow
      $anyvm $anyvm deny  

    In /etc/qubes-rpc/policy

    sudo nano whonix.GatewayCommand

    Write the content. Save with Ctrl + x --> y --> Enter
    Beware that any typo will prevent the setup to work.

Shutdown the templates, restart sys-whonix, start or restart the anon-xxx vm’s.

Could you please git merge origin/master? It contains many auxiliary
fixes which predate sdwdate-gui-qubes.

Then I think I can upload this soon to the testers repository to ease


We are left with the policies in dom0. The gateway tag is not compulsory if it’s replaced by sys-whonix in the policies, but the files have to be installed.

1 Like

Let’s call the tag anon-gateway? gateway alone may be rejected by Qubes as being too unspecific.

Could you please add the tag here?

Dev/Qubes - Whonix


Could you add the policy files here please?
qubes-core-admin/qubes-rpc-policy at master · QubesOS/qubes-core-admin · GitHub

Merged your pull request.

Updated qubes-core-admin-addon-whonix

Added policies in qubes-core-admin. without the .policy extension.

I do not see what I can do in GitHub - QubesOS/qubes-core-agent-linux: Qubes component: core-agent-linux

Or do we need a new qvm-features-request somewhere ?

1 Like

add "anon-gateway" tag · troubadoour/qubes-core-admin-addon-whonix@4bcaa19 · GitHub - this seems wrong, since all of this happens after if 'whonix-ws' in template.features:.

add policies for sdwdate-gui-qubes · troubadoour/qubes-core-admin@a55b8ae · GitHub - this looks good. Could you please also add sys-whonix verbatim? Reason: I guess many people will miss the anon-gateway tag. The problem is, we will invent it after qubes-core-admin-addon-whonix was run for the first time. Or will we delay Whonix 14 until there is a new qubes-core-admin-addon-whonix? By adding sys-whonix verbatim we avoid issues of refused qrexec connections for most users who just use a single sys-whonix. This needs to be explained in the pull request.

I guess we have to invent qvm-features-request whonix-gw=1.

I hope not.

Moved anon-gateway tag before the if whonix-ws block.

Added sys-whonix in policies.

1 Like

Add "anon-gateway" tag, for Whonix-15. · troubadoour/qubes-core-admin-addon-whonix@5111da0 · GitHub - that would result adding the anon-gateway tag to to workstations as well. It needs some if 'whonix-gw' in template.features: above if 'whonix-ws' in template.features: or so.

Policies for sdwdate-gui-qubes. · troubadoour/qubes-core-admin@daca453 · GitHub - looks good. Created a pull request for it.

swdate-gui-qubes depends on tor-control-panel

1 Like

Was merged! :slight_smile:

sdwdate-gui[qubes] in VirtualBox.

Ref: http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/kdesudo-error-popup-window-sdwdate-gui/5642/22?u=troubadour

This is whonix-firewall not coming up. sdwdate-gui creates /usr/lib/qubes/notify-shutdown

In whonix-gateway-firewall line 135, we have:

   if [ -d "/usr/lib/qubes" ]; then
      [ -n "$qubes_vm_type" ] || qubes_vm_type="$(qubesdb-read /qubes-vm-type)"

Command qubesdb-read is unknown in VirtualBox, crashing whonix-firewall.

Recommended dependency tor-control-panel was accidentally removed. Will amend.

1 Like

Oh, what a bug. Another reason to solve Provide a cannoncial way to detect Qubes · Issue #1963 · QubesOS/qubes-issues · GitHub to prevent such very difficult to foreseeable issues.
I’ll think about replacing if [ -d "/usr/lib/qubes" ]; then with something better.

It could be if [ -d "/var/lib/qubes" ];. Seems less prone to be created.

By the way, we are using if [ -d "/usr/lib/qubes" ] in start-maybe, which is most likely why sdwdate-gui does not start in VirtualBox. That is the next debugging step.

1 Like

I think this is best

if command -v "qubesdb-read" >/dev/null 2>&1 ; then

Yes. Just read This looks more robust.

1 Like