sdwdate-gui for Qubes. Testers wanted (developers welcome)

For Whonix 14, Qubes users only.

An improved sdwdate-gui for Qubes. A single sys-whonix tray icon get the status of its own sdwdate and the ones running in the living anon vm’s (anon-whonix, anon-something, …, anon-x).

The anon vm’s are registered or unregistered as the are started or shut down.

If one or several anon vm is killed or crashed, it is unregistered and restarted.

In addition, it shows Tor status directly in the tray icon if Tor is not running, in the menu otherwise. If installed, the Tor controller GUI can be run from the menu.

Installation instructions.

In whonix-gw-14:

• Install the software for building the package

  sudo apt-get install git genmkfile ruby-ronn debhelper buid-essential 
  

• Get the package
  To be able to get the package from github, full networking has to be allowed in the template. In whonix-gw-14 --> Qubes Settings --> Networking select sys-whonix instead of (none).
  This setup should be temporary, as it is recommended against allowing networking in Qubes templates.
  Revert to (none) after installation.

  git clone https://github.com/troubadoour/sdwdate-gui.git
  

• Install the package

  cd sdwdate-gui
  make deb-icup
  

In whonix-ws-14:

• Repeat the steps in whonix-gw-14

• Enable shutdown notifier service

  sudo systemctl enable shutdown-notify
  

In dom0:

• Add gateway tag for new policies

  qvm-tags sys-whonix add gateway
  

• Add policies for sys-whonix <--> anon-vm communication
  Three files to be added in /etc/qubes-rpc/policy.

  • whonix.GatewayCommand

    $tag:anon-vm $tag:gateway allow
    $anyvm $anyvm deny        
    

  • whonix.SdwdateStatus

    $tag:anon-vm $tag:gateway allow
    $anyvm $anyvm deny        
    

  • whonix.NewStatus

    $tag:anon-vm $tag:gateway allow
    $anyvm $anyvm deny  
    

  Example:
  In /etc/qubes-rpc/policy

  sudo nano whonix.GatewayCommand
  

  Write the content. Save with Ctrl + x --> y --> Enter
  Beware that any typo will prevent the setup to work.

Shutdown the templates, restart sys-whonix, start or restart the anon-xxx vm’s.

Could you please git merge origin/master? It contains many auxiliary
fixes which predate sdwdate-gui-qubes.

Then I think I can upload this soon to the testers repository to ease
testing.

Done.

We are left with the policies in dom0. The gateway tag is not compulsory if it’s replaced by sys-whonix in the policies, but the files have to be installed.

Let’s call the tag anon-gateway? gateway alone may be rejected by Qubes as being too unspecific.

Could you please add the tag here?

• https://github.com/QubesOS/qubes-core-agent-linux
• https://github.com/QubesOS/qubes-core-admin-addon-whonix/blob/master/qubeswhonix/__init__.py

Related:
https://www.whonix.org/wiki/Dev/Qubes#anon-vm_tag

Related:

Could you add the policy files here please?
https://github.com/QubesOS/qubes-core-admin/tree/master/qubes-rpc-policy

Merged your pull request.

Updated qubes-core-admin-addon-whonix

Added policies in qubes-core-admin. without the .policy extension.

I do not see what I can do in https://github.com/QubesOS/qubes-core-agent-linux

Or do we need a new qvm-features-request somewhere ?

https://github.com/troubadoour/qubes-core-admin-addon-whonix/commit/4bcaa192528c580fe0dc2b1532ec8b67bde742b9 - this seems wrong, since all of this happens after if 'whonix-ws' in template.features:.

https://github.com/troubadoour/qubes-core-admin/commit/a55b8ae28dba9079ff17a8b7820a4f8adf968826 - this looks good. Could you please also add sys-whonix verbatim? Reason: I guess many people will miss the anon-gateway tag. The problem is, we will invent it after qubes-core-admin-addon-whonix was run for the first time. Or will we delay Whonix 14 until there is a new qubes-core-admin-addon-whonix? By adding sys-whonix verbatim we avoid issues of refused qrexec connections for most users who just use a single sys-whonix. This needs to be explained in the pull request.

I guess we have to invent qvm-features-request whonix-gw=1.

I hope not.

Moved anon-gateway tag before the if whonix-ws block.

Added sys-whonix in policies.

https://github.com/troubadoour/qubes-core-admin-addon-whonix/commit/5111da021a28d0edf326b9cb40c3f74b224df1fd - that would result adding the anon-gateway tag to to workstations as well. It needs some if 'whonix-gw' in template.features: above if 'whonix-ws' in template.features: or so.

https://github.com/troubadoour/qubes-core-admin/commit/daca45391165df0ba3589b1a11334ad6e3c61ca8 - looks good. Created a pull request for it.

swdate-gui-qubes depends on tor-control-panel

Was merged!

sdwdate-gui[qubes] in VirtualBox.

Ref: http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/kdesudo-error-popup-window-sdwdate-gui/5642/22?u=troubadour

This is whonix-firewall not coming up. sdwdate-gui creates /usr/lib/qubes/notify-shutdown

In whonix-gateway-firewall line 135, we have:

   if [ -d "/usr/lib/qubes" ]; then
      [ -n "$qubes_vm_type" ] || qubes_vm_type="$(qubesdb-read /qubes-vm-type)"

Command qubesdb-read is unknown in VirtualBox, crashing whonix-firewall.

https://github.com/troubadoour/sdwdate-gui/commit/126a4b443228e51780bf03514302a7c51dd9492f

Recommended dependency tor-control-panel was accidentally removed. Will amend.

Oh, what a bug. Another reason to solve https://github.com/QubesOS/qubes-issues/issues/1963 to prevent such very difficult to foreseeable issues.
I’ll think about replacing if [ -d "/usr/lib/qubes" ]; then with something better.

It could be if [ -d "/var/lib/qubes" ];. Seems less prone to be created.

By the way, we are using if [ -d "/usr/lib/qubes" ] in start-maybe, which is most likely why sdwdate-gui does not start in VirtualBox. That is the next debugging step.

I think this is best

if command -v "qubesdb-read" >/dev/null 2>&1 ; then

Yes. Just read https://github.com/QubesOS/qubes-issues/issues/1963. This looks more robust.

https://github.com/Whonix/Whonix/commit/01bee1d5540578fe45611176a6592f1562746ac8