whonix.SdwdateStatus service starts VMs that were killed

Phabricator Tickets
1

Information

ID: 930
PHID: PHID-TASK-pydwvddu22mxum7x5cee
Author: marmarek
Status at Migration Time: open
Priority at Migration Time: Wishlist

Description

@marmarek:
When Whonix Workstation (for example anon-whonix) is properly shutdown, it executes whonix.NewStatus+anon-whonix_shutdown call to unregister itself from sdwdate in Whonix Gateway. But when anon-whonix is killed or crashed, that unregister call isn’t made, and sdwdate still periodically calls whonix.SdwdateStatus, which causes anon-whonix started again. → @Patrick said: This part would fixed by Qubes #7169 / PR 13.

Ideas how to solve this:

  1. make one call whonix.NewStatus that a) registers new domain, b) waits for EOF from the other end (cat >/dev/null or such) c) unregisters domain. This way, when the other end is terminated, the EOF will still be delivered, as the connection will be terminated.
  2. Use just one call ws->gw to receive status updates, to avoid whonix.SdwdateStatus calls at all. If data flow would be tricky to do this natively, whonix.NewStatus (or renamed if appropriate) could listen on on a unix socket (with a VM name in path) with socat, and whatver would call whonix.SdwdateStatus, could connect to that socket instead.
  3. Modify qrexec policy syntax to allow autostart=no or similar in the policy. This way, whonix.SdwdateStatus could be configured to not start the domain. (I think I want this feature anyway, but not sure if this is really the best fit to fix this issue). → EDIT by Patrick: Created Qubes #7168 for it.

Slightly offtopic:

  • what whonix.SdwdateStatus calls are for? sdwdate-gui runs and show status in sys-whonix, so why is anon-whonix making the calls?

Edit by Patrick:

  1. /usr/lib/python3/dist-packages/sdwdate_gui/sdwdate_watcher.py in anon-whonix notifies sys-whonix by running /usr/bin/qrexec-client-vm sys-whonix whonix.NewStatus+status.

  2. /usr/libexec/sdwdate-gui/notify-shutdown in anon-whonix notifies sys-whonix by running /usr/bin/qrexec-client-vm sys-whonix whonix.NewStatus+shutdown.

  3. In sys-whonix sdwdate-gui-qubes polls the status from VMs using for example:

    qrexec-client-vm anon-whonix whonix.SdwdateStatus

{“icon”: “busy”, “message”: “Initial time fetching in progress…”}

  • whonix.NewStatus seems to get remote VM name from an argument; this could be spoofed by the source VM; reliable way to get remote domain name in qrexec service is QREXEC_REMOTE_DOMAIN env variable. (Fixed.)
  • BTW for some reason this disappeared from qrexec3 documentation, it’s only mentioned in qrexec2…

Comments

Patrick

2023-12-29 15:33:12 UTC