Closed DemiMarie closed 2 months ago
Because of an issue I ran into I recently replaced wpa_supplicant with iwd with little effort and I'm enjoying the benefits without any trouble yet. I mention this as it seems that wpa_supplicant will at some point be replaced by iwd, and it might be worth spending time on securing iwd instead of the old and complex wpa_supplicant? If you disagree please ignore my comment.
The only issue I did run into is that Fedora currently ships an old version of iwd (1.26) which has an issue with NetworkManager. I currently fixed this by changing sys-net to run from a Debian 10 template, as Debian ships 1.28.
Has this made it into the 4.2rc?
Nope
This is a feature request for whatever distribution one uses for their sys-net, there is nothing qubes-specific here. In fact, it's less relevant for qubes than other distros due to having it sandboxed in sys-net.
This issue has been closed as an "upstream issue." This means that the issue pertains to software that does not belong to the Qubes OS Project and that we do not develop or control. We suggest that you file this issue in the appropriate project's issue tracker instead. For more information, see Why don't you fix upstream bugs that affect Qubes OS?
We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.
If anyone reading this believes that this issue was closed in error or that the resolution of "upstream issue" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed.
The problem you're addressing (if any)
wpa_supplicant is a large, essential, and complex daemon with substantial attack surface. In a default Fedora install, it runs unsandboxed and has free rein over the system. In QubesOS, it is confined within sys-net, but there is no reason to make it any more tempting of a target than it needs to be.
Describe the solution you'd like
wpa_supplicant should run in a sandbox with limited access to resources. This is not difficult to achieve; I achieved it myself in less than two hours. PR coming.
Where is the value to a user, and who might that user be?
This will benefit any user who uses wpa_supplicant, which is the majority of laptop users.
Describe alternatives you've considered
None
Additional context
Relevant documentation you've consulted
Related, non-duplicate issues