Open adrelanos opened 3 months ago
There's a contributor available to implement this security enhancement.
However, since this would involve the creation of an additional VM that would be installed by default for users who opt-in to install Qubes-Whonix and therefore some extra system resource use, I suppose this feature might require approval by the Qubes core team before it's worth implementing?
In other words... Currently maybe blocked by: Qubes core team approval
Ping @marmarek.
The problem you're addressing (if any)

Currently the Whonix-Gateway `sys-whonix` is `updatevm` (global preference for dom0 updates), `clockvm` (global preference). This is non-ideal for security and anonymity.

The main issue of having these services running is it undermines the proxy isolation of Whonix-Gateway and Whonix-Workstation separation.

In case of non-Whonix, clearnet use, where it is fine to use `sys-firewall` for those tasks, even though it is a Net Qube, `sys-firewall` is not the qube for proxy settings as well as `sys-whonix` is not the qube for running Qubes services, which is a task for a Whonix-Workstation, not a Whonix-Gateway, for better leak-proofness.

A vulnerability in tinyproxy marked as CVE-2023-49606 states that a specially crafted HTTP header could lead to remote code execution. In the Qubes case of using `sys-whonix` for hosting the tinyproxy, compromise of the Gateway means compromise of the user identity.

The solution you'd like
`sys-ops-whonix` - UpdatesProxy, UpdateVM, ClockVM - a new, dedicated service VM.

Proposal: An App Qube or named Disposable Whonix-Workstation with the name `sys-ops-whonix`.

The `sys-ops-whonix` would be based on the Whonix-Workstation Template and its Net Qube will be set to `sys-whonix` by default.

The value to a user, and who that user might be
Better security and higher leak-proofness of Qubes-Whonix.
Details
`anon-whonix` as `sys-ops-whonix` (UpdatesProxy, UpdateVM, ClockVM)? Because `anon-whonix` is intended for user interaction with applications such as Tor Browser. It is an App Qube. `sys-ops-whonix` would be a service qube.

`sys-ops-whonix` default Qubes dom0 AppMenu: User applications would be removed from the app menu and Tor Browser would be prevented from starting.

`sys-net` and `sys-firewall` can be disposables with Salt declarations. A persistent `sys-ops-whonix` can be interesting for caching purposes of UpdatesProxy, but that is not a Qubes default and is unnecessary for `clockvm` and `updatevm`. Making `sys-ops-whonix` persistent for the purpose of `cacher` would be a task for a `cacher` Salt state.

The name `sys-ops-whonix`

To make clear what the VM's function is, the VM's name should probably start with `sys-` and should also include `whonix`. `sys-whonix-ops` would perhaps be more easily confused with `sys-whonix`. `ops` standing for operations. What operations? UpdatesProxy, UpdateVM, ClockVM. If the name is non-ideal, suggestions are welcome.
Completion criteria checklist
The migration would involve:

- [ ] Creation of the `sys-ops-whonix` qube with Salt.
- [ ] Make sure that Salt state is also called when using the Anaconda installer when installing Qubes-Whonix.
- [ ] Rename of mentions in Qubes source code that hard code `sys-whonix` for `sys-ops-whonix` when appropriate.
- [ ] Possibly other modifications that will be discovered when implementation starts.