Disable thumbnail previews in file managers in SecureDrop Workstation VMs

[redshiftzero]

OG desc:

Nautilus helpfully generates a thumbnail preview of many file types, including images.

However, in our use case, we want to to prevent the parsing of potentially malicious decrypted files in sd-app, so we should disable the thumbnail generation.

Note that to prevent parsing of these files disabling thumbnails is necessary but (possibly) not sufficient, more investigation needed.

With https://github.com/freedomofpress/securedrop-client/pull/2057, a file manager (and thunar, not nautilus) would not be available in sd-app, only in viewer and export VMs, but thumbnail generation should still be disabled.

[adrelanos]

Whonix 14 will do that by default.

Package https://github.com/Whonix/security-misc is responsible for that.

References:

• https://phabricator.whonix.org/T500
• https://github.com/Whonix/security-misc/commit/5ba2a5b6ff53df37ad38f082ad86ff2227158d93
• https://github.com/Whonix/security-misc/commit/dfe8a569b639dd09ef4cd7f35c05efd7ea080406
• https://github.com/QubesOS/qubes-issues/issues/1108#issuecomment-263174448

[adrelanos]

@redshiftzero can you reproduce this inside Qubes-Whonix?

If no, due to https://github.com/QubesOS/qubes-issues/issues/1885 we might be able to close this one as duplicate.

[conorsch]

Have not tried to reproduce recently, but the original scope of this ticket was in the sd-svs VM, which is not based on the Qubes Whonix Workstation—presumably that's why we saw behavior different from what @adrelanos points out.

Now that we've got the client code coming together, we'll be dropping use of Nautilus altogether in the standard journalist workflow (#179). So the preview issue is now less important than when this issue was first opened. The previews may be relevant for forthcoming workflows such as export, however #84, so leaving open for now. (cc @redshiftzero if you disagree)

[eloquence]

sd-app (née sd-svs) still ships with Nautilus, but I'm not seeing rich previews at least for JPGs and PDFs. Have we already mitigated this in our config?

[zenmonkeykstop]

Need to confirm that tracker-miner has been disabled in sd-app altogether - nautilus may be replaced with thunar based on some issues encountered in the debian-12-based templates with grsec kernels, so we should make sure its equivalent service, if any, is also not processing files to produce thumbnails.

See also https://lwn.net/Articles/947288/

[zenmonkeykstop]

The equivalent service under xfce is tumblerd (which I cannot initially type without leaving out the "e" :/ ) - it's installed as a dependency of thunar but not actually required for it to run. So, we could:

• just uninstall it in the template
• add a config file for it under ~/.config that disables all its plugins
• both, for safety's sake

[legoktm]

Cross-referencing:

• https://github.com/QubesOS/qubes-issues/issues/8372
• and then un-disabled in https://github.com/QubesOS/qubes-core-agent-linux/pull/450