Page MenuHomePhabricator
Create Task
Maniphest T452

open links from Qubes-Whonix-Gateway inside a Qubes-Whonix-Workstation
Closed, ResolvedPublic
Actions

Description

Links clicked by the user on the gateway currently show an error popup. (Such links could be seen in whonixcheck, logs, help files, etc.)

Link Confirm Open does not support opening links on Gateway for security reasons.

Please copy the link to the Workstation and open it there.

Use Tor Browser under Workstation to browse the internet.

In Qubes, we might be able to do better than that.

When open-link-confirmation detects being run inside Qubes, it could instead run the following command.

qvm-open-in-vm anon-whonix https://www.whonix.org

First, dom0 would show a confirmation popup.

Second, anon-whonix's open-link-confirmation would show a confirmation popup.

The following link will be opened in Tor Browser.

Be careful if Tor Browser is already running as your activities might get linked.

file:///tmp/sys-whonix/tmp.yoMl6S7xV0

Continue?

It is showing file:///tmp/sys-whonix/tmp.yoMl6S7xV0 rather than the link, because of Qubes upstream issue 'there is no qubes.OpenURL yet'.

It also seems a bit weird to default to opening inside anon-whonix. (I can easily make that configurable through /etc/open_link_confirm.d.) But I don't know how the gateway could figure out any reasonable, or running, or anon-link, or existing whonix-gw based AppVMs. However, it should be good enough, because many users will have anon-whonix thanks to Qubes management stack.

Details

Impact
Normal

Event Timeline

Patrick created this task.Dec 12 2015, 12:24 AM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added projects: open-link-confirmation, Qubes, Whonix 13.
Patrick set Impact to Normal.
Patrick added subscribers: Patrick, marmarek, nrgaway, bnvk.
marmarek added a comment.Dec 12 2015, 7:48 PM
It also seems a bit weird to default to opening inside `anon-whonix`. (I can easily make that configurable through [/etc/open_link_confirm.d](https://github.com/Whonix/open-link-confirmation/tree/master/etc/open_link_confirm.d).) But I don't know how the gateway could figure out any reasonable, or running, or anon-link, or existing whonix-gw based AppVMs. However, it should be good enough, because many users will have `anon-whonix` thanks to Qubes management stack.

This can be also done in dom0 qrexec policy (for example by management
stack, or user creating dedicated "link Whonix-Workstation")
Example (/etc/qubes-rpc/policy/qubes.OpenInVM or qubes.OpenURL in the
future):
sys-whonix $anyvm ask,target=anon-whonix

Documentation:
https://www.qubes-os.org/doc/qrexec3/#tocAnchor-1-1-3

Patrick added a comment.Dec 12 2015, 7:55 PM

Sounds good. Perhaps we want even two services, i.e. qubes.WhonixOpenURL
vs qubes.OpenURL.

marmarek added a comment.Dec 12 2015, 7:58 PM
Sounds good. Perhaps we want even two services, i.e. qubes.WhonixOpenURL
vs qubes.OpenURL.

What would be the difference?

Patrick added a comment.Dec 12 2015, 8:09 PM

qubes.WhonixOpenURL by default setting opens in anon-whonix.
qubes.WhonixOpenURL would be used by Whonix[-gw] by default.

qubes.OpenURL by default settings opens in a non-anonymous DispVM.
qubes.OpenURL would be used by other templates by default.

Two services, to give the user the option to use qubes.OpenURL for their
'mail-work' VM as opposed to be using qubes.WhonixOpenURL for their
'mail-anon' VM.

marmarek added a comment.Dec 12 2015, 8:17 PM

You can set that in qrexec policy:

mail-anon $anyvm ask,target=anon-whonix
mail-work $anyvm ask,target=$dispvm

and so on.

Patrick added a comment.Apr 26 2016, 6:50 PM

allow sys-whonix, whonix-gw and whonix-ws by default to open links in anon-whonix:
https://github.com/marmarek/qubes-core-agent-linux/pull/68

Patrick added a comment.Apr 26 2016, 7:00 PM

Do you think the /etc/open_link_confirm.d/31_default.conf settings

link_confirmation_target_vm="anon-whonix"
link_confirmation_vm_open_tool="qvm-open-in-vm"

( https://github.com/Whonix/open-link-confirmation/blob/7dc3af9002b1b6ccbb54b837b6901f5d14d0a28c/etc/open_link_confirm.d/31_default.conf#L20-L37 )

are okay as is or should be somehow configured by dom0 qubes-rpc policy?

/usr/bin/qvm-open-in-vm currently requires the vmname argument. It does not have an autodetection / fallback. So to have dom0 qubes-rpc policy set target to anon-whonix I would have to emulate /usr/bin/qvm-open-in-vm. Perhaps qubes.OpenURL will have an vmname autodetection / fallback mechanism?

Patrick closed this task as Resolved.Apr 26 2016, 7:02 PM
Patrick claimed this task.

open links from Qubes-Whonix-Gateway inside a Qubes-Whonix-Workstation works. Once allow sys-whonix, whonix-gw and whonix-ws by default to open links in anon-whonix lands, it will just be one confirmation question (by open-link-confirmation) rather than an extra one (dom0 qubes-rpc policy).

Whonix Issue Tracker · Unread Notifications · Open Issues · Homepage · Blog · Forum · Github · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer