When Whonix Workstation (for example anon-whonix) is properly shut down, it executes the whonix.NewStatus+anon-whonix_shutdown call to unregister itself from sdwdate in Whonix Gateway. But when anon-whonix is killed or crashes, that unregister call isn't made, and sdwdate still periodically calls whonix.SdwdateStatus, which causes anon-whonix to be started again.
Ideas on how to solve this:
- Make one call, whonix.NewStatus, that a) registers the new domain, b) waits for EOF from the other end (cat >/dev/null or such), c) unregisters the domain. This way, when the other end is terminated, the EOF will still be delivered, as the connection will be terminated.
- Use just one call ws->gw to receive status updates, to avoid whonix.SdwdateStatus calls at all. If the data flow would be tricky to do natively, whonix.NewStatus (or renamed if appropriate) could listen on a unix socket (with a VM name in the path) with socat, and whatever would call whonix.SdwdateStatus could connect to that socket instead.
- Modify qrexec policy syntax to allow autostart=no or similar in the policy. This way, whonix.SdwdateStatus could be configured to not start the domain. (I think I want this feature anyway, but not sure if this is really the best fit to fix this issue).
- What are the whonix.SdwdateStatus calls for? The sdwdate gui runs and shows status in sys-whonix, so why is anon-whonix making the calls?
- whonix.NewStatus seems to get remote VM name from an argument; this could be spoofed by the source VM; reliable way to get remote domain name in qrexec service is QREXEC_REMOTE_DOMAIN env variable. BTW for some reason this disappeared from qrexec3 documentation, it's only mentioned in qrexec2...
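
The first idea combined with the last point, as an added sketch that is not Whonix or Qubes code: one service call registers the caller, blocks until its end of the connection closes, then unregisters, and takes the VM name only from QREXEC_REMOTE_DOMAIN. The registry directory, the function names and the EXAMPLE_SERVE switch are hypothetical.

```shell
#!/bin/sh
# Added sketch of a qrexec service handler (hypothetical, not the Whonix code).
# REGISTRY_DIR is an assumed location for per-VM registration markers.
REGISTRY_DIR="${REGISTRY_DIR:-/run/sdwdate-gui-example/registered}"

# Accept only characters expected in a VM name, so the value is safe to use
# as a file name (no empty name, no leading dot, no slash).
valid_vm_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

register_vm()   { mkdir -p "$REGISTRY_DIR" && : > "$REGISTRY_DIR/$1"; }
unregister_vm() { rm -f -- "$REGISTRY_DIR/$1"; }

# Handle one call: register, wait for EOF, unregister.
# The name comes from QREXEC_REMOTE_DOMAIN, which qrexec sets for the service,
# never from the service argument or from data the caller sends.
handle_status_call() {
    vm="${QREXEC_REMOTE_DOMAIN:-}"
    if ! valid_vm_name "$vm"; then
        echo "refusing call: missing or malformed QREXEC_REMOTE_DOMAIN" >&2
        return 1
    fi
    register_vm "$vm" || return 1
    # EOF arrives on a clean shutdown and also when the remote VM is killed
    # or crashes, because the connection is torn down either way.
    cat >/dev/null
    unregister_vm "$vm"
}

# EXAMPLE_SERVE is a constructed switch so the file can be sourced for testing;
# a real service file would simply end with the call.
if [ -n "${EXAMPLE_SERVE:-}" ]; then
    handle_status_call
fi
```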