
Sun, Jul 21

marmarek added a comment to T925: whonixcheck false positive in check_journal.

Sounds good, thanks.

Sun, Jul 21, 8:26 PM · Whonix

Jul 21 2019

marmarek added a comment to T925: whonixcheck false positive in check_journal.

Does lowering "severity could be lowered to "info" and not causing non-zero exit codes" + `journalctl -p err -b` sound like a good solution?

Jul 21 2019, 3:26 PM · Whonix
marmarek created T925: whonixcheck false positive in check_journal.
Jul 21 2019, 3:03 AM · Whonix

Jul 16 2019

marmarek added a comment to T913: bug: not all files from /etc/skel are copied to /home/user / create user "user" at boot time.
In T913#18744, @Patrick wrote:

Do you see any issues with "create home directory on first login" in Qubes?

Jul 16 2019, 1:07 AM · whonix-base-files, live-mode, Whonix 15, Whonix

Jul 15 2019

marmarek added a comment to T913: bug: not all files from /etc/skel are copied to /home/user / create user "user" at boot time.

Can you give some more context here? Is it the problem that user is created too early (before /etc/skel is fully populated)? Or is it a problem that it's created at all? Should there be a difference between Qubes and non-Qubes case?

Jul 15 2019, 11:58 PM · whonix-base-files, live-mode, Whonix 15, Whonix

Jul 6 2019

marmarek added a comment to T857: Why? Keep? Qubes-Whonix /sbin/ethtool -K ${INTERFACE} sg off | /sbin/ethtool -K ${INTERFACE} tx off.

It was copied from native setup_ip script, details here:
https://github.com/qubesos/qubes-core-agent-linux/commit/5cbb38a2
https://github.com/qubesos/qubes-issues/issues/700
It definitely was relevant for the old stubdomain hosting qemu (which is still possible to use in R4.0). Not sure if it applies to the new linux-based stubdomain.
It may not be needed anymore. To verify that, try removing those lines and check networking in Windows (or another OS without Xen PV drivers).

Jul 6 2019, 3:45 PM · Whonix 16, Whonix, qubes-whonix

Jun 29 2019

marmarek added a comment to T324: Add package needrestart.
In T324#18696, @Patrick wrote:

What is a good way to detect that users are using VM kernel in Qubes? @marmarek If uname -r outputs 4.19.43-1.pvops.qubes.x86_64 i.e. matches *pvops* it means that no VM kernel is being used?

Jun 29 2019, 12:55 PM · upstream, usability, enhancement, anon-meta-packages, Whonix

Jun 27 2019

marmarek added a comment to T923: Some texts on whonix connection wizard are truncated.

I see.
BTW it's certainly about fonts. Here you can select whonix_firstrun-whonix-14-firstrun-20180915 from the dropdown above the screenshot (click the eye icon at the right) and slide the vertical bar to see the old and new versions.

Jun 27 2019, 2:47 PM · anon-connection-wizard, Whonix, Whonix 15
marmarek added a comment to T923: Some texts on whonix connection wizard are truncated.

Maybe different fonts installed? Is there a reason for the fixed geometry of those widgets, instead of letting Qt figure it out based on the content? I suppose there may be more problems like this in the future, especially if proper HiDPI support comes into play...

Jun 27 2019, 2:34 PM · anon-connection-wizard, Whonix, Whonix 15
marmarek created T923: Some texts on whonix connection wizard are truncated.
Jun 27 2019, 1:26 PM · anon-connection-wizard, Whonix, Whonix 15

Jun 23 2019

marmarek added a comment to T883: configure Qubes-Whonix XFCE default start menu entries (whitelisted appmenus).

How have you created sys-whonix? The default applications list is copied from the template only at VM creation time. If you modify it (using VM settings for example), or just switch the template, it isn't re-copied from the template (it would break the user's changes).

Jun 23 2019, 12:57 PM · Whonix 15, Whonix, qubes-template-whonix

Jun 21 2019

marmarek added a comment to T883: configure Qubes-Whonix XFCE default start menu entries (whitelisted appmenus).

It works for me (checked with qubes-template-whonix-gw-15-4.0.1-201906201340).

Jun 21 2019, 4:18 AM · Whonix 15, Whonix, qubes-template-whonix
marmarek added a comment to T912: qubes integration tools missing.

I cannot reproduce. I've installed qubes-template-whonix-15-4.0.1-201905241112, updated it with the qubes testing repository enabled and I see all the actions available in thunar.
But I do see some warnings on thunar's stderr, like this:

(Thunar:27375): Gtk-WARNING **: 01:41:41.317: Refusing to add non-unique action 'uca-action-1507455450991127-4' to action group 'ThunarActions'

Looks like actions are added multiple times to /etc/xdg/Thunar/uca.xml, which is later copied to /home/user/.config/Thunar/uca.xml. Relevant code in https://github.com/QubesOS/qubes-core-agent-linux/blob/master/debian/qubes-core-agent-thunar.postinst

Jun 21 2019, 3:50 AM · Whonix, Qubes

Apr 18 2019

marmarek added a comment to T895: Proposed Download Directory Structure / download redirects / stable download links / permalinks.

I suggest not using permanent redirection, otherwise browsers may cache the old version.

Apr 18 2019, 9:22 AM · server-ssh-access-required, website, Whonix

Apr 4 2019

marmarek added a comment to T670: Activating Lockdown.

This looks like it is focused on kernel protection from an attacker who already has full user (or even root) access. Something very desirable on server/multi-user systems, but not so meaningful in a single-user AppVM.
Also, disabling module loading entirely may break attaching devices (block, usb etc).
Other than module loading, it shouldn't harm, though.

Apr 4 2019, 8:51 PM · Debian version 10 codename Buster, Whonix

Feb 15 2019

marmarek added a comment to T709: port Whonix package build process to Qubes package build process.

To build a package with qubes-builder, you need to add a Makefile.builder file with just one line: DEBIAN_BUILD_DIRS := debian. This will tell qubes-builder that the given repository contains a Debian package.
Alternatively, if that would be too much of a problem, it should be easy to add an option that does auto-detection (probably just looking for a debian directory).

Feb 15 2019, 12:20 AM · security, Qubes, build, Whonix

Sep 18 2018

marmarek added a comment to T691: sdwdate sclockadj change time without spamming logs.

Actually, the "apt-daily.timer: Adding 1h 17min 24.927437s random time" message has a real impact, not only noise. Each time sdwdate changes the time, systemd adds a random delay to those timers, which means the timer will never expire (unless that random delay happens to be very close to 0 - i.e. below the time until sdwdate changes the time, which looks to be 1s).

Sep 18 2018, 3:55 AM · systemd, research, sclockadj, sdwdate, Whonix

Sep 2 2018

marmarek added a comment to T824: Graphical issue inside Dolphin (xfce nautilus working fine).

I'd guess breeze-icon-theme.

Sep 2 2018, 10:40 PM · qubes-template-whonix, Whonix, qubes-whonix
marmarek added a comment to T824: Graphical issue inside Dolphin (xfce nautilus working fine).

Do you have non-qubes instance to compare?

Sep 2 2018, 6:07 PM · qubes-template-whonix, Whonix, qubes-whonix
marmarek added a comment to T824: Graphical issue inside Dolphin (xfce nautilus working fine).

whonix.onion links look invalid (I know what you meant...)

Sep 2 2018, 3:07 PM · qubes-template-whonix, Whonix, qubes-whonix

Jul 18 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

The easiest way would be to have a new entry for qubesdb-read, in addition to qubes-gateway which holds the IP address.
Something like qubesdb-read /qubes-gateway-name.

Jul 18 2018, 12:12 AM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 29 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

Json handling looks fine. Not sure about using the data loaded from there - for example if self.message requires sanitization. AFAIR some Qt widgets support html formatting, so it may be undesirable to allow that.

Jan 29 2018, 3:44 PM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 26 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

Probably no. But I'm not an expert in security or attacks.
pickle load deserializes an object, in our case a DICTionary. Anything not in that form would raise an exception.

Jan 26 2018, 6:49 PM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 22 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

Obviously they'll have to be in sdwdate. There are some issues regarding the format of the argument in qrexec-client-vm sys-whonix whonix.test+"[argument]" when it reaches the target VM. It's sanitized, no problem there, it can be parsed, but it's truncated at 51 bytes, which limits what we can pass.

Jan 22 2018, 3:11 AM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 12 2018

marmarek added a comment to T72: Whonix Greeter.
In T72#15372, @Patrick wrote:

Does Qubes have any thoughts on internationalization? How to get it localized into several native languages? There is dom0 window manager, Debian template, Fedora template. @marmarek
Whonix is only a small piece in the bigger picture of Qubes internationalization, which would then follow how it is implemented for Debian templates.

Jan 12 2018, 11:12 PM · whonix-setup-wizard, Whonix, usability, desktop

Nov 9 2017

marmarek added a comment to T84: Should we enable HTTP Public Key Pinning (HPKP) for whonix.org?.

Well, google is going to deprecate HPKP in chrome/chromium.

Nov 9 2017, 5:38 PM · infrastructure, security, research, Whonix, website

Nov 3 2017

marmarek added a comment to T725: add proxy capabilities (provides_network) to Whonix-Workstation / move Qubes updates proxy to Whonix-Workstation.

A VM does not need to be a ProxyVM or have provides_network=True to serve as updatevm on Qubes 4.0. You just need to start the updates proxy there (tinyproxy, enabled with qvm-service --enable vmname qubes-updates-proxy), and adjust the qrexec policy of qubes.UpdatesProxy to direct the traffic there.

Nov 3 2017, 2:46 PM · Whonix, Whonix 16

Oct 29 2017

marmarek added a comment to T641: Qubes R4: install pulseaudio-qubes in Whonix 14 for audio support / pulseaudio and vlc should not be installed in sys-whonix.

(highest available version is 3.2.18-1+deb9u1)

Oct 29 2017, 5:53 PM · Whonix 14, Whonix, anon-meta-packages, Qubes

Oct 28 2017

marmarek added a comment to T641: Qubes R4: install pulseaudio-qubes in Whonix 14 for audio support / pulseaudio and vlc should not be installed in sys-whonix.

Will that really work for 4.0? There is also the qubes-gui-agent package, so it isn't clear to me that pulseaudio-qubes will really be installed. Perhaps pulseaudio-qubes | qubes-gui-agent (<< 4.0.0)?

Oct 28 2017, 4:52 PM · Whonix 14, Whonix, anon-meta-packages, Qubes

Oct 20 2017

marmarek added a comment to T491: port whonixcheck and tb-updater to Qubes qrexec based updates proxy.

Does that change to 127.0.0.1 work on Qubes 3.2? Anyway, yes, it should be good enough for Qubes 4.0.

Oct 20 2017, 3:33 PM · Whonix 14, Whonix 13, tb-updater, Whonix, Qubes, whonixcheck
marmarek added a comment to T723: Qubes R4 RC1 - Whonix 13 - updates proxy test failing sometimes.

sys-whonix is started by the first request to the updates proxy (if not already running). In most cases it will be that connectivity check. I think the connect timeout doesn't matter here, as the connection (in terms of TCP) is to localhost, instant. Only the response comes later.
I guess the problem is that the warning is displayed while the connectivity check is still running (i.e. a race condition). Since sys-whonix takes some time to start, it happens reliably. Maybe some dependencies between those services would help (is it possible to order a GUI application after system service startup?). Or some lock file to synchronize those things?
If none of the above is possible, one solution would be ordering the connectivity check with Before=qubes-gui-agent.service. But I'd treat this as a last resort.

Oct 20 2017, 3:18 PM · Whonix, Whonix 13, Whonix 14

Oct 8 2017

marmarek added a comment to T710: qubes-whonix build failure.

https://github.com/Whonix/qubes-template-whonix/pull/1

Just setting the tbb_version or tbb_hardcoded_version variable isn't enough, because it isn't propagated through all the layers to the postinst of tb-updater. But temporarily creating a configuration file works (in /etc/torbrowser.d).
Use tbb_version there, because tbb_hardcoded_version is unconditionally overridden by /usr/share/tb-updater/tbb_hardcoded_version. But the latter is ignored if tbb_version is already set.

Oct 8 2017, 10:56 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix

Oct 7 2017

marmarek added a comment to T710: qubes-whonix build failure.

The problem is back again, 7.0.4 is no longer available at https://dist.torproject.org/torbrowser/
What is the easiest/most elegant way to choose a different version, without modifying the tb-updater package? Some env variable? Some config file? I don't consider https://github.com/SimonSelg/qubes-template-whonix/blob/SimonSelg-fix-tb-updater/whonix-gateway/04_install_qubes_post.sh#L65-L79 elegant...

Oct 7 2017, 3:39 PM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix

Sep 26 2017

marmarek added a comment to T698: check Qubes-Whonix compatibility with Qubes 4.0.

Out of curiosity, where is the R4.0 rc2 download for fresh install?

Sep 26 2017, 1:16 AM · Whonix 14, Whonix, Qubes

Sep 24 2017

marmarek added a comment to T698: check Qubes-Whonix compatibility with Qubes 4.0.

As for policy for updates proxy, see this: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/commit/977362ee27ccc116512fc428c0807063600655cc

Sep 24 2017, 4:35 PM · Whonix 14, Whonix, Qubes

Sep 20 2017

marmarek added a comment to T491: port whonixcheck and tb-updater to Qubes qrexec based updates proxy.

Since https://github.com/Whonix/qubes-whonix/commit/01964e3c8c53b49aa14e56f7924fce5e88b5a448, other places can simply source /usr/lib/qubes-whonix/utility_function.sh and use PROXY_SERVER variable to get appropriate proxy address.

Sep 20 2017, 10:43 PM · Whonix 14, Whonix 13, tb-updater, Whonix, Qubes, whonixcheck

Sep 14 2017

marmarek added a comment to T463: Qubes-Whonix-Workstation DispVM Support.

https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/pull/5

Sep 14 2017, 2:36 AM · Whonix, Qubes
marmarek added a comment to T463: Qubes-Whonix-Workstation DispVM Support.

qubes-devel discussion: https://groups.google.com/d/msgid/qubes-devel/0f80b2a7-af84-fe3c-db9b-5d9bbeedfea6%40riseup.net

Sep 14 2017, 2:24 AM · Whonix, Qubes

Sep 12 2017

marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.
In T697#14525, @Patrick wrote:

Merged.

Note that I've created PR against Whonix13 branch instead of master intentionally. While it should be mergeable to master too, it would be good to have it in Whonix13. The current version from master branch is already incompatible with Whonix 13.

I couldn't merge / cherry-pick it. Manually emulated.
https://github.com/Whonix/qubes-whonix/commit/9a8d4b94865efceec7928d5498260a44241d96b2
Could you please check that the master branch has it all? (Because that will go into Whonix 14.)
Whonix13 branch i.e. qubes-whonix 5.7.2.1-1 uploaded to Whonix jessie-proposed-updates repository.

Sep 12 2017, 3:12 AM · anon-meta-packages, Whonix 14, Qubes, Whonix

Sep 11 2017

marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.

Done: https://github.com/Whonix/qubes-whonix/pull/5
Note that I've created PR against Whonix13 branch instead of master intentionally. While it should be mergeable to master too, it would be good to have it in Whonix13. The current version from master branch is already incompatible with Whonix 13.

Sep 11 2017, 9:45 PM · anon-meta-packages, Whonix 14, Qubes, Whonix
marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.

According to debian policy, << is the syntax for "strictly older than".

Sep 11 2017, 2:59 PM · anon-meta-packages, Whonix 14, Qubes, Whonix
marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.

https://github.com/Whonix/qubes-whonix/pull/4

Sep 11 2017, 2:25 AM · anon-meta-packages, Whonix 14, Qubes, Whonix

Aug 26 2017

marmarek added a comment to T710: qubes-whonix build failure.

Yes, it works now: https://travis-ci.org/marmarek/qubes-template-whonix/builds/263033873

Aug 26 2017, 1:38 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix

Aug 25 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

The idea was to keep the X newest entries, not the oldest, right? So the first order is right (the code skips the X "first" directories). Also, I'd trust file names more than modification time - the latter is easy to mess up (and the consequence will be removing the wrong directory - possibly containing just-modified data).

Aug 25 2017, 7:46 PM · Whonix 13, Whonix 14, Qubes, Whonix

Aug 15 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

I've tried glob, but I need reversed order and failed to do that with glob. ls -dr should do. Unless $tb_browser_folder itself contains spaces...

Aug 15 2017, 8:03 PM · Whonix 13, Whonix 14, Qubes, Whonix

Aug 12 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

Proposed fix here: https://github.com/Whonix/tb-updater/pull/1

Aug 12 2017, 12:49 PM · Whonix 13, Whonix 14, Qubes, Whonix

Aug 10 2017

marmarek added a comment to T710: qubes-whonix build failure.

Indeed, TEMPLATE_OPTIONS variable wasn't properly propagated. Fixing this fixes whonix-gateway build:
https://travis-ci.org/marmarek/qubes-template-whonix/builds/263033866

Aug 10 2017, 1:16 PM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix

Aug 9 2017

marmarek added a comment to T710: qubes-whonix build failure.

Also, it worked before (when tor browser 7.0 was still downloadable)... See builds history on travis (https://travis-ci.org/marmarek/qubes-template-whonix/builds).

Aug 9 2017, 2:28 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix
marmarek added a comment to T710: qubes-whonix build failure.

In above linked travis job, workstation build (17.6) fails with:

(Debugging information: curl_status_message: [22] - [HTTP page not retrieved. The requested url was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.])

Probably package installation order is non-deterministic here...

Aug 9 2017, 2:23 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix
marmarek added a comment to T710: qubes-whonix build failure.

Are you sure about that? According to the build log, the issue with whonix-ws is the missing 7.0.0 version on the server. anon-gw-dns-conf is not installed in whonix-ws.

Aug 9 2017, 2:07 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix
marmarek added a comment to T710: qubes-whonix build failure.

Ah, you're right. So the second line in my comment _is_ a blocker too.

Aug 9 2017, 1:56 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix
marmarek added a comment to T710: qubes-whonix build failure.

I prefer the proper fix, which is a chain of three tickets in total: https://phabricator.whonix.org/T671#14310
Independently (not a blocker), it would be good to find out why tb-updater is installed in whonix-gw.

Aug 9 2017, 1:42 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix

Aug 7 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

What exactly is the use case when removing old /var/cache/tb-binary/.tb/tor-browser.old.* is bad?
IIUC this ticket is blocking tb-updater stable upgrade (T690), which would fix qubes-whonix build failure (T710). Which is a blocker for having Whonix templates for Qubes 4.0.

Aug 7 2017, 10:41 PM · Whonix 13, Whonix 14, Qubes, Whonix

Jul 30 2017

marmarek added a comment to T710: qubes-whonix build failure.

What does it mean in practice?
Also "Couldn't resolve host" doesn't look like file removed from torproject's download server...

Jul 30 2017, 12:20 AM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix

Jul 29 2017

marmarek created T710: qubes-whonix build failure.
Jul 29 2017, 2:12 PM · tb-updater, build, Whonix 14, Whonix 13, Qubes, Whonix

Jul 7 2017

marmarek added a comment to T695: Whonix running as Qubes DispVM uses saved clock.

Yes to both of you:

  • should just work on Qubes 4.0 (savefiles are not used there anymore)
  • calling qubes.GetRandomizedTime as post-suspend action would fix that too
Jul 7 2017, 8:13 PM · Whonix 14, Whonix 13, Whonix, sclockadj

Jul 4 2017

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).
In T534#13990, @Patrick wrote:

@marmarek is there some qubesdb-read to find out from anon-whonix that its NetVM is sys-whonix?
(Required for the qrexec target variable. Trying to cover the case where one is using multiple Whonix-Gateways.)

Jul 4 2017, 3:59 AM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jun 8 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

Looks like at least NTP and chrony use ntp_adjtime/adjtimex.

Jun 8 2017, 1:30 AM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

Jun 7 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

adjtimex/ntp_adjtime looks quite complex, but also allows precise control over how time should be adjusted. Of those two, according to the manual page, ntp_adjtime is preferred.

Jun 7 2017, 12:42 AM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

Jun 5 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

I've left you some minor comments here: https://github.com/JasonJAyalaP/sclockadj/commit/e9bf84e3a400f7a8ef01e5f00dcefc013d0a9efe

Jun 5 2017, 10:54 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code
marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

What about using the adjtime() syscall instead of all this? It would avoid trashing logs with "Time has been changed" every single second, and possibly other side effects.

Jun 5 2017, 10:44 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

May 20 2017

marmarek added a comment to T677: research and document secure downloads using Tor Browser.

Well, if you explicitly type/paste "https://" in the url, sslstrip and similar do not apply. But very few people do that, most follow some link, or type just "www.torproject.org" instead of "https://www.torproject.org".

May 20 2017, 12:16 PM · Whonix, user documentation, research, Whonix 14

Apr 14 2017

marmarek added a comment to T658: Qubes-Whonix 14 timesync vs usability decision.
In T658#12969, @Patrick wrote:

Another issue at the moment with sdwdate-gui in Qubes is that users cannot really know which sdwdate-gui belongs to which VM. The coloring of the sys-tray works, but you could not distinguish them if both used the same color.
That's more of a general Qubes issue. Should I try to work around it by adding the Qubes VM name to the sdwdate-gui right click menu?
Same is true for the hover over passive tooltips. Should I add the Qubes VM name there as well?

Apr 14 2017, 8:09 PM · sdwdate, Whonix 14, Qubes, Whonix

Apr 13 2017

marmarek added a comment to T658: Qubes-Whonix 14 timesync vs usability decision.

What about hiding sdwdate-gui icon when time is synchronized? So, have an icon only when there is some problem or sdwdate is still bootstrapping? This isn't ideal as actions like restart/stop will be unavailable, but maybe good enough for now?

Apr 13 2017, 3:57 PM · sdwdate, Whonix 14, Qubes, Whonix
marmarek added a comment to T658: Qubes-Whonix 14 timesync vs usability decision.

I'm not sure about sdwdate-gui details, but could it be started in a mode without a tray icon and only show notifications? Maybe also make sure that notifications do not expire until sdwdate succeeds. Or maybe hide the tray icon when time is synchronized?
Those should be much easier to do than full T534.

Apr 13 2017, 2:53 PM · sdwdate, Whonix 14, Qubes, Whonix

Mar 16 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

Can't find which Debian package ships debug symbols, there is no -dbg package there: https://packages.debian.org/source/stretch/ruby2.3

Mar 16 2017, 4:52 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code
marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

Ah, it's ruby... So, python-dbg is irrelevant, but trying gdb may still be a good idea.

Mar 16 2017, 4:51 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code
marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

I don't see any loop there and only very simple function calls, so I don't see how that would trigger such bug...

Mar 16 2017, 4:35 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

Mar 5 2017

marmarek added a comment to T599: bindp libindp.so C code fixes.
@marmarek If the problem is only with applications listening on both AF_INET and AF_UNIX,
Mar 5 2017, 10:34 PM · bindp, security, Whonix 14, C Code, Whonix

Mar 1 2017

marmarek added a comment to T629: fix sdwdate sigterm handling during remote_times.py get_time_from_servers.

Also, Python >= 3.4 comes with a great API for concurrent execution - asyncio - a much more powerful version of asyncore. In this case it could be used to avoid threads entirely. But I'm still learning how to use it... You may want to read/watch this: https://fosdem.org/2017/schedule/event/python_coroutines/ if you want a quick intro.

Mar 1 2017, 11:09 PM · python, bug, Whonix, sdwdate
marmarek added a comment to T629: fix sdwdate sigterm handling during remote_times.py get_time_from_servers.

Where is the other thread created? To me it looks like get_time_from_servers is running in the main thread, so simply not catching SystemExit should be enough. At the point where it was raised, you had already called sys.exit (which is how SystemExit is raised), so exit_handler was already called.

Mar 1 2017, 11:04 PM · python, bug, Whonix, sdwdate

Feb 23 2017

marmarek added a comment to T599: bindp libindp.so C code fixes.

The problem is not in the connect function, but in bind. It assumes the AF_INET family, casting the sk pointer to struct sockaddr_in. But if the socket family is something different, the structure may also be different (for example struct sockaddr_un for AF_UNIX). In practice, besides misusing this library, the problem only applies to applications listening on both local (AF_UNIX) and network (AF_INET) sockets, because you don't use this library for AF_UNIX-only applications.

Feb 23 2017, 2:03 AM · bindp, security, Whonix 14, C Code, Whonix
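The family check the comment above calls for, as an added example (not code from bindp or from the ticket): the address is inspected through sa_family before any cast, so an AF_UNIX sockaddr_un passes through untouched. FORCED_ADDR, FORCED_PORT and rewrite_bind_addr() are assumed names standing in for a preload wrapper's own configuration, not bindp's.

```c
/* Added example, not bindp's code: a bind()-address rewrite that checks the
 * address family before casting, which is the defect the comment describes. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define FORCED_ADDR "127.0.0.1"   /* constructed sample values, assumed names */
#define FORCED_PORT 9050

/* Copies the caller's address into a family-agnostic sockaddr_storage and
 * rewrites it only when it is AF_INET. Returns 1 if rewritten, 0 if passed
 * through untouched (AF_UNIX, AF_INET6, ...), -1 if len is implausible. */
int rewrite_bind_addr(const struct sockaddr *sk, socklen_t len,
                      struct sockaddr_storage *out, socklen_t *out_len)
{
    if (sk == NULL || out == NULL || out_len == NULL)
        return -1;
    /* Need at least sa_family to inspect, and the whole thing must fit. */
    if (len < sizeof(sa_family_t) || len > sizeof(*out))
        return -1;

    memset(out, 0, sizeof(*out));
    memcpy(out, sk, len);
    *out_len = len;

    if (sk->sa_family != AF_INET)
        return 0;                       /* not ours: leave the struct alone */
    if (len < sizeof(struct sockaddr_in))
        return -1;                      /* claims AF_INET but is too short */

    struct sockaddr_in *in = (struct sockaddr_in *)out;
    if (inet_pton(AF_INET, FORCED_ADDR, &in->sin_addr) != 1)
        return -1;
    in->sin_port = htons(FORCED_PORT);
    return 1;
}

/* The failure mode from the comment: an AF_UNIX listener must come back
 * byte-for-byte unchanged. Returns 1 on success. */
int check_unix_passthrough(void)
{
    struct sockaddr_un un;
    struct sockaddr_storage out;
    socklen_t out_len = 0;

    memset(&un, 0, sizeof(un));
    un.sun_family = AF_UNIX;
    strcpy(un.sun_path, "/tmp/constructed.sock");  /* constructed path */

    if (rewrite_bind_addr((struct sockaddr *)&un, sizeof(un), &out, &out_len) != 0)
        return 0;
    return out_len == sizeof(un) && memcmp(&out, &un, sizeof(un)) == 0;
}

/* An AF_INET listener on 0.0.0.0:8080 is rewritten to FORCED_ADDR:FORCED_PORT.
 * Returns 1 on success. */
int check_inet_rewritten(void)
{
    struct sockaddr_in in;
    struct sockaddr_storage out;
    socklen_t out_len = 0;

    memset(&in, 0, sizeof(in));
    in.sin_family = AF_INET;
    in.sin_port = htons(8080);
    in.sin_addr.s_addr = htonl(INADDR_ANY);

    if (rewrite_bind_addr((struct sockaddr *)&in, sizeof(in), &out, &out_len) != 1)
        return 0;
    const struct sockaddr_in *res = (const struct sockaddr_in *)&out;
    return out_len == sizeof(in)
        && res->sin_port == htons(FORCED_PORT)
        && res->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
}

/* A buffer that claims AF_INET but is shorter than sockaddr_in is refused
 * instead of being read past its end. Returns 1 on success. */
int check_short_inet_refused(void)
{
    struct sockaddr sa;
    struct sockaddr_storage out;
    socklen_t out_len = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_family = AF_INET;
    return rewrite_bind_addr(&sa, sizeof(sa_family_t), &out, &out_len) == -1;
}

int main(void)
{
    printf("unix passthrough: %d\n", check_unix_passthrough());
    printf("inet rewritten:   %d\n", check_inet_rewritten());
    printf("short inet:       %d\n", check_short_inet_refused());
    return 0;
}
```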

Feb 20 2017

marmarek added a comment to T633: Non-Qubes-Whonix KDE plasma 5 fixes.

Slightly reduced duplication:

# fall back to the XDG default search path when the variable is unset
if [ -z "$XDG_CONFIG_DIRS" ]; then
    XDG_CONFIG_DIRS=/etc/xdg
fi
export XDG_CONFIG_DIRS=/usr/share/kde-dolphin-menubar-enable/:$XDG_CONFIG_DIRS

Feb 20 2017, 1:38 AM · Whonix 15, Whonix, kde
marmarek added a comment to T633: Non-Qubes-Whonix KDE plasma 5 fixes.

Try adding the default value too (/etc/xdg).

Feb 20 2017, 12:59 AM · Whonix 15, Whonix, kde

Jan 30 2017

marmarek added a comment to T620: clean up qubes-whonix package dependencies to resolve issues upgrading to stretch.

Related: https://github.com/QubesOS/qubes-issues/issues/2572 (meta-packages for Qubes)
As for the above list:

  • drop all notification-related packages - those are not up to qubes-whonix
  • gnome-*, network-manager* - should be moved to some qubes-metapackage (recommended flavor, probably not installed in Whonix)
Jan 30 2017, 12:40 PM · Whonix 14, Whonix, Qubes
marmarek added a comment to T509: Consider nftables as a replacement for iptables.

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

Jan 30 2017, 12:06 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 21 2017

marmarek added a comment to T610: use tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false";.

Perhaps it's better to implement this rather minimally inside the https://phabricator.whonix.org/tag/qubes-whonix/ package? A simple one socat listener port 9050 only redirection from whonix-gw TemplateVM to sys-whonix?

Jan 21 2017, 11:15 PM · Whonix, anon-shared-build-apt-sources-tpo, build, whonix-repository, anon-apt-sources-list, Whonix 14
marmarek added a comment to T610: use tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false";.
In T610#11722, @Patrick wrote:

I haven't updated whonix_repository_uri= in https://github.com/Whonix/qubes-template-whonix/blob/master/whonix-gateway/04_install_qubes_post.sh to onion yet. I guess there we should use onion plus Acquire::BlockDotOnion "false";?

Jan 21 2017, 1:12 AM · Whonix, anon-shared-build-apt-sources-tpo, build, whonix-repository, anon-apt-sources-list, Whonix 14

Jan 19 2017

marmarek added a comment to T610: use tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false";.

What about tor-over-tor issue here? And starting tor in template by having apt-transport-tor installed? Are those issues mitigated somehow else?

Jan 19 2017, 1:18 PM · Whonix, anon-shared-build-apt-sources-tpo, build, whonix-repository, anon-apt-sources-list, Whonix 14

Jan 11 2017

marmarek added a comment to T561: find way to have Tor ephemeral hidden service using applications in Whonix-Workstation bind on all interfaces.
In T561#11317, @Patrick wrote:

a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.

Won't happen by the time this ends up in stretch. Anyhow. Should go for it optionally so any other workarounds can later be abolished.

b) Some solution using bindp.

I decided to go for that solution since the other solutions aren't looking feasible/great. bindp has been packaged by me, automated as a wrapper and added to uwt. Will git push it soon.
Could you please have a look at bindp and comment on the C code from a security perspective? @marmarek Without comments it's just 5 lines of make and 100 lines of C code.
https://github.com/yongboy/bindp

Jan 11 2017, 12:58 AM · uwt, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy)

Jan 6 2017

marmarek added a comment to T583: try kloak anti keystroke deanonymization tool and leave feedback.
In T583#11241, @Patrick wrote:

Wondering... Where are we going to install that tool? Wouldn't the anti keystroke deanonymization tool be better installed on the host / dom0 rather than inside Whonix VMs?

  • a) Having it installed inside the VM defeats keystroke deanonymization by remote servers (ssh, web, ...). Would be great!
  • b) Having it installed on the host / dom0 defeats a) as well as defeats keystroke deanonymization after VM compromise? Would be even better, no?!
Jan 6 2017, 2:51 AM · research, Whonix 14, Whonix

Dec 24 2016

marmarek added a comment to T583: try kloak anti keystroke deanonymization tool and leave feedback.

The above application grabs the input device, randomly delays the key events, and writes the events to a user-level input device via uinput.

Dec 24 2016, 11:20 PM · research, Whonix 14, Whonix

Dec 23 2016

marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

What about retrying qubes-whonix-torified-updates-proxy-check.service on
connection failure?

Dec 23 2016, 9:53 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 19 2016

marmarek added a comment to T486: Disable conntrack helper?.
In T486#11057, @Patrick wrote:

I don't know what to think of this which warns of conntrack... https://lists.torproject.org/pipermail/tor-talk/2016-December/042717.html

Dec 19 2016, 1:38 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Oct 6 2016

marmarek added a comment to T466: Qubes sys-whonix does not do its job as Qubes FirewallVM.

Actually the latter is also done (slightly differently - see my comment there).
Default static firewall (blocking INPUT etc) still uses iptables, but it doesn't matter on Whonix, since it uses its own version. Dynamic part (qubes-firewall service) uses nftables (when installed) and should not interfere with other firewall rules.

Oct 6 2016, 1:18 AM · iptables, whonix-gw-firewall, Qubes, Whonix

Sep 27 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.
In T448#10482, @Patrick wrote:

I guess we don't get around unit testing now. Do you have any examples where I can define function names, inputs and expected outputs?

Sep 27 2016, 7:40 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 23 2016

marmarek added a comment to T553: Emergency Crash Script to Protect Host FDE.

On Qubes it results in kernel message: sysrq: SysRq : This sysrq operation is disabled.
Default value of /proc/sys/kernel/sysrq on Qubes dom0 is 16. Changing to 1 does not work either:

[1363616.422789] sysrq: SysRq : Power Off
[1363616.423456] xenbus: xenbus_dev_shutdown: backend/console/1069/0: Initialising != Connected, skipping
[1363621.427069] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51760 timeout closing device
[1363626.430065] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51744 timeout closing device
[1363631.434062] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51728 timeout closing device
[1363636.437593] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51712 timeout closing device
[1363636.437595] xenbus: xenbus_dev_shutdown: backend/console/1068/0: Initialising != Connected, skipping
[1363641.441056] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51760 timeout closing device
[1363646.443064] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51744 timeout closing device
[1363651.446038] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51728 timeout closing device
[1363656.447016] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51712 timeout closing device
[1363656.447016] xenbus: xenbus_dev_shutdown: backend/console/1067/0: Initialising != Connected, skipping
[1363661.448050] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51760 timeout closing device
[1363666.451077] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51744 timeout closing device
[1363671.454069] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51728 timeout closing device
[1363676.457060] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51712 timeout closing device
[1363676.457118] xenbus: xenbus_dev_shutdown: backend/console/711/0: Initialising != Connected, skipping
[1363681.460065] xenbus: xenbus_dev_shutdown: backend/vbd/711/51760 timeout closing device

And finally shutdown after timing out for every VM - 20s per VM. Not good, at least.
Sysrq-c makes dom0 frozen for some time (5s?) and then reboots. Also after changing sysctl setting.

Sep 23 2016, 9:43 PM · user documentation, Whonix 14, Whonix, Whonix-Host
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.
In T448#10419, @Patrick wrote:

Do you think DaemonRunner is still of any use or could be removed?

Sep 23 2016, 9:30 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.
In T448#10396, @Patrick wrote:

Security aspects...
Do you think Whonix-Workstation could spoof its client_ip and therefore lead to a security issue?

Sep 23 2016, 1:00 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 21 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

nc connection to cpfpy no longer works. (Should work, because it also works with real Tor Control Port.)

Sep 21 2016, 11:16 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

https://github.com/Whonix/control-port-filter-python/pull/5

Sep 21 2016, 11:13 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

I'm on it.

Sep 21 2016, 11:06 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 19 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

https://github.com/Whonix/control-port-filter-python/pull/4

Sep 19 2016, 1:04 AM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 18 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

https://github.com/Whonix/control-port-filter-python/pull/3

Sep 18 2016, 3:10 AM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

Working on it, will push something in half an hour.

Sep 18 2016, 2:31 AM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 17 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

Commented in that last commit. Generally looks good. Few things to consider:

  • switching to asyncore completely - even for handling new incoming connections, replacing StreamServer - not sure if worth the effort, but will make the code even cleaner. Generally better to use one API for handling sockets at a time.
  • filtering responses (is it needed?)
Sep 17 2016, 3:24 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 16 2016

marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

I'd expect some more problems, but nothing serious. For example CUPS may
not work...

Sep 16 2016, 1:40 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

Network shouldn't be needed for GUI applications as long as DISPLAY
environment variable is correctly set. Make sure it's :0, and not
localhost:0.

Sep 16 2016, 1:16 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 3 2016

marmarek added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

I'd expect that PV VM can't control c-states, so on Qubes it will not be
that simple, at least in default configuration. But worth a try.

Aug 3 2016, 9:20 AM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, research, Whonix

Aug 1 2016

marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.

In the failed one (job #13.5)

Aug 1 2016, 10:06 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug