
Thu, Apr 18

marmarek added a comment to T895: Proposed Download Directory Structure.

I suggest not permanent redirection, otherwise browsers may cache old version.

Thu, Apr 18, 9:22 AM · server-ssh-access-required, website, Whonix

Thu, Apr 4

marmarek added a comment to T670: Activating Lockdown.

This looks focused on kernel protection from an attacker who already has full user (or even root) access. Something very desirable on servers/multi-user systems, but not very meaningful in a single-user AppVM.
Also, disabling module loading entirely may break attaching devices (block, usb, etc.).
Other than module loading, it shouldn't do harm, though.

Thu, Apr 4, 8:51 PM · Debian version 10 codename Buster, Whonix

Feb 15 2019

marmarek added a comment to T709: port Whonix package build process to Qubes package build process.

To build a package with qubes-builder, you need to add a Makefile.builder file with just one line: DEBIAN_BUILD_DIRS := debian. This will tell qubes-builder that the given repository contains a Debian package.
Alternatively, if that would be too much of a problem, it should be easy to add an option that does auto-detection (probably just looking for a debian directory).

Feb 15 2019, 12:20 AM · security, Qubes, build, Whonix

Sep 18 2018

marmarek added a comment to T691: sdwdate sclockadj change time without spamming logs.

Actually, the "apt-daily.timer: Adding 1h 17min 24.927437s random time" message has a real impact, not only noise. Each time sdwdate changes the time, systemd adds a random delay to those timers, which means the timer will never expire (unless that random delay happens to be very close to 0, i.e. below the time until sdwdate changes the time, which looks to be 1s).

Sep 18 2018, 3:55 AM · systemd, research, sclockadj, sdwdate, Whonix

Sep 2 2018

marmarek added a comment to T824: Graphical issue inside Dolphine (xfce nautilus working fine).

I'd guess breeze-icon-theme.

Sep 2 2018, 10:40 PM · qubes-template-whonix, qubes-whonix, Whonix
marmarek added a comment to T824: Graphical issue inside Dolphine (xfce nautilus working fine).

Do you have non-qubes instance to compare?

Sep 2 2018, 6:07 PM · qubes-template-whonix, qubes-whonix, Whonix
marmarek added a comment to T824: Graphical issue inside Dolphine (xfce nautilus working fine).

whonix.onion links look invalid (I know what you meant...)

Sep 2 2018, 3:07 PM · qubes-template-whonix, qubes-whonix, Whonix

Jul 18 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

The easiest way would be to have a new entry for qubesdb-read, in addition to qubes-gateway, which holds the IP address.
Something like qubesdb-read /qubes-gateway-name.

Jul 18 2018, 12:12 AM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 29 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

JSON handling looks fine. Not sure about using the data loaded from there, for example whether self.message requires sanitization. AFAIR some Qt widgets support HTML formatting, so it may be undesirable to allow that.

Jan 29 2018, 3:44 PM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 26 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

Probably no. But I'm not an expert in security or attacks.

pickle load deserializes an object, in our case a dictionary. Anything not in that form would raise an exception.

Jan 26 2018, 6:49 PM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 22 2018

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).

Obviously they'll have to be in sdwdate. There are some issues regarding the format of the argument in qrexec-client-vm sys-whonix whonix.test+"[argument]" when it reaches the target VM. It's sanitized, no problem there, it can be parsed, but it's truncated at 51 bytes, which limits what we can pass.

Jan 22 2018, 3:11 AM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jan 12 2018

marmarek added a comment to T72: Whonix Greeter.
In T72#15372, @Patrick wrote:

Does Qubes have any thoughts on internationalization? How to get it localized into several native languages? There is dom0 window manager, Debian template, Fedora template. @marmarek

Whonix is only a small piece in the bigger picture of Qubes internationalization, which would then follow how it is implemented for Debian templates.

Jan 12 2018, 11:12 PM · whonix-setup-wizard, Whonix, usability, desktop

Nov 9 2017

marmarek added a comment to T84: Should we enable HTTP Public Key Pinning (HPKP) for whonix.org?.

Well, google is going to deprecate HPKP in chrome/chromium.

Nov 9 2017, 5:38 PM · infrastructure, security, research, Whonix, website

Nov 3 2017

marmarek added a comment to T725: add proxy capabilities (provides_network) to Whonix-Workstation / move Qubes updates proxy to Whonix-Workstation.

A VM does not need to be a ProxyVM or have provides_network=True to serve as updatevm on Qubes 4.0. You just need to start the updates proxy there (tinyproxy, enabled with qvm-service --enable vmname qubes-updates-proxy) and set the qrexec policy of qubes.UpdatesProxy to direct the traffic there.

Nov 3 2017, 2:46 PM · Whonix, Whonix 16

Oct 29 2017

marmarek added a comment to T641: Qubes R4: install pulseaudio-qubes in Whonix 14 for audio support / pulseaudio and vlc should not be installed in sys-whonix.

(highest available version is 3.2.18-1+deb9u1)

Oct 29 2017, 5:53 PM · Whonix 14, Whonix, anon-meta-packages, Qubes

Oct 28 2017

marmarek added a comment to T641: Qubes R4: install pulseaudio-qubes in Whonix 14 for audio support / pulseaudio and vlc should not be installed in sys-whonix.

Will that really work for 4.0? There is also the qubes-gui-agent package, so it isn't clear to me that pulseaudio-qubes will really be installed. Perhaps pulseaudio-qubes | qubes-gui-agent (<< 4.0.0)?

Oct 28 2017, 4:52 PM · Whonix 14, Whonix, anon-meta-packages, Qubes

Oct 20 2017

marmarek added a comment to T491: port whonixcheck and tb-updater to Qubes qrexec based updates proxy.

Does that change to 127.0.0.1 work on Qubes 3.2? Anyway, yes, it should be good enough for Qubes 4.0.

Oct 20 2017, 3:33 PM · Whonix 14, Whonix 13, tb-updater, Whonix, Qubes, whonixcheck
marmarek added a comment to T723: Qubes R4 RC1 - Whonix 13 - updates proxy test failing sometimes.

sys-whonix is started by the first request to the updates proxy (if not already running). In most cases that will be the connectivity check. I think the connect timeout doesn't matter here, as the connection (in TCP terms) is to localhost, instant. Only the response comes later.
I guess the problem is that the warning is displayed while the connectivity check is still running (i.e. a race condition). Since sys-whonix takes some time to start, it happens reliably. Maybe some dependencies between those services would help (is it possible to order a GUI application after system service startup?). Or some lock file to synchronize those things?
If none of the above is possible, one solution would be ordering the connectivity check with Before=qubes-gui-agent.service. But I'd treat this as a last resort.

Oct 20 2017, 3:18 PM · Whonix, Whonix 13, Whonix 14

Oct 8 2017

marmarek added a comment to T710: qubes-whonix build failure.

https://github.com/Whonix/qubes-template-whonix/pull/1

Just setting the tbb_version or tbb_hardcoded_version variable isn't enough, because it isn't propagated through all the layers to the postinst of tb-updater. But temporarily creating a configuration file works (in /etc/torbrowser.d).
Use tbb_version there, because tbb_hardcoded_version is unconditionally overridden by /usr/share/tb-updater/tbb_hardcoded_version. But the latter is ignored if tbb_version is already set.

Oct 8 2017, 10:56 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes

Oct 7 2017

marmarek added a comment to T710: qubes-whonix build failure.

The problem is back again: 7.0.4 is no longer available at https://dist.torproject.org/torbrowser/
What is the easiest/most elegant way to choose a different version without modifying the tb-updater package? Some env variable? Some config file? I don't consider https://github.com/SimonSelg/qubes-template-whonix/blob/SimonSelg-fix-tb-updater/whonix-gateway/04_install_qubes_post.sh#L65-L79 elegant...

Oct 7 2017, 3:39 PM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes

Sep 26 2017

marmarek added a comment to T698: check Qubes-Whonix compatibility with Qubes 4.0.

Out of curiosity, where is the R4.0 rc2 download for fresh install?

Sep 26 2017, 1:16 AM · Whonix 14, Whonix, Qubes

Sep 24 2017

marmarek added a comment to T698: check Qubes-Whonix compatibility with Qubes 4.0.

As for policy for updates proxy, see this: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/commit/977362ee27ccc116512fc428c0807063600655cc

Sep 24 2017, 4:35 PM · Whonix 14, Whonix, Qubes

Sep 20 2017

marmarek added a comment to T491: port whonixcheck and tb-updater to Qubes qrexec based updates proxy.

Since https://github.com/Whonix/qubes-whonix/commit/01964e3c8c53b49aa14e56f7924fce5e88b5a448, other places can simply source /usr/lib/qubes-whonix/utility_function.sh and use PROXY_SERVER variable to get appropriate proxy address.

Sep 20 2017, 10:43 PM · Whonix 14, Whonix 13, tb-updater, Whonix, Qubes, whonixcheck

Sep 14 2017

marmarek added a comment to T463: Qubes-Whonix-Workstation DispVM Support.

https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/pull/5

Sep 14 2017, 2:36 AM · Whonix, Qubes
marmarek added a comment to T463: Qubes-Whonix-Workstation DispVM Support.

qubes-devel discussion: https://groups.google.com/d/msgid/qubes-devel/0f80b2a7-af84-fe3c-db9b-5d9bbeedfea6%40riseup.net

Sep 14 2017, 2:24 AM · Whonix, Qubes

Sep 12 2017

marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.
In T697#14525, @Patrick wrote:

Merged.

Note that I've created PR against Whonix13 branch instead of master intentionally. While it should be mergeable to master too, it would be good to have it in Whonix13. The current version from master branch is already incompatible with Whonix 13.

I couldn't merge / cherry-pick it. Manually emulated.

https://github.com/Whonix/qubes-whonix/commit/9a8d4b94865efceec7928d5498260a44241d96b2

Could you check please the master branch has it all? (Because that will go into Whonix 14.)

Whonix13 branch i.e. qubes-whonix 5.7.2.1-1 uploaded to Whonix jessie-proposed-updates repository.

Sep 12 2017, 3:12 AM · anon-meta-packages, Whonix 14, Qubes, Whonix

Sep 11 2017

marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.

Done: https://github.com/Whonix/qubes-whonix/pull/5
Note that I've created PR against Whonix13 branch instead of master intentionally. While it should be mergeable to master too, it would be good to have it in Whonix13. The current version from master branch is already incompatible with Whonix 13.

Sep 11 2017, 9:45 PM · anon-meta-packages, Whonix 14, Qubes, Whonix
marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.

According to Debian policy, << is the syntax for "strictly older than".

Sep 11 2017, 2:59 PM · anon-meta-packages, Whonix 14, Qubes, Whonix
marmarek added a comment to T697: sort out meta packages compatibility with Qubes 3.2 and Qubes R4.0.

https://github.com/Whonix/qubes-whonix/pull/4

Sep 11 2017, 2:25 AM · anon-meta-packages, Whonix 14, Qubes, Whonix

Aug 26 2017

marmarek added a comment to T710: qubes-whonix build failure.

Yes, it works now: https://travis-ci.org/marmarek/qubes-template-whonix/builds/263033873

Aug 26 2017, 1:38 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes

Aug 25 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

The idea was to keep the X newest entries, not the oldest, right? So the first order is right (the code skips the X "first" directories). Also, I'd trust file names more than modification time; the latter is easy to mess up (and a consequence would be removing the wrong directory, possibly one containing just-modified data).

Aug 25 2017, 7:46 PM · Whonix 13, Whonix 14, Qubes, Whonix

Aug 15 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

I've tried glob, but I need reversed order and failed to do that with glob. ls -dr should do. Unless $tb_browser_folder itself contains spaces...

Aug 15 2017, 8:03 PM · Whonix 13, Whonix 14, Qubes, Whonix

Aug 12 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

Proposed fix here: https://github.com/Whonix/tb-updater/pull/1

Aug 12 2017, 12:49 PM · Whonix 13, Whonix 14, Qubes, Whonix

Aug 10 2017

marmarek added a comment to T710: qubes-whonix build failure.

Indeed, TEMPLATE_OPTIONS variable wasn't properly propagated. Fixing this fixes whonix-gateway build:
https://travis-ci.org/marmarek/qubes-template-whonix/builds/263033866

Aug 10 2017, 1:16 PM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes

Aug 9 2017

marmarek added a comment to T710: qubes-whonix build failure.

Also, it worked before (when Tor Browser 7.0 was still downloadable)... See the build history on Travis (https://travis-ci.org/marmarek/qubes-template-whonix/builds).

Aug 9 2017, 2:28 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes
marmarek added a comment to T710: qubes-whonix build failure.

In above linked travis job, workstation build (17.6) fails with:

(Debugging information: curl_status_message: [22] - [HTTP page not retrieved. The requested url was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.])

Probably package installation order is non-deterministic here...

Aug 9 2017, 2:23 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes
marmarek added a comment to T710: qubes-whonix build failure.

Are you sure about that? According to the build log, the issue with whonix-ws is the missing 7.0.0 version on the server. anon-gw-dns-conf is not installed in whonix-ws.

Aug 9 2017, 2:07 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes
marmarek added a comment to T710: qubes-whonix build failure.

Ah, you're right. So the second line in my comment _is_ a blocker too.

Aug 9 2017, 1:56 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes
marmarek added a comment to T710: qubes-whonix build failure.

I prefer the proper fix, which is a chain of three tickets in total: https://phabricator.whonix.org/T671#14310
Independently (not a blocker), it would be good to find out why tb-updater is installed in whonix-gw.

Aug 9 2017, 1:42 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes

Aug 7 2017

marmarek added a comment to T671: old Tor Browser versions in /var/cache/tb-binary/.tb/ accumulate in Qubes-Whonix, users run into full up disk error issues.

What exactly is the use case where removing old /var/cache/tb-binary/.tb/tor-browser.old.* is bad?
IIUC this ticket is blocking the tb-updater stable upgrade (T690), which would fix the qubes-whonix build failure (T710), which is a blocker for having Whonix templates for Qubes 4.0.

Aug 7 2017, 10:41 PM · Whonix 13, Whonix 14, Qubes, Whonix

Jul 30 2017

marmarek added a comment to T710: qubes-whonix build failure.

What does it mean in practice?
Also "Couldn't resolve host" doesn't look like file removed from torproject's download server...

Jul 30 2017, 12:20 AM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes

Jul 29 2017

marmarek created T710: qubes-whonix build failure.
Jul 29 2017, 2:12 PM · tb-updater, build, Whonix 14, Whonix 13, Whonix, Qubes

Jul 7 2017

marmarek added a comment to T695: Whonix running as Qubes DispVM uses saved clock.

Yes to both of you:

  • should just work on Qubes 4.0 (savefiles are not used there anymore)
  • calling qubes.GetRandomizedTime as post-suspend action would fix that too

Jul 7 2017, 8:13 PM · Whonix 14, Whonix 13, Whonix, sclockadj

Jul 4 2017

marmarek added a comment to T534: make sdwdate-gui Qubes friendly (sdwdate-gui-qubes).
In T534#13990, @Patrick wrote:

@marmarek is there some qubesdb-read to find out from anon-whonix that its NetVM is sys-whonix?

(Required to qrexec target variable. Trying to cover the case where one is using multiple Whonix-Gateway's.)

Jul 4 2017, 3:59 AM · Whonix, python, Qubes, usability, security, enhancement, sdwdate, sdwdate-gui

Jun 8 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

Looks like at least NTP and chrony use ntp_adjtime/adjtimex

Jun 8 2017, 1:30 AM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

Jun 7 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

adjtimex/ntp_adjtime look quite complex, but also allow precise control over how the time should be adjusted. Of those two, according to the manual page, ntp_adjtime is preferred.

Jun 7 2017, 12:42 AM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

Jun 5 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

I've left you some minor comments here: https://github.com/JasonJAyalaP/sclockadj/commit/e9bf84e3a400f7a8ef01e5f00dcefc013d0a9efe

Jun 5 2017, 10:54 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code
marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

What about using the adjtime() syscall instead of all this? It would avoid trashing logs with "Time has been changed" every single second, and possibly other side effects.

Jun 5 2017, 10:44 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

May 20 2017

marmarek added a comment to T677: research and document secure downloads using Tor Browser.

Well, if you explicitly type/paste "https://" in the URL, sslstrip and similar do not apply. But very few people do that; most follow some link, or type just "www.torproject.org" instead of "https://www.torproject.org".

May 20 2017, 12:16 PM · Whonix, user documentation, research, Whonix 14

Apr 14 2017

marmarek added a comment to T658: Qubes-Whonix 14 timesync vs usabilty decision.
In T658#12969, @Patrick wrote:

Another issue at the moment with sdwdate-gui in Qubes is that users cannot really know which sdwdate-gui belongs to which VM. The coloring of the sys-tray works, but you could not distinguish them if both used the same color.

That's more of a general Qubes issue. Should I try to work around it by adding the Qubes VM name to the sdwdate-gui right-click menu?

The same is true for the hover-over passive tooltips. Should I add the Qubes VM name there as well?

Apr 14 2017, 8:09 PM · sdwdate, Whonix 14, Qubes, Whonix

Apr 13 2017

marmarek added a comment to T658: Qubes-Whonix 14 timesync vs usabilty decision.

What about hiding sdwdate-gui icon when time is synchronized? So, have an icon only when there is some problem or sdwdate is still bootstrapping? This isn't ideal as actions like restart/stop will be unavailable, but maybe good enough for now?

Apr 13 2017, 3:57 PM · sdwdate, Whonix 14, Qubes, Whonix
marmarek added a comment to T658: Qubes-Whonix 14 timesync vs usabilty decision.

I'm not sure about sdwdate-gui details, but could it be started in a mode without a tray icon and only show notifications? Maybe also make sure that notifications do not expire until sdwdate succeeds. Or maybe hide the tray icon when time is synchronized?
Those should be much easier to do than the full T534.

Apr 13 2017, 2:53 PM · sdwdate, Whonix 14, Qubes, Whonix

Mar 16 2017

marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

Can't find which Debian package ships debug symbols; there is no -dbg package there: https://packages.debian.org/source/stretch/ruby2.3

Mar 16 2017, 4:52 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code
marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

Ah, it's ruby... So, python-dbg is irrelevant, but trying gdb may still be a good idea.

Mar 16 2017, 4:51 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code
marmarek added a comment to T650: review 30 lines of sclockadj inline C code.

I don't see any loop there and only very simple function calls, so I don't see how that would trigger such a bug...

Mar 16 2017, 4:35 PM · Whonix 14, Whonix, sclockadj, sdwdate, C Code

Mar 5 2017

marmarek added a comment to T599: bindp libindp.so C code fixes.

@marmarek If the problem is only with applications listening on both AF_INET and AF_UNIX,

Mar 5 2017, 10:34 PM · bindp, security, Whonix 14, C Code, Whonix

Mar 1 2017

marmarek added a comment to T629: fix sdwdate sigterm handling during remote_times.py get_time_from_servers.

Also, Python >= 3.4 comes with a great API for concurrent execution, asyncio, a much more powerful version of asyncore. In this case it could be used to avoid threads altogether. But I'm still learning how to use it... You may want to read/watch this if you want a quick intro: https://fosdem.org/2017/schedule/event/python_coroutines/

Mar 1 2017, 11:09 PM · python, bug, Whonix, sdwdate
marmarek added a comment to T629: fix sdwdate sigterm handling during remote_times.py get_time_from_servers.

Where is the other thread created? To me it looks like get_time_from_servers is running in the main thread, so simply not catching SystemExit should be enough. At the point where it was raised, you had already called sys.exit (which is how SystemExit is raised), so exit_handler was already called.

Mar 1 2017, 11:04 PM · python, bug, Whonix, sdwdate

Feb 23 2017

marmarek added a comment to T599: bindp libindp.so C code fixes.

The problem is not in the connect function, but in bind. It assumes the AF_INET family, casting the sk pointer to struct sockaddr_in. But if the socket family is something different, the structure may also be different (for example struct sockaddr_un for AF_UNIX). In practice, besides misusing this library, the problem only applies to applications listening on both local (AF_UNIX) and network (AF_INET) sockets. Because you don't use this library for AF_UNIX-only applications.

Feb 23 2017, 2:03 AM · bindp, security, Whonix 14, C Code, Whonix
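The family check described in that comment, as an added example that is not bindp's own code: a hook that casts the sockaddr unconditionally, beside one that inspects sa_family and the caller-supplied length first. The target IP, port and socket path are constructed for the demo; bindp itself reads its target from the environment.

```c
/* Added example, not bindp's code: why a bind() hook must check the
 * address family before treating the sockaddr as struct sockaddr_in. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed values for the demo (TEST-NET-1 address, arbitrary port and path). */
#define DEMO_BIND_IP   "192.0.2.10"
#define DEMO_BIND_PORT 8080
#define DEMO_UNIX_PATH "/run/constructed-demo.sock"

/* The pattern described in the comment above: cast unconditionally.
 * For an AF_UNIX address this writes sin_port/sin_addr straight into
 * sun_path, silently changing the socket path the application asked for. */
static void naive_rewrite(struct sockaddr *sk)
{
    struct sockaddr_in *in = (struct sockaddr_in *)sk;
    in->sin_port = htons(DEMO_BIND_PORT);
    in->sin_addr.s_addr = inet_addr(DEMO_BIND_IP);
}

/* Hardened form: only touch the address when it really is AF_INET and the
 * caller-supplied length is large enough for struct sockaddr_in.
 * Returns 1 if rewritten, 0 if passed through untouched, -1 on a bad argument. */
int checked_rewrite(struct sockaddr *sk, socklen_t len)
{
    if (sk == NULL || len < sizeof(sa_family_t))
        return -1;
    if (sk->sa_family != AF_INET)
        return 0;                      /* AF_UNIX, AF_INET6, ...: leave alone */
    if (len < sizeof(struct sockaddr_in))
        return -1;
    struct sockaddr_in *in = (struct sockaddr_in *)sk;
    if (inet_pton(AF_INET, DEMO_BIND_IP, &in->sin_addr) != 1)
        return -1;
    in->sin_port = htons(DEMO_BIND_PORT);
    return 1;
}

/* Constructed AF_UNIX address, as an application listening on a local socket would build it. */
static void make_unix_addr(struct sockaddr_un *un)
{
    memset(un, 0, sizeof(*un));
    un->sun_family = AF_UNIX;
    strncpy(un->sun_path, DEMO_UNIX_PATH, sizeof(un->sun_path) - 1);
}

/* Returns 1 when the naive hook corrupted the AF_UNIX path. */
int demo_naive_corrupts_unix_path(void)
{
    struct sockaddr_un un;
    make_unix_addr(&un);
    naive_rewrite((struct sockaddr *)&un);
    return strcmp(un.sun_path, DEMO_UNIX_PATH) != 0;
}

/* Returns 1 when the checked hook left the AF_UNIX path intact. */
int demo_checked_leaves_unix_path(void)
{
    struct sockaddr_un un;
    make_unix_addr(&un);
    int rc = checked_rewrite((struct sockaddr *)&un, sizeof(un));
    return rc == 0 && strcmp(un.sun_path, DEMO_UNIX_PATH) == 0;
}

/* Returns 1 when the checked hook rewrote a genuine AF_INET address. */
int demo_checked_rewrites_inet(void)
{
    struct sockaddr_in in;
    memset(&in, 0, sizeof(in));
    in.sin_family = AF_INET;
    in.sin_port = htons(80);
    in.sin_addr.s_addr = htonl(INADDR_ANY);   /* the app asked for 0.0.0.0:80 */
    int rc = checked_rewrite((struct sockaddr *)&in, sizeof(in));
    return rc == 1 && in.sin_addr.s_addr == inet_addr(DEMO_BIND_IP)
        && ntohs(in.sin_port) == DEMO_BIND_PORT;
}

int main(void)
{
    printf("naive hook corrupts AF_UNIX path:  %d\n", demo_naive_corrupts_unix_path());
    printf("checked hook leaves AF_UNIX alone: %d\n", demo_checked_leaves_unix_path());
    printf("checked hook rewrites AF_INET:     %d\n", demo_checked_rewrites_inet());
    return 0;
}
```

The length check matters as much as the family check: bind() receives whatever addrlen the application passed, and a sockaddr shorter than struct sockaddr_in must not be written through as one.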

Feb 20 2017

marmarek added a comment to T633: Non-Qubes-Whonix KDE plasma 5 fixes.

Slightly reduced duplication:

if [ -z "$XDG_CONFIG_DIRS" ]; then
    XDG_CONFIG_DIRS=/etc/xdg
fi
export XDG_CONFIG_DIRS=/usr/share/kde-dolphin-menubar-enable/:$XDG_CONFIG_DIRS

Feb 20 2017, 1:38 AM · Whonix 15, Whonix, kde
marmarek added a comment to T633: Non-Qubes-Whonix KDE plasma 5 fixes.

Try adding the default value too (/etc/xdg).

Feb 20 2017, 12:59 AM · Whonix 15, Whonix, kde

Jan 30 2017

marmarek added a comment to T620: clean up qubes-whonix package dependencies to resolve issues upgrading to stretch.

Related: https://github.com/QubesOS/qubes-issues/issues/2572 (meta-packages for Qubes)
As for the above list:

  • drop all notification-related packages - those are not up to qubes-whonix
  • gnome-*, network-manager* - should be moved to some qubes-metapackage (recommended flavor, probably not installed in Whonix)

Jan 30 2017, 12:40 PM · Whonix 14, Whonix, Qubes
marmarek added a comment to T509: Consider nftables as a replacement for iptables.

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

Jan 30 2017, 12:06 PM · iptables, vpn-firewall, whonix-ws-firewall, whonix-gw-firewall, Whonix, refactoring, research

Jan 21 2017

marmarek added a comment to T610: use tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false";.

Perhaps it's better to implement this rather minimally inside the https://phabricator.whonix.org/tag/qubes-whonix/ package? A simple one socat listener port 9050 only redirection from whonix-gw TemplateVM to sys-whonix?

Jan 21 2017, 11:15 PM · Whonix, anon-shared-build-apt-sources-tpo, build, whonix-repository, anon-apt-sources-list, Whonix 14
marmarek added a comment to T610: use tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false";.
In T610#11722, @Patrick wrote:

I haven't updated whonix_repository_uri= in https://github.com/Whonix/qubes-template-whonix/blob/master/whonix-gateway/04_install_qubes_post.sh to onion yet. I guess there we should use onion plus Acquire::BlockDotOnion "false";?

Jan 21 2017, 1:12 AM · Whonix, anon-shared-build-apt-sources-tpo, build, whonix-repository, anon-apt-sources-list, Whonix 14

Jan 19 2017

marmarek added a comment to T610: use tor+http / apt-transport-tor rather than Acquire::BlockDotOnion "false";.

What about tor-over-tor issue here? And starting tor in template by having apt-transport-tor installed? Are those issues mitigated somehow else?

Jan 19 2017, 1:18 PM · Whonix, anon-shared-build-apt-sources-tpo, build, whonix-repository, anon-apt-sources-list, Whonix 14

Jan 11 2017

marmarek added a comment to T561: find way to have Tor ephemeral hidden service using applications in Whonix-Workstation bind on all interfaces.
In T561#11317, @Patrick wrote:

a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.

Won't happen by the time this ends up in stretch. Anyhow. Should go for it optionally so any other workarounds can later be abolished.

b) Some solution using bindp.

I decided to go for that solution since the other solutions aren't looking feasible/great. bindp has been packaged by me, automated as a wrapper and added to uwt. Will git push it soon.

Could you please have a look at bindp and comment on the C code from a security perspective? @marmarek Without comments it's just 5 lines of make and 100 lines of C code.

https://github.com/yongboy/bindp

Jan 11 2017, 12:58 AM · uwt, Whonix 14, onion-grater (Control Port Filter Proxy), Whonix

Jan 6 2017

marmarek added a comment to T583: try kloak anti keystroke deanonymization tool and leave feedback.
In T583#11241, @Patrick wrote:

Wondering... Where are we going to install that tool? Wouldn't the anti keystroke deanonymization tool be better installed on the host / dom0 rather than inside Whonix VMs?

  • a) Having it installed inside the VM defeats keystroke deanonymization by remote servers (ssh, web, ...). Would be great!
  • b) Having it installed on the host / dom0 defeats a) as well as defeats keystroke deanonymization after VM compromise? Would be even better, no?!

Jan 6 2017, 2:51 AM · research, Whonix 14, Whonix

Dec 24 2016

marmarek added a comment to T583: try kloak anti keystroke deanonymization tool and leave feedback.

The above application grabs the input device, randomly delays the key events, and writes the events to a user-level input device via uinput.

Dec 24 2016, 11:20 PM · research, Whonix 14, Whonix

Dec 23 2016

marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

What about retrying qubes-whonix-torified-updates-proxy-check.service on connection failure?

Dec 23 2016, 9:53 PM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Dec 19 2016

marmarek added a comment to T486: Disable conntrack helper?.
In T486#11057, @Patrick wrote:

I don't know what to think of this which warns of conntrack... https://lists.torproject.org/pipermail/tor-talk/2016-December/042717.html

Dec 19 2016, 1:38 AM · Whonix, whonix-ws-firewall, whonix-gw-firewall, enhancement, security

Oct 6 2016

marmarek added a comment to T466: Qubes sys-whonix does not do its job as Qubes FirewallVM.

Actually the latter is also done (slightly differently; see my comment there).
The default static firewall (blocking INPUT etc.) still uses iptables, but it doesn't matter on Whonix, since it uses its own version. The dynamic part (qubes-firewall service) uses nftables (when installed) and should not interfere with other firewall rules.

Oct 6 2016, 1:18 AM · iptables, whonix-gw-firewall, Whonix, Qubes

Sep 27 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.
In T448#10482, @Patrick wrote:

I guess we don't get around unit testing now. Do you have any examples where I can define function names, inputs and expected outputs?

Sep 27 2016, 7:40 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 23 2016

marmarek added a comment to T553: Emergency Crash Script to Protect Host FDE.

On Qubes it results in kernel message: sysrq: SysRq : This sysrq operation is disabled.
Default value of /proc/sys/kernel/sysrq on Qubes dom0 is 16. Changing to 1 does not work either:

[1363616.422789] sysrq: SysRq : Power Off
[1363616.423456] xenbus: xenbus_dev_shutdown: backend/console/1069/0: Initialising != Connected, skipping
[1363621.427069] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51760 timeout closing device
[1363626.430065] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51744 timeout closing device
[1363631.434062] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51728 timeout closing device
[1363636.437593] xenbus: xenbus_dev_shutdown: backend/vbd/1069/51712 timeout closing device
[1363636.437595] xenbus: xenbus_dev_shutdown: backend/console/1068/0: Initialising != Connected, skipping
[1363641.441056] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51760 timeout closing device
[1363646.443064] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51744 timeout closing device
[1363651.446038] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51728 timeout closing device
[1363656.447016] xenbus: xenbus_dev_shutdown: backend/vbd/1068/51712 timeout closing device
[1363656.447016] xenbus: xenbus_dev_shutdown: backend/console/1067/0: Initialising != Connected, skipping
[1363661.448050] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51760 timeout closing device
[1363666.451077] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51744 timeout closing device
[1363671.454069] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51728 timeout closing device
[1363676.457060] xenbus: xenbus_dev_shutdown: backend/vbd/1067/51712 timeout closing device
[1363676.457118] xenbus: xenbus_dev_shutdown: backend/console/711/0: Initialising != Connected, skipping
[1363681.460065] xenbus: xenbus_dev_shutdown: backend/vbd/711/51760 timeout closing device

And finally shutdown after timing out for every VM, 20s per VM. Not good, at least.
Sysrq-c freezes dom0 for some time (5s?) and then reboots. Also after changing the sysctl setting.

Sep 23 2016, 9:43 PM · user documentation, Whonix 14, Whonix, Whonix-Host
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.
In T448#10419, @Patrick wrote:

Do you think DaemonRunner is still of any use or could be removed?

Sep 23 2016, 9:30 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.
In T448#10396, @Patrick wrote:

Security aspects...

Do you think Whonix-Workstation could spoof its client_ip and therefore lead to an security issue?

Sep 23 2016, 1:00 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 21 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

nc connection to cpfpy no longer works. (It should work, because it also works with the real Tor Control Port.)

Sep 21 2016, 11:16 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

https://github.com/Whonix/control-port-filter-python/pull/5

Sep 21 2016, 11:13 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

I'm on it.

Sep 21 2016, 11:06 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 19 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

https://github.com/Whonix/control-port-filter-python/pull/4

Sep 19 2016, 1:04 AM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 18 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

https://github.com/Whonix/control-port-filter-python/pull/3

Sep 18 2016, 3:10 AM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement
marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

Working on it, will push something in half an hour.

Sep 18 2016, 2:31 AM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 17 2016

marmarek added a comment to T448: support for Tor control protocol events (setevent) by Control Port Filter Proxy.

Commented in that last commit. Generally looks good. Few things to consider:

  • switching to asyncore completely - even for handling new incoming connections, replacing StreamServer - not sure if worth the effort, but will make the code even cleaner. Generally it is better to use one API for handling sockets at a time.
  • filtering responses (is it needed?)
Sep 17 2016, 3:24 PM · Debian version 9 codename Stretch, Whonix 14, Whonix, onion-grater (Control Port Filter Proxy), enhancement

Sep 16 2016

marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

I'd expect some more problems, but nothing serious. For example CUPS may not work...

Sep 16 2016, 1:40 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate
marmarek added a comment to T533: iptables block network access until sdwdate succeeded.

Network shouldn't be needed for GUI applications as long as the DISPLAY environment variable is correctly set. Make sure it's :0, and not localhost:0.

Sep 16 2016, 1:16 AM · Whonix, usability, whonix-ws-firewall, whonix-gw-firewall, iptables, python, security, enhancement, sdwdate-gui, sdwdate

Aug 3 2016

marmarek added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

I'd expect that a PV VM can't control c-states, so on Qubes it will not be that simple, at least in the default configuration. But worth a try.

Aug 3 2016, 9:20 AM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research

Aug 1 2016

marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.

In the failed one (job #13.5)

Aug 1 2016, 10:06 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.

For 3.1 - yes, this is expected, qubes-core-agent package currently is available only in testing repository (will be in stable in two days) - https://github.com/QubesOS/qubes-issues/issues/2205

Aug 1 2016, 9:39 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.
In T527#9691, @Patrick wrote:

The build succeeded, however there was an error at the end.

./create_template_list.sh: line 13: xenstore-read: command not found

Aug 1 2016, 7:50 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.
In T527#9688, @Patrick wrote:

I have the override file in place.

https://github.com/adrelanos/qubes-template-whonix/blob/master/.travis.yml

But it is ignored. Still failing for the same reason.

How do I make changes to override.conf take effect from command line? (usually I use ./setup, but that gui tool won't work for TravisCI)

Aug 1 2016, 5:49 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.
In T527#9680, @Patrick wrote:

Using that now.

Yet BUILDER_PLUGINS is missing it.

BUILDER_PLUGINS:

     builder-fedora, builder-debian, mgmt-salt,

Hence, build still failing.

Makefile:45: *** Building template whonix-gateway not supported by any of configured plugins. Stop.

log:
https://s3.amazonaws.com/archive.travis-ci.org/jobs/148863490/log.txt

Aug 1 2016, 4:04 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.
In T527#9675, @Patrick wrote:

Package anon-workstation-packages-recommended is not configured yet.

This is likely just a symptom. [I also would have wondered what could have broken dependencies.] The build breaks on purpose. "Failing closed." The culprit is:

Failed to download: https://dist.torproject.org/torbrowser/5.5.5/sha256sums.txt.asc

Aug 1 2016, 4:02 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.
In T527#9673, @Patrick wrote:

Added .travis.yml:

https://github.com/adrelanos/qubes-template-whonix/blob/master/.travis.yml

sudo ln -s sid /usr/share/debootstrap/scripts/stretch is failing. Log:

https://api.travis-ci.org/jobs/148761324/log.txt?deansi=true

Any idea? Is it even needed? I try without. (Without is also better for more consistent results.)

Aug 1 2016, 11:16 AM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T528: fix qubes-whonix-firewall systemd service start in Q2198 branch.

It means the service will not be stopped at VM shutdown. In case of the firewall indeed it may be ok, but for network setup I think it may be a bug.

Aug 1 2016, 1:40 AM · Qubes, Whonix, Whonix 13

Jul 31 2016

marmarek added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

In Qubes (or Xen in general), a VM cannot disable c-states. This is possible only from dom0. Using this command (at every system startup):

xenpm set-max-cstate 0

There is probably also a Xen command line option for this, but as you've pointed out, it's easier to maintain a command running at startup.

Jul 31 2016, 4:49 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research

Jul 30 2016

marmarek added a comment to T528: fix qubes-whonix-firewall systemd service start in Q2198 branch.

I think that's fine. Because it serves a very similar purpose as networking.service. But this alone probably will not fix all the problems, as it will have the same dependencies, which are added using drop-ins:

user@host:~$ systemctl status networking
● networking.service - LSB: Raise network interfaces.
   Loaded: loaded (/etc/init.d/networking)
  Drop-In: /lib/systemd/system/networking.service.d
           └─40_qubes.conf
        /run/systemd/generator/networking.service.d
           └─50-insserv.conf-$network.conf
        /lib/systemd/system/networking.service.d
           └─network-pre.conf
   Active: inactive (dead)
           start condition failed at Tue 2016-07-26 22:45:03 UTC; 3 days ago
           ConditionPathExists=!/usr/lib/qubes-whonix was not met
Jul 30 2016, 10:37 PM · Qubes, Whonix, Whonix 13

Jul 29 2016

marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.

Hmm, this is all strange. As you can see in the build log, I've built from https://github.com/marmarek/qubes-template-whonix, master branch. And there I see WHONIX_APT_REPOSITORY_OPTS ?= stable
Is this setting ignored?

Jul 29 2016, 12:44 AM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T528: fix qubes-whonix-firewall systemd service start in Q2198 branch.

Apparently network-pre.target is implicitly ordered before basic.target, which is automatically added (as After=) by DefaultDependencies=yes. Which would mean that any service with Before=network-pre.target also needs DefaultDependencies=no.
I can't find any other example with Before=network-pre.target, but all the units I can find on Debian with Before=network.target also have DefaultDependencies=no. On the other hand, on Fedora I see multiple services with Before=network.target, but with DefaultDependencies=yes, so this looks like something Debian-specific. I guess it's about networking.service:

$ systemctl show networking.service |grep 'After=\|Before=\|DefaultDependencies='
Before=sysinit.target shutdown.target network.target
After=mountkernfs.service local-fs.target systemd-random-seed.service network-pre.target systemd-journald.socket system.slice
DefaultDependencies=no

This imposes the ordering: network-pre.target -> networking.service -> sysinit.target (which is before basic.target).
I have no idea whether it is some design decision, or unexpected side effect...

Jul 29 2016, 12:19 AM · Qubes, Whonix, Whonix 13
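A small check for the ordering problem described in the comment above, written as an added example (not code from the ticket or from qubes-whonix): it reads `systemctl show <unit>` style output from a file and flags a unit that orders itself Before=network-pre.target without also setting DefaultDependencies=no, which is the combination that makes the unit's implicit After=basic.target collide with network-pre.target. The two sample unit dumps are constructed, not captured from a real system.

```shell
# check_network_pre_ordering FILE
#   FILE holds key=value lines in the shape of `systemctl show <unit>` output.
#   Returns 0 when the unit is consistent (either it does not order itself
#   before network-pre.target, or it does and also has DefaultDependencies=no),
#   and 1 when it has Before=network-pre.target but keeps the default
#   dependencies (DefaultDependencies=yes), i.e. the case discussed above.
check_network_pre_ordering() {
    file="$1"
    before=$(grep '^Before=' "$file" | head -n1 | cut -d= -f2-)
    defdeps=$(grep '^DefaultDependencies=' "$file" | head -n1 | cut -d= -f2-)
    # Before= is a space separated list; match the target as a whole word.
    case " $before " in
        *" network-pre.target "*) ;;
        *) return 0 ;;   # not ordered before network-pre.target: nothing to check
    esac
    [ "$defdeps" = "no" ] && return 0
    return 1
}

# Constructed sample: a unit that orders itself before network-pre.target and
# correctly drops the default dependencies (hypothetical unit name).
good_unit=$(mktemp)
cat >"$good_unit" <<'EOF'
Id=qubes-whonix-firewall.service
Before=network-pre.target shutdown.target
After=systemd-journald.socket system.slice
DefaultDependencies=no
EOF

# Constructed sample: same Before= ordering but DefaultDependencies left at
# yes, so systemd also adds After=basic.target and the ordering cannot be met.
bad_unit=$(mktemp)
cat >"$bad_unit" <<'EOF'
Id=qubes-whonix-firewall.service
Before=network-pre.target
After=basic.target systemd-journald.socket system.slice
DefaultDependencies=yes
EOF

# Usage on a live system would be:
#   systemctl show qubes-whonix-firewall.service > /tmp/unit.txt
#   check_network_pre_ordering /tmp/unit.txt || echo "needs DefaultDependencies=no"
```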

Jul 28 2016

marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.
In T527#9609, @Patrick wrote:
In T527#9607, @marmarek wrote:

R3.2-rc2 is already released...
But - the whole thing applied only to the workstation template - the gateway build was ok and the new one is included there - I've just checked and it has the legacy function in /usr/lib/qubes-bind-dirs.d/41_qubes-whonix.conf.

I wonder where /usr/lib/qubes-bind-dirs.d/41_qubes-whonix.conf comes from. I haven't added it to the stable repository.

Jul 28 2016, 11:25 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug
marmarek added a comment to T527: Build failure of whonix-workstation Qubes template for R3.2 / add qubes-template-whonix to continuous integration service TravisCI.

R3.2-rc2 is already released...
But - the whole thing applied only to the workstation template - the gateway build was ok and the new one is included there - I've just checked and it has the legacy function in /usr/lib/qubes-bind-dirs.d/41_qubes-whonix.conf.

Jul 28 2016, 10:18 PM · Whonix 14, Whonix, Qubes, Whonix 13, bug