comment out /etc/qubes-rpc/policy/qubes.UpdatesProxy #487

Merged
merged 1 commit into from
Dec 16, 2022

adrelanos
Member

Because legacy. Already replaced by /etc/qubes/policy.d/90-default.policy.

part of QubesOS/qubes-issues#7724

codecov bot commented Aug 30, 2022

Codecov Report

Merging #487 (3999386) into master (e7aa7b5) will not change coverage.
The diff coverage is n/a.

```diff
@@           Coverage Diff           @@
##           master     #487   +/-   ##
=======================================
  Coverage   65.82%   65.82%
=======================================
  Files          53       53
  Lines       10017    10017
=======================================
  Hits         6594     6594
  Misses       3423     3423
```

| Flag | Coverage Δ |
|------|------------|
| unittests | 65.82% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.

Minimalist73 commented Aug 30, 2022

I was curious about this because I still use `/etc/qubes-rpc/policy/qubes.UpdatesProxy` to manage my updates through Whonix. I discovered that the default rule in `/etc/qubes/policy.d/90-default.policy` is set to update all my Templates using sys-net even if I checked the "update through Tor" in the Qubes installation (I did it a few weeks ago). It means that if this PR is merged and the file is commented out, all my updates would go through sys-net, which will leak all the traffic to my ISP. I don't know if that's just me, but it needs to be checked before anything, because a lot of people can be in this situation.

Here's my `/etc/qubes/policy.d/90-default.policy` file:

```
# HTTP proxy for downloading updates
# Upgrade all TemplateVMs through sys-whonix.
#qubes.UpdatesProxy     *    @type:TemplateVM        @default    allow target=sys-whonix
# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @default    allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @anyvm      deny
# Default rule for all TemplateVMs - direct the connection to sys-net
qubes.UpdatesProxy      *   @type:TemplateVM        @default    allow target=sys-net
qubes.UpdatesProxy      *   @anyvm                  @anyvm      deny
```
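
The routing concern raised in the comment above can be checked mechanically. The following is an added example, not part of the original thread and not Qubes OS code: it evaluates the posted rule lines with a simplified first-match model and lists the templates whose update proxy would not be sys-whonix. The qube names, the inventory and all helper functions are hypothetical; only the rule lines come from the comment.

```python
# Simplified model of qrexec policy evaluation for qubes.UpdatesProxy.
# Assumption: rules are tried top to bottom and the first match decides.
POLICY = """\
#qubes.UpdatesProxy     *    @type:TemplateVM        @default    allow target=sys-whonix
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @default    allow target=sys-whonix
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @anyvm      deny
qubes.UpdatesProxy      *   @type:TemplateVM        @default    allow target=sys-net
qubes.UpdatesProxy      *   @anyvm                  @anyvm      deny
"""  # rule lines as posted in the comment above

QUBES = {  # constructed inventory; names are hypothetical
    "whonix-gw-template": {"type": "TemplateVM", "tags": {"whonix-updatevm"}},
    "fedora-template": {"type": "TemplateVM", "tags": set()},
    "work": {"type": "AppVM", "tags": set()},
}

def parse_rules(text, service="qubes.UpdatesProxy"):
    # Returns (source, target, action, params) for each active rule of `service`.
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) < 5 or fields[0] != service:
            continue
        _svc, _arg, source, target, action, *extra = fields
        params = dict(p.split("=", 1) for p in extra if "=" in p)
        rules.append((source, target, action, params))
    return rules

def _matches(token, name, qube):
    if token in ("*", "@anyvm"):
        return True
    if token.startswith("@type:"):
        return qube is not None and qube["type"] == token[len("@type:"):]
    if token.startswith("@tag:"):
        return qube is not None and token[len("@tag:"):] in qube["tags"]
    return token == name  # literal qube name or a keyword such as @default

def resolve(rules, name, qube, target="@default"):
    # First matching rule wins; no match at all means the call is denied.
    for source, tgt, action, params in rules:
        if _matches(source, name, qube) and _matches(tgt, target, None):
            return action, params.get("target")
    return "deny", None

def audit(policy_text, qubes, expected="sys-whonix"):
    # Templates whose update proxy would not be `expected`.
    rules = parse_rules(policy_text)
    routes = {n: resolve(rules, n, q) for n, q in qubes.items()
              if q["type"] == "TemplateVM"}
    return {n: r for n, r in routes.items() if r != ("allow", expected)}
```

`audit(POLICY, QUBES)` reports only the non-Whonix template, routed to sys-net. The model evaluates just the text it is given; other files in the policy directory are not taken into account.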

@adrelanos
Member Author

Not sure this should be discussed in the pull request or in the ticket? Ticket seems to have better visibility.

@Minimalist73

> Ticket seems to have better visibility.

You are right, I re-posted my message in the main ticket.

@marmarek marmarek merged commit 4a62228 into QubesOS:master Dec 16, 2022