Stop leaking dom0 timezone to Qubes-Whonix

[adrelanos]

Qubes OS release

R4.2

Brief summary

Qubes VMs leak timezone.

Reported by @chessjazz.

Steps to reproduce

qubesdb-read /qubes-timezone

Expected behavior

No command available to leak dom0 timezone.

Actual behavior

Dom0 timezone can be leaked in VM if malware is running inside the VM.

Additional information

For issue tracking.

• issue caused by Qubes-Whonix: no
• affects Qubes-Whonix: yes, because Whonix sets timezone to UTC as it should be hidden. (It doesn't leak to remote websites but malware with local code execution could read dom0 timezone.)
• only relevant for Whonix: Dunno if there are also other users who would prefer not to leak this information to VMs.

Suggested solution

If qvm-features or similar mechanism has whonix-ws 1, whonix-gw 1, notimezone 1, then don't write /qubes-timezone to qubesdb.

[adrelanos]

quote:

the keyboard-layout is also available as a data point for non-US keyboards.

Not sure it's worth making separate issues or keeping them all inside this ticket and call it qubesdb VM informational leak issues or something.

[marmarek]

the keyboard-layout is also available as a data point for non-US keyboards.

Well, this I consider necessary. The system will be barely usable if you'll have different keyboard layouts in different VMs. If you consider leaking non-US layout a problem, do not set non-US layout system-wide.

[DemiMarie]

the keyboard-layout is also available as a data point for non-US keyboards.

Well, this I consider necessary. The system will be barely usable if you'll have different keyboard layouts in different VMs. If you consider leaking non-US layout a problem, do not set non-US layout system-wide.

Is Wayland a solution here? That could allow handling keyboard layouts entirely on the host, which avoids this problem.

[marmarek]

Is Wayland a solution here? That could allow handling keyboard layouts entirely on the host, which avoids this problem.

I don't think it's relevant to this issue, which is about what is currently there.

[p1llule]

Well, this I consider necessary. The system will be barely usable if you'll have different keyboard layouts in different VMs. If you consider leaking non-US layout a problem, do not set non-US layout system-wide.

Well this is open to discussion, I guess... You can hide your real keyboard layout by doing a translation of the input before it go to the VMs. This can be done with software as kmonad or even with pure XKB overlays. Eventually if you still need keys that are not in the US layout, you have to modify the XKB keymap inside the VM but still, you can lie on the name of the layout and its options.

[andrewdavidwong]

The keyboard layout stuff belongs in a separate issue. It doesn't seem to have anything to do with the timezone issue aside from both being about privacy leaks, which would be far too broad for a single issue. (Every issue must be about a single, actionable thing.)