# Create sys-ops-whonix VM for Enhanced Security and Isolation in Qubes-Whonix #9294

Labels:

- C: Whonix (this issue impacts Qubes-Whonix)
- P: default (priority: default, the default priority for new issues, to be replaced given sufficient information)
- security (this issue pertains to the security of Qubes OS)
- T: enhancement (type: enhancement, a new feature that does not yet exist or improvement of existing functionality)
## The problem you're addressing (if any)

Currently the Whonix-Gateway `sys-whonix` serves as `updatevm` (global preference for dom0 updates) and `clockvm` (global preference). This is non-ideal for security and anonymity.

The main issue with having these services running there is that it undermines the proxy isolation of the Whonix-Gateway and Whonix-Workstation separation.

In the non-Whonix, clearnet case it is fine to use `sys-firewall` for those tasks, even though it is a Net Qube; but `sys-firewall` is not the qube for proxy settings, just as `sys-whonix` is not the qube for running Qubes services. That is a task for a Whonix-Workstation, not a Whonix-Gateway, for better leak-proofness.

A vulnerability in tinyproxy, CVE-2023-49606, states that a specially crafted HTTP header could lead to remote code execution. In the Qubes case, where `sys-whonix` hosts tinyproxy, compromise of the Gateway means compromise of the user identity.

## The solution you'd like
`sys-ops-whonix` (UpdatesProxy, UpdateVM, ClockVM): a new, dedicated service VM.

Proposal: an App Qube or named Disposable Whonix-Workstation with the name `sys-ops-whonix`. The `sys-ops-whonix` qube would be based on the Whonix-Workstation Template and its Net Qube would be set to `sys-whonix` by default.

## The value to a user, and who that user might be

Better security and higher leak-proofness of Qubes-Whonix.
## Details

Why not use `anon-whonix` as `sys-ops-whonix` (UpdatesProxy, UpdateVM, ClockVM)? Because `anon-whonix` is intended for user interaction with applications such as Tor Browser. It is an App Qube; `sys-ops-whonix` would be a service qube.

`sys-ops-whonix` default Qubes dom0 AppMenu: user applications would be removed from the app menu and Tor Browser would be prevented from starting.

`sys-net` and `sys-firewall` can be disposables with Salt declarations. A persistent `sys-ops-whonix` can be interesting for caching purposes of `UpdatesProxy`, but that is not a Qubes default and is unnecessary for `clockvm` and `updatevm`. Making `sys-ops-whonix` persistent for the purpose of `cacher` would be a task for a `cacher` Salt state.

## The name `sys-ops-whonix`

To make clear what the VM's function is, the VM's name should probably start with `sys-` and should also include `whonix`. `sys-whonix-ops` would perhaps be more easily confused with `sys-whonix`. `ops` stands for operations. What operations? UpdatesProxy, UpdateVM, ClockVM. If the name is non-ideal, suggestions are welcome.
## Completion criteria checklist

The migration would involve:

- `sys-ops-whonix` qube with Salt.
- `sys-whonix` for `sys-ops-whonix` when appropriate.