Block browser startup in template VMs

Can this be done to Firefox as well? Just Firefox and Chromium I have in mind.

Ideally I think this should be implemented upstream by Qubes, but they don’t modify DomU applications; they sometimes only add some patches to work with Qubes, but nothing to block an application.

The update proxy is a minimal mitigation that requires applications to be configured to use the proxy, but it is very easy to circumvent that. It is the bare minimum to avoid using a browser on the template, as stated in that page.

What I am thinking is that if this is done in Kicksecure and then later moved to a Qubes package for templates, qubes-template-browser-block, they can remove the update proxy that does not guard much against anything besides the browser, the templates will be networked again, and the template updates will be stream isolated.


I mean, probably Kicksecure is the wrong forum; this is an upstream issue. I just opened it here because for Tor Browser it is in the Kicksecure repo, and with Kicksecure being the base layer for Whonix but without Tor, then why not do it for Firefox and Chromium…


Should be reported at and implemented in upstream, in Qubes.
