Block browser startup in template vms

Can this be done to firefox as well? Just firefox and chromium I have in mind.

Ideally I think this should be implemented upstream by qubes, but they don’t modify DomU applications, sometimes only add some patches to work with Qubes, but nothing to block an application.

The update proxy is a minimal mitigation that requires applications to be configured to use the proxy but it is very easy to circumvent that. It is the bare minimal to avoid using a browser on the template as stated in that page.

What I am thinking is that if this is done in Kicksecure then later moved to qubes package to templates, qubes-template-browser-block, they can remove the update proxy that does not guard much against anything besides the browser, the templates will be networked again, the template updates will be stream isolated.

1 Like

I mean, probably kicksecure is the wrong forum, this is an upstream issue. I just opened here because for torbrowser it is in the kicksecure repo, and with kicksecure being the base layer for whonix but without tor, then why not do it for firefox and chromium…

1 Like

Should be reported at and implemented in upstream, in Qubes.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]