Merge branch 'QubesOS:main' into main

2025-03-13 18:26:30 -04:00 · 2024-07-28 18:10:10 -04:00 · 2024-07-28 18:10:10 -04:00 · 5941ae92ec
commit 5941ae92ec
parent a60dc3ad87 9c94144d25
12 changed files with 68 additions and 20 deletions
--- a/developer/building/qubes-builder.md
+++ b/developer/building/qubes-builder.md
@ -13,7 +13,7 @@ title: Qubes builder
 <div class="alert alert-warning" role="alert">
  <i class="fa fa-exclamation-circle"></i>
  <b>Note:</b> These instructions concern the older Qubes builder (v1). It supports
-  only building Qubes 4.1 or earlier.<br>The build process has been completely rewritten in <a href="https://github.com/QubesOS/qubes-builderv2/">qubes-builder v2</a>. This can be used for building Qubes R4.1 and later, and all related components.
+  only building Qubes 4.2 or earlier.<br>The build process has been completely rewritten in <a href="https://github.com/QubesOS/qubes-builderv2/">qubes-builder v2</a>. This can be used for building Qubes R4.2 and later, and all related components.
 </div>

 **Note: See [ISO building instructions](/doc/qubes-iso-building/) for a streamlined overview on how to use the build system.**
--- a/developer/building/qubes-iso-building.md
+++ b/developer/building/qubes-iso-building.md
@ -15,7 +15,7 @@ title: Qubes ISO building
 <div class="alert alert-warning" role="alert">
  <i class="fa fa-exclamation-circle"></i>
  <b>Note:</b> These instructions concern the older Qubes builder (v1). It supports
-  only building Qubes 4.1 or earlier.<br>The build process has been completely rewritten in <a href="https://github.com/QubesOS/qubes-builderv2/">qubes-builder v2</a>. This can be used for building Qubes R4.1 and later, and all related components.
+  only building Qubes 4.2 or earlier.<br>The build process has been completely rewritten in <a href="https://github.com/QubesOS/qubes-builderv2/">qubes-builder v2</a>. This can be used for building Qubes R4.2 and later versions, and all related components.
 </div>

 Build Environment
--- a/developer/debugging/vm-interface.md
+++ b/developer/debugging/vm-interface.md
@ -22,6 +22,7 @@ Qubes VM have some settings set by dom0 based on VM settings. There are multiple

 ### Keys exposed by dom0 to VM

+- `/qubes-base-template` - base template
 - `/qubes-vm-type` - VM type, the same as `type` field in `qvm-prefs`. One of `AppVM`, `ProxyVM`, `NetVM`, `TemplateVM`, `HVM`, `TemplateHVM`
 - `/qubes-vm-updatable` - flag whether VM is updatable (whether changes in root.img will survive VM restart). One of `True`, `False`
 - `/qubes-vm-persistence` - what data do persist between VM restarts:
@ -33,7 +34,7 @@ Qubes VM have some settings set by dom0 based on VM settings. There are multiple
 - `/keyboard-layout` - keyboard layout based on GuiVM layout. Its syntax can be `layout+variant+options`, `layout+variant`, `layout++options` or simply `layout`. For example, `fr+oss`, `pl++compose:caps` or `fr`. This is meant only as some default value, VM can ignore this option and choose its own keyboard layout (this is what keyboard setting from Qubes Manager does).
 - `/qubes-debug-mode` - flag whether VM has debug mode enabled (qvm-prefs setting). One of `1`, `0`
 - `/qubes-service/SERVICE_NAME` - subtree for VM services controlled from dom0 (using the `qvm-service` command or Qubes Manager). One of `1`, `0`. Note that not every service will be listed here, if entry is missing, it means "use VM default". A list of currently supported services is in the `qvm-service` man page.
- `/qubes-netmask` - network mask (only when VM has netvm set); currently hardcoded "255.255.255.0"
+- `/qubes-netm ask` - network mask (only when VM has netvm set); currently hardcoded "255.255.255.0"
 - `/qubes-ip` - IP address for this VM (only when VM has netvm set)
 - `/qubes-gateway` - default gateway IP (only when VM has netvm set); VM should add host route to this address directly via eth0 (or whatever default interface name is)
 - `/qubes-primary-dns` - primary DNS address (only when VM has netvm set)
--- a/developer/releases/4_2/release-notes.md
+++ b/developer/releases/4_2/release-notes.md
@ -54,6 +54,20 @@ We strongly recommend [updating Qubes OS](/doc/how-to-update/) immediately after

 - Qubes 4.2 does not support Debian 11 templates (see [supported template releases](/doc/supported-releases/#templates)). Please [upgrade your Debian templates](/doc/templates/debian/#upgrading) to Debian 12.

+- Qubes 4.2.2 includes a fix for [#8332: File-copy qrexec service is overly restrictive](https://github.com/QubesOS/qubes-issues/issues/8332). As explained in the issue comments, we introduced a change in Qubes 4.2.0 that caused inter-qube file-copy/move actions to reject filenames containing, e.g., non-Latin characters and certain symbols. The rationale for this change was to mitigate the security risks associated with unusual unicode characters and invalid encoding in filenames, which some software might handle in an unsafe manner and which might cause confusion for users. Such a change represents a trade-off between security and usability.
+  
+  After the change went live, we received several user reports indicating more severe usability problems than we had anticipated. Moreover, these problems were prompting users to resort to dangerous workarounds (such as packing files into an archive format prior to copying) that carry far more risk than the original risk posed by the unrestricted filenames. In addition, we realized that this was a backward-incompatible change that should not have been introduced in a minor release in the first place.
+  
+  Therefore, we have decided, for the time being, to restore the original (pre-4.2) behavior by introducing a new `allow-all-names` argument for the `qubes.Filecopy` service. By default, `qvm-copy` and similar tools will use this less restrictive service (`qubes.Filecopy +allow-all-names`) whenever they detect any files that would be have been blocked by the more restrictive service (`qubes.Filecopy +`). If no such files are detected, they will use the more restrictive service.
+  
+  Users who wish to opt for the more restrictive 4.2.0 and 4.2.1 behavior can do so by modifying their RPC policy rules. To switch a single rule to the more restrictive behavior, change `*` in the argument column to `+` (i.e., change "any argument" to "only empty"). To use the more restrictive behavior globally, add the following "deny" rule before all other relevant rules:
+  
+  ```
+  qubes.Filecopy    +allow-all-names    @anyvm    @anyvm    deny
+  ```
+  
+  For more information, see [RPC policies](/doc/rpc-policy/) and [Qube configuration interface](/doc/vm-interface/#qubes-rpc).
+
 ## Download

 All Qubes ISOs and associated [verification files](/security/verifying-signatures/) are available on the [downloads](/downloads/) page.
--- a/user/advanced-topics/managing-vm-kernels.md
+++ b/user/advanced-topics/managing-vm-kernels.md
@ -224,7 +224,7 @@ Kernel for a VM is stored in `/var/lib/qubes/vm-kernels/KERNEL_VERSION` director
 * `modules.img` - ext4 filesystem image containing Linux kernel modules (to be mounted at `/lib/modules`); additionally it should contain a copy of `vmlinuz` and `initramfs` in its root directory (for loading by qemu inside stubdomain)
 * `default-kernelopts-common.txt` - default kernel options, in addition to those specified with `kernelopts` qube property (can be disabled with `no-default-kernelopts` feature)

-All the files besides `vmlinuz` and `initramfs` are optional in Qubes R4.0 or newer.
+All the files besides `vmlinuz` are optional in Qubes R4.2 or newer.

 ## Using kernel installed in the VM

@ -279,7 +279,9 @@ Then shutdown the VM.

 * You may also use `PV` mode instead of `HVM` but this is not recommended for security purposes.
 * If you require `PV` mode, install `grub2-xen-pvh` in dom0 and change the template's kernel to `pvgrub2-pvh`.
-* Booting to a kernel inside the template is not supported under `PVH`.
+* If you require `PVH` mode, install `grub2-xen-pvh` in dom0 and change the kernel to `pvgrub2-pvh`.
+* To install `grub2-xen-pvh` run the command `sudo qubes-dom0-update pvgrub2-pvh` in dom0.
+

 ### Installing kernel in Debian VM

@ -314,7 +316,7 @@ Depends on `Virtualization` mode setting:

 * `Virtualization` mode `PV`: Possible, however use of `Virtualization` mode `PV` mode is discouraged for security purposes.
  * If you require `Virtualization` mode `PV` mode, install `grub2-xen-pvh` in dom0. This can be done by running command `sudo qubes-dom0-update pvgrub2-pvh` in dom0.
-* `Virtualization` mode `PVH`: Possible.
+* `Virtualization` mode `PVH`: Possible. Install `grub2-xen-pvh` in dom0.
 * `Virtualization` mode `HVM`: Possible.

 The `Kernel` setting of the `Virtualization` mode setting:
--- a/user/advanced-topics/salt.md
+++ b/user/advanced-topics/salt.md
@ -555,6 +555,17 @@ Additional pillar data is available to ease targeting configurations (for exampl

 **Note:** This list is subject to change in future releases.

+### `qubes:features`
+
+Features the qube has. Only some values are included:
+
+- `service.*` - services enabled or disabled in the qube
+- `vm-config.*` - features also exposed to qubesdb
+
+### `qubes:tags`
+
+Tags the qube has.
+
 ### `qubes:type`

 qube type. Possible values:
--- a/user/downloading-installing-upgrading/installation-guide.md
+++ b/user/downloading-installing-upgrading/installation-guide.md
@ -125,7 +125,7 @@ Select the option to test this media and install Qubes OS.

 <div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
-  <b>Note:</b> If the latest stable release is not compatible with your hardware, you may wish to consider installing using the latest kernel. Be aware that this has not been as well testes as the standard kernel.
+  <b>Note:</b> If the latest stable release is not compatible with your hardware, you may wish to consider installing using the latest kernel. Be aware that this has not been as well tested as the standard kernel.
 </div>

 If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an [advanced reboot](https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings).
--- a/user/downloading-installing-upgrading/supported-releases.md
+++ b/user/downloading-installing-upgrading/supported-releases.md
@ -22,7 +22,7 @@ Qubes OS releases are supported for **six months** after each subsequent major o
 | Release 3.1 | 2016-03-09 | 2017-03-29 | Unsupported    |
 | Release 3.2 | 2016-09-29 | 2019-03-28 | Unsupported    |
 | Release 4.0 | 2018-03-28 | 2022-08-04 | Unsupported    |
-| Release 4.1 | 2022-02-04 | 2024-06-18 | Supported      |
+| Release 4.1 | 2022-02-04 | 2024-06-18 | [Extended security support](/news/2024/06/18/qubes-os-4-1-has-reached-end-of-life-extended-security-support-continues-until-2024-07-31/)|
 | Release 4.2 | 2023-12-18 | TBA        | Supported      |
 | Release 4.3 | TBA        | TBA        | In development |

@ -58,7 +58,7 @@ It is the responsibility of each distribution to clearly notify its users in adv
 | Qubes OS    | Fedora | Debian |
 | ----------- | ------ | ------ |
 | Release 4.1 | 39     | 11, 12 |
-| Release 4.2 | 39     | 12     |
+| Release 4.2 | 39, 40 | 12     |

 ### Note on Debian support

--- a/user/how-to-guides/how-to-use-disposables.md
+++ b/user/how-to-guides/how-to-use-disposables.md
@ -22,6 +22,28 @@ From inside an app qube, choosing the `Open in disposable` option on a file will

 This diagram provides a general example of how disposables can be used to safely open untrusted links and attachments in disposables. See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a disposable.

+## Named disposables and disposable templates
+
+There is a difference between [named disposable qubes](/doc/glossary/#named-disposable) and [disposable templates](/doc/glossary/#disposable-template).
+
+In a default QubesOS Installation, you would probably use the 'whonix-ws-16-dvm' disposable template to, for example, browse the Tor network with an disposable qube. Every time you start an application using this disposable template, a new disposable qube - named `dispX` (where X is a random number) starts. If you close the application window, the `dispX` qube shuts down and vanishes from your system. That is how disposable templates are used.
+
+Named disposables are also built upon disposable templates, but they have a fixed name. The named disposable seems to behave like an ordinary app qube - every application you open will start in the same qube, and you need to manually shutdown the qube. But when you shutdown *any changes you made in the named disposable will be lost*. Except for this non-persistance, they feel like usual app qubes.
+
+### How to create disposable templates
+
+First, you need to create an app qube. You can run it normally, set up any necessary settings (like browser settings) you wish to be applied to every disposable qube ran from this template. Next, go to 'Qube Settings' of the app qube, set it as a _Disposable template_ in the _Advanced_ section and apply the change. 
+
+In Qubes 4.1, the entry in the Application menu is split into 'Disposable' and 'Template (disp)'. The settings for the disposable can be changed under **'Application Menu -> Template (disp) -> Template: Qubes Settings**
+
+In Qubes 4.2, the qube will now appear in the menu as a disposable template (in the Apps section), from which you can launch new disposable qubes. To change the settings of the template itself or run programs in it, use the menu item for the disposable template located in the Templates section.
+
+### How to create named disposables
+
+In Qubes 4.1: named disposables can be created under **Application Menu -> Create Qubes VM**, set the qube type  to be _DisposableVM_.
+
+In Qubes 4.2: named disposables can be created by **Application Menu -> Settings -> Qubes Settings -> Create New Qube**. Set the qube type to Named disposable_
+
 ## Security

 If a [disposable template](/doc/glossary/#disposable-template) becomes compromised, then any disposable based on that disposable template could be compromised. In particular, the *default* disposable template is important because it is used by the "Open in disposable" feature. This means that it will have access to everything that you open with this feature. For this reason, it is strongly recommended that you base the default disposable template on a trusted template.
--- a/user/security-in-qubes/split-gpg.md
+++ b/user/security-in-qubes/split-gpg.md
@ -32,7 +32,7 @@ While this might be true (unless the attacker can find a usually-very-expensive-
 However, there is usually nothing that could stop the attacker from requesting the smart card to perform decryption of all the user documents the attacker has found or need to decrypt.
 In other words, while protecting the user's private key is an important task, we should not forget that ultimately it is the user data that are to be protected and that the smart card chip has no way of knowing the requests to decrypt documents are now coming from the attacker's script and not from the user sitting in front of the monitor.
 (Similarly the smart card doesn't make the process of digitally signing a document or a transaction in any way more secure -- the user cannot know what the chip is really signing.
-Unfortunately this problem of signing reliability is not solvable by Split GPG)
+Unfortunately this problem of signing reliability is not solvable by Split GPG.)

 With Qubes Split GPG this problem is drastically minimized, because each time the key is to be used the user is asked for consent (with a definable time out, 5 minutes by default), plus is always notified each time the key is used via a tray notification from the domain where GPG backend is running.
 This way it would be easy to spot unexpected requests to decrypt documents.
--- a/user/templates/debian/debian.md
+++ b/user/templates/debian/debian.md
@ -58,19 +58,17 @@ There are two ways to upgrade your template to a new Debian release:

 This section contains notes about specific Debian releases.

-### Debian 10
+### Debian 12

-Debian 10 (buster) - minimal:
+If you want to use a Debian 12 template for salting Qubes, you **must** stop the salt-common and salt-ssh packages from being upgraded.
+Do this by marking these packages on hold *before* updating the template.

 ```
-[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl qubes-template-debian-10-minimal
-```
-
-Debian 10 (buster) - stable:
-
-```
-[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl qubes-template-debian-10
+sudo apt-mark hold salt-common salt-ssh
+sudo apt update
+sudo apt upgrade
 ```
+This is a [known bug](https://github.com/QubesOS/qubes-issues/issues/9129) in Salt which affects version 3006-5.

 ### Starting services

--- a/user/templates/templates.md
+++ b/user/templates/templates.md
@ -170,7 +170,7 @@ installing a template package in dom0, per the instructions
 dom0 in order to uninstall it:

 ```
-$ sudo dnf remove qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER>
+$ qvm-template remove qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER>
 ```

 `qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER>` is the name of the desired