mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-30 09:46:28 -05:00
commit
db81ee8ed5
@ -413,8 +413,8 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
|
|||||||
|
|
||||||
**Mentor**: [Rafał Wojdyła](/team/)
|
**Mentor**: [Rafał Wojdyła](/team/)
|
||||||
|
|
||||||
### Gui agent for Windows 8/10
|
### GUI agent for Windows 8/10
|
||||||
**Project**: Gui agent for Windows 8/10
|
**Project**: GUI agent for Windows 8/10
|
||||||
|
|
||||||
**Brief explanation**: Add support for Windows 8+ to the Qubes GUI agent and video driver. Starting from Windows 8, Microsoft requires all video drivers to conform to the WDDM display driver model which is incompatible with the current Qubes video driver. Unfortunately the WDDM model is much more complex than the old XPDM one and officially *requires* a physical GPU device (which may be emulated). Some progress has been made to create a full WDDM driver that *doesn't* require a GPU device, but the driver isn't working correctly yet. Alternatively, WDDM model supports display-only drivers which are much simpler but don't have access to system video memory and rendering surfaces (a key feature that would simplify seamless GUI mode). [#1861](https://github.com/QubesOS/qubes-issues/issues/1861)
|
**Brief explanation**: Add support for Windows 8+ to the Qubes GUI agent and video driver. Starting from Windows 8, Microsoft requires all video drivers to conform to the WDDM display driver model which is incompatible with the current Qubes video driver. Unfortunately the WDDM model is much more complex than the old XPDM one and officially *requires* a physical GPU device (which may be emulated). Some progress has been made to create a full WDDM driver that *doesn't* require a GPU device, but the driver isn't working correctly yet. Alternatively, WDDM model supports display-only drivers which are much simpler but don't have access to system video memory and rendering surfaces (a key feature that would simplify seamless GUI mode). [#1861](https://github.com/QubesOS/qubes-issues/issues/1861)
|
||||||
|
|
||||||
@ -480,6 +480,18 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
|
|||||||
|
|
||||||
**Mentor**: [Marek Marczykowski-Górecki](/team/)
|
**Mentor**: [Marek Marczykowski-Górecki](/team/)
|
||||||
|
|
||||||
|
### Generalize the Qubes PDF Converter to other types of files
|
||||||
|
|
||||||
|
**Project**: Qubes Converters
|
||||||
|
|
||||||
|
**Brief explanation**: One of the pioneering ideas of Qubes is to use disposable virtual machines to convert untrustworthy files (such as documents given to journalists by unknown and potentially malicious whistleblowers) into trusthworhty files. See [Joanna's blog on the Qubes PDF Convert](http://theinvisiblethings.blogspot.co.uk/2013/02/converting-untrusted-pdfs-into-trusted.html) for details of the idea. Joanna has implemented a prototype for PDF documents. The goal of this project would be to generalize beyond the simple prototype to accommodate a wide variety of file formats, including Word documents, audio files, video files, spreadsheets, and so on. The converters should prioritise safety over faithful conversion. For example the Qubes PDF converter typically leads to lower quality PDFs (e.g. cut and paste is no longer possible), because this makes the conversion process safer.
|
||||||
|
|
||||||
|
**Expected results**: We expect that in the timeframe, it will be possible to implement many converters for many file formats. However, if any unexpected difficulties arise, we would prioritise a small number of safe and high quality converters over a large number of unsafe or unuseful converters.
|
||||||
|
|
||||||
|
**Knowledge prerequisite**: Most of the coding will probably be implemented as shell scripts to interface with pre-existing converts (such as ImageMagick in the Qubes PDF converter). However, shell scripts are not safe for processing untrusted data, so any extra processing will need to be implemented in another language -- probably Python.
|
||||||
|
|
||||||
|
**Mentors**: Andrew Clausen and Jean-Philippe Ouellet
|
||||||
|
|
||||||
### Mitigate focus-stealing attacks
|
### Mitigate focus-stealing attacks
|
||||||
**Project**: Mitigate focus-stealing attacks
|
**Project**: Mitigate focus-stealing attacks
|
||||||
|
|
||||||
@ -489,7 +501,7 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
|
|||||||
|
|
||||||
**Knoledge prerequisite**: X APIs, Qubes GUI protocol, familiarity with the targeted window manager.
|
**Knoledge prerequisite**: X APIs, Qubes GUI protocol, familiarity with the targeted window manager.
|
||||||
|
|
||||||
**Mentor**:
|
**Mentor**: Inquire on [qubes-devel][ml-devel].
|
||||||
|
|
||||||
### Progress towards reproducible builds
|
### Progress towards reproducible builds
|
||||||
**Project**: Progress towards reproducible builds
|
**Project**: Progress towards reproducible builds
|
||||||
@ -506,7 +518,7 @@ for more information and qubes-specific background.
|
|||||||
|
|
||||||
**Knoledge prerequisite**: qubes-builder [[1]](https://www.qubes-os.org/doc/qubes-builder/) [[2]](https://www.qubes-os.org/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
|
**Knoledge prerequisite**: qubes-builder [[1]](https://www.qubes-os.org/doc/qubes-builder/) [[2]](https://www.qubes-os.org/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
|
||||||
|
|
||||||
**Mentor**:
|
**Mentor**: Inquire on [qubes-devel][ml-devel].
|
||||||
|
|
||||||
### Android development in Qubes
|
### Android development in Qubes
|
||||||
|
|
||||||
@ -521,19 +533,8 @@ Details, reference: [#2233](https://github.com/QubesOS/qubes-issues/issues/2233)
|
|||||||
|
|
||||||
**Knowledge prerequisite**:
|
**Knowledge prerequisite**:
|
||||||
|
|
||||||
**Mentor**:
|
**Mentor**: Inquire on [qubes-devel][ml-devel].
|
||||||
|
|
||||||
### Generalize the Qubes PDF Converter to other types of files
|
|
||||||
|
|
||||||
**Project**: Qubes Converters
|
|
||||||
|
|
||||||
**Brief explanation**: One of the pioneering ideas of Qubes is to use disposable virtual machines to convert untrustworthy files (such as documents given to journalists by unknown and potentially malicious whistleblowers) into trusthworhty files. See [Joanna's blog on the Qubes PDF Convert](http://theinvisiblethings.blogspot.co.uk/2013/02/converting-untrusted-pdfs-into-trusted.html) for details of the idea. Joanna has implemented a prototype for PDF documents. The goal of this project would be to generalize beyond the simple prototype to accommodate a wide variety of file formats, including Word documents, audio files, video files, spreadsheets, and so on. The converters should prioritise safety over faithful conversion. For example the Qubes PDF converter typically leads to lower quality PDFs (e.g. cut and paste is no longer possible), because this makes the conversion process safer.
|
|
||||||
|
|
||||||
**Expected results**: We expect that in the timeframe, it will be possible to implement many converters for many file formats. However, if any unexpected difficulties arise, we would prioritise a small number of safe and high quality converters over a large number of unsafe or unuseful converters.
|
|
||||||
|
|
||||||
**Knowledge prerequisite**: Most of the coding will probably be implemented as shell scripts to interface with pre-existing converts (such as ImageMagick in the Qubes PDF converter). However, shell scripts are not safe for processing untrusted data, so any extra processing will need to be implemented in another language -- probably Python.
|
|
||||||
|
|
||||||
**Mentors**: Andrew Clausen and Jean-Philippe Ouellet
|
|
||||||
----
|
----
|
||||||
|
|
||||||
We adapted some of the language here about GSoC from the [KDE GSoC page](https://community.kde.org/GSoC).
|
We adapted some of the language here about GSoC from the [KDE GSoC page](https://community.kde.org/GSoC).
|
||||||
|
@ -77,7 +77,7 @@ redirect_from:
|
|||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
## 4: Downloading and verifying the "Qubes Automated Build System"
|
## 4: Downloading and verifying the integrity of the "Qubes Automated Build System"
|
||||||
|
|
||||||
* Import the Qubes master key
|
* Import the Qubes master key
|
||||||
|
|
||||||
@ -98,9 +98,10 @@ redirect_from:
|
|||||||
|
|
||||||
* Copy your gpg keyrings to your local copy of the repository. (Otherwise you will be asked to download the keys again.)
|
* Copy your gpg keyrings to your local copy of the repository. (Otherwise you will be asked to download the keys again.)
|
||||||
|
|
||||||
# Assuming qubes-builder is in your home directory
|
# Execute the following commands in your home directory.
|
||||||
cp .gnupg/pubring.gpg qubes-builder/keyrings/git/
|
# It is assumed that the path to the repository is '~/qubes-builder'.
|
||||||
cp .gnupg/trustdb.gpg qubes-builder/keyrings/git/
|
mkdir -p qubes-builder/keyrings/git
|
||||||
|
cp -t qubes-builder/keyrings/git/ .gnupg/pubring.gpg .gnupg/trustdb.gpg
|
||||||
|
|
||||||
* Verify the integrity of the downloaded repository. The last line should read `gpg: Good signature from`...
|
* Verify the integrity of the downloaded repository. The last line should read `gpg: Good signature from`...
|
||||||
|
|
||||||
|
@ -18,20 +18,24 @@ Most of the AppVMs (domains) are based on a *TemplateVM*, which means that their
|
|||||||
|
|
||||||
In addition to saving on the disk space, and reducing domain creation time, another advantage of such scheme is the possibility for centralized software update. It's just enough to do the update in the template VM, and then all the AppVMs based on this template get updates automatically after they are restarted.
|
In addition to saving on the disk space, and reducing domain creation time, another advantage of such scheme is the possibility for centralized software update. It's just enough to do the update in the template VM, and then all the AppVMs based on this template get updates automatically after they are restarted.
|
||||||
|
|
||||||
The default template is called **fedora-14-x64** in Qubes R1 and **fedora-20-x64** in Qubes R2.
|
The default template is called **fedora-23** in Qubes R3.2 and **fedora-26** in Qubes R4.0.
|
||||||
|
|
||||||
The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home` or `/usr/local` then it will disappear after the AppVM reboot (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally install software in the TemplateVM, not in AppVMs.**
|
The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home`, `/usr/local`, or `/rw` then it will disappear after the AppVM reboots (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally installs software in the TemplateVM, not in AppVMs.**
|
||||||
|
|
||||||
Unlike VM private filesystems, the template VM root filesystem does not support discard, so deleting files does not free the space in dom0. See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0.
|
Unlike VM private filesystems, under R3.x the template VM root filesystem does not support discard by default, so deleting files does not free the space in dom0. See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0.
|
||||||
|
|
||||||
|
In R4.0 and higher, the template root filesystem is created in a thin pool so manual trims are no longer needed.
|
||||||
|
|
||||||
|
See [here](/doc/disk-trim) for further discussion on enabling discards/trim support under all versions.
|
||||||
|
|
||||||
Installing (or updating) software in the TemplateVM
|
Installing (or updating) software in the TemplateVM
|
||||||
----------------------------------------------------
|
----------------------------------------------------
|
||||||
|
|
||||||
In order to permanently install new software, you should:
|
In order to permanently install new software, you should:
|
||||||
|
|
||||||
- Start the template VM and then start either console (e.g. `gnome-terminal`) or dedicated software management application, such as `gpk-application` (*Start-\>Applications-\>Template: fedora-XX-x64-\>Add/Remove software*),
|
- Start the template VM and then start either console (e.g. `gnome-terminal`) or dedicated software management application, such as `gpk-application` (*Start-\>Applications-\>Template: fedora-XX-\>Add/Remove software*),
|
||||||
|
|
||||||
- Install/update software as usual (e.g. using yum, or the dedicated GUI application). Then, shutdown the template VM,
|
- Install/update software as usual (e.g. using dnf, or the dedicated GUI application). Then, shutdown the template VM,
|
||||||
|
|
||||||
- You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You will restart others whenever this will be convenient to you.
|
- You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You will restart others whenever this will be convenient to you.
|
||||||
|
|
||||||
@ -73,9 +77,14 @@ Debian also has three Qubes VM testing repositories (where `*` denotes the Relea
|
|||||||
repository; mostly experimental debugging packages
|
repository; mostly experimental debugging packages
|
||||||
|
|
||||||
To enable or disable any of these repos permanently, uncomment the corresponding `deb` line in
|
To enable or disable any of these repos permanently, uncomment the corresponding `deb` line in
|
||||||
`/etc/apt/sources.list.d/qubes-r3.list`
|
`/etc/apt/sources.list.d/qubes-r*.list`
|
||||||
|
|
||||||
Reverting changes to a TemplateVM
|
Reverting changes to a TemplateVM (R4.0)
|
||||||
|
---------------------------------
|
||||||
|
|
||||||
|
TBD- Qubes 4.0 uses a CoW system that permits snapshotting. To revert changes, one would...
|
||||||
|
|
||||||
|
Reverting changes to a TemplateVM (R3.2)
|
||||||
---------------------------------
|
---------------------------------
|
||||||
|
|
||||||
Perhaps you've just updated your TemplateVM, and the update broke your template.
|
Perhaps you've just updated your TemplateVM, and the update broke your template.
|
||||||
@ -127,7 +136,7 @@ Some popular questions:
|
|||||||
|
|
||||||
As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and got infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
|
As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and got infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
|
||||||
|
|
||||||
- But why trusting Fedora?
|
- But why trust Fedora?
|
||||||
|
|
||||||
Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter.
|
Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter.
|
||||||
|
|
||||||
@ -170,12 +179,12 @@ Temporarily allowing networking for software installation
|
|||||||
|
|
||||||
Some third-party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access third-party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decided by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
|
Some third-party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access third-party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decided by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
|
||||||
|
|
||||||
Updates proxy
|
Updates proxy (some content applies only to versions earlier than R3.2)
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
Updates proxy is a service which filter http access to allow access to only something that looks like yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
|
Updates proxy is a service which filter http access to allow access to only something that looks like yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
|
||||||
|
|
||||||
The proxy is running in selected VMs (by default all the NetVMs (1)) and intercept traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allows that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure yum to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
|
The proxy is running in selected VMs (by default all the NetVMs (1)) and intercept traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allows that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure dnf to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
|
||||||
|
|
||||||
(1) Services tab -\> "qubes-yum-proxy" entry; check qvm-service manual for details
|
(1) Services tab -\> "qubes-yum-proxy" entry; check qvm-service manual for details
|
||||||
|
|
||||||
@ -199,12 +208,12 @@ The proxy is running in selected VMs (by default all the NetVMs (1)) and interce
|
|||||||
|
|
||||||
line, or be empty. Note that this file is specifically included from main yum.conf, yum does not support real conf.d configuration style...
|
line, or be empty. Note that this file is specifically included from main yum.conf, yum does not support real conf.d configuration style...
|
||||||
|
|
||||||
Note on treating AppVM's root filesystem non-persistency as a security feature
|
Note on treating AppVM's root filesystem non-persistence as a security feature
|
||||||
------------------------------------------------------------------------------
|
------------------------------------------------------------------------------
|
||||||
|
|
||||||
As explained above, any AppVM that is based on a Template VM (i.e. which is not a Standalone VM) has its root filesystem non-persistent across the VM reboots. In other words whatever changes the VM makes (or the malware running in this AppVM makes) to its root filesystem, are automatically discarded whenever one restarts the AppVM. This might seem like an excellent anti-malware mechanism to be used inside the AppVM...
|
As explained above, any AppVM that is based on a Template VM (i.e. which is not a Standalone VM) has its root filesystem non-persistent across the VM reboots. In other words whatever changes the VM makes (or the malware running in this AppVM makes) to its root filesystem, are automatically discarded whenever one restarts the AppVM. This might seem like an excellent anti-malware mechanism to be used inside the AppVM...
|
||||||
|
|
||||||
However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free. This is because the non-persistency, in case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons. It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
|
However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free. This is because the non-persistence, in case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons. It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
|
||||||
|
|
||||||
One advantage of the non-persistent rootfs though, is that the malware is still inactive before the user's filesystem gets mounted and "processed" by system/applications, which might theoretically allow for some scanning programs (or a skilled user) to reliably scan for signs of infections of the AppVM. But, of course, the problem of finding malware hooks in general is hard, so this would work likely only for some special cases (e.g. an AppVM which doesn't use Firefox, as otherwise it would be hard to scan the Firefox profile directory reliably to find malware hooks there). Also note that the user filesystem's metadata might got maliciously modified by malware in order to exploit a hypothetical bug in the AppVM kernel whenever it mounts the malformed filesystem. However, these exploits will automatically stop working (and so the infection might be cleared automatically) after the hypothetical bug got patched and the update applied (via template update), which is an exceptional feature of Qubes OS.
|
One advantage of the non-persistent rootfs though, is that the malware is still inactive before the user's filesystem gets mounted and "processed" by system/applications, which might theoretically allow for some scanning programs (or a skilled user) to reliably scan for signs of infections of the AppVM. But, of course, the problem of finding malware hooks in general is hard, so this would work likely only for some special cases (e.g. an AppVM which doesn't use Firefox, as otherwise it would be hard to scan the Firefox profile directory reliably to find malware hooks there). Also note that the user filesystem's metadata might got maliciously modified by malware in order to exploit a hypothetical bug in the AppVM kernel whenever it mounts the malformed filesystem. However, these exploits will automatically stop working (and so the infection might be cleared automatically) after the hypothetical bug got patched and the update applied (via template update), which is an exceptional feature of Qubes OS.
|
||||||
|
|
||||||
|
40
configuration/w3m.md
Normal file
40
configuration/w3m.md
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
---
|
||||||
|
layout: doc
|
||||||
|
title: Reducing the fingerprint of the text-based web browser w3m
|
||||||
|
permalink: /doc/w3m/
|
||||||
|
redirect_from:
|
||||||
|
- /en/doc/mutt/
|
||||||
|
- /doc/W3m/
|
||||||
|
- /wiki/W3m/
|
||||||
|
---
|
||||||
|
|
||||||
|
Reducing the fingerprint of the text-based web browser w3m
|
||||||
|
====
|
||||||
|
|
||||||
|
TL;DR: You can reduce the amount of information w3m gives about itself and the environment it is running in (and, by extension, you). **It will not make you anonymous; your fingerprint will still be unique.** But it may improve your privacy.
|
||||||
|
|
||||||
|
[w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.'
|
||||||
|
|
||||||
|
You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) by applying the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. (If you have not run w3m yet, you might need to copy the config file from elsewhere.) You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`).
|
||||||
|
|
||||||
|
* Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`.
|
||||||
|
|
||||||
|
By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the Tor Browser Bundle (TBB). One in fourteen browsers finderprinted by Panopticlick has this value.
|
||||||
|
|
||||||
|
* Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file:
|
||||||
|
|
||||||
|
accept_language en-US,en;q=0.5
|
||||||
|
accept_encoding gzip, deflate
|
||||||
|
accept_media text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
|
||||||
|
These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick.
|
||||||
|
|
||||||
|
Testing these settings on <https://browserprint.info> returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* (<https://panopticlick.eff.org> does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's locale settings or other specifics about it in the HTTP_ACCEPT headers. And while it may be inferred from your fingerprint that you use w3m, it is not be explicitly stated in the User-Agent header.
|
||||||
|
|
||||||
|
**Reminder: Do not rely on these settings for anonymity. Using w3m is all but guaranteed to make you stand out in the crowd.**
|
||||||
|
|
||||||
|
PS: You still need to delete cookies manually (`~/.w3m/cookie`) if you are not running w3m in a DispVM anyway. If you set w3m to not accept cookies, its fingerprint will change. (You can configure w3m to not use store cookies or accept new ones (or both), but the setting `use_cookie` seems to really mean `accept_cookie` and vice-versa, so maybe it is best to delete them manually for now.)
|
||||||
|
|
||||||
|
* * *
|
||||||
|
|
||||||
|
\* Does someone know how to fix this?
|
2
doc.md
2
doc.md
@ -116,6 +116,7 @@ Privacy Guides
|
|||||||
* [TorVM](/doc/torvm/)
|
* [TorVM](/doc/torvm/)
|
||||||
* [Martus](/doc/martus/)
|
* [Martus](/doc/martus/)
|
||||||
* [Signal](/doc/signal/)
|
* [Signal](/doc/signal/)
|
||||||
|
* [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/)
|
||||||
|
|
||||||
|
|
||||||
Configuration Guides
|
Configuration Guides
|
||||||
@ -245,7 +246,6 @@ Services
|
|||||||
* [Implementation of DisposableVMs](/doc/dvm-impl/)
|
* [Implementation of DisposableVMs](/doc/dvm-impl/)
|
||||||
* [Article about disposable VMs](http://theinvisiblethings.blogspot.com/2010/06/disposable-vms.html)
|
* [Article about disposable VMs](http://theinvisiblethings.blogspot.com/2010/06/disposable-vms.html)
|
||||||
* [Dom0 secure update mechanism](/doc/dom0-secure-updates/)
|
* [Dom0 secure update mechanism](/doc/dom0-secure-updates/)
|
||||||
* VM secure update mechanism (forthcoming)
|
|
||||||
|
|
||||||
Debugging
|
Debugging
|
||||||
---------
|
---------
|
||||||
|
@ -75,6 +75,9 @@ partition (e.g., `/dev/sda1`).
|
|||||||
On Windows, you can use the [Rufus] tool. Be sure to select "DD image" mode (you
|
On Windows, you can use the [Rufus] tool. Be sure to select "DD image" mode (you
|
||||||
need to do that **after** selecting the Qubes ISO):
|
need to do that **after** selecting the Qubes ISO):
|
||||||
|
|
||||||
|
**Warning:** If you do that on Windows 10, you can only install Qubes without
|
||||||
|
MediaTest, which isn't recommended.
|
||||||
|
|
||||||
<img src="/attachment/wiki/InstallationGuide/rufus-main-boxed.png" height="350">
|
<img src="/attachment/wiki/InstallationGuide/rufus-main-boxed.png" height="350">
|
||||||
|
|
||||||
Before proceeding with the installation, you are encouraged to first read all
|
Before proceeding with the installation, you are encouraged to first read all
|
||||||
|
@ -7,6 +7,11 @@ permalink: /doc/live-usb/
|
|||||||
Qubes Live USB (alpha)
|
Qubes Live USB (alpha)
|
||||||
======================
|
======================
|
||||||
|
|
||||||
|
NOTE: This content applies to Qubes versions earlier than R3.2. See the
|
||||||
|
[Installation Guide](/doc/installation-guide/) for instructions and warnings
|
||||||
|
on creating a USB boot drive for testing purposes with Qubes R3.2, R4.0, and
|
||||||
|
higher.
|
||||||
|
|
||||||
Qubes Live USB allows you to run and try Qubes OS without having to install it
|
Qubes Live USB allows you to run and try Qubes OS without having to install it
|
||||||
anywhere. Qubes Live USB is currently in alpha. If you use it, please consider
|
anywhere. Qubes Live USB is currently in alpha. If you use it, please consider
|
||||||
running the [HCL reporting tool](/hcl/) and sending us the results so that we
|
running the [HCL reporting tool](/hcl/) and sending us the results so that we
|
||||||
@ -16,7 +21,6 @@ please consider applying for a [Google Summer of Code][gsoc-page] scholarship
|
|||||||
(if you are eligible) and choosing the QubesOS Project as a mentor
|
(if you are eligible) and choosing the QubesOS Project as a mentor
|
||||||
organization. You can find our list of project ideas [here][project-page].
|
organization. You can find our list of project ideas [here][project-page].
|
||||||
|
|
||||||
|
|
||||||
Introduction
|
Introduction
|
||||||
------------
|
------------
|
||||||
|
|
||||||
|
@ -32,22 +32,23 @@ A prebuilt template is available only for Qubes 3.2. Before Qubes 3.2, it should
|
|||||||
|
|
||||||
## Binary packages activation
|
## Binary packages activation
|
||||||
|
|
||||||
The update repository is disabled when you install (signed) template package. You can however choose to trust it by registering it into pacman.
|
The Qubes update repository is disabled by default in the Archlinux template. You can however choose to trust it by registering it into pacman.
|
||||||
|
|
||||||
Enable the repository by running the following command:
|
Since November 2017, an activation package is present in the template. The update repository can thus be activated by running the following command inside the template:
|
||||||
|
|
||||||
# mv /etc/pacman.d/99-qubes-repository-3.2.disabled /etc/pacman.d/99-qubes-repository-3.2.conf
|
# pacman -sU /etc/pacman.d/qubes-vm-keyring*.pkg.tar.xz
|
||||||
|
|
||||||
|
It should be noted to this command will create a trust for packages provided by [Olivier Médoc](mailto:o_medoc@yahoo.fr) and signed by the PGP key above.
|
||||||
|
|
||||||
Then you need to install and sign the public GPG key of the package maintainer (note that accessing to GPG servers requires to temporarily disable the firewall in your template):
|
If the qubes-vm-keyring package is not present in `/etc/pacman.d/`, please refer to the section #Activating binary packages manually.
|
||||||
|
|
||||||
# pacman-key --recv-key 2043E7ACC1833B9C
|
## Optional Qubes packages
|
||||||
# pacman-key --finger 2043E7ACC1833B9C
|
|
||||||
|
|
||||||
If the fingerprint is correct, you can then sign the key:
|
|
||||||
|
|
||||||
# pacman-key --lsign-key 2043E7ACC1833B9C
|
Several Qubes packages are not necessarily installed by default in the Archlinux Template. These packages can be installed to add additional functionnalities to the template:
|
||||||
|
* `qubes-vm-networking`: Contains Qubes tools and dependencies required to use the template as a NetVM/ProxyVM
|
||||||
|
* `qubes-vm-pulseaudio`: Contains `Pulseaudio` agent enabling sound support in the template
|
||||||
|
|
||||||
## Default packages
|
## Default template packages
|
||||||
|
|
||||||
In order to keep the template as small and simple as possible, default installed package have been arbitrarily selected based on multiple subjective criterias that however essentially include libraries dependencies. This packages are:
|
In order to keep the template as small and simple as possible, default installed package have been arbitrarily selected based on multiple subjective criterias that however essentially include libraries dependencies. This packages are:
|
||||||
* Some font packages to keep good user experience
|
* Some font packages to keep good user experience
|
||||||
@ -60,6 +61,28 @@ In order to keep the template as small and simple as possible, default installed
|
|||||||
|
|
||||||
Note that Archlinux does not install GUI packages by default as this decision is left to users. This packages have only been selected to have a usable template.
|
Note that Archlinux does not install GUI packages by default as this decision is left to users. This packages have only been selected to have a usable template.
|
||||||
|
|
||||||
|
## Activating binary packages manually
|
||||||
|
|
||||||
|
Enable the repository by running the following command:
|
||||||
|
|
||||||
|
# rm /etc/pacman.d/99-qubes-repository-3.2.conf
|
||||||
|
# ln -s /etc/pacman.d/99-qubes-repository-3.2.disabled /etc/pacman.d/99-qubes-repository-3.2.conf
|
||||||
|
|
||||||
|
Then you need to install and sign the public GPG key of the package maintainer (note that accessing to GPG servers requires to temporarily disable the firewall in your template):
|
||||||
|
|
||||||
|
# pacman-key --recv-key 2043E7ACC1833B9C
|
||||||
|
# pacman-key --finger 2043E7ACC1833B9C
|
||||||
|
|
||||||
|
If the fingerprint is correct, you can then sign the key:
|
||||||
|
|
||||||
|
# pacman-key --lsign-key 2043E7ACC1833B9C
|
||||||
|
|
||||||
|
## Updating a Qubes-3.2 Archlinux Template
|
||||||
|
|
||||||
|
Because of changes in the Qubes-4.0 partition layout, and usage of XEN HVMs instead of pv-guests. It is not straightforward to update a Qubes-3.2 template to Qubes-4.0.
|
||||||
|
|
||||||
|
For this reason, it is recommended to start from a new template in Qubes-4.0.
|
||||||
|
|
||||||
## Updating a Qubes-3.1 Archlinux Template
|
## Updating a Qubes-3.1 Archlinux Template
|
||||||
|
|
||||||
If you decide to use binary packages but that you where using a Qubes-3.1 Template, your can follow these instructions to enable Qubes 3.2 agents.
|
If you decide to use binary packages but that you where using a Qubes-3.1 Template, your can follow these instructions to enable Qubes 3.2 agents.
|
||||||
@ -111,7 +134,6 @@ Finally, errors related to the GUI agent can be found inside the VM in `/home/us
|
|||||||
|
|
||||||
## Packages manager wrapper
|
## Packages manager wrapper
|
||||||
|
|
||||||
|
|
||||||
Powerpill is a full Pacman wrapper that not only give easy proxy configuration but further offers numerous other advantages.
|
Powerpill is a full Pacman wrapper that not only give easy proxy configuration but further offers numerous other advantages.
|
||||||
|
|
||||||
Please check out:
|
Please check out:
|
||||||
|
@ -72,12 +72,6 @@ In Qubes R4.0, sudo is not installed by default in the minimal template. To upd
|
|||||||
[user@dom0 ~]$ qvm-run -u root fedora-26-minimal xterm
|
[user@dom0 ~]$ qvm-run -u root fedora-26-minimal xterm
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
If you would like to skip this step in future, please install the `sudo` package:
|
|
||||||
|
|
||||||
~~~
|
|
||||||
[user@your-new-clone ~]$ dnf install sudo
|
|
||||||
~~~
|
|
||||||
|
|
||||||
In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be needed to make the customized minimal template work properly. These packages are:
|
In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be needed to make the customized minimal template work properly. These packages are:
|
||||||
|
|
||||||
- `qubes-core-agent-qrexec`: Qubes qrexec agent. Installed by default.
|
- `qubes-core-agent-qrexec`: Qubes qrexec agent. Installed by default.
|
||||||
@ -85,9 +79,11 @@ In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be neede
|
|||||||
- `qubes-core-agent-passwordless-root`, `polkit`: By default the 'fedora-26-minimal' template doesn't have passwordless root. These two packages fix the situation.
|
- `qubes-core-agent-passwordless-root`, `polkit`: By default the 'fedora-26-minimal' template doesn't have passwordless root. These two packages fix the situation.
|
||||||
- `qubes-core-agent-nautilus`: This package provides integration with the Nautilus file manager (without it things like "copy to VM/open in disposable VM" will not be shown in Nautilus).
|
- `qubes-core-agent-nautilus`: This package provides integration with the Nautilus file manager (without it things like "copy to VM/open in disposable VM" will not be shown in Nautilus).
|
||||||
- `qubes-core-agent-sysvinit`: Qubes unit files for SysV init style or upstart.
|
- `qubes-core-agent-sysvinit`: Qubes unit files for SysV init style or upstart.
|
||||||
- `qubes-core-agent-networking`: Networking support. Useful if the template has to be used for a `sys-net` VM.
|
- `qubes-core-agent-networking`: Networking support. Required if the template is to be used for a `sys-net` or `sys-firewall` VM.
|
||||||
- `qubes-core-agent-network-manager`: Integration for NetworkManager. Useful if the template has to be used for a `sys-net` VM.
|
- `qubes-core-agent-network-manager`: Integration for NetworkManager. Useful if the template is to be used for a `sys-net` VM.
|
||||||
- `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates. Any template which the VM respondible for 'dom0' updates is based on must contain this package.
|
- `network-manager-applet`: Useful (together with `dejavu-sans-fonts` and `notification-daemon`) to have a system tray icon if the template is to be used for a `sys-net` VM.
|
||||||
|
- `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates. Any template which the VM responsible for 'dom0' updates (e.g. `sys-firewall`) is based on must contain this package.
|
||||||
|
- `qubes-usb-proxy`: Required if the template is to be used for a USB qube (`sys-usb`) or for any destination qube to which USB devices are to be attached (e.g `sys-net` if using USB network adapter).
|
||||||
- `pulseaudio-qubes`: Needed to have audio on the template VM.
|
- `pulseaudio-qubes`: Needed to have audio on the template VM.
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user