From 732e9d02eeae18c3cfe3c10beceed1564f28c399 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Thu, 24 Mar 2022 11:57:37 -0400
Subject: [PATCH] Rip out the network-based updates proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It’s not used anymore and is useless attack surface. Get rid of it.

Fixes QubesOS/qubes-issues#3285.
---
 Makefile                                   |  1 -
 debian/qubes-core-agent-networking.install |  1 -
 network/iptables-updates-proxy             | 22 ----------------------
 rpm_spec/core-agent.spec.in                |  1 -
 vm-systemd/qubes-updates-proxy.service     |  2 --
 5 files changed, 27 deletions(-)
 delete mode 100755 network/iptables-updates-proxy

diff --git a/Makefile b/Makefile
index 758e50bf4..f387f3074 100644
--- a/Makefile
+++ b/Makefile
@@ -168,7 +168,6 @@ install-netvm:
 	install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
-	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
 	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install
index c26f2518a..34a882bfe 100644
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@@ -18,7 +18,6 @@ usr/lib/qubes/init/network-proxy-setup.sh
 usr/lib/qubes/init/network-proxy-stop.sh
 usr/lib/qubes/init/network-uplink-wait.sh
 usr/lib/qubes/init/qubes-iptables
-usr/lib/qubes/iptables-updates-proxy
 usr/lib/qubes/qubes-setup-dnat-to-ns
 usr/lib/qubes/setup-ip
 usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
diff --git a/network/iptables-updates-proxy b/network/iptables-updates-proxy
deleted file mode 100755
index 5bda776d4..000000000
--- a/network/iptables-updates-proxy
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-
-RULE_FILTER="INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
-RULE_NAT="PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
-
-if [ "$1" = "start" ]; then
-cat <<__EOF__ | iptables-restore -n
-*filter
--I $RULE_FILTER
-COMMIT
-*nat
--I $RULE_NAT
-COMMIT
-__EOF__
-else
-    # Remove rules
-    # shellcheck disable=SC2086
-    iptables -D $RULE_FILTER
-    # shellcheck disable=SC2086
-    iptables -t nat -D $RULE_NAT
-    exit 0
-fi
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 11869ad0e..3a59581a6 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -832,7 +832,6 @@ rm -f %{name}-%{version}
 /usr/lib/qubes/init/network-proxy-stop.sh
 /usr/lib/qubes/init/network-uplink-wait.sh
 /usr/lib/qubes/init/qubes-iptables
-/usr/lib/qubes/iptables-updates-proxy
 /usr/lib/qubes/qubes-setup-dnat-to-ns
 /usr/lib/qubes/setup-ip
 /usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
diff --git a/vm-systemd/qubes-updates-proxy.service b/vm-systemd/qubes-updates-proxy.service
index 0aec98dec..11688b937 100644
--- a/vm-systemd/qubes-updates-proxy.service
+++ b/vm-systemd/qubes-updates-proxy.service
@@ -4,9 +4,7 @@ ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy
 After=qubes-iptables.service

 [Service]
-ExecStartPre=/usr/lib/qubes/iptables-updates-proxy start
 ExecStart=/usr/lib/qubes/tinyproxy-wrapper -d -c /etc/tinyproxy/tinyproxy-updates.conf
-ExecStopPost=/usr/lib/qubes/iptables-updates-proxy stop
 Restart=on-failure
 RestartSec=5s
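Review bot: `After=qubes-iptables.service` in the context of the qubes-updates-proxy.service hunk is now a stale ordering dependency: with the ExecStartPre/ExecStopPost hooks removed, the unit no longer inserts or deletes any firewall rule, so nothing in it needs qubes-iptables.service to have run first, and the line can be dropped in the same commit. Dropping the INPUT ACCEPT for `vif+` port 8082 (and the PR-QBS-SERVICES REDIRECT to 10.137.255.254) means tinyproxy is no longer reachable from downstream qubes over the network, which matches the stated intent, but only if the default INPUT policy in /etc/qubes/iptables.rules actually drops that traffic; it would be worth also confirming that tinyproxy-updates.conf (installed by the Makefile hunk, not shown here) binds its listener to loopback rather than relying on the firewall alone, so the presumed remaining path to it is the qrexec-based updates service rather than any vif. The unit's `[Unit]` section starts before this hunk.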