Package security-misc from Whonix to Qubes #1885
Comments
marmarek
added
enhancement
C: templates
P: major
|
Marek Marczykowski-Górecki:
I don't think this will be an issue. As long as the Qubes repository is
The Debian template should not trust the Whonix repository. |
|
This might be more interesting now.
|
|
QubesOS/qubes-core-agent-linux#161 /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar.xml by qubes-core-agent-thunar actually causes a package file conflict. |
|
I've created PRs with qubes-builder integration and rpm packaging (only build tested): But I'm not yet sure if this is the best possible approach. I see those options:
The first approach is less work in total (one place to update), but since upstream is focused on Debian only, rpm packaging may desynchronize. Some of it could be mitigated by adding CI (Travis). @adrelanos what do you think? |
|
Creating the File Now the complicated part is could auto generate the list of file names. Not sure about anything else such as maintainer scripts?
That would be good if we can make that work. [In any case you might want to fork it and build Qubes from the fork so in theory a malicious upstream wouldn't leak into Qubes. The fork would at most if not all times not do any Qubes specific modifications, just for security and review. Existence of https://github.com/QubesOS/qubes-python-xcffib/ indicates you have that in mind anyhow but good to spell out for other readers.] Having said above, do you think this is feasible?
Also ok however could be too much work for https://phabricator.whonix.org/T709 to ever materialize. Signed upstream tarballs for all Whonix packages already exist. Example: https://deb.whonix.org/pool/main/s/security-misc/ https://deb.whonix.org/pool/main/s/security-misc/security-misc_3.1-1.dsc Debian buster might be required for easy verification of the signature and extraction of the archive using |
FWIW, we do that the other way around: generate debian changelog from
In theory it's possible to list everything with wildcard (
Might be a good idea. Indeed I've copy&pasted significant part of it from
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_gconf There is also another possible issue - potential differences between Debian and Fedora (and other distributions if anyone would maintain it): different paths, different software versions. Generally it's manageable, but may require extra steps over automated |
|
Marek Marczykowski-Górecki:
There is also another possible issue - potential differences between
Debian and Fedora (and other distributions if anyone would maintain it):
different paths, different software versions. Generally it's manageable,
but may require extra steps over automated `genmkfile`.
I don't think I could maintain / bug triage / fix the Fedora package
versions long term. However, as it looks now, the Fedora packaging files
look really simple. So if it helps, these are already merged.
Somehow I misinterpreted "Package security-misc from Whonix to Qubes"
only as "make security-misc usable in the Qubes Debian templates too".
The genmkfile auto generation (and then commit to git) of the Fedora
packaging files part however looks doable which I could commit in the
near / mid future.
but may require extra steps over automated `genmkfile`.
FWIW, supports hooks, even drop-in folders for customization.
> Creating the `version` file could be automated. genmkfile already
> has `make make deb-chl-bumpup-major` and a new feature of adding
> upstream version number into `version` file would be easy for me.
FWIW, we do that the other way around: [generate debian
changelog](https://github.com/QubesOS/qubes-builder-debian/blob/master/scripts/debian-changelog.sh)
from `version` file and git changelog.
debian/changelog is also generated by manual run of genmkfile, and then
committed to git. In effect, many package should be Debian policy
conform and ready to be uploaded to packages.debian.org. Auto generation
of debian/changelog would prevent the package from ever entering
packages.debian.org.
> Now the complicated part is `rpm_spec/genmkfile.spec.in`. What I
> really don't like is keeping track of all file names (`%files`)
> manually.
In theory it's possible to list everything with wildcard (`/*` or
such), but it is considered bad practice.
Would (`/*` or such) still be better than not implementation or auto
generating (and then committing to git) all files?
> That's one of the main reasons why genmkfile was invented. I am
> wondering if genmkfile could auto generate
> rpm_spec/genmkfile.spec.in?
Might be a good idea. Indeed I've copy&pasted significant part of it
from `debian/control`. But the file should be committed to the
repository.
Committing to repository was what I had in mind. Important to have these
files ready for public review and patches. Having the help of a script
creating these files however would help making multiple of Whonix's
Debian packages by Whonix available in Qubes Debian based templates.
|
Yes, this is exactly what we do too. Simply the generator is different.
The idea of |
|
Marek Marczykowski-Górecki:
> Would (`/*` or such) still be better than not implementation or auto generating (and then committing to git) all files?
Not very relevant for `cp -r` type of package.
Alright.
Is `genmkfile` used once for package initialization, or do you re-run it from time to time (for example to synchronize `README` with `debian/control`)?
New packages are created manually. (By copying over an existing package
structure and then changing all of the files accordingly using mass
search and replace, manual verification.)
debian/control to README is done by script
https://github.com/Whonix/whonix-developer-meta-files/blob/master/debug-steps/packaging-helper-script
function pkg_readme_creator which gets manually run from time to time
(very low priority).
packaging-helper-script has also a function
pkg_need_version_bump_and_pkg_build_and_reprepro_add which:
- verifies we are using a signed commit (sanity test only, not security,
since all is manually verified on my local machine before singing)
- bumps debian/changelog
- refreshes changelog.upstream (which is just a git log dump)
- creates a signed git tag with the new version number
- builds the package (lintian --pedantic; inside cowbuilder chroot)
- adds the package to local repository
- which I'll then upload to deb.whonix.org developers repository
- which I'll then then
- when then flows to other repository suites
"builds the package" means "make deb-pkg" which runs a few genmkfile steps
- make dist
- make debdist
- make debdsc
- make deb-pkg-build
make deb-pkg-build uses cowbuilder (... or debuild ...) which internally
uses standard Debian build tools which internally uses "make install"
but with environment variable DESTDIR set to suit packaging.
"make install" in essence (shortened for simplicity) does:
make_folder_list_for_un_and_install="bin boot dev etc home lib opt sbin
srv sys usr var"
for d in $make_folder_list_for_un_and_install; do
cp -R "$d" "$DESTDIR"
I am using "make install" quite often manually during development just
because it is faster than full package reinstall (which of course
requires knowing the differences between "make install" and a full
package such as maintainer scripts). A standard "make install" is also
implemented to have a compliant, complete makefile to ease porting for
anyone who wishes to fork.
So if you want so, there is no auto generated packaging file which
describes which file gets copied where similar to %files. From genmkfile
readme:
Files in etc/... in root source folder will be installed to /etc/...,
files in usr/... will be installed to /usr/... and so forth. This should
make renaming, moving files around, packaging, etc. very simple.
Packaging of most packages can look very similar.
Renamed/removed/new files are mostly really out of my mind since this is
fully automated, abstracted away.
genmkfile kinda results in `/*`.
If you run it only once, I'd go with wildcards. Less work.
Basically the wildcards (actually just bin boot dev etc home lib opt
sbin srv sys usr var) are run on every build without having to think
about it.
But indeed, if Fedora needs different paths (or maintainer scripts),
then things get more complicated.
|
|
The auto generation of rpm spec files can be considered future work. Are these manually created rpm spec files good enough to continue with Qubes interrelation of this very security-misc package? |
Yes. If that's major problem for now, I could start with uploading to Debian repository first and upload to Fedora later. |
This could use security review. File https://github.com/Whonix/security-misc/blob/master/usr/share/pam-configs/permission-lockdown-security-misc effective results in files
A new following line:
Actual implementation is here: Security discussion: I had in mind if using malicious user names in /home leading to root code execution by users, but this isn't possible because to create a malicious user name, root access is required in the first place. And one who has root access, does not bother exploiting See also: Unfortunately adduser does not support hooks yet. |
|
I think module signing and kernel lockdown are very important parts. |
|
discussion
This has lead to a related discussion. Indeed no restrictions of user freedom. As far as I know, any /etc/sysctl.d drop-in or /etc/default/grub.d boot parameter drop-in can be disabled by:
|
|
Could you please review the new
Specifically important is that the systemd unit file won't cause any systemd dependency cycles or break Qubes (home) folder mounting. |
|
|
|
I vaguely remember it was fixed already, maybe outdated version? |
|
Yes. Fixed in git master, developers and testers repository.
|
|
Found it Kicksecure/security-misc@660837d As the latest stable build breaks with the As a workaround, I am adding |
|
The fixed package will migrate to all repositories as per usual. It's a
slow process since the tool chain is underdeveloped.
This issue wouldn't happen in the first place if there was proper
automated testing. Help welcome. Some starters:
https://forums.whonix.org/t/looking-for-contributor-automated-test-suite/5942
https://phabricator.whonix.org/T709
|
|
Responded in the thread about automated tests. Should I include some other repo in openqa tests too? I don't think I've seen |
|
Marek Marczykowski-Górecki:
Responded in the thread about automated tests.
Me too.
Or maybe the problem applies only to the fresh template build, not update?
Possible. Best to have test cases for both.
|
|
Not sure, but contributions would be appreciated. |
andrewdavidwong
added
the
security
|
@bluesteal: Please note that the issue tracker (qubes-issues) is not intended to be a place for fielding questions. Instead, we have other venues meant for asking questions, asking for help, and having discussions. (By contrast, the issue tracker is more of a technical tool intended to support our developers in their work.) Thank you for your understanding! |
|
Unfortunately @andrewdavidwong has to repeat the same thing over and over.
It's not a big deal if someone who has just learned of this project is ignorant of the guidelines and posts something here that doesn't belong into the issue tracker. Andrew will point to the guidelines, no harm done.
The real question is: how many reminders do you @bluesteal need before being constructive?
|
and others
Whonix has security-misc package, which is meant to be reusable across different security distributions. It would be good to include it also in Qubes. This would solve #1108 for example.
It would require:
Makefile.builderMaybe on Debian template it should be installed directly from Whonix repository? Probably bad idea, may pull another packages, have unwanted side effects.
Any opinion @adrelanos?
The text was updated successfully, but these errors were encountered: