Merge pull request #938 from freedomofpress/whonix-17

Support Whonix 17

Makefile

@@ -78,7 +78,7 @@ sd-app: prep-dev ## Provisions SD APP VM
 
 sd-whonix: prep-dev ## Provisions SD Whonix VM
 	sudo qubesctl --show-output state.sls sd-whonix
-	sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-16,sd-whonix state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets whonix-gateway-17,sd-whonix state.highstate
 
 sd-viewer: prep-dev ## Provisions SD Submission Viewing VM
 	sudo qubesctl --show-output state.sls sd-viewer

dom0/sd-dom0-files.sls

@@ -94,18 +94,6 @@ dom0-securedrop-icon:
     - require:
       - file: dom0-securedrop-icons-directory
 
-dom0-enabled-apparmor-on-whonix-gw-template:
-  qvm.vm:
-    - name: whonix-gw-16
-    - prefs:
-      - kernelopts: "nopat apparmor=1 security=apparmor"
-
-dom0-enabled-apparmor-on-whonix-ws-template:
-  qvm.vm:
-    - name: whonix-ws-16
-    - prefs:
-      - kernelopts: "nopat apparmor=1 security=apparmor"
-
 dom0-create-opt-securedrop-directory:
   file.directory:
     - name: /opt/securedrop

dom0/sd-sys-whonix-vms.sls

@@ -1,22 +1,61 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
+##
+# Install latest Whonix template, configure apparmor on installed templates,
+# and ensure sys-whonix and anon-whonix use latest version.
+##
+
 include:
   - sd-upgrade-templates
 
+{% set sd_supported_whonix_version = '17' %}
+
+whonix-gateway-installed:
+  qvm.template_installed:
+    - name: whonix-gateway-{{ sd_supported_whonix_version }}
+    - fromrepo: qubes-templates-community
+
+whonix-workstation-installed:
+  qvm.template_installed:
+    - name: whonix-workstation-{{ sd_supported_whonix_version }}
+    - fromrepo: qubes-templates-community
+
+dom0-enabled-apparmor-on-whonix-gw-template:
+  qvm.vm:
+    - name: whonix-gateway-{{ sd_supported_whonix_version }}
+    - prefs:
+      - kernelopts: "nopat apparmor=1 security=apparmor"
+    - require:
+      - sls: sd-upgrade-templates
+      - qvm: whonix-gateway-installed
+      - qvm: whonix-workstation-installed
+
+dom0-enabled-apparmor-on-whonix-ws-template:
+  qvm.vm:
+    - name: whonix-workstation-{{ sd_supported_whonix_version }}
+    - prefs:
+      - kernelopts: "nopat apparmor=1 security=apparmor"
+    - require:
+      - sls: sd-upgrade-templates
+      - qvm: whonix-gateway-installed
+      - qvm: whonix-workstation-installed
+
 # The Qubes logic is too polite about enforcing template
 # settings, using "present" rather than "prefs". Below
 # we force the template updates.
 sys-whonix-template-config:
   qvm.vm:
     - name: sys-whonix
     - prefs:
-      - template: whonix-gw-16
+      - template: whonix-gateway-{{ sd_supported_whonix_version }}
     - require:
-      - sls: sd-upgrade-templates
+      - qvm: dom0-enabled-apparmor-on-whonix-gw-template
 
 anon-whonix-template-config:
   qvm.vm:
     - name: anon-whonix
     - prefs:
-      - template: whonix-ws-16
+      - template: whonix-workstation-{{ sd_supported_whonix_version }}
+    - require:
+      - qvm: dom0-enabled-apparmor-on-whonix-ws-template

dom0/sd-whonix.sls

@@ -16,6 +16,7 @@
 
 include:
   - sd-upgrade-templates
+  - sd-sys-whonix-vms
 
 sd-whonix:
   qvm.vm:
@@ -24,7 +25,7 @@ sd-whonix:
       - label: purple
       - mem: 500
     - prefs:
-      - template: whonix-gw-16
+      - template: whonix-gateway-17
       - provides-network: true
       - netvm: "sys-firewall"
       - autostart: true
@@ -35,3 +36,4 @@ sd-whonix:
         - sd-{{ sdvars.distribution }}
     - require:
       - sls: sd-upgrade-templates
+      - sls: sd-sys-whonix-vms

dom0/securedrop-handle-upgrade

@@ -62,7 +62,7 @@ if [[ $TASK == "prepare" ]]; then
     # is not, we want to ensure a smooth upgrade.
     if qvm-check --quiet sd-whonix; then
         BASE_TEMPLATE=$(qvm-prefs sd-whonix template)
-        if [[ ! $BASE_TEMPLATE =~ "16" ]]; then
+        if [[ ! $BASE_TEMPLATE =~ "17" ]]; then
             qvm-shutdown --wait sd-proxy
             qvm-shutdown --wait sd-whonix
         fi
@@ -71,7 +71,7 @@ if [[ $TASK == "prepare" ]]; then
     # Kill sys-whonix, to make sure connected clients don't prevent shutdown.
     if qvm-check --quiet sys-whonix; then
         BASE_TEMPLATE=$(qvm-prefs sys-whonix template)
-        if [[ ! $BASE_TEMPLATE =~ "16" ]]; then
+        if [[ ! $BASE_TEMPLATE =~ "17" ]]; then
             if qvm-check --quiet --running sys-whonix; then
                 qvm-kill sys-whonix
                 # Wait for machine to stop fully, since qvm-kill doesn't block

launcher/sdw_updater_gui/Updater.py

@@ -46,7 +46,7 @@
     "sd-log": "sd-small-{}-template".format(DEBIAN_VERSION),
     "sd-devices": "sd-large-{}-template".format(DEBIAN_VERSION),
     "sd-proxy": "sd-small-{}-template".format(DEBIAN_VERSION),
-    "sd-whonix": "whonix-gw-16",
+    "sd-whonix": "whonix-gateway-17",
     "sd-gpg": "sd-small-{}-template".format(DEBIAN_VERSION),
 }
 

launcher/tests/test_updater.py

@@ -495,7 +495,7 @@ def test_shutdown_and_start_vms(
         call("fedora-38"),
         call("sd-large-{}-template".format(DEBIAN_VERSION)),
         call("sd-small-{}-template".format(DEBIAN_VERSION)),
-        call("whonix-gw-16"),
+        call("whonix-gateway-17"),
     ]
     app_vm_calls = [
         call("sd-app"),
@@ -541,7 +541,7 @@ def test_shutdown_and_start_vms_sysvm_fail(
         call("fedora-38"),
         call("sd-large-{}-template".format(DEBIAN_VERSION)),
         call("sd-small-{}-template".format(DEBIAN_VERSION)),
-        call("whonix-gw-16"),
+        call("whonix-gateway-17"),
     ]
     error_calls = [
         call("Error while killing system VM: sys-firewall"),

rpm-build/SPECS/securedrop-workstation-dom0-config.spec

@@ -125,7 +125,7 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \
 
 # Force full run of all Salt states - uncomment in release branch
 # mkdir -p /tmp/sdw-migrations
-# touch /tmp/sdw-migrations/f38-update
+# touch /tmp/sdw-migrations/whonix-17-update
 
 %changelog
 * Thu Nov 23 2023 SecureDrop Team <[email protected]> - 0.9.0

tests/base.py

@@ -9,7 +9,7 @@
 WANTED_VMS = ["sd-gpg", "sd-log", "sd-proxy", "sd-app", "sd-viewer", "sd-whonix", "sd-devices"]
 CURRENT_FEDORA_VERSION = "38"
 CURRENT_FEDORA_TEMPLATE = "fedora-" + CURRENT_FEDORA_VERSION
-CURRENT_WHONIX_VERSION = "16"
+CURRENT_WHONIX_VERSION = "17"
 
 
 # Lifted from launcher/sdw_util/Util.py

tests/test_vms_exist.py

@@ -51,7 +51,7 @@ def test_sd_whonix_config(self):
         self.assertTrue(nvm.name == "sys-firewall")
         wanted_kernelopts = "nopat apparmor=1 security=apparmor"
         self.assertEqual(vm.kernelopts, wanted_kernelopts)
-        self.assertTrue(vm.template == "whonix-gw-16")
+        self.assertTrue(vm.template == "whonix-gateway-17")
         self.assertTrue(vm.provides_network)
         self.assertTrue(vm.autostart is True)
         self.assertFalse(vm.template_for_dispvms)

tests/test_vms_platform.py

@@ -7,9 +7,10 @@
 
 
 BULLSEYE_STRING = "Debian GNU/Linux 11 (bullseye)"
+BOOKWORM_STRING = "Debian GNU/Linux 12 (bookworm)"
 
 SUPPORTED_SD_DEBIAN_DIST = "bullseye"
-SUPPORTED_WHONIX_PLATFORMS = [BULLSEYE_STRING]
+SUPPORTED_WHONIX_PLATFORMS = [BOOKWORM_STRING]
 
 
 apt_url = ""