Disable thumbnail previews in file managers in SecureDrop Workstation VMs

[redshiftzero]

OG desc:

Nautilus helpfully generates a thumbnail preview of many file types, including images.

However, in our use case, we want to to prevent the parsing of potentially malicious decrypted files in sd-app, so we should disable the thumbnail generation.

Note that to prevent parsing of these files disabling thumbnails is necessary but (possibly) not sufficient, more investigation needed.

With freedomofpress/securedrop-client#2057, a file manager (and thunar, not nautilus) would not be available in sd-app, only in viewer and export VMs, but thumbnail generation should still be disabled.

[adrelanos]

Whonix 14 will do that by default.

Package https://github.com/Whonix/security-misc is responsible for that.

References:

• https://phabricator.whonix.org/T500
• Kicksecure/security-misc@5ba2a5b
• Kicksecure/security-misc@dfe8a56
• Turn Auto File Previews off by default in Debian / Whonix templates QubesOS/qubes-issues#1108 (comment)

[adrelanos]

@redshiftzero can you reproduce this inside Qubes-Whonix?

If no, due to QubesOS/qubes-issues#1885 we might be able to close this one as duplicate.

[conorsch]

Have not tried to reproduce recently, but the original scope of this ticket was in the sd-svs VM, which is not based on the Qubes Whonix Workstation—presumably that's why we saw behavior different from what @adrelanos points out.

Now that we've got the client code coming together, we'll be dropping use of Nautilus altogether in the standard journalist workflow (#179). So the preview issue is now less important than when this issue was first opened. The previews may be relevant for forthcoming workflows such as export, however #84, so leaving open for now. (cc @redshiftzero if you disagree)

[eloquence]

sd-app (née sd-svs) still ships with Nautilus, but I'm not seeing rich previews at least for JPGs and PDFs. Have we already mitigated this in our config?

[zenmonkeykstop]

Need to confirm that tracker-miner has been disabled in sd-app altogether - nautilus may be replaced with thunar based on some issues encountered in the debian-12-based templates with grsec kernels, so we should make sure its equivalent service, if any, is also not processing files to produce thumbnails.

See also https://lwn.net/Articles/947288/

[zenmonkeykstop]

The equivalent service under xfce is tumblerd (which I cannot initially type without leaving out the "e" :/ ) - it's installed as a dependency of thunar but not actually required for it to run. So, we could:

• just uninstall it in the template
• add a config file for it under ~/.config that disables all its plugins
• both, for safety's sake

[legoktm]

Cross-referencing:

• Disable Tracker (the GNOME desktop search provider) by default QubesOS/qubes-issues#8372
• and then un-disabled in Do not disable tracker and evolution-data-server in AppVMs QubesOS/qubes-core-agent-linux#450

[zenmonkeykstop]

We should verify that the relevant services are disabled for 1.1.0