
Logging endangers privacy (or worse) #3360

Open
ohreally opened this Issue Nov 30, 2017 · 3 comments


ohreally commented Nov 30, 2017

Qubes OS version:

R4.0-rc3

Some applications log the names of VMs to the dom0 systemd journal (journalctl). Examples:

dom0 qubesd[PID]: Activating the personal VM
dom0 qrexec[PID]: qubes.Filecopy: untrusted -> personal: allowed to personal
dom0 qrexec[PID]: qubes.NotifyUpdates: personal -> dom0: allowed to dom0
dom0 qrexec[PID]: qubes.WindowIconUpdater: personal -> dom0: allowed to dom0

It might be preferable to replace the names of the VMs with numbers, as qmemman does:

dom0 qmemman.systemstate[PID]: mem-set domain 13 to 123456789
dom0 qmemman.systemstate[PID]: stat: dom '9' act=XXXXXXXXX pref=YYYYYYYYY
dom0 qmemman.daemon.algo[PID]: balloon: domain 11 has actual memory 987654321

Also, the logs for a deleted VM are not deleted (/var/log/qubes/* + /var/log/xen/* + /var/log/libvirt/*).

Until this is fixed, or if this won't be fixed at all, the user should be warned to choose the name wisely when creating a new VM, even if they plan to delete the VM before crossing a border, or doing other risky stuff. For some people a VM name like 'sandbox' or 'playground' may be a better idea than 'wikileaks-upload' or 'kimjongun-nudephotos'.
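As an added example (not Qubes project code), the script below is the check a user could run in dom0 after deleting a VM: it lists every stored log line that still names it. The directories default to the three named above, the journal is read through journalctl when that command exists (the journal files themselves are binary), and the sample log text is constructed after the lines quoted in this report.

```python
"""Audit which stored logs still mention a VM name (added example, not Qubes
project code).  The default directories are the ones named in the issue;
the journal is queried through journalctl when that command exists, since
journal files themselves are binary."""
import gzip
import os
import re
import shutil
import subprocess
import tempfile

# Directories named in the issue report; each is skipped if it does not exist.
DEFAULT_LOG_DIRS = ("/var/log/qubes", "/var/log/xen", "/var/log/libvirt")

# Constructed sample log text, modelled on the lines quoted in the issue.
SAMPLE_QREXEC_LOG = (
    "dom0 qrexec[1235]: qubes.Filecopy: untrusted -> personal: allowed to personal\n"
    "dom0 qrexec[1236]: qubes.Filecopy: untrusted -> personal-old: allowed to personal-old\n"
    "dom0 qubesd[1237]: Activating the work VM\n"
)


def name_pattern(name):
    """Match NAME only as a complete VM name: Qubes names consist of letters,
    digits, '-' and '_', so none of those may touch either end of the match
    ('personal' must not count as a reference to 'personal-old')."""
    return re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")


def scan_file(path, pattern):
    """Return (path, line number, line) for every matching line in one file;
    rotated .gz logs are read transparently, unreadable files are skipped."""
    opener = gzip.open if path.endswith(".gz") else open
    hits = []
    try:
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if pattern.search(line):
                    hits.append((path, lineno, line.rstrip("\n")))
    except OSError:
        pass  # permissions or a special file: report nothing, keep auditing
    return hits


def scan_dirs(name, dirs=DEFAULT_LOG_DIRS):
    """Walk each directory and collect every line that references NAME."""
    pattern = name_pattern(name)
    hits = []
    for directory in dirs:
        for root, _subdirs, files in os.walk(directory):
            for filename in sorted(files):
                hits.extend(scan_file(os.path.join(root, filename), pattern))
    return hits


def scan_journal(name):
    """Ask journalctl for the text form of the journal and filter it; returns
    an empty list where journalctl is missing or refuses access."""
    if shutil.which("journalctl") is None:
        return []
    proc = subprocess.run(["journalctl", "--no-pager", "-o", "short"],
                          capture_output=True, text=True, errors="replace")
    pattern = name_pattern(name)
    return [("journal", n, line)
            for n, line in enumerate(proc.stdout.splitlines(), 1)
            if pattern.search(line)]


def write_sample_logs():
    """Create a throwaway directory holding the constructed sample log (plain
    and gzip-rotated) so the scanner can be exercised without a dom0."""
    root = tempfile.mkdtemp(prefix="vm-log-audit-")
    qubes_dir = os.path.join(root, "qubes")
    os.makedirs(qubes_dir)
    with open(os.path.join(qubes_dir, "qrexec.log"), "w") as fh:
        fh.write(SAMPLE_QREXEC_LOG)
    with gzip.open(os.path.join(qubes_dir, "qrexec.log.1.gz"), "wt") as fh:
        fh.write(SAMPLE_QREXEC_LOG)
    return root


if __name__ == "__main__":
    import sys
    vm = sys.argv[1] if len(sys.argv) > 1 else "personal"
    dirs = sys.argv[2:] or DEFAULT_LOG_DIRS
    for path, lineno, line in scan_dirs(vm, dirs) + scan_journal(vm):
        print("%s:%d: %s" % (path, lineno, line))
```

Run it as `python3 audit.py <vmname>` in dom0 to get `file:line: text` for each surviving reference; an empty result from the three directories and the journal is the condition the report above says does not hold today after `qvm-remove`.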


Member

marmarek commented Nov 30, 2017

It might be preferable to replace the names of the VMs with numbers, as qmemman does:

Well, those numbers are useless after domain shutdown, so they aren't suitable for most logs - you may later want to analyze when a domain accessed your gpg keys, for example.
Also, just removing a VM isn't meant to be forensic-proof. This isn't even true for DispVMs, but we're working on it - see #904.

If one wants to cross the border of a "hostile" country, one should carefully prepare the device for it (or not bring it at all). A safe step would be to wipe it and restore only "safe" content from the backup. On Qubes it is very simple thanks to our backup mechanism (it just takes some time).

ohreally commented Nov 30, 2017

those numbers are useless after domain shutdown

Those specific numbers could be replaced by inode numbers, or anything else that anonymizes the VMs.

If one wants to cross the border of a "hostile" country, one should carefully prepare the device for it (or not bring it at all).

True. But if, instead of visiting a hostile country, one lives in a hostile country, one sometimes has to take risks, while still wanting to minimize those risks.
It's about layered security: if, for some reason, you cannot fully secure your stuff all the time, then at least close all the holes you can.

An alternative to using numbers instead of names might be an option 'Do not log anything to dom0 for this VM.' on VM creation. I think there might be users who would gladly 'OK' a dialog that says 'If this VM is ever damaged or corrupted, you are on your own.'.

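One way to reconcile the two positions above (names should not appear in dom0 logs, but opaque domain numbers are useless for later analysis) is a keyed pseudonym: the same name always maps to the same token, so whoever holds the key can still correlate old entries or resolve a token back to a name, while the log line itself carries no VM name. The sketch below is an added example and not Qubes code; the sample lines are constructed after the ones quoted in the issue, the `vm-` token prefix and the key are placeholders, and dom0 is kept literal because it is not a user-created VM.

```python
"""Keyed pseudonyms for VM names in log lines (added example, not Qubes code).
A token is HMAC-SHA256(key, name), truncated, so it is stable across reboots
and resolvable by the key holder, unlike a Xen domain id."""
import hashlib
import hmac
import re

# Constructed sample lines modelled on the issue's journal excerpts.
SAMPLE_LINES = [
    "dom0 qubesd[1234]: Activating the personal VM",
    "dom0 qrexec[1235]: qubes.Filecopy: untrusted -> personal: allowed to personal",
    "dom0 qrexec[1236]: qubes.NotifyUpdates: personal -> dom0: allowed to dom0",
]

# Names that are never rewritten: dom0 is not a user-created VM and the logs
# would become unreadable without it.
FIXED_NAMES = {"dom0"}

# Placeholder token prefix; a real deployment would pick its own.
TOKEN_PREFIX = "vm-"


def pseudonym(name, key, length=12):
    """Stable, keyed token for one VM name (truncated HMAC-SHA256 hex)."""
    digest = hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return TOKEN_PREFIX + digest[:length]


def _whole_name(name):
    # Qubes names use letters, digits, '-' and '_'; none may touch the match,
    # so 'personal' is not rewritten inside 'personal-old'.
    return re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")


def redact_line(line, known_names, key):
    """Replace every whole-name occurrence of a known, non-fixed VM name."""
    out = line
    for name in known_names:
        if name in FIXED_NAMES:
            continue
        out = _whole_name(name).sub(pseudonym(name, key), out)
    return out


def redact_lines(lines, known_names, key):
    """Apply redact_line to a sequence of log lines."""
    return [redact_line(line, known_names, key) for line in lines]


def resolve(token, candidate_names, key):
    """Recover the name behind a token from a candidate list (for example the
    VM list of a backup), given the key; None if no candidate matches."""
    for name in candidate_names:
        if pseudonym(name, key) == token:
            return name
    return None


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-real-secret"
    for line in redact_lines(SAMPLE_LINES, ["personal", "untrusted"], demo_key):
        print(line)
```

The scheme only relocates the secret: the space of plausible VM names is small, so anyone who obtains the key can recover the mapping by trying candidates, exactly as `resolve` does. The key therefore must not sit beside the logs in dom0; keeping it only inside an encrypted backup, along the lines marmarek describes, is the minimum, and even then deleted-VM residue elsewhere on disk remains the limitation he points out.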


Member

andrewdavidwong commented Dec 1, 2017

This seems like a case where privacy and security can come apart. It's up to @rootkovska and @marmarek whether to accept this as a feature request. Classifying as a long-term "help wanted" enhancement for now.
