Denied: qubes.UpdatesProxy After Whonix Template Fresh Install

qubesn00b · April 22, 2022, 3:35am

I kept getting strange unknown bootstrapped messgaes in Whonix and so I wanted to reinstall the whonix template from scratch

This took me to whonix page and I followed instructions.

Then I get Denied: qubes.UpdatesProxy whenever trying to update using any Qube.

4.1 + was regular updated until a week ago.

Tried to change etc/qubes-rpc/policy/ after error started in proxyVM policy before discovering in 4.1 this doesn’t matter.

After error happen, went into /etc/qubes/policy.d after to see if could make a change to default policy. Never been there before. Lot of things, don’t know what change.

After still no change, deleted qubes.UpdateProxy file and now don’t get error but also no download of update

qubes · April 22, 2022, 8:14am

If you want all updatable vms to go through sys-whonix try settings below.

sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

@type:TemplateVM @default allow,target=sys-whonix
@type:TemplateVM @anyvm deny

@tag:whonix-updatevm @default allow,target=sys-whonix
@tag:whonix-updatevm @anyvm deny

@type:StandaloneVM @default allow,target=sys-whonix
@type:StandaloneVM @anyvm deny

To update air-gapped StandaloneVM, add updates-proxy-setup in the vm’s settings from Services tap. Also, disable all updater checks and uncheck for dom0 updates and for qubes updates in Qubes Global Settings as far as I remember they do not go through whonix traffic.

Have a look at 90-default.policy and edit if any lines below are missing.

sudo nano /etc/qubes/policy.d/90-default.policy

# HTTP proxy for downloading updates
# Upgrade all TemplateVMs through sys-whonix.
#qubes.UpdatesProxy     *    @type:TemplateVM        @default    allow target=sys-whonix
# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @default    allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @anyvm      deny
# Default rule for all TemplateVMs - direct the connection to sys-whonix.
qubes.UpdatesProxy      *   @type:TemplateVM        @default    allow target=sys-whonix
qubes.UpdatesProxy	*   @type:TemplateVM	    @anyvm	deny
# rules for StandaloneVMs - direct the connection to sys-whonix.
qubes.UpdatesProxy	*   @type:StandaloneVM	    @default	allow target=sys-whonix
qubes.UpdatesProxy	*   @type:StandaloneVM	    @anyvm	deny

qubes.UpdatesProxy      *   @anyvm                  @anyvm      deny

In the official documents @ character is advised over $.

If fresh install files still have $ character in /etc/qubes-rpc/policy, then optionally you can try:

cd /etc/qubes-rpc/policy
for i in qubes* whonix*; do
sed -i 's/\$/\@/g' $i
done

This will replace every $ to @ in every files in /etc/qubes-rpc/policy.

qubesn00b · June 13, 2022, 8:04pm

I did this, the entire system crashed

i lost everything

it was all gone

until i reloaded the qubes from backup

qubes · October 27, 2022, 4:42pm

I just logged in and found out about this.
I’m so sorry to hear that you’ve gone through this.
I feel very bad

I did fresh install about a month ago
and I followed through this guide without any problem
except there should be a ‘sudo’ before sed -i
but that shouldn’t result in system crash.
It should prompt you back with simple permission error message
which was the case for me.
My guess is that you had some typo in sed -i command in dom0.

I would edit out any potentially dangerous and unnecessary stuff but
It doesn’t allow me to edit what I wrote now.
If others see this please be very careful in any typos.