Qrexec policy "tag": where does it come from?

Where do qubes get their “tag” from?

E.g. in /etc/qubes/policy.d/80-whonix.policy there is a line

whonix.SdwdateStatus +         @tag:anon-gateway @default          deny   notify=no

How can I find out which qubes are tagged with anon-gateway, and how did they get tagged?

Thank you in advance!

Can get/set tags using qvm-tags.

Ok. That is already interesting, but I did not set any tags with this command, yet many qubes are tagged. Where did they get their tags from?

Probably from the developers making something (Salt?) automatically apply certain tags in certain circumstances. For example, my understanding is that the Whonix tags are the result of the Whonix devs using tags in order to enforce various things, e.g., ensuring that Whonix templates update always and only via a Whonix Gateway (e.g., sys-whonix).


Yes, now I only need to know where in the salt or templates those things are introduced! :thinking:

When a new VM is created based on a template with the whonix-gw feature set, it gets:

  • anon-gateway tag

Aha! Thank you!

(I will mark that as a solution, although there are probably more ways this happens?)

Or maybe related follow-up question: Does it make sense to add the tag anon-vm to qubes that don’t have a whonix-ws as template, but use a whonix-gw as netvm?

If you add this tag then your VMs won’t be able to get time from your clockvm (source):

VMs to communicate with the default clockvm (by default sys-net, adjustable via policy redirect as discussed below) to request the qubes.GetDate service

The whonix-ws is using sdwdate to update and randomize the clock instead. So if you add sdwdate to your qubes that don’t have a whonix-ws as template, then it should work.
Also here’s more info on tags:

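How the `@tag:` selector in the quoted rule picks its source qubes, as an added example that is not part of any post in this thread and is not Qubes' own policy code. The qube names and the tag inventory are constructed, and the matcher is a simplified model that covers only `@tag:NAME`, `@anyvm` and literal qube names.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    service: str
    argument: str
    source: str
    target: str
    action: str
    params: dict

def parse_rule(line: str) -> Rule:
    """Split one policy line into its whitespace-separated columns."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"expected at least 5 columns, got {len(fields)}")
    service, argument, source, target, action, *rest = fields
    params = dict(p.split("=", 1) for p in rest)  # e.g. notify=no
    return Rule(service, argument, source, target, action, params)

def source_matches(selector: str, qube: str, tags: set) -> bool:
    """Simplified matcher (assumption): @tag:NAME, @anyvm, or a literal name."""
    if selector.startswith("@tag:"):
        return selector[len("@tag:"):] in tags
    if selector == "@anyvm":
        return True
    return selector == qube

def qubes_in_scope(rule: Rule, inventory: dict) -> list:
    """Names of the qubes whose tags make them a source for this rule."""
    return sorted(q for q, t in inventory.items()
                  if source_matches(rule.source, q, t))

# The rule quoted in the question.
LINE = "whonix.SdwdateStatus +         @tag:anon-gateway @default          deny   notify=no"

# Constructed inventory: qube name -> tags, in the form qvm-tags reports them.
INVENTORY = {
    "sys-whonix": {"anon-gateway"},
    "anon-whonix": {"anon-vm"},
    "work": set(),
    "sys-net": set(),
}

if __name__ == "__main__":
    rule = parse_rule(LINE)
    print(rule)
    print("source qubes matched:", qubes_in_scope(rule, INVENTORY))
```

A qube that is tagged by hand enters the scope of every rule that selects on that tag, which is the effect the follow-up question about `anon-vm` is asking about.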