Stop users from changing their `anon-whonix` net qube to `sys-firewall` to avoid IP leaks

[adrelanos]

Qubes OS release

R4.2

Brief summary

Some users are shooting their own feet by setting the Net Qube of anon-whonix to sys-firewall. See this example.

There should be some protection in place in QVMM or otherwise to prevent this.

Steps to reproduce

1. configure the Net Qube of anon-whonix to be sys-firewall
2. curl.anondist-orig 1.1.1.1

Expected behavior

simplified:
Not possible to change anon-whonix to any VM other than sys-whonix as Net Qube.

formalized:
Prohibited by QVMM to change a VM with the anon-vm qvm-tag to use a VM without the anon-gateway qvm-tag.

(I wouldn't be opposed to this being only a warning that the user can choose to ignore. But that part does not seem important. That part could remain "patches welcome".)

Actual behavior

Functional networking. IP leak.

Additional information

Whonix for VirtualBox does not have the issue of new users being able to reconfigure this. While possible for advanced users, not something as simple as point and click as it can be done with Qubes. Details here: #3994 (comment)

[andrewdavidwong]

I could be wrong, but this definitely sounds like a feature request to me.

Prohibited by QVMM to change a VM with the anon-vm qvm-tag to use a VM without the anon-gateway qvm-tag.

Keep in mind that this won't affect changing it from the command line. I imagine you probably want at least a warning there too.

[adrelanos]

I could be wrong, but this definitely sounds like a feature request to me.

I would say this is a grave usability bug. But ultimately, it doesn't matter much if classified as bug or feature request.

Prohibited by QVMM to change a VM with the anon-vm qvm-tag to use a VM without the anon-gateway qvm-tag.

Keep in mind that this won't affect changing it from the command line. I imagine you probably want at least a warning there too.

That would be nice too.

[jamke]

Does not look like a bug to me. As I understand the out-of-box settings are properly set. So, the only case when something goes wrong is when user manually and explicitly change qube settings (NetVM). Is it so important to prevent it?

I mean it can happen with VPN netvm that user forgets, or other qube, that supposed to use whonix, but user decided to change the netvm. I would consider more important to prevent changing netvm for offline qubes (e.g. vault) based on tag or something, the chance that it happens is much higher than user breaking whonix qube.

Also in case the user does this, without understanding what they are doing, the onion sites will stop opening, and the user will be able to understand that they broke something.

I get it that anon-whonix is supposed to use anon-gateway, and it does be default. So, I would consider only adding a message dialog with a warning sign in the GUI tool qubes-vm-settings with the tag checks. Terminal commands can produce warning to stderr but not an interactive question because it would break scripts and contract.