Disable speaker output for domUs by default #2724

Open
rootkovska opened this issue Mar 23, 2017 · 8 comments
Labels
C: audio P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. privacy This issue pertains to data or information privacy through technological means. security This issue pertains to the security of Qubes OS. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. ux User experience

Comments

@rootkovska
Member

To prevent them from communicating to other mic-equipped devices and deanonymizing the user. (Note we do not expose mic to any AppVM by default since forever.)

Seems like we can easily do that during installation via Salt config. But maybe consider also some runtime check to ensure this also (in Qubes 4.x)?

/cc @adrelanos

@rootkovska rootkovska added C: Whonix This issue impacts Qubes-Whonix T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. privacy This issue pertains to data or information privacy through technological means. labels Mar 23, 2017
@rootkovska rootkovska added this to the Release 3.2 updates milestone Mar 23, 2017
@andrewdavidwong
Member

This issue is being closed because:

If anyone believes that this issue should be reopened, please let us know in a comment here.

@adrelanos
Member

Please re-open. Applies to any milestone.

@adrelanos
Member

Microphones and speakers are a risk for all VMs, Whonix and non-Whonix, see:
https://www.kicksecure.com/wiki/Hardware_Threat_Minimization

Therefore this isn't a Whonix specific task. The sane default would be to attach neither a microphone nor a speaker to any VM. In other words, VMs should be microphone-less and speaker-less by default.

Suggested title (feel free to use a better one):
disable speaker output for all VMs by default

Opt-in could be similar to how Android asks if a permission should be granted (such as GPS) as soon as the app attempts to use the device.

Therefore the tag C: Whonix is also inappropriate.

@andrewdavidwong andrewdavidwong changed the title from "Disable speaker output for Whonix WS-based AppVMs by default" to "Disable speaker output for domUs by default" Jun 8, 2022
@andrewdavidwong andrewdavidwong added C: audio and removed C: Whonix This issue impacts Qubes-Whonix labels Jun 8, 2022
@andrewdavidwong andrewdavidwong modified the milestones: Release 4.2, Release TBD Jun 8, 2022
@andrewdavidwong andrewdavidwong added security This issue pertains to the security of Qubes OS. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. ux User experience labels Jun 8, 2022
@DemiMarie

Instead of disabling audio output altogether, I think a much better approach would be for audio output to be enabled, but muted by default. I suspect this is much less likely to break buggy programs that do not handle audio device hotplug and/or stream corking well, and the attack surface is identical as 0 * x = 0 no matter what x is (no, floating point trickery is not useful here).

@brendanhoar

I have a little bash menu script I run. Hitting 'm' mutes all VMs and dom0, while 'M' unmutes all.

Configuring anything more fiddly requires going into the PA control panel.

B

@3hhh

3hhh commented Aug 10, 2022

> I have a little bash menu script I run. Hitting 'm' mutes all VMs and dom0, while 'M' unmutes all.

I just added something like that here.

However the default on VM start should still be "muted" as that approach doesn't help with disposable VMs started later.

@brendanhoar

Agreed.

Leaning toward auto-muting disposables (or perhaps all VMs?), perhaps controlled by a global setting (or two)?

Default setting might be audio enabled but guide could reference changing the flag (for vulnerable users). Really a development team call.

B

@3hhh

3hhh commented Aug 11, 2022

As this issue is 5 years old, I re-decided and added a daemon to execute arbitrary code - incl. VM mutes - on VM starts, stops, ... etc. here.

@andrewdavidwong andrewdavidwong removed this from the Release TBD milestone Aug 13, 2023