Do not set timezone for VMs with anon-timezone feature

This is implemented as a feature so that the standard check-with-template mechanism can be used. VMs can request the feature using the standard mechanism. Fixes: QubesOS/qubes-issues#8381
QubesOS · Jan 8, 2025 · 2dbc1b8 · 2dbc1b8
1 parent 3494e02
commit 2dbc1b8
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 25 deletions.
diff --git a/qubes/ext/core_features.py b/qubes/ext/core_features.py
@@ -95,6 +95,7 @@ async def qubes_features_request(self, vm, event, untrusted_features):
             "gui-emulated",
             "qubes-firewall",
             "vmexec",
+            "anon-timezone",
         ):
             untrusted_value = untrusted_features.get(feature, None)
             if untrusted_value in ("1", "0"):

diff --git a/qubes/tests/vm/qubesvm.py b/qubes/tests/vm/qubesvm.py
@@ -2160,31 +2160,35 @@ def test_620_qdb_standalone(
             "-A FORWARD -i vif+ -o vif+ -j DROP\n"
             "COMMIT\n".format(datetime.datetime.now().ctime())
         )
+        data = {
+            "/name": "test-inst-test",
+            "/type": "StandaloneVM",
+            "/default-user": "user",
+            "/qubes-vm-type": "AppVM",
+            "/qubes-debug-mode": "0",
+            "/qubes-base-template": "",
+            "/qubes-timezone": "UTC",
+            "/qubes-random-seed": base64.b64encode(b"A" * 64),
+            "/qubes-vm-persistence": "full",
+            "/qubes-vm-updateable": "True",
+            "/qubes-block-devices": "",
+            "/qubes-usb-devices": "",
+            "/qubes-iptables": "reload",
+            "/qubes-iptables-error": "",
+            "/qubes-iptables-header": iptables_header,
+            "/qubes-service/qubes-update-check": "0",
+            "/qubes-service/meminfo-writer": "1",
+            "/connected-ips": "",
+            "/connected-ips6": "",
+        }
 
-        self.assertEqual(
-            test_qubesdb.data,
-            {
-                "/name": "test-inst-test",
-                "/type": "StandaloneVM",
-                "/default-user": "user",
-                "/qubes-vm-type": "AppVM",
-                "/qubes-debug-mode": "0",
-                "/qubes-base-template": "",
-                "/qubes-timezone": "UTC",
-                "/qubes-random-seed": base64.b64encode(b"A" * 64),
-                "/qubes-vm-persistence": "full",
-                "/qubes-vm-updateable": "True",
-                "/qubes-block-devices": "",
-                "/qubes-usb-devices": "",
-                "/qubes-iptables": "reload",
-                "/qubes-iptables-error": "",
-                "/qubes-iptables-header": iptables_header,
-                "/qubes-service/qubes-update-check": "0",
-                "/qubes-service/meminfo-writer": "1",
-                "/connected-ips": "",
-                "/connected-ips6": "",
-            },
-        )
+        self.assertEqual(test_qubesdb.data, data)
+
+        test_qubesdb.data.clear()
+        vm.features["anon-timezone"] = "1"
+        vm.create_qdb_entries()
+        del data["/qubes-timezone"]
+        self.assertEqual(test_qubesdb.data, data)
 
     @unittest.mock.patch("datetime.datetime")
     @unittest.mock.patch("qubes.utils.get_timezone")

diff --git a/qubes/vm/qubesvm.py b/qubes/vm/qubesvm.py
@@ -2612,8 +2612,12 @@ def create_qdb_entries(self):
                 )
 
         tzname = qubes.utils.get_timezone()
-        if tzname:
+        if tzname and not self.features.check_with_template(
+            "anon-timezone", False
+        ):
             self.untrusted_qdb.write("/qubes-timezone", tzname)
+        else:
+            self.untrusted_qdb.rm("/qubes-timezone")
 
         self.untrusted_qdb.write("/qubes-block-devices", "")
         self.untrusted_qdb.write("/qubes-usb-devices", "")