'Re: [qubes-devel] DispVM design decisions for Qubes 4.0'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qubes-devel
Subject:    Re: [qubes-devel] DispVM design decisions for Qubes 4.0
From:       Marek =?utf-8?Q?Marczykowski-G=C3=B3recki?= <marmarek () invisiblethingslab ! com>
Date:       2016-05-12 23:15:38
Message-ID: 20160512231538.GK25975 () mail-itl
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, May 12, 2016 at 04:17:06AM -0700, Andrew David Wong wrote:
> On 2016-05-12 03:13, Marek Marczykowski-Górecki wrote:
> > In principle it will be possible to start an AppVM in "disposable"
> > mode - which means changes to its private image (in addition to
> > root image as in normal AppVM) will be discarded after VM shutdown.
> > Technically any AppVM can be used for that, but practically it
> > makes sense to have dedicated "DispVM template" AppVMs (as
> > currently fedora-xx-dvm).
> > 
> 
> How will the risk of data loss/leaks be handled? RPC policy rules?
> 
> For example, I probably never want it to be possible for my
> mission-critical-data-vm to be launched as a DispVM, because if I
> forget to export a file before closing the DispVM (or accidentally
> close the original DispVM window), I'm toast.
> 
> Likewise, I probably never want it to be possible for my
> super-secret-data-vm to be started as a DispVM with a NetVM other than
> "none."

Yes, that should be done by either RPC policy rules, or having a
property like "allow this VM to be started as DispVM".

> > Since DispVM support will be basically rewritten from scratch, we
> > may change some things if there is need for it. Below is some
> > non-exhaustive list of things for consideration:
> > 
> > ### 1. How to choose which DispVM should be used?
> > 
> > For DispVM started directly from dom0 it should be easy - we may
> > simply have some command line option for that (like: qvm-run
> > --dispvm fedora-23-dvm). But how about DispVM started from another
> > VM (opening some document, link etc)? I think the most
> > straightforward solution would be to have another VM property:
> > which DispVM should be used for calls from this VM (simply called
> > "dispVM").
> 
> Perhaps we should try to avoid replicating the situation in which
> "NetVM" takes on three different meanings. :)

Yeah, any better idea for such property name?

> > But maybe there are other ideas? For example does it make sense
> > (and when?) to use different DispVM depending on what file/action
> > is opened? Should it be controlled by calling VM? If so, should a
> > VM be able to launch any DispVM, or only selected one (based on 
> > some setting and/or qrexec policy)?
> > 
> > ### 2. What should be properties of created DispVM?
> > 
> > Currently new DispVM inherit some properties from calling VM.
> > Those properties are: - label - netvm (based on dispvm_netvm
> > property from calling VM) - firewall rules
> > 
> > Does it make sense to extend/shrink this set?
> > 
> 
> Personally, I'm a fan of having no NetVM as the default, mainly for
> the reasons indicated here:
> 
> https://github.com/QubesOS/qubes-issues/issues/1988
> 
> I'm also a fan of allowing for not inheriting firewall rules, for the
> use case described here:
> 
> https://groups.google.com/d/topic/qubes-users/ZsHL3ASYUHU/discussion

I think we should differentiate two use cases here:
 - open a file
 - open a link

Which is somehow along the lines of this:
https://github.com/QubesOS/qubes-issues/issues/1487

Then opening a file should be in non-networked DispVM by default, but
opening a link in networked one (with the current rules for network
connection?). Not sure about firewall rules, but if opening a file would
be in network-isolated DispVM by default, it shouldn't matter anymore.

There are some use cases when you want to open a file in networked
DispVM, for example:
 - a document which will indeed need to communicate with some network
   service (like downloading images, or interactive PDF form with
   built-in "send" functionality)
 - printing a file

How to handle those? One more qrexec service (and context menu item)?
That would make even more complex UI...

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXNQ6aAAoJENuP0xzK19csFIEH/3XPLmQrmjgVIsq2jTAMLqC5
QZrkLeCD7Aiel47rNPcW573aKW7cmE55Pns1JFLwk/KJhpQHPNpimDp8NBuUf4+C
9qFAk7hWGKZQ96KeRDOyKMi0u4sYpOkDdMiVXmNKfMsPUX6VwX26FkxumakRYt8q
uqRmmP0XBCQJVLepFwBzW5NwRKnA6n2dj/as2X++/2vcd85PYU6jwUCu+zS7I5qn
ZArvZd0GccuMxofQsGXcx5I13gvmP8Dvj6DIXeh+LCVXHUOFXo0cFAp2BMEsTDUo
83ZYO7WljXg9QxwVLv9l8SqVTBPjSCDuFYymo7bNEW4+qorFeR+abVVegz7pIhw=
=jYdE
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/20160512231538.GK25975%40mail-itl. For \
more options, visit https://groups.google.com/d/optout.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic