Screen sharing and webcamera

[Eduardo Bellani]

Hello there guys.

First off, thanks for all the effort in producing this OS. I've been

using version 3.1 as my personal machine's OS for the past 5 months

and it has been nothing put a great experience.

I still have 2 things that I've not been able to achieve. One is to

pass through my webcamera from my usb-vm to an appVM and the other is

screen sharing with skype and google hangouts.

Do any of you has some pointers regarding this issues?

Thanks.

[raah...@gmail.com]

You're probably gonna have to just use it inside the usb-vm. It might be possible though if someone else has a suggestion. You can try making a second usb-vm you switch with your normal usb-vm. I have been having trouble doing this cause I get a xenlight error, so I would be curious your results.

you shut down your normal usb-vm and start the new one you created and pass the pci controller to it after removing it from the normal one. and see if you can start it.

[raah...@gmail.com]

but this also means you have to not have any other usb's plugged in if you don't want the webcam session exposed.

[Andrew]

Eduardo Bellani:

Currently, only USB block devices can be passed through to VMs like how
I think you expect it to work. For webcams or any other devices, you'll
have to assign to the AppVM the entire USB controller that the webcam
hangs off of (or use Skype or whatever other application you want in
your USBVM).

Screen sharing is a bit more problematic due to the Qubes GUI
architecture. Honestly I'm not sure this can be done at all without
serious effort, but I've never tried.

Andrew

[Salmiakki]

On Tuesday, May 3, 2016 at 9:45:10 PM UTC+2, Andrew wrote:

Screen sharing is a bit more problematic due to the Qubes GUI
architecture.  Honestly I'm not sure this can be done at all without
serious effort, but I've never tried.

Theoretically it could be allowed for sharing windows from the same VM but sharing the entire desktop or windows from other VMs is and must be impossible for security reasons.

[Unman]

I cant help with Skype or google - don't use them - but Screen/window
sharing from a qube is relatively easy to do.
A simple solution is to install x11vnc or another vnc server.

If you just want to share a single window from a qube, use xwinfo to get
the id of the window.
Then run x11vnc -id <xwinfo output>
On the remote machine use vncviewer to connect to the server on the
target qube and view the window output.

Remember you will have to route inbound traffic to the target qube, and
adjust iptables accordingly along the way. The documentation on this is
reasonably good.

To share a full VM desktop, the most reliable method I have found is to
fire up vncserver. I run openbox in the virtual desktop.
Use vncviewer with -shared parameter to connect to the vncserver on the
same VM. Now you have a virtual desktop for that qube running in a window
under Qubes.

If your colleague uses vncviewer to connect to the same desktop, she
will see a full desktop, with multiple windows,menu etc.
You can control whether the virtual desktop is shared or view only.

This is all simple to do, and the Qubes model makes it less risky than
sharing in other systems.
It's simple to pass vnc over a ssh tunnel for extra security.

Usual caveats apply

unman

[Franz]

another thread reports that screen management is easier with a standalone VM (even if obviously limited to that VM) have you tried it?

best

Fran

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160503233415.GB12185%40thirdeyesecurity.org.

For more options, visit https://groups.google.com/d/optout.

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-03 12:45, Andrew wrote:
> Eduardo Bellani:
>> Hello there guys.
>>
>> First off, thanks for all the effort in producing this OS. I've
>> been using version 3.1 as my personal machine's OS for the past 5
>> months and it has been nothing put a great experience.
>>
>> I still have 2 things that I've not been able to achieve. One is
>> to pass through my webcamera from my usb-vm to an appVM and the
>> other is screen sharing with skype and google hangouts.
>>
>> Do any of you has some pointers regarding this issues?
>>
>> Thanks.
>>
>
> Currently, only USB block devices can be passed through to VMs like
> how I think you expect it to work. For webcams or any other
> devices, you'll have to assign to the AppVM the entire USB
> controller that the webcam hangs off of (or use Skype or whatever
> other application you want in your USBVM).
>

Andrew is correct. This is already documented here:

https://www.qubes-os.org/doc/usb/#tocAnchor-1-1-3

> Screen sharing is a bit more problematic due to the Qubes GUI
> architecture. Honestly I'm not sure this can be done at all
> without serious effort, but I've never tried.
>
> Andrew
>

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXKYq9AAoJENtN07w5UDAwyCMP/jxBBgctnnDzIw7LVkerXutM
P2CBywZkjpPlLXkKNcSDIC8wU7ioWIolffRGmg5WSBa3g8Ic73pAgMIvgalVlKSn
OK3aLR8D5lRbd3/CYWh99xtuUpSVCgQ8lWsKz9VQ3aIAIAKzbl3EnM7kR0OBeu9D
my2jI2VLP5z8u5/hKh39aDdFyMNLaMGOcie/CWV8CmSztS5qB1j4T43BIz2sKIK8
AdNVpNbdoZ1ML2nOplQou/yqkL0Y+GqSRA8VkD5QN4v1cPDsMB5iMoIoth5xeZxU
b2fRX18G4I9tTK6DsCM+6AdM68E+bq866+MrqXppQLut9JXTf9rcrQaaQhy1qlPe
aVPP0m1h7doMKWW8HUF249OYwW7x5sRSLJabadIKXLrwIjQ71EuyNidoN9cWu6ay
Un0/83SVj8AvAzjibdNF2rReJr0QYswNcH/WbX7VC2uKuTPuYB3/bO8a/X7ywm/m
1NjFk5FzKtMkpjDmvZ3p14iCIuL0FqDxO8vlGk0XGD0OThWgxiPvft9ABy3gH8Ql
rWQWXG9s8Q+kB6kZrQ9KcaWprw753jwPKkRNzYXWUsrOBqAPWqhGTBGyybbTM9wW
4Ox/w8jqeMO64qkAluMSDvj3goXtox6AzIhvW/AJX1G36uOZE5BQV6vNnbQV12Sk
yOu5xMPh8YislpI19sPE
=Lh1Y
-----END PGP SIGNATURE-----

[Eduardo Bellani]

Hey,

You're probably gonna have to just use it inside the usb-vm. 

The problem starts with my goal. I want to use the webcamera that came with my laptop for hangouts and skype calls. 

That means that:

* I need network on that VM 

* I need to use my account on that VM.

Even ignoring the leakage on having an account being used in the usb-vm, the usb-vm that ships with 3.1 has no netVM and no possibility of setting one, at least through the VM manager. 

 

  You can try making a second usb-vm  you switch with your normal usb-vm.   I have been having trouble doing this cause I get a xenlight error,   so I would be curious your results.

I've tried that, and I got this error while booting up the VM that I assigned the PCI device to:

"Error starting VM 'XX' : internal error: unable to reset PCI device YYYYYYY: no FLR, PM reset or bus reset available"

Has someone else seen this message?

Thanks.

--
You received this message because you are subscribed to a topic in the Google Groups "qubes-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/qubes-users/LH7zs-lBARg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to qubes-users...@googlegroups.com.

To post to this group, send email to qubes...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/debb8a2f-c3bc-41b7-bc02-e2399aba4feb%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Eduardo Bellani

[Eduardo Bellani]

Hello Andrew,

Currently, only USB block devices can be passed through to VMs like how
I think you expect it to work.  For webcams or any other devices, you'll
have to assign to the AppVM the entire USB controller that the webcam
hangs off of (or use Skype or whatever other application you want in
your USBVM).

My problem with that is that assigning the PCI device to another VM results in an error when I boot the new VM:

"Error starting VM 'XX' : internal error: unable to reset PCI device YYYYYYY: no FLR, PM reset or bus reset available"

Any clues as to why?

 

Screen sharing is a bit more problematic due to the Qubes GUI
architecture.  Honestly I'm not sure this can be done at all without
serious effort, but I've never tried.

Andrew

--
You received this message because you are subscribed to a topic in the Google Groups "qubes-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/qubes-users/LH7zs-lBARg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5728FFBC.5050704%40riseup.net.

For more options, visit https://groups.google.com/d/optout.

--

Eduardo Bellani

[Eduardo Bellani]

That would be exactly what I'm searching for.

 

--
You received this message because you are subscribed to a topic in the Google Groups "qubes-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/qubes-users/LH7zs-lBARg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/66702fb4-69e4-4e3e-9516-1efe1677aea8%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Eduardo Bellani

[Eduardo Bellani]

I've tried, the results are the same as the other ones, just a blank screen in the screensharing selection.

 

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160503233415.GB12185%40thirdeyesecurity.org.

For more options, visit https://groups.google.com/d/optout.

--

Eduardo Bellani

[Eduardo Bellani]

Thanks for all the info Unman, I'll try that approach.

I still would like to know if support for google hangouts is available, since it is an important means of communication for me ATM.

Thanks again.

On Tue, May 3, 2016 at 8:34 PM, Unman <un...@thirdeyesecurity.org> wrote:

--

Eduardo Bellani

[Andrew]

Eduardo Bellani:

> Hello Andrew,
>
>>
>> Currently, only USB block devices can be passed through to VMs like how
>> I think you expect it to work. For webcams or any other devices, you'll
>> have to assign to the AppVM the entire USB controller that the webcam
>> hangs off of (or use Skype or whatever other application you want in
>> your USBVM).
>>
>
> My problem with that is that assigning the PCI device to another VM results
> in an error when I boot the new VM:
>
> "Error starting VM 'XX' : internal error: unable to reset PCI device
> YYYYYYY: no FLR, PM reset or bus reset available"
>
> Any clues as to why?
>

Sure. You need to run (in dom0) `qvm-prefs -s <appvmname>
pci_strictreset false`. This might have security implications, though.

Actually, this should be in the USB docs but I can't seem to find it...

Andrew

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

It's in the FAQ:

https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-
assigned-usb-controllers-to-it-now-the-usbvm-wont-boot

But, yes, it should also be added to the USB page.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXKgu+AAoJENtN07w5UDAwYlEQAIeHehscKLDtuAFPsVpcGts9
dUF9T59UnWlH+Y6wqkYpYykwzZHGPznvLJZdG4MXSA32EtkjS+E5C1JsmgMLfAMK
IEZHxLGzTA2C0C375sBfFlyxc8uYK9OvxjOKRKkEWOW/V1hRnheDbTZtcK81buC9
r47db3j+59HY0uIaFnruMlTJhOrvkYl0GH5wFLUSxIjHoEeDPMTGAPyLucCUzcWH
IJ0HzZxaI9H6KZQuJ4tyKqiHzrsA0kIo6MlcrzCUpwfT88EJGC/p+8EZPW6M6wA0
V/q4uEgMR2K+CeBob37Ew3LaIpTOM+fszdwy7Vp8XEG/OfmIn50Pg5ip2lMel+N0
jEBU7AU+cDrpE7X4/jD5IsuUV+XY+Whlmr5L+yHVsRkt/mCU1BNLmX4SHMQ5JRCA
wn1I+BnhLvlFTrriKsgHZTwdN4XlDzSUP2x6oct3ZW/NKnuiXW/kIzLvKj0rEZ3q
9/mXyN7EktNZd1ZU9YiAWnzYoFG/dnFOjKqygi1e19xr/ieo8Rj6dUd6Wu4P9IJO
gJg12/NUdvCFttPTrdTi+/ms5Jsz03t4VzL4cF3ba8rY862wjxEnCoxhdU7sNC/7
j2nmjFaqsdcvS8bL955304EDodRC9efBnZ9Vi3e0dyplcX31ydfvWbpHJLw1iIH0
ePBMlb+TU/W669zi6cxA
=gbD3
-----END PGP SIGNATURE-----

[raah...@gmail.com]

but why does he get the error only when making a second usb-vm?

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-04 08:05, raah...@gmail.com wrote:
> but why does he get the error only when making a second usb-vm?
>

If the USB controller doesn't support any reset method and
pci_strictreset is enabled, then after the first USBVM is shut down,
the USB controller won't be permitted to be assigned to the second
USBVM. Disabling it should allow the USB controller to be assigned to
the second USBVM.

However, as mentioned earlier, this could be an attack vector. In
particular, since the USB controller doesn't support any reset method,
the first USBVM could, theoretically, attack the second USBVM.

You can read more about this here (under "pci_strictreset"):

https://www.qubes-os.org/doc/dom0-tools/qvm-prefs/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXKhKIAAoJENtN07w5UDAwfCcQAK2PIdvrNBcuUqvxYOW3eVhP
O1JXMDKgqCiyYF5fH4gLx5kGFzRdmLQjC0teLskuSXLGIwRBDar3QKSHaf2Rm/nY
Z8tMp6uxbb4LkqVhqoQq0r4L2+chh+d8idn/e6YTHYgsR+N7ztE8hgDwLprn4Gzw
34eJUihVtM7v2cnxCgywgh9fOTnLfgiXZTSUoEvKSCvL45rTyMQ//Rj98IuqGP6X
P3S2IAW5AXmFuGCf9MseblMVYTw+/Ay9dnJbQ74fgubvlPgVOk67xqDX+tlHnD8a
fEDC4W/NHIwff3jjHuptmzuzpKWGiqaeJJupp7xnCjmamRLB27kdcvuJbHbOP5oz
gtwrO1MSgg116Iqm2Hi5ZUrIl+BWppGgVbntA6igwlbU7Fgz4B/H0Zj+FGPQZ0VH
lbIA/4Xl51eKZbW50DS9S+vSjS3PWADKiGkjmtHsZAS84uMO2FaVw+3jPJ823Tw2
DpkvQ6HSuhtHoyuUGcOQAtOQfjEFYKSv0Y4ApRwjTR77EbQVV+i970/m6YI3KZAZ
xzFUAx4tSlll4XwCWte6ibYKz76iKILk+BfutivfNoV41IeaXz/TRwIkBrRVIu5m
MtaJfcDOAVaWHd7zmjbm9qevD28kIlEKNxJr6xlzuOsXlf+ydjymXafWqURDN3ge
wBxotUV1kHacIDI5nwja
=OZE2
-----END PGP SIGNATURE-----

[raah...@gmail.com]

I see, maybe the issue I have causing a xenlight error when trying to load a second usb-vm with the pci controller is related.