Can AppVMs detach or attach block devices?
62 views
Skip to first unread message
qber...@gmail.com
Dec 7, 2017, 3:41:37 AM12/7/17
to qubes-users
My understanding is that you attach and detach block devices from the dom0 side, and you mount, umount, and eject from the AppVM side.
Is it possible to detach and/or attach block devices from the AppVM side, or is this something that only dom0 can do?
Tom Zander
Dec 7, 2017, 4:26:49 AM12/7/17
to qubes...@googlegroups.com, qber...@gmail.com
compromised qube can’t get itself more resources.
--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
qber...@gmail.com
Dec 7, 2017, 12:39:19 PM12/7/17
to qubes-users
On Thursday, December 7, 2017 at 2:26:49 AM UTC-7, Tom Zander wrote:
> Making them available is something only dom0 can do, to make sure that a
> compromised qube can’t get itself more resources.
That makes sense for attaching.
> Making them available is something only dom0 can do, to make sure that a
> compromised qube can’t get itself more resources.
What about detaching? Could a qube rid itself of resources?
Unman
Dec 7, 2017, 12:42:10 PM12/7/17
to qber...@gmail.com, qubes...@googlegroups.com
On Thu, Dec 07, 2017 at 10:26:44AM +0100, 'Tom Zander' via qubes-users wrote:
> On Thursday, 7 December 2017 09:41:37 CET qber...@gmail.com wrote:
> > My understanding is that you attach and detach block devices from the dom0
> > side, and you mount, umount, and eject from the AppVM side.
> >
> > Is it possible to detach and/or attach block devices from the AppVM side,
> > or is this something that only dom0 can do?
>
> Making them available is something only dom0 can do, to make sure that a
> compromised qube can’t get itself more resources.
>
It is possible to attach/detach from the qube side, by using a qrexec
> On Thursday, 7 December 2017 09:41:37 CET qber...@gmail.com wrote:
> > My understanding is that you attach and detach block devices from the dom0
> > side, and you mount, umount, and eject from the AppVM side.
> >
> > Is it possible to detach and/or attach block devices from the AppVM side,
> > or is this something that only dom0 can do?
>
> Making them available is something only dom0 can do, to make sure that a
> compromised qube can’t get itself more resources.
>
service.
You need a script in dom0 /etc/qubes-rpc which will do the actual block
attach, and a policy to allow the call to dom0.
Then use qrexec-client-vm dom0 ... to call the script.
If your use case is quite simple - One USB device to be attached to one
qube, then it's a simple script. You could identify the device from
output of qvm-block and then 'qvm-block -a ' that device.
If it's more complicated then you *could* parse input from the caller,
but this opens up dom0 to potentially compromised qubes, and wouldn't be
recommended.
In any case, if the situation is more complicated, you are probably
better off using the native tools.
But for the simple case, or where you want to attach at boot time (using
/rw/config/rc.local) it's certainly doable.
unman
Unman
Dec 7, 2017, 1:01:17 PM12/7/17
to qber...@gmail.com, qubes-users
To detach you only need a service file in dom0 like:
qvm-block -d $QREXEC_REMOTE_DOMAIN
and the corresponding policy file, to do this.
unman
qber...@gmail.com
Dec 7, 2017, 11:01:01 PM12/7/17
to qubes-users
On Thursday, December 7, 2017 at 11:01:17 AM UTC-7, Unman wrote:
> To detach you only need a service file in dom0 like:
> qvm-block -d $QREXEC_REMOTE_DOMAIN
>
> and the corresponding policy file, to do this.
> To detach you only need a service file in dom0 like:
> qvm-block -d $QREXEC_REMOTE_DOMAIN
>
> and the corresponding policy file, to do this.
Thanks for the tips!
Reply all
Reply to author
Forward
0 new messages