I would like to lock-down Qubes OS so that VMs can't be created or deleted, nor edited (e.g. modify the associated NetVM).
I already read documentation about qrexec policies, the Admin API and qubes-core-admin extensions.
If I understand correctly, the Admin API cannot be used to prevent the user from creating a VM from dom0. For example, from the dom0 terminal I tried adding the following line to `/etc/qubes-rpc/policy/admin.vm.Create.AppVM`:
```
$adminvm $adminvm deny
```
But then I am still able to run `qvm-create test --label blue`. Is there something I am missing here or is the policy not being honored on dom0? Why is that?
I also noticed that the Qubes extensions fire some events and it is possible to write hooks for those events (https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html). Would it be possible to write a Qubes extension that hooks to some event that is fired whenever a VM is created and use that mechanism to block VM creation?
Would the GUI domain that is planned for Qubes OS 4.1 change the situation or help implementing this at all?
The workaround I'm thinking about is to run Xfce4 in kiosk mode, remove application menu entries, keyboard shortcuts, desktop right click menu to prevent access to dom0 but this is just a workaround and it probably we can't be sure that it will work with upcoming Qubes OS releases. Any thoughts on that?
Thank you,
Nils