Opening links in your preferred AppVM

Micah Lee

Jun 22, 2016, 2:38:22 PM
to qubes...@googlegroups.com
I published a quick blog post explaining how I do this:

https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/

raah...@gmail.com

Jun 22, 2016, 9:51:29 PM
to qubes-users, mi...@micahflee.com
On Wednesday, June 22, 2016 at 2:38:22 PM UTC-4, Micah Lee wrote:
> I published a quick blog post explaining how I do this:
>
> https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/

cool! thanks!

IX4 Svs

Jun 23, 2016, 3:46:49 AM
to Micah Lee, qubes-users
Nice and simple. Thanks for sharing.

Alex

Chris Laprise

Jun 23, 2016, 5:50:33 AM
to Micah Lee, qubes...@googlegroups.com
On 06/22/2016 02:38 PM, Micah Lee wrote:
> I published a quick blog post explaining how I do this:
>
> https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/
>

Hi Micah,

I liked your new article on messaging apps. Just wondering if you've
looked at Ring.cx yet... It's open source, has a Linux app and connects
through DHT so it doesn't have the server issues you mentioned.

Chris

R.B.

Jun 25, 2016, 3:48:59 PM
to qubes...@googlegroups.com
On 06/22/2016 08:38 PM, Micah Lee wrote:
> I published a quick blog post explaining how I do this:
>
> https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/
>

Great option! If you want to use a dvm, you can replace "qvm-open-in-vm
[preferred vm]" with qvm-open-in-dvm. One catch: your firewall rules are
inherited from the source vm....

For instance, if you have a Mail-vm with filtered internet for IMAP and
SMTP, the dvm that gets started will have the same limitations....

As an alternative you can use anon-whonix or another whonix-based vm.

Regards,

RB

Gaiko

May 1, 2017, 3:34:25 PM
to qubes-users, mi...@micahflee.com
On Wednesday, June 22, 2016 at 2:38:22 PM UTC-4, Micah Lee wrote:
> I published a quick blog post explaining how I do this:
>
> https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/

This would be awesome. I gave it a try but for some reason can't seem to get it to work, that is, getting a link from an email in tbird to open up in a browser in my work vm.

I created an ~/.local/share/applications/open_work_vm.desktop

edited the exec line:

[Desktop Entry]
Encoding=UTF-8
Name=WorkBrowserVM
Exec=qvm-open-in-vm work %u
Terminal=false
X-MultipleArgs=false
Type=Application
Categories=Network;WebBrowser;
MimeType=x-scheme-handler/unknown;x-scheme-handler/about;text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https;

ran xdg-settings:

xdg-settings set default-web-browser open_work_vm.desktop

(it created a mimeapps.list file) then tried it, nada.

I tried restarting the browser, then the tbirdVM, then the workvm, each time clicking on the link in the email in tbird and hoping the default browser (firefox) would pop up in my workVM. Instead nothing happened, the workVM didn't start up, firefox didn't open up (when I pre-started the work vm), and a tab didn't pop up when the workvm and ff were both pre-started.

I would really like to get this working for a variety of reasons; actually, the absolute best would be to click on a link in tbird (or right click in a browser) and have a menu that gave a few options of where I'd like to open a page up, like in a dispvm, anonvm, or just another regular appvm.

Thoughts?

u+q...@bestemt.no

May 1, 2017, 4:37:37 PM
to Gaiko, qubes-users, mi...@micahflee.com
Gaiko <gaikokuji...@gmail.com> [2017-05-01 21:34 +0200]:
What happens if you run `qvm-open-in-vm work https://qubes-os.org` in
tbirdVM and when you run xdg-open https://qubes-os.org in the work VM
(without the quotes)?

I actually just finished a how-to on setting default applications and
qvm-open-in-(d)vm:
https://github.com/QubesOS/qubes-doc/pull/379/files?short_path=83ca4e2#diff-83ca4e28de9bcee331783522a52c2bd0
(Any comments would be appreciated.)

--
ubestemt

Ángel

May 1, 2017, 6:40:40 PM
to qubes...@googlegroups.com
On 2017-05-01 at 12:34 -0700, Gaiko wrote:
> Thoughts?

Does your desktop file validate?
i.e. run: desktop-file-validate open_work_vm.desktop

If the desktop file is malformed, it will be bypassed silently.


Gaiko

May 1, 2017, 9:32:32 PM
to qubes-users, qu...@16bits.net
Thanks for the response, I had no idea about desktop-file-validate. I tried it and got:

open_work_vm.desktop: warning: key "Encoding" in group "Desktop Entry" is deprecated

somehow that doesn't seem like a dealbreaker? but am not sure.

Gaiko

May 1, 2017, 9:36:52 PM
to qubes-users, gaikokuji...@gmail.com, mi...@micahflee.com, u+q...@bestemt.no
On Monday, May 1, 2017 at 4:37:37 PM UTC-4, u+q...@bestemt.no wrote:
> Gaiko [2017-05-01 21:34 +0200]:
> > [...]

I will reply to your comments and then go read your how-to (I fear it might be over my head as I am an absolute desktop/qvm-open-in-vm noob, but I am sure it will be a good start!)

> What happens if you run `qvm-open-in-vm work https://qubes-os.org` in
> tbirdVM

it seems to work just fine that way

> and when you run xdg-open https://qubes-os.org in the work VM
> (without the quotes)?

ok, xdg-open I hadn't tried. But regardless this seems to work fine as well.


>
> I actually just finished a how-to on setting default applications and
> qvm-open-in-(d)vm:
> https://github.com/QubesOS/qubes-doc/pull/379/files?short_path=83ca4e2#diff-83ca4e28de9bcee331783522a52c2bd0
> (Any comments would be appreciated.)
>
> --
> ubestemt

Will check it out!

Ángel

May 1, 2017, 9:38:28 PM
to qubes...@googlegroups.com
No, if it only reports that it should be fine.


u+q...@bestemt.no

May 2, 2017, 4:37:01 AM
to Gaiko, qubes-users, mi...@micahflee.com
Gaiko <gaikokuji...@gmail.com> [2017-05-02 03:36 +0200]:
> > What happens if you run `qvm-open-in-vm work https://qubes-os.org` in
> > tbirdVM
>
> it seems to work just fine that way
>
> > and when you run xdg-open https://qubes-os.org in the work VM
> > (without the quotes)?
>
> ok, xdg-open I hadn't tried. But regardless this seems to work fine as well.

Good! That means qvm-open-in-vm (sending the link to the work VM and
telling it to open it) and opening it internally in the work VM
works as intended.

What does ~/.local/share/applications/mimeapps.list in tbird look like?
It should look like this (from the mentioned how-to):

[Default Applications]
x-scheme-handler/unknown=open_work_vm.desktop
x-scheme-handler/about=open_work_vm.desktop
x-scheme-handler/http=open_work_vm.desktop
x-scheme-handler/https=open_work_vm.desktop
text/html=open_work_vm.desktop
text/xml=open_work_vm.desktop
image/gif=open_work_vm.desktop
image/jpeg=open_work_vm.desktop
image/png=open_work_vm.desktop
application/xhtml+xml=open_work_vm.desktop
application/xml=open_work_vm.desktop
application/vnd.mozilla.xul+xml=open_work_vm.desktop
application/rss+xml=open_work_vm.desktop
application/rdf+xml=open_work_vm.desktop

Remove the lines for any MIME types you don't want to open with your
work VM.

--
ubestemt

wordsw...@gmail.com

May 2, 2017, 11:07:17 AM
to qubes-users, mi...@micahflee.com
On Wednesday, June 22, 2016 at 2:38:22 PM UTC-4, Micah Lee wrote:
> I published a quick blog post explaining how I do this:
>
> https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/

Any thoughts (Micah or the community), on whether this creates an avenue for persistent compromise of a VM?

Maybe there's a way to make this change persistent from the TemplateVM, eg store the .desktop file outside /home and create a symlink in to it?

I'm a little wary of adding a handler for http/https links that resides in /home.

Gaiko Kyofusho

May 2, 2017, 1:14:47 PM
to qubes-users, u+q...@bestemt.no, mi...@micahflee.com
Thanks for the reply!

My ~/.local/share/applications/mimeapps.list is a bit different from yours; really I was most interested in it handling http/https:

[Default Applications]
text/html=open_work_vm.desktop
x-scheme-handler/http=open_work_vm.desktop
x-scheme-handler/https=open_work_vm.desktop
x-scheme-handler/about=open_work_vm.desktop
x-scheme-handler/unknown=open_work_vm.desktop

I tried just copying/pasting yours into mine (just for kicks) but that didn't work either :(


u+q...@bestemt.no

May 3, 2017, 4:42:08 AM
to wordsw...@gmail.com, qubes-users, mi...@micahflee.com
wordsw...@gmail.com <wordsw...@gmail.com> [2017-05-02 17:07 +0200]:
> Any thoughts (Micah or the community), on whether this creates an
> avenue for persistent compromise of a VM?
>
> Maybe there's a way to make this change persistent from the
> TemplateVM, eg store the .desktop file outside /home and create a
> symlink in to it?
>
> I'm a little wary of adding a handler for http/https links that
> resides in /home.

You can move both the *.desktop file(s) and mimeapps.list to
/usr/share/applications/

But I don't see how this measure alone will make your VMs more or less
secure.

--
ubestemt

Nemo

May 3, 2017, 1:50:13 PM
to u+q...@bestemt.no, qubes-users, mi...@micahflee.com
I'm thinking an attacker could:

1. Take control of the VM through any given means, and gain the ability to edit the .desktop file
2. Alter the desktop file so that it opens a malware URL in the VM dedicated to web browsing
3. Send information from the Thunderbird VM to the less-trusted web browsing VM via coding in the URL

The weakness is you're giving a persistent, user-editable file permission to control another VM - and the Qubes messaging service doesn't tell you exactly what action you are approving, and might even be set to "Yes to All" allowing transparent control by malware.

If you DON'T set "Yes to All", then you are queried every time you open a webpage, and if you don't read every approval carefully an attacker could force a third, higher-trust VM to open a malware URL.

Your suggestion re: /usr/share/applications is good though, I think that would mitigate some of the risk.

u+q...@bestemt.no

May 3, 2017, 4:24:24 PM
to Nemo, qubes-users, mi...@micahflee.com
Nemo <wordsw...@gmail.com> [2017-05-03 19:50 +0200]:
> I'm thinking an attacker could:
>
> 1 Take control of the VM through any given means, and gain the ability to
> edit the .desktop file
> 2 Alter the desktop file so that it opens a malware URL in the VM dedicated
> to web browsing
> 3 Send information from the Thunderbird VM to the less-trusted web browsing
> VM via coding in the URL
>
> The weakness is you're giving a persistent, user-editable file permission
> to control another VM - and the Qubes messaging service doesn't tell you
> exactly what action you are approving, and might even be set to "Yes to
> All" allowing transparent control by malware.
>
> If you DON'T set "Yes to All", then you are queried every time you open a
> webpage, and if you don't read every approval carefully an attacker could
> force a third, higher-trust VM to open a malware URL.

If an attacker can edit the contents of your home folder, he/she can
accomplish the same by creating new *.desktop and mimeapps.list files in
~/.local/share/applications/.

Changes in the home directory stay persistent unless it is a DispVM.

--
ubestemt

wordsw...@gmail.com

May 3, 2017, 4:58:11 PM
to qubes-users, wordsw...@gmail.com, mi...@micahflee.com, u+q...@bestemt.no

This is a good point. So the fundamental security issue is that we cannot specifically confirm the URL that is being sent to the other VM as we are approving it.

I suppose this would need to be secured on the web browser VM end. Maybe create another .desktop file as the default HTTP/HTTPS handler on the web browser VM that allows for user confirmation of the URL before opening in the actual browser?
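One way to build the receiving-side check wordsworth proposes, as an added example (not code from the thread or from Qubes OS): a small handler installed in the browser VM as its default x-scheme-handler/http and https, so that whatever arrives via qvm-open-in-vm is displayed and approved before the real browser sees it. As Nemo notes, the dom0 policy prompt names the source and target qubes but never the URL, so the only place the URL itself can be inspected is the target. Assumptions, not from the thread: zenity is available for the dialog (with a terminal fallback), firefox is the real browser, and the script is installed as /usr/local/bin/confirm-open and registered with a .desktop entry whose Exec line is `confirm-open %u` (the same .desktop plus mimeapps.list mechanism Gaiko used, only the Exec differs).

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes OS): a confirming URL
# handler for the browser VM. Register it as the default handler for
# x-scheme-handler/http and x-scheme-handler/https there; qvm-open-in-vm
# from the mail VM then lands here instead of directly in the browser.
# Assumptions: zenity for the dialog (terminal fallback), firefox as the
# real browser, installed as /usr/local/bin/confirm-open with Exec=confirm-open %u.

BROWSER_CMD=${BROWSER_CMD:-firefox}   # assumed browser; override via environment
MAX_URL_LEN=2048                      # arbitrary cap so the dialog stays readable

# Accept only http(s) URLs made of printable, non-blank ASCII. That keeps
# file:, javascript: and URLs carrying control characters (terminal escape
# sequences, newlines) away from both the dialog and the browser.
url_is_plain_web() {  # url_is_plain_web URL -> 0 if acceptable
    case "$1" in
        http://?*|https://?*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -le "$MAX_URL_LEN" ] || return 1
    # any byte outside 0x21-0x7E (space, controls, non-ASCII) rejects the URL
    if printf '%s' "$1" | LC_ALL=C grep -q '[^!-~]'; then
        return 1
    fi
    return 0
}

# Show the exact URL and ask. --no-markup matters: zenity otherwise parses
# Pango markup, so a URL containing '<' could render as something else.
confirm_open() {  # confirm_open URL -> 0 if the user approved
    if command -v zenity >/dev/null 2>&1; then
        zenity --question --no-markup --title="Open this link in $(hostname)?" --text="$1"
    else
        printf 'Open in this VM? %s  [y/N] ' "$1"
        read -r answer
        [ "$answer" = y ] || [ "$answer" = Y ]
    fi
}

confirm_and_open() {  # confirm_and_open URL -> execs the browser on approval
    if ! url_is_plain_web "$1"; then
        # do not echo the raw URL back into a terminal; it failed the charset check
        echo "refused: not a plain http(s) URL" >&2
        return 2
    fi
    confirm_open "$1" || return 3
    exec "$BROWSER_CMD" "$1"
}

if [ "$#" -gt 0 ]; then
    confirm_and_open "$1"
fi
```

The charset filter is deliberately stricter than the URL grammar: anything a real link needs survives percent-encoded, and what it throws away (spaces, control bytes, non-ASCII) is exactly what a crafted URL would use to make the dialog text misleading. Rejections are reported without the URL for the same reason.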

John Maher

Aug 21, 2017, 11:14:15 AM
to qubes-users, u+q...@bestemt.no, mi...@micahflee.com
Gaiko, did you get this to work? I have the exact same experience. And placing the files in /usr/share/applications did not help.

When running "desktop-file-validate browser_vm.desktop" from ~/. I get "file does not exist". From ~/.local/share/applications I get 'browser_vm.desktop: warning: key "Encoding" in group "Desktop Entry" is deprecated', similar to you.

Thanks.
John

John Maher

Aug 22, 2017, 9:19:45 AM
to qubes-users, u+q...@bestemt.no, mi...@micahflee.com
Well, I got this to work mostly as desired. Turns out that even after running "xdg-settings set default-web-browser browser_vm.desktop" (and confirmed with "xdg-settings get default-web-browser"), I had to remove all .desktop files in the working VM (not the browser VM) related to Chrome and Firefox. That included files located in ~/.local/share/applications and in /usr/share/applications.

Unfortunately, I really want to use Firefox in the browser VM, but only Chrome will launch. Still working on addressing that.

John
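The thread debugs the handler by hand: run qvm-open-in-vm directly, run xdg-open in the target, validate the .desktop file, compare mimeapps.list against the how-to, and finally (John Maher's finding) remove other .desktop files that also claim http/https. The script below is an added example, not code from the thread or from Qubes OS, that runs those checks against one applications directory and also accepts the qvm-open-in-dvm variant R.B. mentions. It assumes the handler file name and the directory are passed as arguments (the usage line defaults the directory to ~/.local/share/applications, matching Gaiko's setup), and, when xdg-utils is installed, asks xdg-mime which handler xdg-open would actually pick.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes OS): check a Qubes
# link-forwarding handler the way the thread does by hand.
# Usage: check_link_handler.sh HANDLER.desktop [applications-dir]
# Assumed default directory: ~/.local/share/applications.

# Value of KEY= in a .desktop file (first occurrence, empty if absent).
desktop_key() {  # desktop_key FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Structural checks on the handler itself: the group and Type that
# desktop-file-validate insists on, an Exec that forwards the URL through
# qvm-open-in-vm or qvm-open-in-dvm with %u, and a MimeType claiming http(s).
check_desktop() {  # check_desktop FILE -> 0 if ok
    f=$1; drc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    grep -q '^\[Desktop Entry\]' "$f" || { echo "$f: no [Desktop Entry] group"; drc=1; }
    [ "$(desktop_key "$f" Type)" = "Application" ] || { echo "$f: Type must be Application"; drc=1; }
    case "$(desktop_key "$f" Exec)" in
        "qvm-open-in-vm "*"%u"*|"qvm-open-in-dvm"*"%u"*) ;;
        *) echo "$f: Exec should be 'qvm-open-in-vm <vm> %u' or 'qvm-open-in-dvm %u'"; drc=1 ;;
    esac
    mt=$(desktop_key "$f" MimeType)
    for t in x-scheme-handler/http x-scheme-handler/https; do
        case ";$mt;" in *";$t;"*) ;; *) echo "$f: MimeType lacks $t"; drc=1 ;; esac
    done
    # deprecated but harmless: the only warning Gaiko and John saw
    grep -q '^Encoding=' "$f" && echo "$f: note: Encoding= is deprecated (warning only)"
    return $drc
}

# Does the [Default Applications] group route http and https to HANDLER?
# mimeapps.list values may be a ';'-separated list; the first entry wins.
check_mimeapps() {  # check_mimeapps MIMEAPPS HANDLER -> 0 if ok
    mrc=0
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    for t in x-scheme-handler/http x-scheme-handler/https; do
        got=$(sed -n "/^\[Default Applications\]/,/^\[/s|^$t=||p" "$1" | head -n 1)
        got=${got%%;*}
        [ "$got" = "$2" ] || { echo "$1: $t -> '${got:-nothing}', expected $2"; mrc=1; }
    done
    return $mrc
}

# Other .desktop files in DIR that also claim https. When xdg-open ignores
# the new handler, these are the candidates it is picking instead.
competing_handlers() {  # competing_handlers DIR HANDLER -> prints file names
    for d in "$1"/*.desktop; do
        [ -f "$d" ] || continue
        [ "$(basename "$d")" = "$2" ] && continue
        case ";$(desktop_key "$d" MimeType);" in
            *";x-scheme-handler/https;"*) basename "$d" ;;
        esac
    done
}

check_link_handler() {  # check_link_handler HANDLER DIR -> 0 if everything lines up
    ok=0
    check_desktop "$2/$1" || ok=1
    check_mimeapps "$2/mimeapps.list" "$1" || ok=1
    others=$(competing_handlers "$2" "$1")
    [ -z "$others" ] || echo "also claiming https in $2 (consider removing): $others"
    # ask xdg-utils which handler it would really use, when it is installed
    if command -v xdg-mime >/dev/null 2>&1; then
        echo "xdg-mime query default x-scheme-handler/https -> $(xdg-mime query default x-scheme-handler/https)"
    fi
    return $ok
}

if [ "$#" -gt 0 ]; then
    check_link_handler "$1" "${2:-$HOME/.local/share/applications}"
fi
```

Run it once against ~/.local/share/applications and once against /usr/share/applications in the sending VM; the competing-handler list is what John had to delete by hand, and the xdg-mime line is the quickest way to see whether the deletion took.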