Bug or Feature? DispVM inherits settings from calling VM


Robert Mittendorf

Oct 12, 2016, 4:50:24 AM10/12/16
to qubes-users
If I use /usr/bin/qvm-run to open an application in a disposable VM,
the dispVM inherits some settings from the calling VM

example: I use

/usr/bin/qvm-run --dispvm firefox

In work-VM. My work-VM is configured to allow intranet IPs only. The
starting dispVM is blue like the work VM, even though normal DispVMs are
red.

Also the firewall rules (intranet only) are inherited from the work VM.


Kind regards,

Robert Mittendorf

--
Robert Mittendorf, M.Sc. Computer Science

DigiTrace GmbH - Expertise in IT Forensics
Managing Directors: Alexander Sigel, Martin Wundram
Register Court Cologne, HR B 72919
VAT ID: DE278529699

Zollstockgürtel 59, 50969 Köln
Phone: 0221-6 77 86 95-2
Website: www.DigiTrace.de
E-mail: in...@DigiTrace.de

Have you subscribed to the DigiTrace newsletter yet?
http://www.digitrace.de/de/service/newsletter

DigiTrace is a partner of the Allianz für Cyber-Sicherheit
and a member of the nrw.units network for IT security:
https://www.allianz-fuer-cybersicherheit.de
http://www.nrw-units.de/netzwerk/

Andrew David Wong

Oct 12, 2016, 5:57:37 PM10/12/16
to Robert Mittendorf, qubes-users

On 2016-10-12 01:50, Robert Mittendorf wrote:
> If I use /usr/bin/qvm-run to open an application in a disposable VM, the dispVM inherits some settings from the calling VM
>
> example: I use
>
> /usr/bin/qvm-run --dispvm firefox
>
> In work-VM. My work-VM is configured to allow intranet IPs only. The starting dispVM is blue like the work VM, even though normal DispVMs are red.
>
> Also the firewall rules (intranet only) are inherited from the work VM.
>
>
> Kind regards,
>
> Robert Mittendorf
>

Yes, these are intentional DispVM design decisions.

However, there are also plans to allow DispVMs to inherit the NetVM of the calling VM without also inheriting its firewall rules:

https://github.com/QubesOS/qubes-issues/issues/1296

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

raah...@gmail.com

Oct 12, 2016, 10:50:27 PM10/12/16
to qubes-users, mitte...@digitrace.de

feature. I use to make menu shortcuts to launch programs in dispvms inheriting firewall rules. But xfce only lets you edit already existing rules, not create new ones :( editing a config file is a little too much effort for me lol.

Robert Mittendorf

Oct 13, 2016, 6:45:35 AM10/13/16
to qubes...@googlegroups.com
On 10/13/2016 at 04:50 AM, raah...@gmail.com wrote:
>
> feature. I use to make menu shortcuts to launch programs in dispvms inheriting firewall rules. But xfce only lets you edit already existing rules, not create new ones :( editing a config file is a little too much effort for me lol.
>
You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!

How can this "feature" be disabled? I want to start a normal DispVM, not
a "special" DispVM.....

Use Case: Mail VM is only allowed to access Mail-Server. I want to start
a Browser in DispVM for urls in Mails.
This works fine, but those "special" DispVMs have the same limitations.
I want just a normal DispVM like the one started via Dom0. The only way
to achieve this afaik is to let the special DispVM connect to NetVM, so
no ProxyVM is used. But this means that the DispVM has access to the
intranet.....

David Hobach

Oct 13, 2016, 12:30:09 PM10/13/16
to Robert Mittendorf, qubes...@googlegroups.com


On 10/13/2016 12:45 PM, Robert Mittendorf wrote:
> On 10/13/2016 at 04:50 AM, raah...@gmail.com wrote:
>>
>> feature. I use to make menu shortcuts to launch programs in dispvms
>> inheriting firewall rules. But xfce only lets you edit already
>> existing rules, not create new ones :( editing a config file is a
>> little too much effort for me lol.
>>
> You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
>
> How can this "feature" be disabled? I want to start a normal DispVM, not
> a "special" DispVM.....

Of course it's a feature. You want to open those pesky attachments of
your mail VM in a dispVM, don't you? But do you want to grant that VM
internet access? At least I wouldn't want that and thus would expect
that those firewall rules are inherited.

> Use Case: Mail VM is only allowed to access Mail-Server. I want to start
> a Browser in DispVM for urls in Mails.
> This works fine, but those "special" DispVMs have the same limitations.
> I want just a normal DispVM like the one started via Dom0. The only way
> to achieve this afaik is to let the special DispVM connect to NetVM, so
> no ProxyVM is used. But this means that the DispVM has access to the
> intranet.....
>

Currently your easiest option is not to click on the links, but to
copy-paste them to an open dispVM. Small sacrifice for a major security
gain.

Andrew David Wong

Oct 13, 2016, 2:36:30 PM10/13/16
to Robert Mittendorf, qubes...@googlegroups.com

This is precisely the use case I described in issue #1296, which I linked in my previous message:

https://github.com/QubesOS/qubes-issues/issues/1296

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

raah...@gmail.com

Oct 14, 2016, 6:16:16 PM10/14/16
to qubes-users, mitte...@digitrace.de

couldn't you just use a normal dispvm then? meaning why even launch anything from within an appvm? Just run it from dom0, like the default firefox dispvm menu item.

raah...@gmail.com

Oct 14, 2016, 6:18:23 PM10/14/16
to qubes-users, mitte...@digitrace.de, raah...@gmail.com

only reason i'd launch a program in a dispvm from within an appvm, is to inherit its firewall rules.

Andrew David Wong

Oct 14, 2016, 11:06:48 PM10/14/16
to raah...@gmail.com, qubes-users, mitte...@digitrace.de

On 2016-10-14 15:18, raah...@gmail.com wrote:
> On Friday, October 14, 2016 at 6:16:16 PM UTC-4, raah...@gmail.com wrote:
>> On Thursday, October 13, 2016 at 2:36:30 PM UTC-4, Andrew David Wong wrote:
> On 2016-10-13 03:45, Robert Mittendorf wrote:
>>>>> On 10/13/2016 at 04:50 AM, raah...@gmail.com wrote:
>>>>>>
>>>>>> feature. I use to make menu shortcuts to launch programs in dispvms inheriting firewall rules. But xfce only lets you edit already existing rules, not create new ones :( editing a config file is a little too much effort for me lol.
>>>>>>
>>>>> You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
>>>>>
>>>>> How can this "feature" be disabled? I want to start a normal DispVM, not a "special" DispVM.....
>>>>>
>>>>> Use Case: Mail VM is only allowed to access Mail-Server. I want to start a Browser in DispVM for urls in Mails.
>>>>> This works fine, but those "special" DispVMs have the same limitations. I want just a normal DispVM like the one started via Dom0. The only way to achieve this afaik is to let the special DispVM connect to NetVM, so no ProxyVM is used. But this means that the DispVM has access to the intranet.....
>>>>>
>
> This is precisely the use case I described in issue #1296, which I linked in my previous message:
>
> https://github.com/QubesOS/qubes-issues/issues/1296
>
>>
>> couldn't you just use a normal dispvm then? meaning why even launch anything from within an appvm? Just run it from dom0, like the default firefox dispvm menu item.
>
> only reason i'd launch a program in a dispvm from within an appvm, is to inherit its firewall rules.
>

Starting a new DispVM from dom0 and setting its NetVM is a lot more labor-intensive than simply clicking a link in an email and having the rest work automatically.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

raah...@gmail.com

Oct 15, 2016, 7:23:12 AM10/15/16
to qubes-users, raah...@gmail.com, mitte...@digitrace.de

oh yes absolutely, especially for email links for sure that's awesome. But I thought the OP was asking how *not* to inherit firewall rules in general. So i was just suggesting why even bother opening it in specific appvms anyways then.

raah...@gmail.com

Oct 15, 2016, 7:28:00 AM10/15/16
to qubes-users, raah...@gmail.com, mitte...@digitrace.de

xfce is a little frustrating cause you need a 3rd party tool to easily create menu entries like in kde to launch diff programs with while inheriting firewall rules. but i'm leery to install one to dom0 so I just gave up and type it out. rather do that than edit the cfg file lol.

Robert Mittendorf

Oct 17, 2016, 3:42:34 AM10/17/16
to qubes...@googlegroups.com

> Currently your easiest option is not to click on the links, but to
> copy-paste them to an open dispVM. Small sacrifice for a major
> security gain.
>
Well, the "easiest" option is to use a net-vm directly. What is the
security gain? It's a dispVM after all.

David Hobach

Oct 17, 2016, 11:04:40 AM10/17/16
to Robert Mittendorf, qubes...@googlegroups.com
The data copied to that VM (i.e. the pdf file or whatever you opened)
must be considered leaked if the VM gets compromised via e.g. drive-by
exploits.
Agreed, it's limited to that data, but nevertheless an unexpected
potential impact. And depending on your data it can be critical.

From a usability point of view you'll also get annoyed if you cannot
print in dispVMs just because your firewall rules allowing connectivity
to your printer aren't inherited, but those to allowing connectivity to
the internet suddenly are in place.

Moreover your netVM is also inherited and firewall rules can have a
different meaning depending on your netvm (just imagine the same private
subnets being used for 2 different networks), i.e. it makes sense to
inherit firewall rules, if you do it for netVMs.

Btw inheriting netVMs makes a lot of sense if you imagine one Tor proxy
VM and one directly connected one. So a dispVM from a Tor connected VM
would spawn a direct internet connection in your case... Currently it
fortunately does not.



Robert Mittendorf

Oct 17, 2016, 11:43:26 AM10/17/16
to qubes...@googlegroups.com

> The data copied to that VM (i.e. the pdf file or whatever you opened)
> must be considered leaked if the VM gets compromised via e.g. drive-by
> exploits.
> Agreed, it's limited to that data, but nevertheless an unexpected
> potential impact. And depending on your data it can be critical.
Well, that is why it is a distinct DispVM. If I open a legit PDF from my
mail client in a DispVM (say dispvm1) and I open a non-legit URL in a
DispVM, this will not be the same dispVM and thereby not leak the PDFs
data. If the PDF itself is malicious, I most likely will not care about
the leak. Only exception: A legit PDF gets infected and is then mailed
to me. Usually that would allow the attacker to leak the PDF from the
system it was sent from in the first place.
> From a usability point of view you'll also get annoyed if you cannot
> print in dispVMs just because your firewall rules allowing
> connectivity to your printer aren't inherited, but those to allowing
> connectivity to the internet suddenly are in place.
agreed, basically.
>
> Btw inheriting netVMs makes a lot of sense if you imagine one Tor
> proxy VM and one directly connected one. So a dispVM from a Tor
> connected VM would spawn a direct internet connection in your case...
> Currently it fortunately does not.
agreed.

Well, I was actually surprised that there is more than 1 DispVM. Do the
child-DispVMs use the fedora-23-dvm template as well?

raah...@gmail.com

Oct 19, 2016, 11:12:11 PM10/19/16
to qubes-users, mitte...@digitrace.de

oh yes that's a good point. that's another reason I liked to create dispvm menu entries in the applications list, to also inherit that vm's window border color that they are launched from. To remind me what level trust it is.

raah...@gmail.com

Oct 19, 2016, 11:12:31 PM10/19/16
to qubes-users, mitte...@digitrace.de, raah...@gmail.com

or just to remind me what I opened it for lol.
