What is the point of qubes.StartApp?

Andrew David Wong

Jan 20, 2019, 6:03:16 PM
to qubes...@googlegroups.com

What is the advantage of this?

$ qvm-run --dispvm=work --service qubes.StartApp+firefox

Over this?

$ qvm-run --dispvm=work firefox


The behavior looks the same to me. As far as I can tell, none of our
documentation mentioning qubes.StartApp explains this, and a search
didn't turn up any relevant ML threads.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Marek Marczykowski-Górecki

Jan 20, 2019, 6:53:23 PM
to Andrew David Wong, qubes...@googlegroups.com

On Sun, Jan 20, 2019 at 05:03:05PM -0600, Andrew David Wong wrote:
> What is the advantage of this?
>
> $ qvm-run --dispvm=work --service qubes.StartApp+firefox

This one will look for "firefox.desktop" in standard locations in the target
qube and launch the application described by it.

> Over this?
>
> $ qvm-run --dispvm=work firefox

This one will run the "firefox" command directly.

For many applications the actual name will be the same, but there are
exceptions - for example Nautilus has org.gnome.Nautilus.desktop.

The practical difference is that bare qvm-run uses the qubes.VMShell service
and allows you to run an arbitrary command with arbitrary arguments - so,
basically full control over the target VM. The qubes.StartApp service
allows you to run only applications advertised in /usr/share/applications
(or other standard locations), without control over the arguments - so
giving access to the qubes.StartApp service is a much safer thing to do.
While there isn't much practical difference when you do that from dom0,
it matters a lot if you start applications from non-dom0 - like from
the upcoming GUI domain.

> The behavior looks the same to me. As far as I can tell, none of our
> documentation mentioning qubes.StartApp explains this, and a search
> didn't turn up any relevant ML threads.

There is brief documentation here:
https://www.qubes-os.org/doc/managing-appvm-shortcuts/#behind-the-scenes

But indeed it could be expanded.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Jean-Philippe Ouellet

Jan 20, 2019, 10:52:23 PM
to Marek Marczykowski-Górecki, Andrew David Wong, qubes...@googlegroups.com
On Sun, Jan 20, 2019 at 6:53 PM Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
> On Sun, Jan 20, 2019 at 05:03:05PM -0600, Andrew David Wong wrote:
> > What is the advantage of this?
> >
> > $ qvm-run --dispvm=work --service qubes.StartApp+firefox
>
> This one will look for "firefox.desktop" in standard locations in the target
> qube and launch the application described by it.
>
> > Over this?
> >
> > $ qvm-run --dispvm=work firefox
>
> This one will run the "firefox" command directly.
>
> For many applications the actual name will be the same, but there are
> exceptions - for example Nautilus has org.gnome.Nautilus.desktop.
>
> The practical difference is that bare qvm-run uses the qubes.VMShell service
> and allows you to run an arbitrary command with arbitrary arguments - so,
> basically full control over the target VM. The qubes.StartApp service
> allows you to run only applications advertised in /usr/share/applications
> (or other standard locations), without control over the arguments - so
> giving access to the qubes.StartApp service is a much safer thing to do.
> While there isn't much practical difference when you do that from dom0,
> it matters a lot if you start applications from non-dom0 - like from
> the upcoming GUI domain.

Also, requiring the use of qubes.StartApp+arg allows much stricter
filtering of the permissible grammar for Exec= lines of .desktop files
which are passed from untrusted guests to dom0. With qubes.StartApp,
we are able to filter using the same qrexec argument grammar we use
everywhere else, instead of needing to allow full binary paths,
possibly with arguments, possibly containing special characters which
may be interpreted in special ways by different parsers.

Failure here would be potentially catastrophic (command injection in
dom0 when attempting to start an application via a maliciously crafted
.desktop file).

Jean-Philippe Ouellet

Jan 21, 2019, 2:27:38 AM
to Marek Marczykowski-Górecki, Andrew David Wong, qubes...@googlegroups.com
Relevant code here:
https://github.com/QubesOS/qubes-desktop-linux-common/blob/a7bba5a3901d142185702060ab64dbb33bf4bd9e/qubesappmenus/receive.py#L271-L279

Note that StartApp+arg is constructed in dom0 with stricter
constraints than Exec= was before (see legacy mode immediately above).
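
The filtering described in the two posts above, as an added sketch that is not part of the thread and not the Qubes code linked there: dom0 derives the launcher command only from the validated .desktop file name and never from the guest-supplied Exec= value. The `SAFE_ARG` pattern, the function names and the sample entry are assumptions made for illustration.

```python
import re

# Assumed argument grammar (not copied from Qubes): letters, digits, '_', '-', '.',
# not starting with '-' or '.', at most 64 characters.
SAFE_ARG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")

# Constructed sample of a .desktop file as an untrusted qube might send it.
SAMPLE = """[Desktop Entry]
Name=Files
Exec=nautilus --new-window %U; echo constructed-extra-text
Type=Application
"""


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def startapp_argv(vmname, desktop_filename):
    """Build the dom0 launcher argv from the file name only, never from Exec=."""
    if not desktop_filename.endswith(".desktop"):
        raise ValueError("not a .desktop file")
    app = desktop_filename[: -len(".desktop")]
    if not SAFE_ARG.fullmatch(app):
        raise ValueError("name outside the allowed argument grammar")
    # A list argv means no shell ever parses the guest-influenced string.
    return ["qvm-run", "--service", "--", vmname, "qubes.StartApp+" + app]


def menu_item(vmname, desktop_filename, text):
    """Label is display-only guest data; the command comes from the validated name."""
    entry = parse_desktop_entry(text)
    return {"label": entry.get("Name", desktop_filename),
            "argv": startapp_argv(vmname, desktop_filename)}


if __name__ == "__main__":
    print(menu_item("work", "org.gnome.Nautilus.desktop", SAMPLE))
```

Whatever the guest puts in Exec= stays inside the guest: the target qube resolves the name to its own .desktop file when the service runs.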

Andrew David Wong

Jan 21, 2019, 11:04:42 PM
to Jean-Philippe Ouellet, Marek Marczykowski-Górecki, qubes...@googlegroups.com
Thank you both for the very informative explanations! I've documented
them here:

https://www.qubes-os.org/doc/qrexec3/#qubes-rpc-administration

(See the end of the section. Please feel free to suggest or submit any
edits as you see fit.)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
