On 05/10/2016 03:50 PM, Henry de Valence wrote:
> On Thu, May 05, 2016 at 03:17:51AM +0000, Patrick Schleizer wrote:
>> Their best use case is geeks. People who think they can be
>> even more secure by using minimal templates.
>
> In fact there are concrete security benefits to using minimal templates. Here
> is one example: since Qubes provides no isolation mechanism other than Xen
> domains, the only safe way to open an untrusted PDF is to use a DispVM.
> Otherwise, a PDF exploit can take over the entire domain.
>
> As far as I know, the only way to prevent accidentally opening an untrusted PDF
> (by, e.g., left-clicking instead of right-clicking, or hitting the wrong key in
> emacs which accidentally opens a file link, or ... any of the other 9 million
> ways to launch software on a Linux desktop) is to have no installed software in
> the template that can open PDFs. Similar considerations apply to all kinds of
> other software, e.g., media players, etc.
>
> Moreover, not using minimal templates has performance costs: with the PDF
> example, when not using a minimal (DVM) template, each PDF document's DispVM is
> running its own abrt-applet, nm-applet, ssh-agent, gnome-keyring-daemon,
> gnome-settings-daemon, systemd-journal, etc.
I don't follow your reasoning.
- dispVM can't be based on a minimal template if you expect to be able
to open <quote>all kind of software, e.g. media players, etc.</quote>.
Try to install a media player, a pdf reader, libreoffice, ... in a
minimal template to see the dependencies that will be pulled. It won't
be minimal anymore. It also wouldn't be convenient to have a specific
template for each application - e.g. a dispPDFVM, a dispMediaVM, a
dispFooVM, ..., so eventually dispVM is going to be quite the same as
the "standard" template.
- the VM you call the disposable VM from will rarely be based on a
minimal template either. Otherwise, how are files supposed to be on that
VM, except by running qvm-copy-vm? I mean, you'll need a web
browser from which you download stuff, a mail client, ...
The only case I can think of where you would open file from a "minimal"
VM is when you have a non-networked VM for a dedicated use (e.g. "vault")
where you copy files with qvm-copy-vm and where you really don't want to
open a pdf/docx/... by mistake. But then you could use a standard
template and simply set $PATH to a folder where you symlink the binaries
you deem safe, assuming you're working in a terminal.
But you mention "right click", which implies using a file application,
which means you're probably already running a few "unsafe" processes
like file preview/thumbnail. Also, having emacs in a minimal template is
not exactly my idea of "minimal", so who gets to decide what would be
installed in the minimal template?
I guess most users think by habit of minimal templates as a way to
minimize resources (RAM/CPU/disk space). As mentioned in a previous
post, since disk space is not an issue in Qubes, one can probably reach
a similar minimal RAM/CPU footprint by configuring a systemd state
without the stuff you mention (abrt-applet, nm-applet, ...).
>
> So, I think that there are concrete use-cases for minimal templates to provide
> both security and performance benefits.
The minimal template you describe in your PDF example is not minimal -
it has a PDF viewer. User XYZ may not need a PDF viewer in their minimal
template, but an image viewer. And user ABC may not need anything but an
office suite. Etc.
So either the "minimal" template is minimal like Fedora/RH used to have
as an option at install time, or it's "standard" because users have
different expectations and need different programs.
I'm genuinely interested - do you have a concrete use-case with a "real"
minimal template with improved security and performance over a standard
template running in an alternate "minimal" systemd state and with $PATH
set to a folder with symlinked/whitelisted binaries?
(BTW, this whole discussion is moot if providing minimal templates is
not a burden for Qubes devs, but I remember seeing some issues specific
to those, so it's definitely non-zero).
>
> Cheers,
> Henry de Valence
Cheers,
ivan
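Ivan's $PATH-whitelisting suggestion above, written up as an added shell example that is not from the thread or from Qubes itself; the directory name ~/safe-bin and the whitelisted command names are assumptions:

```shell
#!/bin/sh
# Added example: keep a directory of symlinks to the few binaries you deem
# safe in this VM and point PATH at it alone. ~/safe-bin and the command
# list are assumptions, not anything Qubes provides.

# build_safe_bin DIR CMD...
# Create DIR and symlink each bare command name into it, resolving the
# target once through the caller's full PATH. Names containing '/' are
# refused so the whitelist stays a list of command names, not paths.
build_safe_bin() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for cmd in "$@"; do
        case $cmd in
            */*) echo "refusing path-like name: $cmd" >&2; continue ;;
        esac
        target=$(command -v "$cmd" 2>/dev/null) || {
            echo "skipping $cmd: not found on this system" >&2; continue
        }
        ln -sf "$target" "$dir/$cmd"
    done
}

# can_run DIR CMD
# Succeed only if CMD resolves when PATH consists of DIR alone, i.e. what a
# shell started with PATH=DIR would see. Runs in a subshell so the caller's
# own PATH is left untouched.
can_run() {
    ( PATH=$1; command -v "$2" >/dev/null 2>&1 )
}

# Interactive use after building: PATH=$HOME/safe-bin (no other entries), so
# a mistyped "evince report.pdf" ends in "command not found" instead of the
# file being opened inside this VM.
if [ "${1:-}" = "--demo" ]; then
    build_safe_bin "$HOME/safe-bin" ls cat less
    can_run "$HOME/safe-bin" ls && echo "ls: allowed"
    can_run "$HOME/safe-bin" evince || echo "evince: not resolvable"
fi
```

Because PATH only governs lookups by bare command name, this guards against accidental launches from a terminal, as Ivan assumes; a file manager or xdg-open resolves handlers by absolute path or MIME association and is unaffected.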