Moving to qubes-devel, please respond there.
On 05/31/14 01:56, Axon wrote:
> Joonas Lehtonen:
>>> >> Problem: Since the DispVM has inherited the firewall rules of
>>> >> EmailVM, the DispVM cannot resolve URLs, thereby defeating User's
>>> >> intention.
>> >
>> > Well it depends :) If I - the user - setup a firewall rule that allows
>> > emailVM only connections to $mailserver, then it would be against my
>> > intention if emailVM could reach arbitrary http server on the internet
>> > via a dispvm.
>> >
> Not necessarily. I (the user) may not want EmailVM connecting to
> anything except my mail server (e.g., because I want to prevent malware
> from infecting EmailVM). Nonetheless, I may want to be able to open all
> links and attachments received in the emails in EmailVM. Since opening
> such links and attachments in EmailVM itself greatly increases the risk
> of infection, I may wish all such links and attachments to be opened in
> DispVM(s).
/.../
Etc, etc.
I think we will all agree that "one DispVM is not enough for everybody"
and that we really need more flexibility...
If we think about why people might want to create a DispVM there are two
primary reasons I think:
1) Because it always comes up clean (no persistent home dir, more
technically no /rw mounted).
2) Because it starts up quickly (which is possible because the VM is
restored from the previously saved "savefile" which is kept in /dev/shm,
which means we don't need to boot a Linux OS, but only restore it from
"suspend", kind of).
There is no reason why we should not be able to support #1 for regular
AppVMs, I think (in that case their "regularity" would mean: VMs which
user can configure by choosing their template, netvm, firewall, etc).
This could be settable via qvm-prefs, so that we could do e.g.:
qvm-prefs anonvm -s disposable true
qvm-prefs anonvm -s netvm torvm
Some other "DispVM" could be prepared for as a convenient document viewer:
qvm-prefs docviewer -s template fedora-20-office
qvm-prefs docviewer -s disposable true
qvm-prefs docviewer -s netvm none
So, whenever Qubes is to start an AppVM which has "disposable" property
set, it will: 1) not mount the /rw for it, and 2) give it a name:
${basename}-{$uid}
We still might have a default dispvm in the system, of course -- this
would be based on the default template and using default netvm and
default f/w settings.
The policies could then be defined like this:
work docviewer allow
anonvm $anyvm deny
The reason #2 given above (quick start from savefile) is somehow
orthogonal to the property discussed in #1 -- I think we can use it even
for normal AppVMs, just make sure we generate the savefile without /rw
and then mount it after the VM wakes up after restore.
In some other scenarios, we might not want to, or not be able to, use
savefile restoration even for the VMs with "disposable" flag (e.g.
Windows AppVMs).
The above change should allow for more flexible and powerful
configurations, satisfying various users who often have varying
expectations as witnessed in the original thread.
I wouldn't even be entirely against introduction of the "disposable"
flag before R2, if that is really so simple as I think :) Marek, what's
your take on this?
joanna.