-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Tue, Dec 24, 2019 at 09:47:54AM +0000, 'heombeeh' via qubes-devel wrote:
> Hi all,
> In the "Attaching a File" [1] section of the docs we are directed to use losetup to create a loop device for a file we want to attach to a VM. Before release 4.0 I would use the `--attach-file` flag to accomplish this, but this feature got removed.
>
> My question concerns the relation between the security of the old method vs the new method.
In practice this documentation isn't any different. --attach-file did
exactly that.
> Suppose that I have a ext4 filesystem in a file called "myfs.img" on dom0. I was under the impression that if I used qvm-block attach with `--attach-file` to connect this filesystem to an appvm, then dom0 would *not* get exposed to any internal aspects of "myfs.img". By this I mean dom0 would *not* parse/process any part of the filesystem header, so that it would not be vulnerable to malicious modifications of the data of "myfs.img" by the appvm.
I'd say it would be better to isolate as mach things as possible in VMs.
Storing myfs.img too. Handling potentially malicious data is tricky and
should be done carefully.
> Now if my understanding of the security of the old method is correct, then it seems to me there is a problem with the new method. As per the directions on the docs page, when I create the loop device for my "myfs.img" file, I can see evidence that the OS has parsed some portion of the ext4 filesystem metadata within "myfs.img". For example, if I run `lsblk -f`, the output shows that the loop device points to an ext4 filesystem, and it also prints the filesystem UUID. This is in contrast to the block devices of the qubes pool that contains VM blocks, where `lsblk -f` does *not* detect their filesystem types/UUIDs.
For this specific reason, we exclude loop devices based on VM images
(based on name/location) from udev parsing.
> If I am correct that the new loop device method causes dom0 to become exposed, what is the correct way to attach a file in dom0 to a VM, so that dom0 is not exposed to an attack?
Yes and no. It was always recommended to not store user (especially
untrusted) data in dom0 manually. Documentation specifically handle the
case of "source VM", not "dom0".
> Also, what is the method that qubes uses to protect dom0 from the filesystems contained in VM blocks in the qubes pool? Is it the udev rules that are contained in `/etc/udev/rules.d`?
Yes, those rules.
> Note: I tried adding a udev rule copied from the default rules to prevent the OS from processing the filesystem data of the loop device. This worked, however it also somehow prevented qvm-block from seeing the loop device, so I was unable to attach it to my VM.
Yes, devices excluded from udev also are excluded from qvm-block. But we
have documented method to force showing them:
https://www.qubes-os.org/doc/mount-lvm-image/
It works also for loop devices - simply use "loopX" instead of "dm-X"
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl4B8PAACgkQ24/THMrX
1yyb2wf/R7sL4i4TzFCsOUOJq1L2f3dF4uLFzKLK3fDbDWlpCs5gfi3yJ9vFDLq0
WjSV83EsythIrpU9GoaC8CqsC8CpMvY3k/cawY4jR7aRz+W4mICC+Afcx0vJnu+q
OZlCb7YBZlJnsXsS6dleGiDcpcq8MVo0EUgnrWcIqkUA5iGjhT0lFHtRveKNmkx/
3YrFUhA4NZzKOJKVXqaQijB/9dHCZpC+9yo5oD0EGnNwVaho8GnQaFBsfyJbsV08
uewVRbYWLVuq8va8ZngKEzU8pm3EyKovxH/WODNVDptY0OSo6UoZUNG81/K1iNeo
Lfm+2m21CWuXz5d79f2akvCMU3AYSg==
=v63Z
-----END PGP SIGNATURE-----