DomU modifying its own qvm-features?


qubist

Feb 25, 2026, 3:31:18 AM
to qubes...@googlegroups.com
Hi,

Currently, it is possible to set features using qvm-features in dom0.

I am looking for a way to do this (in bash):

- a domU requests to set/modify its own feature
- a standard confirmation dialog "Do you want to allow?" should show up
- the user must confirm or reject explicitly

How can I do this?

Marek Marczykowski-Górecki

Feb 25, 2026, 5:26:20 AM
to qubes...@googlegroups.com
I don't think user interaction is really a good idea here, individual
entries have different functions and sometimes quite complicated
interactions with other settings - IMO too easy to miss when user
evaluates the prompt.

But, there is an API where a qube can request some features, and dom0 can
then agree to set them after some verification. See
https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-features.html

This is for example how all the `supported-service.*` features are set
on templates, or how Whonix templates advertise they are Whonix, and get
appropriate settings ("whonix-gw"/"whonix-ws" feature, netvm set, tags, etc).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

qubist

Feb 25, 2026, 8:24:10 AM
to qubes...@googlegroups.com
Thanks, Marek. I will look more carefully at the link.

My XY goal is to be able to store securely somewhere a list of all
_manually_ installed packages in a template (Debian for the moment), so
that a systemd unit (mentioned in another thread) can access that list
in a oneshot execution at boot. I know that list can be parsed from APT
logs but those can be deleted, so not really safe storage.

Could you suggest a better approach?

Marek Marczykowski-Górecki

Feb 25, 2026, 9:11:12 AM
to qubes...@googlegroups.com
Hm, the above sounds like you are looking for `apt-mark showmanual`? It
does list also packages that were explicitly installed during
template build, but generally it's a Debian way of listing what was
installed on user request. For example in one of my templates (with
several additions):

user@template:~$ apt-mark showmanual|wc -l
255
user@template:~$ dpkg -l|wc -l
2142

Anyway, it sounds like the thing you need doesn't really need to be
transferred to dom0. Maybe just store it in a file (either on root
volume or private volume, depending on where you want it to be visible)?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
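
Added example (not part of the original thread and not Qubes code): one way to keep the `apt-mark showmanual` output in a file inside the template, as suggested in the message above, so a oneshot unit can read it and see what changed between runs. The function names and the destination path passed in are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the DEST path are
# assumptions; pick a path on the root or private volume as discussed above.

# snapshot_manual DEST
# Reads package names (one per line) on stdin, drops anything that is not a
# syntactically valid Debian package name (optionally with ":arch"), and
# replaces DEST atomically so a reader never sees a half-written list.
# An empty result is refused, so a failed listing cannot wipe the snapshot.
snapshot_manual() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if LC_ALL=C grep -E '^[a-z0-9][a-z0-9+.-]+(:[a-z0-9-]+)?$' |
        LC_ALL=C sort -u > "$tmp" && [ -s "$tmp" ]; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# diff_manual OLD NEW
# Prints "+pkg" for names only in NEW and "-pkg" for names only in OLD.
# Both files must come from snapshot_manual (sorted in the C locale).
diff_manual() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+/'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/-/'
}

# update_snapshot DEST
# Refreshes DEST from `apt-mark showmanual`, keeps the previous list as
# DEST.prev, and prints what changed since the last run.
update_snapshot() {
    dest=$1
    if [ -f "$dest" ]; then cp -p "$dest" "$dest.prev" || return 1; fi
    apt-mark showmanual | snapshot_manual "$dest" || return 1
    if [ -f "$dest.prev" ]; then diff_manual "$dest.prev" "$dest"; fi
}
```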

qubist

Feb 25, 2026, 9:57:36 AM
to qubes...@googlegroups.com
On Wed, 25 Feb 2026 15:11:04 +0100 Marek Marczykowski-Górecki wrote:

> Anyway, it sounds like the thing you need doesn't really need to be
> transferred to dom0. Maybe just store it in a file (either on root
> volume or private volume, depending on where you want it to be visible)?

My thoughts too. Thanks!