Special template to isolate less trusted software?


Ryan Tate

Sep 2, 2020, 7:44:12 PM
to qubes-users
I've started making special templateVMs where I install less
trusted software, typically closed source binaries or code
distributed directly from a vendor.

I am curious if others do this and if people think it adds much
security wise.

For example, in addition to vanilla fedora-32, where I will
install any number of packages from the standard repos, I have -

fedora-32-zoom (the proprietary videoconferencing software)

fedora-32-slack (the group chat app, installed from their own rpm)

fedora-32-print (had to run a Brother install tool to get printer
working, use it from my dvm-print which is firewalled only to my
local printer ips)

fedora-32-media (has some proprietary media handling software)

I just don't like the idea of putting untrusted code in a
templateVM used by sensitive VMs. On the other hand, perhaps I
worry too much, in theory at least I do control when any given app
is run? The Brother install was a bash script run via sudo (!!)
that could have done anything but the others typically go in as
rpm files via dnf, so presumably (?) they can't just install
untrusted services that get auto launched.

Obviously this makes updates take longer, so it's got some cost.

Is this a wise approach? Or no? Thanks for any thoughts....

Ryan

airele...@tutanota.com

Sep 2, 2020, 11:39:18 PM
to Qubes Users


> I just don't like the idea of putting untrusted code in a templateVM used by sensitive VMs.
>
Me neither! But I avoid multiplying templates by installing apps directly into appvms.
This minimizes the number of templates I have to keep up-to-date.

> fedora-32-zoom (the proprietary videoconferencing software)
>
You can save the zoom package into the appvm. Can also install its (open source) dependencies in the template. Then every time you start the appvm, just install the (already-downloaded) zoom package.

> fedora-32-slack (the group chat app, installed from their own rpm)
>
> fedora-32-print (had to run a Brother install tool to get printer working, use it from my dvm-print which is firewalled only to my local printer ips)
>
> fedora-32-media (has some proprietary media handling software)
>
The general strategy with installing packages inside appvms (at least those based on debian) is to make the package cache into a bind-dir and then reinstall package from cache every appvm startup.
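The cache-and-reinstall approach just described, as an added example that is not code from the thread or from Qubes itself. It assumes a Debian-based AppVM, the standard /rw/config/qubes-bind-dirs.d and /rw/config/rc.local mechanisms, and (an assumed layout, not a Qubes convention) a manifest of approved package hashes stored in the template's root filesystem, so that a .deb that was altered in the persistent /rw cache is refused instead of reinstalled at every boot.

```shell
#!/bin/sh
# Added example: reinstall vendor .deb packages from a persistent cache at AppVM
# start, but only those matching a sha256 manifest kept in the template.
#
# One-off setup:
#   1. In the AppVM, make the apt archive directory persistent:
#        /rw/config/qubes-bind-dirs.d/50_user.conf  <-  output of bind_dirs_conf
#   2. In the template, record the approved vendor packages by basename:
#        sha256sum slack-desktop-*.deb > /etc/approved-debs.sha256   (assumed path)
#   3. In the AppVM, have /rw/config/rc.local exec this file as reinstall-cached.sh.

CACHE_DIR="${CACHE_DIR:-/var/cache/apt/archives}"
MANIFEST="${MANIFEST:-/etc/approved-debs.sha256}"

# Prints the bind-dirs fragment that keeps the package cache across restarts.
bind_dirs_conf() {
    printf "binds+=( '%s' )\n" "$CACHE_DIR"
}

# Installs one package; kept separate so callers can substitute their own step.
install_deb() {
    dpkg -i "$1"
}

# Succeeds only if the file is listed in the manifest and its hash still matches.
# A file with no manifest entry is treated the same as a tampered one.
verify_deb() {
    deb="$1"
    name=$(basename "$deb")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$MANIFEST")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$deb" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Installs every approved .deb in the cache, names the ones it refused,
# and returns the number of refused files (0 means everything was clean).
reinstall_cached() {
    refused=0
    for deb in "$CACHE_DIR"/*.deb; do
        [ -e "$deb" ] || continue
        if verify_deb "$deb"; then
            install_deb "$deb"
        else
            echo "refusing $(basename "$deb"): not in manifest or hash mismatch"
            refused=$((refused + 1))
        fi
    done
    return "$refused"
}

# Run when executed directly (from rc.local); sourcing only defines the functions.
case "$0" in */reinstall-cached.sh) reinstall_cached ;; esac
```

Because the manifest lives in the template's root filesystem, which the AppVM gets fresh at each boot, changing a cached package is not enough on its own to get it reinstalled.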

Chris Laprise

Sep 3, 2020, 2:01:47 AM
to airele...@tutanota.com, Qubes Users
On 9/2/20 11:39 PM, airelemental via qubes-users wrote:
>
>
>> I just don't like the idea of putting untrusted code in a templateVM used by sensitive VMs.
>>
> Me neither! But I avoid multiplying templates by installing apps directly into appvms.
> This minimizes the number of templates I have to keep up-to-date.

FYI, that approach is risky. The code sitting in /rw or /home becomes a
way for malware to persist between VM restarts.

> The general strategy with installing packages inside appvms (at least those based on debian) is to make the package cache into a bind-dir and then reinstall package from cache every appvm startup.
>

A safer way to add apps at startup would be to use Qubes-vm-hardening
(see my github below) and stash the packages in the
/etc/defaults/vms/<vmname> dir... the vm-boot-protect service will run
just before /rw is mounted and see that config files matching the
current VM name exist. It's a good way to specialize appVMs without
creating new templates.

Should also mention that snaps and flatpaks may be a better fit for
adding apps at boot-time, since there is a chance you can do it quicker
using little more than 'mv'.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Mike Keehan

Sep 3, 2020, 6:27:30 AM
to qubes...@googlegroups.com
Hi Ryan,

I do very similar things. I have a debian-media and a couple of other
specialised templates. Also, I have a Skype standalone VM as I didn't
want a whole template just for Skype.

I had to give up on my zoom standalone VM because my usb camera was
very flakey when attached via sys-usb. Works OK with skype, but
not zoom!?!

Mike

Dan Krol

Sep 6, 2020, 12:58:27 PM
to Mike Keehan, qubes-users
My (perhaps naive) approach is to just use flatpak local install in the AppVM. I don't have to mess with bind-dirs. I have a couple different AppVMs where I have such proprietary software away from anything I want to keep safe/private. I'm curious why people are talking about reinstalling on startup, or the risks of keeping installed software in /rw etc. We're already treating these VMs as low trust anyway right?

Dan Krol

Sep 6, 2020, 12:59:24 PM
to qubes-users
(By "local install" I mean per-user install)

hut7no

Sep 6, 2020, 1:34:12 PM
to qubes-users
I do this, but I use a squid proxy setup from rustybird to cache updates.
Starting up and shutting down VMs still takes the same amount of time though.

Stumpy

Oct 16, 2020, 8:37:14 AM
to Chris Laprise, Qubes Users
Chris,
Since I think the package was forked from your work I thought I would
ask if you knew if the package included a kill switch? I noticed on your
qubes github page it mentioned "fail close" which is the same thing? If
yes, then I am guessing it's safe to assume that the forked qubes package
also includes a fail close/killswitch?
Thank you very much