Is it possible to run browser and other "chatty" applications as dedicated users in appvm?

60 views
Skip to first unread message

Jane Jok

unread,
Jan 30, 2017, 2:21:50 PM1/30/17
to qubes-users
Hello!

I'd like to ask if it is possible to run certain applications (notably, browser) as dedicated users in appvm ?

I know that Qubes security model doesn't rely on users system for security, but combined with iptables, this could prevent traffic leaks when running certain "wonky" VPN configs (for instance, ipsec based VPNs where a tun device is absent) by straight up disallowing a certain user from communicating over anything other than the VPN link.

The model here is not malware taking over the AppVM and using it to maliciously deanonymize the user (protecting against that would require a separate ipsec VM and frankly I already have way more VMs running than healthy) but rather fat fingers and forgetfulness causing a leak (not checking that Strongswan has brought tunnel up properly, etc)

are there any special considerations for doing "browser running as separate user" in Qubes AppVM or can I straight up follow this https://wiki.archlinux.org/index.php/skype#Use_Skype_with_special_user and "be good" ?

Garrett Robinson

unread,
Jan 30, 2017, 2:25:48 PM1/30/17
to qubes...@googlegroups.com
On 01/30/2017 11:21 AM, Jane Jok wrote:

> I know that Qubes security model doesn't rely on users system for security, but combined with iptables, this could prevent traffic leaks when running certain "wonky" VPN configs (for instance, ipsec based VPNs where a tun device is absent) by straight up disallowing a certain user from communicating over anything other than the VPN link.
Hm, this sound like you're running a VPN in your AppVM. Are you? If so,
a better solution (that can easily achieve your goal of preventing
leaks, albeit for an entire VM instead of a specific user of a VM) is to
use a ProxyVM, as documented here: https://www.qubes-os.org/doc/vpn/.

Jane Jok

unread,
Jan 30, 2017, 2:36:37 PM1/30/17
to qubes-users

-
I already have a bunch of proxyvms running different VPNs for... different reasons.

Unless I get a box with more ram or someone much smarter than me does one of those super-fancy <100MB RAM unikernel VM things, but for ipsec tunnels, this is the best option.

Besides, it's not a "high risk" VM or anything like that.

Unman

unread,
Jan 31, 2017, 6:55:59 PM1/31/17
to Jane Jok, qubes-users
Yes, you can do this, exactly as you envisage, and it's relatively
straightforward. Standard caveats apply, and you'll need to get
permissions right and grant access to the X server, but otherwise there's
nothing Qubes specific here.

Reply all
Reply to author
Forward
0 new messages