On 2016-08-19 05:11, johnyju...@sigaint.org wrote:
> When I try to run qvm-run from within an AppVM, I get "Request refused."
> 
> Is this by design, for security reasons?  If so, I guess that's perfectly 
> reasonable.  I just don't see that fact documented anywhere.
> 

Yes, but it's completely user-configurable. You can read all about this system
here:

https://www.qubes-os.org/doc/qrexec3/

Pay special attention to the section titled "Qubes RPC administration." As
that section explains, there's a file where you can enable using qvm-run from
within an AppVM. That file is:

    /etc/qubes-rpc/policy/qubes.VMShell

However, before doing this, there is a very serious warning that you should
heed:

https://groups.google.com/d/msg/qubes-users/xnAByaL_bjI/3PjYdiTDW-0J

> (The demonstration of one of the Xen exploits executes a qvm-run of xcalc 
> in dom0 from a compromised AppVM, which kind of implies the fact that
> such behaviour is normally restricted between AppVMs.  If this is indeed
> the case, it might be useful if certain commands could be configurably 
> whitelisted, from a config file in dom0, to be qvm-run between specific 
> VMs.)
> 

Yes. The action is prohibited by default because it can be so dangerous.
However, as explained above, advanced users can choose to selectively allow it
for certain VMs at their own discretion.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
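
An added example (not part of the original message and not Qubes' own code): a small auditor for a policy file like the qubes.VMShell file named above, flagging allow rules that are broader than one named qube to another. It assumes the `srcvm destvm action[,options]` line format from the linked qrexec3 documentation, treats `$anyvm` as matching any name, applies the first matching line and refuses when nothing matches; the sample policy and qube names are constructed.

```python
# Added example: audit a qrexec policy file such as qubes.VMShell.
# Assumed format: srcvm destvm (allow|deny|ask)[,opt=value...]; "$anyvm" = any name.

SAMPLE_POLICY = """\
# constructed sample, not a real dom0 file
work      work-build  allow
untrusted $anyvm      deny
$anyvm    dom0        allow,user=root
$anyvm    $anyvm      deny
"""

def parse_policy(text):
    """Return a list of (lineno, src, dst, action, options) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'src dst action', got {raw!r}")
        src, dst, spec = fields
        action, *opts = spec.split(",")
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((lineno, src, dst, action, dict(o.split("=", 1) for o in opts)))
    return rules

def decide(rules, src, dst):
    """First-match evaluation (assumed); anything unmatched is refused."""
    for _, r_src, r_dst, action, _ in rules:
        if r_src in (src, "$anyvm") and r_dst in (dst, "$anyvm"):
            return action
    return "deny"

def audit(rules):
    """Flag allow rules that target dom0 or use a wildcard on either side."""
    findings = []
    for lineno, src, dst, action, _ in rules:
        if action == "allow" and dst == "dom0":
            findings.append((lineno, "allow rule targets dom0"))
        elif action == "allow" and "$anyvm" in (src, dst):
            findings.append((lineno, "wildcard allow"))
    return findings

if __name__ == "__main__":
    print(audit(parse_policy(SAMPLE_POLICY)))
```

Because evaluation stops at the first match, the `untrusted` deny line only protects dom0 while it stays above the wildcard allow; reordering the two lines changes the decision.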