date:20170210

On Friday, February 10, 2017 at 3:02:23 AM UTC-8, john.david.r.smith wrote:
> On 10/02/17 11:53, '0xDEADBEEF00' via qubes-users wrote:
...
> > This also serves as a decoy, if I'm forced to boot my laptop when passing 
> > borders or so.
> >
> > Best,
> >
> > 0xdeadbeef
> 
> dual booting opens a whole new attack surface.
> is there a way to deal with this?
> the other os may not be able to read/modify qubes due to encryption, but it 
> can write something malicious on the disk (e.g. some loader running before 
> qubes)

thats what AEM is for, but then, on most laptops, you lose iommu protection. 
the lemur7 from system76 has a pci bridged sd card reader, but you cant boot 
from it!
if 0xdeadbeef is running on the dummy partition most of the time, this probably 
is not a problem, unless it runs into a badusb that can compromise bios or 
firmware.

some laptops can have multiple internal drives, but since sometime after 2010, 
they stopped letting you disable devices in bios. havent found any modern ones 
that let you do this.

maybe something can be done with coreboot if bootguard is disabled. but then 
you dont have bootguard protecting your bios. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dc2fc2ca-145b-4970-8239-9791a24afd1d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: traveling - best practice

2017-02-10 Thread Jake

On 02/10/2017 05:02 AM, john.david.r.smith wrote:

On 10/02/17 11:53, '0xDEADBEEF00' via qubes-users wrote:

Interesting topic...

I would like to here more about how people handle this.

On my side, I'would never work on sensitive information in such a
situation.
To make just some surfing in public place, my laptop is installed
with a standard w10 that I use only to check a generic mailbox with
on sensitive information, do some nonsensitive work and surf. By the
way, the boot sequence of my laptop is set to boot this partition by
default with no menu or prompt of any kind. If I want to boot into
qubes, I have to do it manually by interupting the boot sequence.
This also serves as a decoy, if I'm forced to boot my laptop when
passing borders or so.

Best,

0xdeadbeef

dual booting opens a whole new attack surface.
is there a way to deal with this?
the other os may not be able to read/modify qubes due to encryption,
but it can write something malicious on the disk (e.g. some loader
running before qubes)

while i can't deny the utility of a decoy, dual booting does indeed open
a new attack surface, e.g. win10 gremlin rewrites the bootloader on your
non-win10 partitions in a way that caches your disk passphrase somewhere
win10 can access it next time it boots.

the best policy with windows is to never use it under any circumstances,
provided you can manage it.

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/621ac601-b135-33f2-8e18-c455b9723e5f%40companyzero.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Ad-blocking ProxyVM?

2017-02-10 Thread mb

Is there any particular reason you are setting up another app VM for this? Why 
not run it on the net o firewall VM?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/43ae55b6-2ecf-475b-afa8-f739a45a40ce%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] using a custom salt module in top files

2017-02-10 Thread john.david.r.smith


hi.
i wrote some custom salt module and use it for rendering in my top-file.
everything works great as long as i am only in dom0.
as soon as my stuff is run in domU (or rather its management-vm) i get errors:

when rendering:
/var/tmp/.root_62a99a_salt/running_data/var/cache/salt/minion/files/base/top.jinja
i get an error in line 77:
77: {%- load_yaml as single_top -%}
78: {% include top %}
79: {%- endload -%}

this is the place where my top file is included.
after including the file, rendering it as yaml fails.

after adding some outputs to jinja i was able to see my rendered top file.
the line it complains about is:
{'retcode': 0, '_error': 'Failed to return clean data', 'stderr': "'my.function' is 
not available.", 'stdout': ''}

the original call is:
{{ salt['my.function'](yaml=yaml, grains=grains) }}

the error suggests:
when my top file is included in top.jinja, no custom salt modules are used.
this seems to be a bug.
how can i fix this?
i could add some wrapper around it and do rendering for domu using jinja, but 
this is kind of cumbersome.
this is also only possible since my function only does very little in domu.
furthermore this would prevent me from doing more complex stuff in domu in the 
future (currently it is not planned, but maybe i want to do such stuff in the 
future).

so i am interested in a way to fix the rendering (so it correctly uses the 
custom module).

-john

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/657da085-57eb-e816-13d5-fea8e13c8050%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Updating packages with salt does not refresh the repositories

2017-02-10 Thread Jean-Philippe Ouellet

On Thu, Feb 9, 2017 at 6:46 PM,   wrote:
> I have an update.sls with the following content:
>
> updates:
>   pkg.uptodate:
> - refres: True

If that's literally a copy & paste... because you're missing the h in refresh?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_CSgacYoF2EyZJcNvOEDdG5f7FLYn6N9%2B2voxvEK651bA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: What? Can I access a windows USB drive?

2017-02-10 Thread raahelps

Yes go to sys-usb in the start menu and select files.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8ec361a0-1722-4de7-bbe5-06275f76e1d1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Ad-blocking ProxyVM?

2017-02-10 Thread raahelps

I never heard of that program looks interesting.  I still use iblocklist.com 
lists with peerguardian on debian 8.  But I run it right in the vm.  maybe a 
better idea if you have the resources to run it in a proxy.  The vm is 
protected from the app the and app protected from other apps I guess.  sys-net 
is regarded as untrusted anyways.  but why make it even less so maybe.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/61515aea-16cf-48a6-a37c-0d2480722e97%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes 3.2: Realtek ethernet not detected by sys-net, please help.

2017-02-10 Thread surf . nx

Tried all the following over the last 4 days. Please help if possible.

rpm -q linux-firmware :
linux-firmware-20161205-69.git91ddce49.fc24.noarch

Failed with DMA setting at:
qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=16384"


dom0 dmesg:

02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 
PCI Express Gigabit Ethernet Controller (rev ff)

dom0 lspci -k:

02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 
PCI Express Gigabit Ethernet Controller (rev ff)
Kernel driver in use: pciback
Kernel modules: r8169

dom0 lspci -nn:

02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. 
RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev ff)

sys-net dmesg:

pci :00:00.0 [10ec:8168] type 7f class 0xff
pci :00:00.0 unknown header type 7f, ignoring device

sudo dmesg | grep pci

pciback :02:00.0: timed out waiting for pending transaction; performing 
function level reset anyway

ExecStartPre as per the following also failed:

[Unit]
Description=Netvm Fixup
Before=qubes_netvm.service

[Service]
ExecStart=/bin/sh -c 'echo :20:00.0 > 
/sys/bus/pci/drivers/pciback/permissive'

Type=onshot
RemainAlertExit=yes

[Install]
WantedBy=multi-user.target

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1c37780e-170f-4744-b36b-236f9f89cf64%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ubuntu template

2017-02-10 Thread damien . waber

Le jeudi 9 février 2017 12:41:42 UTC+1, Unman a écrit :
> On Thu, Feb 09, 2017 at 02:37:36AM -0800, wrote:
> > Hi,
> > 
> > I am new into qubes (few months) and find it great. But I need a distro 
> > with newer packages (debian jessie was fine until I ran in issues with 
> > encfs compatibility).
> > 
> > So I wanted to build an ubuntu template but I did not found clear 
> > instructions.
> > 
> > using https://github.com/QubesOS/qubes-builder and the setup script, I do 
> > not get ubuntu to choose in the menu.
> > 
> > On this forum, there is few posts about it but using privaze repo.
> > 
> > I really need help on this :-)
> > 
> > Best regards,
> > 
> > Damien
> > 
> 
> Hi Damien,
> 
> The Ubuntu builds are referenced in setup as Trusty and Xenial.
> 
> I've just put in a series of Pull Requests that should allow
> straightforward builds of both.
> Wait a little while for them to be merged. 
> 
> It should then be a matter of:
> git clone  https://github.com/QubesOS/qubes-builder
> cd qubes-builder
> ./setup
> make qubes-vm
> make template
> 
> Copy generated Template to dom0 and install - there's a handy script
> provided to do this for you.
> 
> I'll let you know when the PRs are merged. Focus at the moment is on
> the GSOC applications.
> 
> unman

Hi, thank you !

Is there a way I may support you? maybe I can test it?


Best regards,

Damien

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e0e574d2-1700-44c4-aa51-2f221a218d5a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Updating packages with salt does not refresh the repositories

2017-02-10 Thread qubes




On 10.02.2017 17:04, Jean-Philippe Ouellet wrote:

On Thu, Feb 9, 2017 at 6:46 PM,   wrote:

I have an update.sls with the following content:

updates:
  pkg.uptodate:
- refres: True


If that's literally a copy & paste... because you're missing the h in 
refresh?


Thx for the reply. It is no copy and paste because it is in dom0. I use 
the correct writing "- refresh: True".


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6c544e18d7af73c285cfe2ad46215fee%40posteo.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL - Sony Vaio 11 Pro i7 - SVP11216PXB

2017-02-10 Thread Robert Horvath



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170210204107.GB21243%40nyar.eu.
For more options, visit https://groups.google.com/d/optout.
---
layout:
  'hcl'
type:
  'notebook'
hvm:
  'yes'
iommu:
  'no'
slat:
  'yes'
tpm:
  ''
brand: |
  Sony Corporation
model: |
  SVP11216PXB
bios: |
  R1044V7
cpu: |
  Intel(R) Core(TM) i7-4500U CPU @ 1.80GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Haswell-ULT DRAM Controller [8086:0a04] (rev 09)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation Haswell-ULT Integrated Graphics Controller [8086:0a16] (rev 
09) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Wireless 7260 (rev 6b)
memory: |
  8098
scsi: |
  SAMSUNG MZNTD256 Rev: 300Q
  Ultra FitRev: 1.00

versions:

- works:
'yes'
  qubes: |
R3.2
  xen: |
4.6.1
  kernel: |
4.4.14-11
  remark: |
'After installing apply instructions in "Boot device not recognized after 
installing" at https://www.qubes-os.org/doc/uefi-troubleshooting The card was 
not recognized only if I plugged in through a USB HUB.'
  credit: |
FIXAUTHOR
  link: |
FIXLINK

---

Re: [qubes-users] ubuntu template

2017-02-10 Thread Nick Darren



On 02/10/2017 09:46 AM, trul...@gmail.com wrote:
> четверг, 9 февраля 2017 г., 14:41:42 UTC+3 пользователь Unman написал:
>> On Thu, Feb 09, 2017 at 02:37:36AM -0800, damien.wa...@gmail.com wrote:
>>> Hi,
>>>
>>> I am new into qubes (few months) and find it great. But I need a distro 
>>> with newer packages (debian jessie was fine until I ran in issues with 
>>> encfs compatibility).
>>>
>>> So I wanted to build an ubuntu template but I did not found clear 
>>> instructions.
>>>
>>> using https://github.com/QubesOS/qubes-builder and the setup script, I do 
>>> not get ubuntu to choose in the menu.
>>>
>>> On this forum, there is few posts about it but using privaze repo.
>>>
>>> I really need help on this :-)
>>>
>>> Best regards,
>>>
>>> Damien
>>>
>> Hi Damien,
>>
>> The Ubuntu builds are referenced in setup as Trusty and Xenial.
>>
>> I've just put in a series of Pull Requests that should allow
>> straightforward builds of both.
>> Wait a little while for them to be merged. 
>>
>> It should then be a matter of:
>> git clone  https://github.com/QubesOS/qubes-builder
>> cd qubes-builder
>> ./setup
>> make qubes-vm
>> make template
>>
>> Copy generated Template to dom0 and install - there's a handy script
>> provided to do this for you.
>>
>> I'll let you know when the PRs are merged. Focus at the moment is on
>> the GSOC applications.
>>
>> unman
> Unman can you make a template rpm Ubuntu and put it on
>
> https://ftp.qubes-os.org/repo/yum/r3.2/templates-community/rpm/ ?:)
>
> Trying qubes-builder with trusty, xenial, xenial-desktop and no success. 
> Everytime troubles with MAKE. 
>
> qvm clone fedora-23 ubuntu
> grow to 25 GB, allow network
> yum install git createrepo rpm-build rpm-sign make python-sh rpmdevtools 
> rpm-sign dialog
> git clone  https://github.com/QubesOS/qubes-builder
> cd qubes-builder
> ./setup 
>
> Choosing fedora23 and mgmt-salt, then Ubuntu Xenial. 
>
> make get-sources
> make install-deps
>
> And finally make qubes-vm can't build template
>
> "Building packages not supported by any configured plugins"
>
> It means that need to use debian-8 template for builder?
>
Hi,

You need debian-builder instead of fedora in the first step of `setup`,
because ubuntu is based on debian. This is mandatory to build any
debian-based operating system.

To skip unnecessary setup to use only for making ubuntu template, first 
edit the ‘qubes-os-r3.2.conf’ (if you use r3.2 in this case) which is
found in /home/user/qubes-builder/example-configs. Use the text editor
of your choice.

Go to the first line containing ‘DISTS_VM ?= fc23’  Remove ‘fc23’ or
whatever is listed there leaving only ‘DISTS_VM ?=’. Then save the file
and close the text editor.

Run the 'setup' script located in ‘/home/user/qubes-builder/’ Make sure
you are in directory ‘qubes-builder’.

$ cd /home/user/qubes-builder/
$ ./setup

Deselect 'builder-fedora'
Select 'builder-debian'

On 'Template Distribution Selection':
Select xenial+desktop

Proceed others as per instructions.


To check build-logs in progress later you can use `tail -f` command in
between the *.log locations.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/768a27ed-a609-f187-0485-a239bddfba11%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

[qubes-users] Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)

On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy  wrote:
> On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:
>> I've heared that new intel mother boards  will have (or already have)
>> ability to access jtag interface via USB.
> yes, skylake and kabylake processors. heres the ccc talk on it.
> https://www.youtube.com/watch?v=2JCUrG7ERIE
thanks! Started listening - got basics, 'll continue later. Very intersting . :)

>> Does this mean that USB qube is now useless as a security border on
>> such a mother board?
> only if the manufacturer has it enabled. the only vendor who got back to me 
> (and knew what i was talking about) when i asked was system76 to confirm that 
> it is disabled on their lemur series.
> puri.sm was aware, but doesnt have any hardware out using those chips.
So finally it is a question of trusting the vendor (and their public
relations personnel who may think that those capabilities are not
really disabled.

Shouldn't these CPUs and motherboards be specially noted as dangerous
in qubes HCL?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OeakZiD2ogZiH7Y3%2B7A2nqFM7yyKChaghFgHL6ejSQ4A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ubuntu template

On Fri, Feb 10, 2017 at 01:46:02AM -0800, trul...@gmail.com wrote:
> четверг, 9 февраля 2017 г., 14:41:42 UTC+3 пользователь Unman написал:
> > On Thu, Feb 09, 2017 at 02:37:36AM -0800, damien.wa...@gmail.com wrote:
> > > Hi,
> > > 
> > > I am new into qubes (few months) and find it great. But I need a distro 
> > > with newer packages (debian jessie was fine until I ran in issues with 
> > > encfs compatibility).
> > > 
> > > So I wanted to build an ubuntu template but I did not found clear 
> > > instructions.
> > > 
> > > using https://github.com/QubesOS/qubes-builder and the setup script, I do 
> > > not get ubuntu to choose in the menu.
> > > 
> > > On this forum, there is few posts about it but using privaze repo.
> > > 
> > > I really need help on this :-)
> > > 
> > > Best regards,
> > > 
> > > Damien
> > > 
> > 
> > Hi Damien,
> > 
> > The Ubuntu builds are referenced in setup as Trusty and Xenial.
> > 
> > I've just put in a series of Pull Requests that should allow
> > straightforward builds of both.
> > Wait a little while for them to be merged. 
> > 
> > It should then be a matter of:
> > git clone  https://github.com/QubesOS/qubes-builder
> > cd qubes-builder
> > ./setup
> > make qubes-vm
> > make template
> > 
> > Copy generated Template to dom0 and install - there's a handy script
> > provided to do this for you.
> > 
> > I'll let you know when the PRs are merged. Focus at the moment is on
> > the GSOC applications.
> > 
> > unman
> 
> Unman can you make a template rpm Ubuntu and put it on
> 
> https://ftp.qubes-os.org/repo/yum/r3.2/templates-community/rpm/ ?:)
> 
> Trying qubes-builder with trusty, xenial, xenial-desktop and no success. 
> Everytime troubles with MAKE. 
> 
> qvm clone fedora-23 ubuntu
> grow to 25 GB, allow network
> yum install git createrepo rpm-build rpm-sign make python-sh rpmdevtools 
> rpm-sign dialog
> git clone  https://github.com/QubesOS/qubes-builder
> cd qubes-builder
> ./setup 
> 
> Choosing fedora23 and mgmt-salt, then Ubuntu Xenial. 
> 
> make get-sources
> make install-deps
> 
> And finally make qubes-vm can't build template
> 
> "Building packages not supported by any configured plugins"
> 
> It means that need to use debian-8 template for builder?
> 

If you read my email I specifically say that there are PRs to fix these
issues, and I will let you know when they are merged.
They aren't merged yet.

As for a pre-built template, as John points out, and as explained on
the relevant page in the docs, we can't do this because of Canonical's
policies.
This may change but for the moment, building your own template is the
only solution.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170210231112.GB9080%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ubuntu template

On Fri, Feb 10, 2017 at 10:04:54AM -0800, damien.wa...@gmail.com wrote:
> Le jeudi 9 février 2017 12:41:42 UTC+1, Unman a écrit :
> > On Thu, Feb 09, 2017 at 02:37:36AM -0800, wrote:
> > > Hi,
> > > 
> > > I am new into qubes (few months) and find it great. But I need a distro 
> > > with newer packages (debian jessie was fine until I ran in issues with 
> > > encfs compatibility).
> > > 
> > > So I wanted to build an ubuntu template but I did not found clear 
> > > instructions.
> > > 
> > > using https://github.com/QubesOS/qubes-builder and the setup script, I do 
> > > not get ubuntu to choose in the menu.
> > > 
> > > On this forum, there is few posts about it but using privaze repo.
> > > 
> > > I really need help on this :-)
> > > 
> > > Best regards,
> > > 
> > > Damien
> > > 
> > 
> > Hi Damien,
> > 
> > The Ubuntu builds are referenced in setup as Trusty and Xenial.
> > 
> > I've just put in a series of Pull Requests that should allow
> > straightforward builds of both.
> > Wait a little while for them to be merged. 
> > 
> > It should then be a matter of:
> > git clone  https://github.com/QubesOS/qubes-builder
> > cd qubes-builder
> > ./setup
> > make qubes-vm
> > make template
> > 
> > Copy generated Template to dom0 and install - there's a handy script
> > provided to do this for you.
> > 
> > I'll let you know when the PRs are merged. Focus at the moment is on
> > the GSOC applications.
> > 
> > unman
> 
> Hi, thank you !
> 
> Is there a way I may support you? maybe I can test it?
> 
> 
> Best regards,
> 
> Damien
> 

As soon as the PRs are merged I'll post to the list, and you can try it
then. (Or you could merge them yourself of course, and try the build.)
Testing and feedback would be much appreciated.

I've been using Xenial for a while and it seems fine.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170210231518.GC9080%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Ad-blocking ProxyVM?

On Fri, Feb 10, 2017 at 04:10:06AM -0800, Joe Ruether wrote:
> On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote:
> > On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> > > Hello!
> > > 
> > > I am trying to set up a proxy vm that will redirect DNS requests to a 
> > > local DNS server, for the purposes of adblocking.
> > > 
> > > Here is the setup:
> > > 
> > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> 
> > > appvm_with_firefox
> > > 
> > > I have created a proxyvm based on a debian-8 template, and have installed 
> > > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a 
> > > DNS server (dnsmasq) and rejecting any dns queries to domains that serve 
> > > ads.
> > > 
> > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 
> > > and open firefox (in the proxyvm), I can verify that the adblocker is 
> > > working correctly.
> > > 
> > > The issue I am having is when I used the proxyvm as the netvm for another 
> > > appvm. Without any other changes, my appvm's firefox has internet access, 
> > > but the adblocker has no effect. Of course, some additional setup is 
> > > needed, but I'm not exactly sure how to do that.
> > > 
> > > I'm not very good with iptables, and every attempt I have made to 
> > > redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both the 
> > > proxyvm and the appvm to lose the ability to browse). Here are the 
> > > commands I ran (in the proxyvm):
> > > 
> > > #!/bin/bash
> > > DNS=127.0.0.1
> > > NS1=10.137.4.1
> > > NS2=10.137.4.254
> > > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> > > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> > > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> > > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> > > 
> > > ---
> > > 
> > > I pieced this together from what I could find from the VPN documentation 
> > > on the qubes website as well as the contents of 
> > > /usr/lib/qubes/qubes-setup-dnat-to-ns
> > > 
> > > Running the qubes-setup-dnat-to-dns script by itself after changing 
> > > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.
> > > 
> > > So! My question is, am I going about this correctly? I think I need to 
> > > modify the iptables in the proxyvm to redirect any incoming (from the 
> > > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the 
> > > internet, from the proxyvm) DNS queries to get out. Along with this, I 
> > > think I need to ensure that there are rules that allow all other traffic 
> > > to pass through unhindered.
> > > 
> > > Or is there a different, qubes-specific way of handling DNS that I should 
> > > be using? After inspecting the sys-firewall ipconfig and iptables, it is 
> > > clear that something behind-the-scenes is happening where an additional 
> > > NIC is created for each attached appvm, and the iptables are being 
> > > populated automatically somehow. I'm not sure how the proxyvm is supposed 
> > > to get the addresses of the appvm and sys-firewall (my script above had 
> > > addresses hardcoded).
> > > 
> > > Thank you for any help! If I get all this working, I'm planning on making 
> > > a Salt file that can create the adblocking proxyvm.
> > > 
> > 
> > I don't see any reason why this shouldn't work.
> > I wouldn't be so specific in the nat rules but that's your call. Just
> > protocol and post would suffice.
> > 
> > One obvious point is that you are ADDING those rules to the end of the
> > PR-QBS chain without flushing it first. If you already have redirect
> > rules there they will trigger first.
> > What does your nat table look like after you run that script?
> > 
> > Another point may be that you don't have an incoming rule in the INPUT
> > chain allowing inbound traffic to the DNS ports. Unless you've changed
> > this the default rule will block inbound traffic from any vif interface.
> > So you need to ensure you are allowing that traffic with an:
> > iptables -I INPUT -i vif+ -p udp --dport 53 -j ALLOW
> > 
> > Finally, you need to consider the effects of the qubes-firewall and
> > qubes-netwatcher services.
> > If you want to retain these you can use
> > /rw/config/qubes-firewall-user-script to override the automatic Qubes
> > configuration and insert your own iptables rules.
> > You can also use rc.local to set initial iptables rules.
> > Remember to make those files executable if you want to use them.
> > 
> > Most of this is in the docs, although not easy to find.
> > 
> > Hope this helps
> > 
> > unman
> 
> Thank you for your help, I have more information about my configuration 
> below. I am confident that I have an iptables issue, but I can't seem to 
> figure out which rules need to be added.
> 
> ifconfig:
> 
> eth0  Link encap:Ethernet  HWaddr 00:16:3e:5e:6c:01  
>   inet addr:10.137.2.3  Bcast:10.255.255.255  Mask:255.255.255.255
>

[qubes-users] Re: [qubes-devel] Re: Devilspie2 integration

On Tue, Feb 7, 2017 at 1:41 PM, Andrew David Wong  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> [Please keep the list CCed.]
 why do we use operating systems at all? Because them provide
 some set of default pretty functionality/environment from the
 box. Why each time I power down my PC and power it up back I
 have to waste time on placing windows between desktops? Why the
 hell I can't power on and smoke then get back and see
 everything same way organised as I had on my last power up?
>>> Well, you can install Devilspie2 (or equivalent) in dom0 and
>>> automate your setup. (Remember, the foregoing discussion is about
>>>  whether it should be installed *by default*.)
>> Yep. KDE by default has this from the box. Xfce has nothing for
>> this. That's why "by default"
> Hm, then perhaps it's really Xfce who should integrate this upstream?
It would be nice.

Who will ask them for an integration? I guess unless enough people will do - no
one will decide to implement.

> It seems like it would be suboptimal for the Qubes Project to try to
> maintain a fork of Xfce that goes beyond Qubes-specific functions.
you haven't to fork and maintain Xfce entirely. All you need - an option for
restriction in qubes configuration for a VM and a script that will autogenerate
configuration of restrictions offered by a tool you choose.

1st step is done: you adding a tool allowing such a restriction (the
tool is already selected for a future Qubes, AFAIK)
now the second step: allow users easily automate restrictions based on
that tool via qubes configuration interface.

 The only thing I would like is having choice on restore as it
 was and run new session. People at firefox made good work and
 algorithm is well known, why not to apply this to Qubes: On
 start show what is going to be started, if user chooses
 "restore last state"  - exactly that set left at session
 abort/power off is shown, if user is in doubt - new tab is
 always available. if user doesn't want to start same or partial
 set - give him/her clean new session. What a problem to do same
 way w/ desktop placement and VM autorun? People spend a lot of
 time starting same things on next power up. Firefox behaviour
 in case when  firefox configured "restore previouse state" and
 was killed/aborted is best behaviour I've seen on restoring
 workspace.
>>> This sounds like it would indeed be a nice feature. Care to
>>> contribute a patch?
>> Not. :( A lot of questions appear to understand where to make
>> changes at 1st. Unsure that I'll be able to make such a patches.
>
 Locking application to some desktop set is a very good feature
  and, afair and adding this functionality via some utility in
 Dom0 default package set is work in progress for current qubes.
 Just choose one app we're okay with, hug it with qubes vm
 manager and users will love ability to use it. :) I don't vote
 for this one utility - I vote for similar functionality
 available to user _by_default_ .
>>> Why _by default_? As I explained above, we need to take a
>>> disciplined approach in deciding which features get included by
>>> default. If we include by default everything that everyone wants,
>>>  Qubes will suffer from the consequent software bloat and feature
>>>  creep.
>> That is not what every one want but this is what _everyone_
>> usually wastes time on - when powered down and powered up to
>> continue .
>>
>>> We must resist the temptation to push for the default inclusion
>>> of features simply because *we* like them. There has to be a
>>> stronger reason than that. We have to ask ourselves the hard
>>> questions: Why do you want it to be the default? To save you from
>>> having to configure it yourself? Because you think other people
>>> should share your personal preferences?
>> Isn't the reason "every one wastes time that way" above is not
>> enough to add in whish list "make life better for every one" by
>> enabling option to restore last state of running VMs this way"?
>>
>
> It sounds like you're conflating a few different ideas here:

> including Devilspie2 by default,
you should include by default at least one of tools allowing such a
restriction - choose within Qubes team.
I've no idea which is better automated from outside w/o requirements
for user interaction.

> locking apps to virtual desktops,
Yep.

> and saving state.
Yep.

> I think the case for the last one is probably stronger than the first
> two (given what has been said so far), but maybe this is a question
> for the UX experts.
Yep, every one is wasting time restoring state, not every one needs
desktop-bound appllications.

>>> Also, why is it so important to restrict certain domains to
>>> certain virtual desktops?
>> All these restrictions are about:
>>
>> 0. Save time - all appears same place (mean desktop set) - no
>> annoying window reorder . 1. Easier to group desktops and
>> activities b

Re: [qubes-users] I have a bank vm, how do you restrict

On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise  wrote:
> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
>>
>> On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
>>  wrote:

 I have a bank vm, how do you restrict the browser from being able to go
 else
 where? Do you add the iprules in the vm or do you create a proxyvm and
 add
 the iprules there?

 I've tried both, and created an email vm with iprules "deny everything
 except"

 But then neither vm(s) will connect.

 Is there a proper way to do this?

 Or will I have to do the tinyproxy thing I've read elsewhere ?
>>>
>>> I've tried both solution some time ago and definitly the tinyproxy
>>> solution
>>> works much better and can handle nicely dns round robin or servers behind
>>> load balancers. By the way this solution offer an other nice possibility,
>>> you can use regular expressions and for example allow .*\.mycompany\.com$
>>> on
>>> the conter-part, you will have to trust the dns resolution.
>>
>> Look also for modules like 'request policy' and 'no script'  or
>> 'policeman' that implements nice GUI allowing both types in a single
>> place.
>>
>> Request policy + 'ask for reload permission' should be enough to
>> control in a single VM for a few banks in single place.
>> Not that secure as proxying and denying in some other VM, but easy +
>> GUI controls + require some configuration work at start.
>>
>
> Good recommendations. I'll add one to that list: HttpsEverywhere.
>
> It will keep you from accidentally accessing pages in unencrypted form. You
> can also set it to allow only https (although some banks may use a mix of
> https and http).
>
look also for uMatrix, Privacy Badger, force cache loading,  For
banking use of policeman and https everywhere should be enough. Though
other firefox modules are also good.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OeKXvXC%2BJpJopqhMGX4YobP5yJj0-KLzHgXLkis0jhVQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

On Sat, Feb 11, 2017 at 2:35 AM, Oleg Artemiev  wrote:
> On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise  wrote:
>> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
> I have a bank vm, how do you restrict the browser from being able to go
> else
> where? Do you add the iprules in the vm or do you create a proxyvm and
> add
> the iprules there?
 I've tried both solution some time ago and definitly the tinyproxy
 solution
 works much better and can handle nicely dns round robin or servers behind
 load balancers. By the way this solution offer an other nice possibility,
 you can use regular expressions and for example allow .*\.mycompany\.com$
 on
 the conter-part, you will have to trust the dns resolution.
>>>
>>> Look also for modules like 'request policy' and 'no script'  or
>>> 'policeman' that implements nice GUI allowing both types in a single
>>> place.
>>> Request policy + 'ask for reload permission' should be enough to
>>> control in a single VM for a few banks in single place.
>>> Not that secure as proxying and denying in some other VM, but easy +
>>> GUI controls + require some configuration work at start.
>> Good recommendations. I'll add one to that list: HttpsEverywhere.
>> It will keep you from accidentally accessing pages in unencrypted form. You
>> can also set it to allow only https (although some banks may use a mix of
>> https and http).
> look also for uMatrix, Privacy Badger, force cache loading,  For
> banking use of policeman and https everywhere should be enough. Though
> other firefox modules are also good.
forgot to mention uBlock Origin .


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Mo6oPKD0i7feBm5qpEW_MNYHAZ%2BesTADLG%2BqthXN%3DXsg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qvm-run fails silently with chromium

On Fri, Feb 10, 2017 at 03:28:53AM -0800, m...@lamarciana.com wrote:
> > The issue you raise there arises because the xterm is not a login shell
> > so will not use .profile.
> > It is interactive so (using bash) will use .bashrc
> > 
> > On the immediate question here you can always set the path explicitly:
> > qvm-run -p qube "export PATH=$PATH: && foo"
> 
> Hey Unman. The issue is that neither `~/.bashrc` nor `/etc/bash.bashrc` from 
> my VM are used when I do `qvm-run` from dom0. Your workaround works but I 
> think it is quite cumbersome. I wonder if there is any way to change the VM 
> PATH seen from dom0 for every command.
> 
> Thanks
> 

Yes, I know - that's why I said "using bash".
You are using zsh, so you said, so you need to put the path in ~/.zprofile

For example, with simple script 'logit' in home/user/newpath:

qvm-run -a -p qube logit
fails with "logit: not found"

append path=('home/user/newpath' $path) to ~/.zprofile
Then qvm-run succeeds

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170211004810.GA9930%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] efi_memmap problem powering off.. coldhak paxtest fail

2017-02-10 Thread cesecurenj

Hello, i have qubes 3.2 installed with 4.4.38-11 kernel. Install went fine. In 
the beginning powering off went good but now i get stuck at a screen that says

efi: EFI_MEMMAP is not enabled

esrt: ESRT header is not in the memory map

.. i also installed coldhaks grsec script for debian template. after a paxtest 
blackhat i get vulerabilities in memory , mprotect ect..  i thought this might 
be related to efi.

I have a lenovo x260 i7 processor. Some help will be much appreciated i dont 
want to keep powering off the wrong way. Thank you.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/25b5d6d1-9ab4-44d9-8131-4897808d1fa9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Nested virtualization

2017-02-10 Thread adonis28850

Hi guys,

Is it possible to install let's say Virtual Box inside a Qube? I've done some 
reading and all people seem to say is that it should be possible, but nothing 
conclusive.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/913bddaf-8847-428d-bed4-856844768c6e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes doesn't support LXC unprivileged containers?

2017-02-10 Thread nicholas roveda

Why it's not possible to set 'kernel.unprivileged_userns_clone' 
(/proc/sys/kernel/unprivileged_userns_clone) to use LXC unprivileged 
containers? 

Qubes Kernel doesn't support it yet or is it possible to recompile the Kenel to 
add support to this? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/742e4676-77c6-4ee6-9b61-cb0783811569%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Nested virtualization

2017-02-10 Thread nicholas roveda

Yeah, currently I'm using LXC Containers inside AppVMs.

What do you need exactly?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa7a4a1c-0a99-4783-a94d-af04c645e698%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Nested virtualization

2017-02-10 Thread justin . h . holguin

On Friday, February 10, 2017 at 5:40:36 PM UTC-8, adoni...@gmail.com wrote:
> Hi guys,
> 
> Is it possible to install let's say Virtual Box inside a Qube? I've done some 
> reading and all people seem to say is that it should be possible, but nothing 
> conclusive.

VirtualBox definitely did not work for me, but I only tried it once and mostly 
out of curiosity. I can't remember the error... something about being unable to 
load a kernel module maybe?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b1a6f506-5eb3-47ad-98e9-5f7297d78f15%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)

On Friday, February 10, 2017 at 2:56:15 PM UTC-8, Oleg Artemiev wrote:
> On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy  wrote:
> > On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:

> >> Does this mean that USB qube is now useless as a security border on
> >> such a mother board?
> > only if the manufacturer has it enabled. the only vendor who got back to me 
> > (and knew what i was talking about) when i asked was system76 to confirm 
> > that it is disabled on their lemur series.
> > puri.sm was aware, but doesnt have any hardware out using those chips.
> So finally it is a question of trusting the vendor (and their public
> relations personnel who may think that those capabilities are not
> really disabled.

yes, or a cheap data cable if you already have the hardware. unfortunately,
its easy for a vendor to say they're good and then say "oops" if they're not,
and called out on it. we need better competition in security conscious hardware.

> Shouldn't these CPUs and motherboards be specially noted as dangerous
> in qubes HCL?

agreed, but i think its up to Andrew David Wong

(i hope that triggers a mention notice so he sees this)

> -- 
> Bye.Olli.
> gpg --search-keys grey_olli , use key w/ fingerprint below:
> Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
> Blog keys (the blog is mostly in Russian): 
> http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/49b07bad-1fb0-46d5-bdb3-19e639662436%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Nested virtualization

On Friday, February 10, 2017 at 5:40:36 PM UTC-8, adoni...@gmail.com wrote:
> Hi guys,
> 
> Is it possible to install let's say Virtual Box inside a Qube? I've done some 
> reading and all people seem to say is that it should be possible, but nothing 
> conclusive.

this should be a faq somewhere, it keeps getting brought up.

xen supports nested virtualization, see here: 
https://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen

but, this is disabled in qubes because of the large attack surface it 
introduces. containers, like docker and lxc, are possible, as is emulation like 
running qemu without kvm extensions or virtualbox with 32bit guests with 
acceleration turned off. 

you could make your own qubes build with it on. look for marmarek in 
qubes-devel for threads on that. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c62e6814-7a52-4d66-9f5b-c5fbd6fe467d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Nested virtualization

2017-02-10 Thread adonis28850

Hi guys, thanks for the responses, I will have a look at it.

What I need in this case in particular requires VBox, it is Genymotion, an 
Android emulator.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/127a63ae-9649-4816-89db-4c8be54a8e81%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] Re: Devilspie2 integration

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-02-10 15:32, Oleg Artemiev wrote:
> On Tue, Feb 7, 2017 at 1:41 PM, Andrew David Wong
>  wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA512
>> 
>> [Please keep the list CCed.]
> why do we use operating systems at all? Because them
> provide some set of default pretty
> functionality/environment from the box. Why each time I
> power down my PC and power it up back I have to waste time
> on placing windows between desktops? Why the hell I can't
> power on and smoke then get back and see everything same
> way organised as I had on my last power up?
 Well, you can install Devilspie2 (or equivalent) in dom0 and 
 automate your setup. (Remember, the foregoing discussion is
 about whether it should be installed *by default*.)
>>> Yep. KDE by default has this from the box. Xfce has nothing
>>> for this. That's why "by default"
>> Hm, then perhaps it's really Xfce who should integrate this
>> upstream?
> It would be nice.
> 
> Who will ask them for an integration? I guess unless enough people
> will do - no one will decide to implement.
> 

Users who care enough to ask. :)

>> It seems like it would be suboptimal for the Qubes Project to try
>> to maintain a fork of Xfce that goes beyond Qubes-specific
>> functions.
> you haven't to fork and maintain Xfce entirely. All you need - an
> option for restriction in qubes configuration for a VM and a script
> that will autogenerate configuration of restrictions offered by a
> tool you choose.
> 
> 1st step is done: you adding a tool allowing such a restriction
> (the tool is already selected for a future Qubes, AFAIK)

See:

https://groups.google.com/d/topic/qubes-users/jtjyq8N6bY0/discussion

According to that thread, wmctrl (which is supposed to be like
Devilspie2) is already installed by default, and xdotool, which is
different, will be pre-installed in a future version.

> now the second step: allow users easily automate restrictions based
> on that tool via qubes configuration interface.
> 

But this is still a nontrivial amount of work, and it's yet another
thing that the Qubes team would have to maintain. Help from the
community would probably be required.

> The only thing I would like is having choice on restore as
> it was and run new session. People at firefox made good
> work and algorithm is well known, why not to apply this to
> Qubes: On start show what is going to be started, if user
> chooses "restore last state"  - exactly that set left at
> session abort/power off is shown, if user is in doubt - new
> tab is always available. if user doesn't want to start same
> or partial set - give him/her clean new session. What a
> problem to do same way w/ desktop placement and VM autorun?
> People spend a lot of time starting same things on next
> power up. Firefox behaviour in case when  firefox
> configured "restore previouse state" and was killed/aborted
> is best behaviour I've seen on restoring workspace.
 This sounds like it would indeed be a nice feature. Care to 
 contribute a patch?
>>> Not. :( A lot of questions appear to understand where to make 
>>> changes at 1st. Unsure that I'll be able to make such a
>>> patches.
>> 
> Locking application to some desktop set is a very good
> feature and, afair and adding this functionality via some
> utility in Dom0 default package set is work in progress for
> current qubes. Just choose one app we're okay with, hug it
> with qubes vm manager and users will love ability to use
> it. :) I don't vote for this one utility - I vote for
> similar functionality available to user _by_default_ .
 Why _by default_? As I explained above, we need to take a 
 disciplined approach in deciding which features get included
 by default. If we include by default everything that everyone
 wants, Qubes will suffer from the consequent software bloat
 and feature creep.
>>> That is not what every one want but this is what _everyone_ 
>>> usually wastes time on - when powered down and powered up to 
>>> continue .
>>> 
 We must resist the temptation to push for the default
 inclusion of features simply because *we* like them. There
 has to be a stronger reason than that. We have to ask
 ourselves the hard questions: Why do you want it to be the
 default? To save you from having to configure it yourself?
 Because you think other people should share your personal
 preferences?
>>> Isn't the reason "every one wastes time that way" above is not 
>>> enough to add in whish list "make life better for every one"
>>> by enabling option to restore last state of running VMs this
>>> way"?
>>> 
>> 
>> It sounds like you're conflating a few different ideas here:
> 
>> including Devilspie2 by default,
> you should include by default at least one of tools allowing such
> a restriction - choose within Qubes team. I'

Re: [qubes-users] Mount point /proc/xen in appVM prevents flatpak packages from starting (Issue #2540 impact wider than reported)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-02-10 03:23, Alex wrote:
> Hi all,
> I've been trying to use MonoDevelop 6, now distributed as a flatpak
> package instead of the usual RPM (fedora 25).
> 
> I've had some problems in trying to run it, mainly because of an obscure
> error message "Can't mount proc on /newroot/proc: Operation not permitted".
> 
> Further debugging had me starting flatpak with "-v" (verbose) option,
> where I discovered that flatpak is just a wrapper around bubblewrap (no
> pun intended).
> 
> Investigating bubblewrap led me to
> https://github.com/projectatomic/bubblewrap/issues/134 where a Qubes
> user laments a non-working sandboxed tor browser.
> 
> There Marek casually mentions /proc/xen being the cause of this
> situation, and actually unmounting it allows MonoDevelop to start.
> 
> Since this issue is already tracked for TOR browser here
> https://github.com/QubesOS/qubes-issues/issues/2540 I'm not suggesting
> to open another issue; instead, I commented on the issue reporting that
> the impact is wider than TOR browser and I'm writing to the mailing list
> to let other puzzled flatpak-distributed-software-users know.
> 

Thanks, Alex! :)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYnrgwAAoJENtN07w5UDAwfV0QAJ1SQy/xvFRw5NoBsRRJLCKd
E6vrFrFLkj6mdhvDlEumFU6NwN4ol2l9avQchSCRuzaU7an6gpMn6/Z8z664bbU4
1kLTCEpzinbZzEegV+c66V+sSm42H/xPacrE7hn5vBlUTnAcYlZaf1bKQN8TKyPz
NO42EFJ/W9CfEKrIJDi3/B4CbMnGiXG3EcWaOGJZr/vK9SmgUWrRC21s1MRLhA6L
XeBrehVk53ZSPJrj+7zmphrgHuBJ8RniWWOdRicoTAlzr4Y/eReXNAIzBr/nz0DH
JmxQdE6BFv/inAAfmqMTzur8OXrd8he+K+FZ7O1SxYpHMqjPrSQbsuE47lxwY9nM
N1NSehoajQ6WIXcbvpXc4nDRc7nkUFpaEh/Xe5PuXqc3QDyDDTpSQ0e98hOYWdqr
C4s+nw8GRyx8XBHJgDC+tT6MsOALJPWxJxEXdgNmq4yAX6L3DhhDsvgNuPB6ta4v
1PNKPd0PklHds3dRQG1RbAFxsIe+c+XfrDTc8ptEomIhzIH/w+bAJ5glV0Z3NDnn
K3GCJkC7PCjXIlcOw/3ENgnNh7f8qUbyaRU1FwQ1OraeJRxHhX1BM+vkt9BxEkFc
f+8JQQ7zEGlkJo1bubq8+/d6HW27QATX6y8H50ws9AYjt34vEslSzm+M5SpACfIr
QjkaNHGPh2zIQh8gXiwD
=Dm1U
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d02bdf99-3d89-1753-eba6-faf41d141fc7%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-02-10 19:07, pixel fairy wrote:
> On Friday, February 10, 2017 at 2:56:15 PM UTC-8, Oleg Artemiev
> wrote:
>> On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy
>>  wrote:
>>> On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg
>>> Artemiev wrote:
> 
 Does this mean that USB qube is now useless as a security
 border on such a mother board?
>>> only if the manufacturer has it enabled. the only vendor who
>>> got back to me (and knew what i was talking about) when i asked
>>> was system76 to confirm that it is disabled on their lemur
>>> series. puri.sm was aware, but doesnt have any hardware out
>>> using those chips.
>> So finally it is a question of trusting the vendor (and their
>> public relations personnel who may think that those capabilities
>> are not really disabled.
> 
> yes, or a cheap data cable if you already have the hardware.
> unfortunately, its easy for a vendor to say they're good and then
> say "oops" if they're not, and called out on it. we need better
> competition in security conscious hardware.
> 
>> Shouldn't these CPUs and motherboards be specially noted as
>> dangerous in qubes HCL?
> 
> agreed, but i think its up to Andrew David Wong
> 
> (i hope that triggers a mention notice so he sees this)
> 

Didn't trigger a mention, but I saw it. :)

(In general, the best way to make sure I notice a message is to CC me.)

Actually, I think this should be up to Joanna and Marek (CCed). I
don't know enough about USB->JTAG to confidently evaluate how
dangerous it is.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYnrwuAAoJENtN07w5UDAwS3gP/21mSubz7pdmw3doEB71nJGq
pOHaJEF8l+T/TU2h3wgUcR2WvTRexuiOqrx6foG74KRpTL/l2skZlMldCLmBDvud
YXrbko2tTZ2zhYi2SWuYDPtEdeLUxH7bkfSU5kj8SKLtWYs+BWKH0OFlrkD8UUij
PofSSf70Uw4U8KST333SlgPUXyePO9157qGjmoPK3oqwI5+NSMCRF3OeMEFMEhzD
klbguA7+ktvvcZbPsETM8toJYQI4OOY9jYrWJd82r1dYriuOaepKHEsNHEKrPWz7
v+vY/2Lk7Fjp5KKlbvV8jfgcWUd7EkFtS7ccOnHCGpn/VqXkq41qOJ6cjPJIDM1a
o6FhXOByk4WyGKM3Fn/JtIJDZZOWJ2W18L2vVUXVqTiEBMsmznd9vH/1AQkjDpXw
ufXpYIlzUcofS6xmCozcj4z9uUqmJ3W7Fi7VO46UuWBGCsIsfRu2F3ubbezOgxYp
sxKPkWNu2sD1qSI9tAO3nCJWvzwskizCQtbbDpA+Lh1DOrSsQRR6whPHjoC3jKOh
9a8UKA4/OkkW63UfV/1TDMLmql9FbLl96vYYsYT1U5i/C4e7L/96M2wSwmYzvkLe
+L6Z565p8jTCFTRi9Qc2WQ9ltYuuMxUO9bX79Euunw5AkGERP7YOpQ711I+WgTZL
5umBTYbeQQRE7+urfzu0
=LSPJ
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bb4f525f-bef0-9aae-8b53-2c6daa1ddf8b%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Nested virtualization

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-02-10 19:16, pixel fairy wrote:
> On Friday, February 10, 2017 at 5:40:36 PM UTC-8, 
> adoni...@gmail.com wrote:
>> Hi guys,
>> 
>> Is it possible to install let's say Virtual Box inside a Qube? 
>> I've done some reading and all people seem to say is that it 
>> should be possible, but nothing conclusive.
> 
> this should be a faq somewhere, it keeps getting brought up.
> 

Hard to do an FAQ on this, because there are so many ways to try to do
nested virtualization, and they don't all turn out the same way. But
feel free to submit a PR if you like. :)

> xen supports nested virtualization, see here: 
> https://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen
> 
> but, this is disabled in qubes because of the large attack surface
>  it introduces. containers, like docker and lxc, are possible, as 
> is emulation like running qemu without kvm extensions or virtualbox
> with 32bit guests with acceleration turned off.
> 
> you could make your own qubes build with it on. look for marmarek 
> in qubes-devel for threads on that.
> 

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYnrz4AAoJENtN07w5UDAwx/4P/RCSlPYYoov49xv2kVGhZy+7
CeQnNzwnsAOungeiWcT9aAUJDHI9zESIhSFpDWPwU6ypEGk52g9pYnEW4xjKjB5N
asdJXwzlYmm9DrC1FI6uFJ8JSaO5tXZZ6ufKnhqUlVAyEk1+HR+vmxs32DdlagJP
4pufFe5W/mz5Bjj6q5V5uo/S6ZMy1c3qgJkhfs3D5l1qmkQIv1ZFlS0OE998ujSY
CVqEgS7I2ul4d2Ut0LfsgdnicnHAwt3C+3xjJdOLc+an1hfTdOVyKiyyhqCN75q9
99uIKerPo77ujEyAgVWitownTql73VbGWALP+45ZmdiUM8HoGEvdUcSRB78o1vwv
9rknrPg+HaqAEUhcTny4x38H/N38oVjPEMIV0XJhK+c8lWALGwHFrzj0pV5rlVXu
YWaPm2FoRLjdehBZQ6je5WCFe6AzgrAJAO3Shh43Y+hD9qZMtfWpevTjCik6/mCy
kbLLG7nC3nKu3szos2kNi4XbKhVmel9jYfLUz54hzGALn8h1K2uMYqEWMBBeVyMn
3GTeuceg0E4P0TRiq6cEFJvHcW9RslTmmPbDiMHOXlm6oO3O+N5rk9iRToKqfux/
Q4nWDm97o5VeZ5o7I+bMtJokklSU8vnBHoNvOrQShDQtsgJ6oIDJT8k+LaaYah9m
0mTxw6U6Erm7M87vLQbY
=4B/O
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/434dbcda-dd36-6d4a-0766-7083c65b1a6c%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Nested virtualization