Re: [qubes-users] Questions regarding updating a Fedora-template to a new version integer

2020-11-13 Thread unman
On Fri, Nov 13, 2020 at 02:24:27PM +0100, Effie ML wrote:
> I am not sure, it seems so:
> https://www.qubes-os.org/doc/templates/#switching
> 
> You should see the docs on upgrading:
> https://www.qubes-os.org/doc/templates/fedora/#upgrading
> 
> On 11/13/20 2:21 PM, 'M' via qubes-users wrote:
> > "[...] you need to change all AppVMs to the new template."
> > 
> > Is this done by opening the "Qube Settings" in the AppVM's and under
> > Template choose the new template, or what is needed to connect the old
> > AppVM's to the new/updated template ?
> > 

There is a nice Template manager tool - look in the System Menu for "manage
Templates for qubes"
You can select multiple qubes and switch to a new template with one
press of a button.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201113151259.GD14749%40thirdeyesecurity.org.


Re: [qubes-users] Questions regarding updating a Fedora-template to a new version integer

2020-11-13 Thread Effie ML
I am not sure, it seems so: 
https://www.qubes-os.org/doc/templates/#switching


You should see the docs on upgrading: 
https://www.qubes-os.org/doc/templates/fedora/#upgrading


On 11/13/20 2:21 PM, 'M' via qubes-users wrote:
> "[...] you need to change all AppVMs to the new template."
>
> Is this done by opening the "Qube Settings" in the AppVM's and under
> Template choose the new template, or what is needed to connect the old
> AppVM's to the new/updated template ?
>
> On Friday, 13 November 2020 at 14:08:12 UTC+1, Effie ML wrote:
> > On 11/13/20 1:59 PM, 'M' via qubes-users wrote:
> > > I have the following questions regarding updating a
> > > Fedora-template to a new version integer:
> > >
> > > 1)  Will the files in the desktop, documents, downloads and
> > > QubesIncoming folder be deleted when updating it ?
> >
> > No, this is AppVM data, template updates should not touch AppVM data.
> >
> > > 2)  Will all the AppVM's that are connected with the
> > > Fedora-template also be updated and still work after the update ?
> >
> > No, you need to change all AppVMs to the new template. However,
> > they should work.
> >
> > > 3)  Will the installed applications in the Fedora-template have
> > > to be reinstalled afterwards ?
> >
> > It depends on what update route you go.
> >
> > There is the (what I find to be easier) way of downloading the
> > package in dom0. But it means that you will end up with a
> > completely clean template.
> >
> > Or you can do an in-place update, it will preserve all your
> > applications and changes.
> >
> > > 4)  If not, then why not let Qubes Update the Fedora-template to
> > > a new version integer when the user accepts it to do so, or at
> > > least create a script file that a user can execute instead of
> > > having to execute all the commands manually ?
> >
> > I would like to see that too.


Re: [qubes-users] Questions regarding updating a Fedora-template to a new version integer

2020-11-13 Thread 'M' via qubes-users
"[...] you need to change all AppVMs to the new template."

Is this done by opening the "Qube Settings" in the AppVM's and under Template
choose the new template, or what is needed to connect the old AppVM's to
the new/updated template ?


On Friday, 13 November 2020 at 14:08:12 UTC+1, Effie ML wrote:

> On 11/13/20 1:59 PM, 'M' via qubes-users wrote:
> > I have the following questions regarding updating a Fedora-template to a
> > new version integer:
> >
> > 1)  Will the files in the desktop, documents, downloads and QubesIncoming
> > folder be deleted when updating it ?
>
> No, this is AppVM data, template updates should not touch AppVM data.
>
> > 2)  Will all the AppVM's that are connected with the Fedora-template also
> > be updated and still work after the update ?
>
> No, you need to change all AppVMs to the new template. However, they
> should work.
>
> > 3)  Will the installed applications in the Fedora-template have to be
> > reinstalled afterwards ?
>
> It depends on what update route you go.
>
> There is the (what I find to be easier) way of downloading the package in
> dom0. But it means that you will end up with a completely clean template.
>
> Or you can do an in-place update, it will preserve all your applications
> and changes.
>
> > 4)  If not, then why not let Qubes Update the Fedora-template to a new
> > version integer when the user accepts it to do so, or at least create a
> > script file that a user can execute instead of having to execute all the
> > commands manually ?
>
> I would like to see that too.


Re: [qubes-users] Questions regarding updating a Fedora-template to a new version integer

2020-11-13 Thread Effie ML

On 11/13/20 1:59 PM, 'M' via qubes-users wrote:
> I have the following questions regarding updating a Fedora-template to
> a new version integer:
>
> 1)  Will the files in the desktop, documents, downloads and
> QubesIncoming folder be deleted when updating it ?

No, this is AppVM data, template updates should not touch AppVM data.

> 2)  Will all the AppVM's that are connected with the Fedora-template
> also be updated and still work after the update ?

No, you need to change all AppVMs to the new template. However, they
should work.

> 3)  Will the installed applications in the Fedora-template have to be
> reinstalled afterwards ?

It depends on what update route you go.

There is the (what I find to be easier) way of downloading the package
in dom0. But it means that you will end up with a completely clean template.

Or you can do an in-place update, it will preserve all your applications
and changes.

> 4)  If not, then why not let Qubes Update the Fedora-template to a new
> version integer when the user accepts it to do so, or at least create a
> script file that a user can execute instead of having to execute all
> the commands manually ?

I would like to see that too.



[qubes-users] Questions regarding updating a Fedora-template to a new version integer

2020-11-13 Thread 'M' via qubes-users
I have the following questions regarding updating a Fedora-template to a 
new version integer:

1)  Will the files in the desktop, documents, downloads and QubesIncoming 
folder be deleted when updating it ?

2)  Will all the AppVM's that are connected with the Fedora-template also be
updated and still work after the update ?

3)  Will the installed applications in the Fedora-template have to be 
reinstalled afterwards ?

4)  If not, then why not let Qubes Update the Fedora-template to a new 
version integer when the user accepts it to do so, or at least create a
script file that a user can execute instead of having to execute all the 
commands manually ?



Re: [qubes-users] Questions: Protection against local forensics/privacy problems with Fedora sys-net, sys-firewall

2020-08-07 Thread Andrew David Wong

On 2020-08-06 7:47 PM, shie1ohk via qubes-users wrote:
> 2) Is there an easy way to save the qubes-os.org wiki locally?
>

Yes. As explained on the Documentation Guidelines page [1], "All Qubes
OS documentation pages are stored as plain text files in the dedicated
qubes-doc repository. [2] By cloning and regularly pulling from this
repo, users can maintain their own up-to-date offline copy of all
Qubes documentation rather than relying solely on the web."

In fact, you can save the entire Qubes OS website this way. [3]


[1] https://www.qubes-os.org/doc/doc-guidelines/
[2] https://github.com/QubesOS/qubes-doc
[3] https://github.com/QubesOS/qubesos.github.io

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Questions: Protection against local forensics/privacy problems with Fedora sys-net, sys-firewall

2020-08-07 Thread shie1ohk via qubes-users
The Whonix Wiki recommends disabling core dumps and swap. The idea is to
protect against local forensics by reducing usability.
1.1) Is this also recommended for Qubes-Whonix?
1.2) How can I do this?
1.3) What are the security implications? Is it recommended?

2) Is there an easy way to save the qubes-os.org wiki locally?

Fedora templates, which can ping home (sys-net, sys-firewall) using
some captive portal detection.
My idea was to replace them with Debian.
3.1) Can I do this by simply replacing the templates?
3.2) Is there an instruction how to build a fresh sys-net, sys-firewall
from a debian 10-minute template?
3.3) What are the security implications? Is it recommended?



[qubes-users] Questions about Qubes : OpenSC, LVM, etc ...

2019-01-12 Thread Jean-Michel Pouré
Dear all,

This is my first post, so I would like to thank the community for the hard
work around Qubes.

Here are some questions before I consider replacing my system with Qubes.

1) OpenSC smartcards

I would like to use OpenSC smartcard with pinpad reader to secure my SSH key. 
The pinpad reader is a USB device. Is Qubes suitable for that?

Shall I create a minimal debian template, install OpenSC and libccid, allow USB 
device. Then shall I run a disposable VM each time I want to access a remote 
server using SSH?

2) Disc access + LVM

What is the technology used for disc access? The question is that I am 
considering running a PostgreSQL database and it might be running slowly on a 
disc image. I read in documentation that dom0 had its own LVM logical volume 
(LV). I also read that VMs were stored in a disc image.

Can VMs have their own logical volume ?

Kind regards,
Alexandre Belgrand



[qubes-users] Questions

2018-12-19 Thread John Smiley
If one were to invest in a new laptop today for Qubes use exclusively and price 
wasn't a major factor, which one(s) make the top of the list?  Assume you want 
the best security possible and are willing to invest the time to learn and 
configure Qubes/Whonix to get it.  Also assume you want something that will 
take advantage of features that are planned for near-term Qubes/Whonix release.

Are there laptops that haven't hit the market yet that would be worth waiting 
for (i.e. better than any in the list from above)?

Assume you want Anti-Evil-Maid and therefore need a TPM chip.  Does that change 
which laptops are at the top of the list and why?  Is it worth giving up the 
TPM chip if you aren't all that concerned about Evil Maid?  Pretty much every 
laptop has them these days, so a follow up question to this one would be how 
the TPM is implemented (discrete, integrated, firmware, software)?   Should the 
BIOS be set to use 1.2 or 2.0 for Qubes?

More on the BIOS - should UEFI be turned off?  Thunderbolt?  Secure boot should 
be disabled, I know.  What about power management?  Anything else (ex: if the 
laptop is Intel, ME should be disabled, correct)?

Do the keyboard and mouse/trackpad on a laptop use the USB interface?  If so,
what is the best way to address that (buy an external PS/2 keyboard and mouse)?
If not, are they "safe" in the sense that only dom0 has control of them and no
other qubes can snoop as would be the case for USB?

Are there things that can be done with a home router/firewall (such as a 
dedicated pfSense box) that improve security when using Qubes/Whonix and if so, 
what would they be?

Lots of other questions, but this is probably more than enough for one
thread.



Re: [qubes-users] Questions about non-standard services & selective start

2018-08-19 Thread Rusty Bird

trueriver:
> Chris L recently showed me how to touch files in a VM to enable a
> standard service to start, in that case NetworkManager
> 
> https://groups.google.com/forum/#!topic/qubes-users/0_LUn4ha8Jg
> 
> I now want to do something similar with MySQL. I want to install it
> in a template, but have it actually start in only one of the AppVMs
> based on that.
> 
> Exactly what do I need to do in the template to activate the
> "conditionality" of the service start?

Assuming that you want conditional mysql.service startup, you can
create /etc/systemd/system/mysql.service.d/ in the template and save
some .conf file there (e.g. condition.conf) containing:

[Unit]
ConditionPathExists=/var/run/qubes-service/mysql
After=qubes-sysinit.service

Then run 'systemctl enable mysql.service' in the template, shut it
down, and enable the mysql Qubes service (in the Services tab of Qube
Settings for the VM, or by running 'qvm-service --enable thevm mysql'
in a dom0 terminal).

> Secondly, nothing ever shows up in the Qubes Settings tab for
> Services. It looks like it is designed to cover exactly this case,
> but there is never anything there to display or to enable with the
> big friendly green plus sign.
> 
> Is this a bug in Qubes, or a bug in my understanding?

You have to enter it manually. Qubes services don't necessarily relate
to systemd services unless there's some configuration like the above,
e.g. [/usr]/lib/systemd/system/NetworkManager.service.d/30_qubes.conf
which is shipped in Qubes by default.

Rusty
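
The drop-in and flag file described in the reply above, as an added example that is not part of the original thread or of Qubes itself: shell helpers that write the drop-in into a directory tree and check whether a unit's ConditionPathExists= conditions hold there. The function names and the ROOT argument (a directory standing in for the qube's filesystem root, so the check can be tried on a scratch tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT stands in for the qube's "/";
# all function names here are hypothetical.

# Write the drop-in from the post for UNIT, gated on Qubes service FLAG.
write_condition_dropin() {
    root=$1 unit=$2 flag=$3
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/condition.conf" <<EOF
[Unit]
ConditionPathExists=/var/run/qubes-service/$flag
After=qubes-sysinit.service
EOF
}

# Print every ConditionPathExists= value set for UNIT, from the unit file
# itself and from its drop-in directories.
unit_conditions() {
    root=$1 unit=$2
    for base in etc/systemd/system usr/lib/systemd/system lib/systemd/system; do
        for conf in "$root/$base/$unit" "$root/$base/$unit.d"/*.conf; do
            [ -f "$conf" ] || continue
            sed -n 's/^[[:space:]]*ConditionPathExists[[:space:]]*=[[:space:]]*//p' "$conf"
        done
    done
}

# Return 0 if all of UNIT's path conditions hold under ROOT, 1 otherwise.
# A leading "!" negates a condition, as systemd does; other prefixes are
# not handled in this sketch.
conditions_met() {
    root=$1 unit=$2
    unit_conditions "$root" "$unit" | {
        ok=0
        while IFS= read -r cond; do
            case $cond in
                '!'*) [ ! -e "$root${cond#\!}" ] || ok=1 ;;
                *)    [ -e "$root$cond" ] || ok=1 ;;
            esac
        done
        exit $ok
    }
}

# List "unit flag" pairs for every drop-in under ROOT that gates a unit on
# a Qubes service flag, to see what a template starts conditionally.
gated_units() {
    root=$1
    for base in etc/systemd/system usr/lib/systemd/system lib/systemd/system; do
        for conf in "$root/$base"/*.d/*.conf; do
            [ -f "$conf" ] || continue
            unit=$(basename "$(dirname "$conf")" .d)
            sed -n 's|^ConditionPathExists=!\{0,1\}/var/run/qubes-service/||p' "$conf" |
                while IFS= read -r flag; do printf '%s %s\n' "$unit" "$flag"; done
        done
    done
}
```

Run against a scratch directory, `conditions_met` fails until a file named after the flag exists under `var/run/qubes-service/`, which is the state the post's `qvm-service --enable thevm mysql` produces in the one qube that should run the service.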


[qubes-users] Questions about non-standard services & selective start

2018-08-19 Thread trueriver
Hi,

Chris L recently showed me how to touch files in a VM to enable a standard 
service to start, in that case NetworkManager

https://groups.google.com/forum/#!topic/qubes-users/0_LUn4ha8Jg

I now want to do something similar with MySQL. I want to install it in a 
template, but have it actually start in only one of the AppVMs based on that.

Exactly what do I need to do in the template to activate the "conditionality" 
of the service start?

Secondly, nothing ever shows up in the Qubes Settings tab for Services. It 
looks like it is designed to cover exactly this case, but there is never 
anything there to display or to enable with the big friendly green plus sign.

Is this a bug in Qubes, or a bug in my understanding?

The template in question is based on the standard Qubes Debian 9 template

MySQL was installed from the Oracle repos as it is important for one project
that I keep in sync with the software on a particular server. (Yes, I know, I 
would prefer MariaDB and would prefer not to rely on repos outside Qubes, but 
needs must...) 



Re: [qubes-users] questions - InterVM directory bind

2018-05-06 Thread Drew White
On Sunday, 22 April 2018 23:35:47 UTC+10, vic viq  wrote:
> On 18-04-22 05:26:35, trueriver wrote:
> > The page https://www.qubes-os.org/doc/qfilecopy/ describes how to copy a
> > file or directory to another domain. In the case of a directory the files 
> > can later be copied back, in which case they end up in a different 
> > directory than the original.
> > 
> > This has the advantage that both copies are available in the original host 
> > domain.
> > 
> > This has the disadvantage that copying may take some time, especially if 
> > there are a lot of files that were not actually changed.
> > 
> > I am wondering if there already exists the facility to bind a directory in 
> > one domain (the original domain) to one in another domain (the new domain). 
> > I envisage this working like mount --bind within a single machine. 
> 
> Random idea would be to create a file container, and either mount it
> locally with --loop, or (somehow...) use qvm-block to export the mount
> to another VM.

Not random at all. That is how I achieve it.
I mount one img file under multiple guests simultaneously.

So just the qvm-block will work.
If you want to get more in depth, use xl and set that up that way.
It can be more effective and speedy.


>  
> > This would have the advantage that edits made in the new domain would 
> > immediately be available in the original domain.
> > 
> > That would also be a security disadvantage as the attack surface now exists 
> > in both domains, but I envisage this being limited to the contents of the 
> > bound directory.
> > 
> > 1:
> > Has this idea been implemented already? If so pls post a link to some 
> > details.
> > 
> > 2:
> > If not, is there a way to copy back only the files that actually changed - 
> > like an inter domain rsync perhaps? If so, how would I do that?
> > 
> > This has the advantage of saving the redundant return copy, but still has 
> > the disadvantage of doing a forward copy on files that turn out to be
> > unnecessary.
> > 
> > 3:
> > Has the idea of an interVM bind been considered and rejected as inherently 
> > insecure?
> > 
> > 4:
> > Has this idea been considered and rejected as requiring more work than we 
> > want to do at the moment?



Re: [qubes-users] questions - InterVM directory bind

2018-05-05 Thread Manuel Amador (Rudd-O)
On 2018-04-22 12:26, trueriver wrote:
> The page https://www.qubes-os.org/doc/qfilecopy/ describes how to copy a file
> or directory to another domain. In the case of a directory the files can 
> later be copied back, in which case they end up in a different directory than 
> the original.
>
> This has the advantage that both copies are available in the original host 
> domain.
>
Someone was working on a FUSE driver that would work through qrexec /
Qubes services.  You might want to look into the mailing list archives
for that.  It seems very practical (if a bit insecure?) to share VM A's
folder /x/y/z with VM B so that it appears as a mounted drive in VM B.

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] questions - InterVM directory bind

2018-04-22 Thread viq
On 18-04-22 05:26:35, trueriver wrote:
> The page https://www.qubes-os.org/doc/qfilecopy/ describes how to copy a file
> or directory to another domain. In the case of a directory the files can 
> later be copied back, in which case they end up in a different directory than 
> the original.
> 
> This has the advantage that both copies are available in the original host 
> domain.
> 
> This has the disadvantage that copying may take some time, especially if 
> there are a lot of files that were not actually changed.
> 
> I am wondering if there already exists the facility to bind a directory in 
> one domain (the original domain) to one in another domain (the new domain). I 
> envisage this working like mount --bind within a single machine. 

Random idea would be to create a file container, and either mount it
locally with --loop, or (somehow...) use qvm-block to export the mount
to another VM.
 
> This would have the advantage that edits made in the new domain would 
> immediately be available in the original domain.
> 
> That would also be a security disadvantage as the attack surface now exists 
> in both domains, but I envisage this being limited to the contents of the 
> bound directory.
> 
> 1:
> Has this idea been implemented already? If so pls post a link to some details.
> 
> 2:
> If not, is there a way to copy back only the files that actually changed - 
> like an inter domain rsync perhaps? If so, how would I do that?
> 
> This has the advantage of saving the redundant return copy, but still has the 
> disadvantage of doing a forward copy on files that turn out to be unnecessary.
> 
> 3:
> Has the idea of an interVM bind been considered and rejected as inherently 
> insecure?
> 
> 4:
> Has this idea been considered and rejected as requiring more work than we 
> want to do at the moment?



[qubes-users] questions - InterVM directory bind

2018-04-22 Thread trueriver
The page https://www.qubes-os.org/doc/qfilecopy/ describes how to copy a file or
directory to another domain. In the case of a directory the files can later be 
copied back, in which case they end up in a different directory than the 
original.

This has the advantage that both copies are available in the original host 
domain.

This has the disadvantage that copying may take some time, especially if there 
are a lot of files that were not actually changed.

I am wondering if there already exists the facility to bind a directory in one 
domain (the original domain) to one in another domain (the new domain). I 
envisage this working like mount --bind within a single machine. 

This would have the advantage that edits made in the new domain would 
immediately be available in the original domain.

That would also be a security disadvantage as the attack surface now exists in 
both domains, but I envisage this being limited to the contents of the bound 
directory.

1:
Has this idea been implemented already? If so pls post a link to some details.

2:
If not, is there a way to copy back only the files that actually changed - like 
an inter domain rsync perhaps? If so, how would I do that?

This has the advantage of saving the redundant return copy, but still has the 
disadvantage of doing a forward copy on files that turn out to be unnecessary.

3:
Has the idea of an interVM bind been considered and rejected as inherently 
insecure?

4:
Has this idea been considered and rejected as requiring more work than we want 
to do at the moment?

Regards
River~~
