Re: [qubes-users] Special template to isolate less trusted software?
I do this, but I use a squid proxy setup from rustybird to cache updates. Starting up and shutting down VMs still takes the same amount of time though. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200906173353.GB911%40mail2-dvm.
Re: [qubes-users] Special template to isolate less trusted software?
(By "local install" I mean per-user install) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAWRcS_UUtKoj_2mrF5u7MAGc87WZmx7XdK2iuy6fwvEUaaZ5w%40mail.gmail.com.
Re: [qubes-users] Special template to isolate less trusted software?
My (perhaps naive) approach is to just use flatpak local install in the AppVM. I don't have to mess with bind-dirs. I have a couple different AppVMs where I have such proprietary software away from anything I want to keep safe/private. I'm curious why people are talking about reinstalling on startup, or the risks of keeping installed software in /rw etc. We're already treating these VMs as low trust anyway right? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAWRcS-9WJYjysrNjJpfO5AcVz3LUKQ%3DTbEt922u9tC0DL4zPw%40mail.gmail.com.
Re: [qubes-users] Special template to isolate less trusted software?
On 9/3/20 12:44 AM, 'Ryan Tate' via qubes-users wrote: I've started making special templateVMs where I install less trusted software, typically closed source binaries or code distributed directly from a vendor. I am curious if others do this and if people think it adds much security wise. For example, in addition to vanilla fedora-32, where I will install any number of packages from the standard repos, I have - fedora-32-zoom (the proprietary videoconferencing software) fedora-32-slack (the group chat app, installed from their own rpm) fedora-32-print (had to run a Brother install tool to get printer working, use it from my dvm-print wich is firewalled only to my local printer ips) fedora-32-media (has some proprietary media hnadling software) I just don't like the idea of putting untrusted code in a templateVM used by sensitive VMs. On the other hand, perhaps I worry too much, in theory at least I do control when any given app is run? The Brother install was a bash script run via sudo (!!) that could have done anything but the others typically go in as rpm files via dnf, so presumably (?) they can't just install untrusted services that get auto launched. Obviously this makes updates take longer, so it's got some cost. Is this a wise approach? Or no? Thanks for any thoughts Ryan Hi Ryan, I do very similar things. I have a debian-media and a couple of other specialised templates. Also, I have a Skype standalone VM as I didn't want a whole template just for Skype. I had to give up on my zoom standalone VM because my usb camera was very flakey when attached via sys-usb. Works OK with skype, but not zoom!?! Mike -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c435d0d3-76c0-fd06-6cc4-a4006a17fad8%40keehan.net.
Re: [qubes-users] Special template to isolate less trusted software?
On 9/2/20 11:39 PM, airelemental via qubes-users wrote: I just don't like the idea of putting untrusted code in a templateVM used by sensitive VMs. Me neither! But I avoid multiplying templates by installing apps directly into appvms. This minimizes the number of templates I have to keep up-to-date. FYI, that approach is risky. The code sitting in /rw or /home becomes a way for malware to persist between VM restarts. The general strategy with installing packages inside appvms (at least those based on debian) is to make the package cache into a bind-dir and then reinstall package from cache every appvm startup. A safer way to add apps at startup would be to use Qubes-vm-hardening (see my github below) and stash the packages in the /etc/defaults/vms/ dir... the vm-boot-protect service will run just before /rw is mounted and see that config files matching the current VM name exist. Its a good way to specialize appVMs without creating new templates. Should also mention that snaps and flatpaks may be a better fit for adding apps at boot-time, since there is a chance you can do it quicker using little more than 'mv'. -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ad660e38-766f-d21b-c49b-69696864b0e2%40posteo.net.
Re: [qubes-users] Special template to isolate less trusted software?
> I just don't like the idea of putting untrusted code in a templateVM used by > sensitive VMs. > Me neither! But I avoid multiplying templates by installing apps directly into appvms. This minimizes the number of templates I have to keep up-to-date. > fedora-32-zoom (the proprietary videoconferencing software) > You can save the zoom package into the appvm. Can also install its (open source) dependencies in the template. Then every time you start the appvm, just install the (already-downloaded) zoom package. > fedora-32-slack (the group chat app, installed from their own rpm) > > fedora-32-print (had to run a Brother install tool to get printer working, > use it from my dvm-print wich is firewalled only to my local printer ips) > > fedora-32-media (has some proprietary media hnadling software) > The general strategy with installing packages inside appvms (at least those based on debian) is to make the package cache into a bind-dir and then reinstall package from cache every appvm startup. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/MGH1zz7--3-2%40tutanota.com.
[qubes-users] Special template to isolate less trusted software?
I've started making special templateVMs where I install less trusted software, typically closed source binaries or code distributed directly from a vendor. I am curious if others do this and if people think it adds much security wise. For example, in addition to vanilla fedora-32, where I will install any number of packages from the standard repos, I have - fedora-32-zoom (the proprietary videoconferencing software) fedora-32-slack (the group chat app, installed from their own rpm) fedora-32-print (had to run a Brother install tool to get printer working, use it from my dvm-print wich is firewalled only to my local printer ips) fedora-32-media (has some proprietary media hnadling software) I just don't like the idea of putting untrusted code in a templateVM used by sensitive VMs. On the other hand, perhaps I worry too much, in theory at least I do control when any given app is run? The Brother install was a bash script run via sudo (!!) that could have done anything but the others typically go in as rpm files via dnf, so presumably (?) they can't just install untrusted services that get auto launched. Obviously this makes updates take longer, so it's got some cost. Is this a wise approach? Or no? Thanks for any thoughts Ryan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/87h7sfzqv3.fsf%40disp2634.
