qubes-doc/user/how-to-guides/how-to-use-disposables.rst

333 lines
13 KiB
ReStructuredText
Raw Normal View History

2024-05-21 14:59:46 -04:00
======================
How to use disposables
======================
A :ref:`disposable <user/reference/glossary:disposable>` is a lightweight
:ref:`qube <user/reference/glossary:qube>` that can be created quickly and will
self-destruct when closed. Disposables are usually created in order to
host a single application, like a viewer, editor, or web browser.
From inside an app qube, choosing the ``Open in disposable`` option on a
file will launch a disposable for just that file. Changes made to a file
opened in a disposable are passed back to the originating qube. This
means that you can safely work with untrusted files without risk of
compromising your other qubes. Disposables can be launched either
directly from dom0s app menu or terminal window, or from within app
qubes. Disposables are generated with names like ``disp####``, where
``####`` is random number.
|disposablevm-example.png|
This diagram provides a general example of how disposables can be used
to safely open untrusted links and attachments in disposables. See `this article <https://blog.invisiblethings.org/2010/06/01/disposable-vms.html>`__
for more on why one would want to use a disposable.
Security
--------
If a :ref:`disposable template <user/reference/glossary:disposable template>`
becomes compromised, then any disposable based on that disposable
template could be compromised. In particular, the *default* disposable
template is important because it is used by the “Open in disposable”
feature. This means that it will have access to everything that you open
with this feature. For this reason, it is strongly recommended that you
base the default disposable template on a trusted template.
Disposables and Local Forensics
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
At this time, disposables should not be relied upon to circumvent local
forensics, as they do not run entirely in RAM. For details, see `this thread <https://groups.google.com/d/topic/qubes-devel/QwL5PjqPs-4/discussion>`__.
When it is essential to avoid leaving any trace, consider using
`Tails <https://tails.boum.org/>`__.
Disposables and Networking
--------------------------
Similarly to how app qubes are based on their underlying
:ref:`template <user/reference/glossary:template>`, disposables are based on their
underlying :ref:`disposable template <user/reference/glossary:disposable template>`.
R4.0 introduces the concept of multiple disposable templates, whereas
R3.2 was limited to only one.
On a fresh installation of Qubes, the default disposable template is
called ``fedora-X-dvm`` or ``debian-X-dvm`` (where ``X`` is a release
number). If you have included the Whonix option in your install, there
will also be a ``whonix-ws-dvm`` disposable template available for your
use.
You can set any app qube to have the ability to act as a disposable
template with:
.. code:: bash
qvm-prefs <APP_QUBE> template_for_dispvms True
The default system wide disposable template can be changed with
``qubes-prefs default_dispvm``. By combining the two, choosing
``Open in disposable`` from inside an app qube will open the document in
a disposable based on the default disposable template you specified.
You can change this behavior for individual qubes: in the Application
Menu, open Qube Settings for the qube in question and go to the
“Advanced” tab. Here you can edit the “Default disposable” setting to
specify which disposable template will be used to launch disposables
from that qube. This can also be changed from the command line with:
.. code:: bash
qvm-prefs <QUBE> default_dispvm <DISPOSABLE_TEMPLATE>
For example, ``anon-whonix`` has been set to use ``whonix-ws-dvm`` as
its ``default_dispvm``, instead of the system default. You can even set
an app qube that has also been configured as a disposable template to
use itself, so disposables launched from within the app qube/disposable
template would inherit the same settings.
Network and firewall settings for disposable templates can be set as
they can for a normal qube. By default a disposable will inherit the
network and firewall settings of the disposable template on which it is
based. This is a change in behavior from R3.2, where disposables would
inherit the settings of the app qube from which they were launched.
Therefore, launching a disposable from an app qube will result in it
using the network/firewall settings of the disposable template on which
it is based. For example, if an app qube uses sys-net as its net qube,
but the default system disposable uses sys-whonix, any disposable
launched from this app qube will have sys-whonix as its net qube.
**Warning:** The opposite is also true. This means if you have changed
``anon-whonix``s ``default_dispvm`` to use the system default, and
the system default disposable uses sys-net, launching a disposable from
inside ``anon-whonix`` will result in the disposable using ``sys-net``.
A disposable launched from the app menu inherits the net qube and
firewall settings of the disposable template on which it is based. Note
that changing the net qube setting for the system default disposable
template *does* affect the net qube of disposables launched from the app
menu. Different disposable templates with individual net qube settings
can be added to the app menu.
**Important Notes:** Some disposable templates will automatically create
a menu item to launch a disposable. If you do not see an entry and want
to add one, please use the command:
.. code:: bash
qvm-features <DISPOSABLE_TEMPLATE> appmenus-dispvm 1
To launch a disposable template from the command line, execute the
following command in dom0:
.. code:: bash
qvm-run --dispvm=<DISPOSABLE_TEMPLATE> --service qubes.StartApp+<APPLICATION>
Opening a file in a disposable via GUI
--------------------------------------
In an app qubes file manager, right click on the file you wish to open
in a disposable, then choose “View in disposable” or “Edit in
disposable”. Wait a few seconds and the default application for this
file type should appear displaying the file content. This app is running
in its own dedicated qube a disposable created for the purpose of
viewing or editing this very file. Once you close the viewing
application the whole disposable will be destroyed. If you have edited
the file and saved the changes, the changed file will be saved back to
the original app qube, overwriting the original.
.. figure:: /attachment/doc/r4.0-open-in-dispvm-1.png
:alt: r4.0-open-in-dispvm-1.png
r4.0-open-in-dispvm-1.png
.. figure:: /attachment/doc/r4.0-open-in-dispvm-2.png
:alt: r4.0-open-in-dispvm-2.png
r4.0-open-in-dispvm-2.png
Opening a fresh web browser instance in a new disposable
--------------------------------------------------------
Sometimes it is desirable to open an instance of Firefox within a new
fresh disposable. This can be done easily using the app menu: just go to
**Application Menu -> Disposable -> Disposable: Firefox web browser**.
Wait a few seconds until a web browser starts. Once you close the
viewing application the whole disposable will be destroyed.
.. figure:: /attachment/doc/r4.0-open-in-dispvm-3.png
:alt: r4.0-open-in-dispvm-3.png
r4.0-open-in-dispvm-3.png
Opening a file in a disposable via command line (from app qube)
---------------------------------------------------------------
Use the ``qvm-open-in-dvm`` command from a terminal in your app qube:
.. code:: bash
[user@work-pub ~]$ qvm-open-in-dvm Downloads/apple-sandbox.pdf
Note that the ``qvm-open-in-dvm`` process will not exit until you close
the application in the disposable.
Making a particular application open everything in a disposable
---------------------------------------------------------------
You can use the ``qvm-service`` command or the services GUI to cause an
application in a qube to open files and URLs in a disposable. To do
this, enable a service named ``app-dispvm.X`` in that qube, where ``X``
is the application ID. For instance, to have Thunderbird open all
attachments in a disposable, enable the ``app-dispvm.thunderbird``
service.
This feature is currently somewhat experimental, and only works for
Linux qubes. It is known to work with Thunderbird and Wire, but it may
fail to work with some applications that do not honor all XDG
environment variables. If the feature does not work for you, please file
a bug report.
Opening particular types of files in a disposable
-------------------------------------------------
You can set ``qvm-open-in-dvm.desktop`` as the handler for a given MIME
type. This will cause all files of that type to open in a disposable.
This works in disposable templates too, but be careful: if your
disposable template is set to use ``qvm-open-in-dvm.desktop`` to open a
certain kind of file, every disposable based on it will be as well. If
the disposable template is its own default disposable template (as is
often the case), this will result in a loop: ``qvm-open-in-dvm`` will
execute ``qubes.OpenURL`` in a new disposable, but that will in turn
execute ``qvm-open-in-dvm``. The cycle will repeat until no new
disposables can be created, most likely because your system has run out
of memory.
This will *not* override the internal handling of PDF documents in Web
browsers. This is typically okay, though: in-browser PDF viewers have a
fairly good security record, especially when compared to non-browser PDF
viewers. In particular, the attack surface of PDF viewing in Firefox is
usually less than that of viewing an ordinary Web page.
Starting an arbitrary program in a disposable from an app qube
--------------------------------------------------------------
Sometimes it can be useful to start an arbitrary program in a
disposable. The disposable will stay running so long as the process
which started the disposable has not exited. Some applications, such as
GNOME Terminal, do not wait for the application to close before the
process exits (details
`here <https://github.com/QubesOS/qubes-issues/issues/2581#issuecomment-272664009>`__).
Starting an arbitrary program can be done from an app qube by running
.. code:: bash
[user@vault ~]$ qvm-run '@dispvm' xterm
The created disposable can be accessed via other tools (such as
``qvm-copy-to-vm``) using its ``disp####`` name as shown in the Qubes
Manager or ``qvm-ls``.
Starting an arbitrary application in a disposable via command line from dom0
----------------------------------------------------------------------------
The Application Launcher has shortcuts for opening a terminal and a web
browser in dedicated disposables, since these are very common tasks. The
disposable will stay running so long as the process which started the
disposable has not exited. Some applications, such as GNOME Terminal, do
not wait for the application to close before the process exits (details
`here <https://github.com/QubesOS/qubes-issues/issues/2581#issuecomment-272664009>`__).
It is possible to start an arbitrary application in a disposable
directly from dom0 by running:
.. code:: bash
$ qvm-run --dispvm=<DISPOSABLE_TEMPLATE> --service qubes.StartApp+xterm
The label color will be inherited from ``<DISPOSABLE_TEMPLATE>``. (The
disposable Application Launcher shortcut used for starting programs runs
a very similar command to the one above.)
Opening a link in a disposable based on a non-default disposable template from a qube
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Suppose that the default disposable template for your ``email`` qube has
no networking (e.g., so that untrusted attachments cant phone home).
However, sometimes you want to open email links in disposables.
Obviously, you cant use the default disposable template, since it has
no networking, so you need to be able to specify a different disposable
template. You can do that with this command from the ``email`` qube (as
long as your RPC policies allow it):
.. code:: bash
$ qvm-open-in-vm @dispvm:<ONLINE_DISPOSABLE_TEMPLATE> https://www.qubes-os.org
This will create a new disposable based on
``<ONLINE_DISPOSABLE_TEMPLATE>``, open the default web browser in that
disposable, and navigate to ``https://www.qubes-os.org``.
Example of RPC policies to allow this behavior
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In dom0, add the following line at the beginning of the file
``/etc/qubes-rpc/policy/qubes.OpenURL``
.. code:: bash
@anyvm @dispvm:<ONLINE_DISPOSABLE_TEMPLATE> allow
This line means: - FROM: Any qube - TO: A disposable based on
``<ONLINE_DISPOSABLE_TEMPLATE>`` - WHAT: Allow sending an “Open URL”
request
In other words, any qube will be allowed to create a new disposable
based on ``<ONLINE_DISPOSABLE_TEMPLATE>`` and open a URL inside of that
disposable.
More information about RPC policies for disposables can be found
:ref:`here <developer/services/qrexec:qubes rpc administration>`.
Customizing disposables
-----------------------
You can change the template used to generate the disposables, and change
settings used in the disposable savefile. These changes will be
reflected in every new disposable based on that template. Full
instructions can be found :doc:`here </user/advanced-topics/disposable-customization>`.
.. |disposablevm-example.png| image:: /attachment/doc/disposablevm-example.png