qrexec: add info about new DispVM options in Qubes 4.0

Marek Marczykowski-Górecki 2016-08-17 01:01:42 +02:00
parent c46cd728cc
commit cce10079b3
No known key found for this signature in database
GPG Key ID: F32894BE9684938A


@ -127,10 +127,12 @@ means "new VM created for this particular request," so it is never a
source of request). Currently there is no way to specify source VM by source of request). Currently there is no way to specify source VM by
type. Whenever a rpc request for action X is received, the first line in type. Whenever a rpc request for action X is received, the first line in
`/etc/qubes-rpc/policy/X` that match srcvm/destvm is consulted to determine `/etc/qubes-rpc/policy/X` that match srcvm/destvm is consulted to determine
whether to allow rpc, what user account the program should run in target whether to allow rpc, what user account the program should run in target VM
VM under, and what VM to redirect the execution to. If the policy file does under, and what VM to redirect the execution to. Note that if the request is
not exits, user is prompted to create one; if still there is no policy file redirected (`target=` parameter), policy action remains the same - even if
after prompting, the action is denied. there is another rule which would otherwise deny such request. If the policy
file does not exits, user is prompted to create one; if still there is no
policy file after prompting, the action is denied.
In the target VM, the `/etc/qubes-rpc/RPC_ACTION_NAME` must exist, containing In the target VM, the `/etc/qubes-rpc/RPC_ACTION_NAME` must exist, containing
the file name of the program that will be invoked, or being that program itself the file name of the program that will be invoked, or being that program itself
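Review bot: since this hunk rewraps the existing paragraph anyway, it should also fix the two pre-existing errors it carries along: "the first line in `/etc/qubes-rpc/policy/X` that match srcvm/destvm" should read "that matches", and "If the policy file does not exits" should read "does not exist". The new sentence about `target=` is the one policy authors most need, so it is worth phrasing it unambiguously; "policy action remains the same - even if there is another rule which would otherwise deny such request" could be misread as referring to the denying rule's action. Suggest something like: "the action of the rule that matched the original request is applied to the redirected target as well; no other rule is consulted for the redirected target, even one that would deny it."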
@ -156,6 +158,31 @@ be fatal to Qubes security. On the other hand, this mechanism allows to
delegate processing of untrusted input to less privileged (or throwaway) delegate processing of untrusted input to less privileged (or throwaway)
AppVMs, thus wise usage of it increases security. AppVMs, thus wise usage of it increases security.
### Extra keywords available in Qubes 4.0 and later
**This section is about not yet released version, some details may change**
In Qubes 4.0, target VM can be specified also as `$dispvm:DISP_VM`, which is
very similar to `$dispvm` but force using particular VM (`DISP_VM`) as a base
VM to be started as Disposable VM. For example:
anon-whonix $dispvm:anon-whonix-dvm allow
Adding such policy itself will not force usage of this particular `DISP_VM` -
it will only allow it when specified by the caller. But `$dispvm:DISP_VM` can
also be used as target in request redirection, so _it is possible_ to force
particular `DISP_VM` usage, when caller didn't specified it:
anon-whonix $dispvm allow,target=$dispvm:anon-whonix-dvm
Note that without redirection, this rule would allow using default Disposable
VM (`default_dispvm` VM property, which itself defaults to global
`default_dispvm` property).
Also note that the request will be allowed (`allow` action) even if there is no
second rule allowing calls to `$dispvm:anon-whonix-dvm`, or even if
there is a rule explicitly denying it. This is because the redirection happen
_after_ considering the action.
### Service argument in policy ### Service argument in policy
Sometimes just service name isn't enough to make reasonable qrexec policy. One Sometimes just service name isn't enough to make reasonable qrexec policy. One
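Review bot: the two example policy lines (`anon-whonix $dispvm:anon-whonix-dvm allow` and `anon-whonix $dispvm allow,target=$dispvm:anon-whonix-dvm`) are flush-left in this hunk, so in Markdown they will be merged into the surrounding paragraph text instead of rendering as policy lines; indent them by four spaces or fence them, as the rest of this file does for its examples. A few wording fixes in the new section: "This section is about not yet released version" should read "a not-yet-released version"; "force using particular VM" should read "forces use of a particular VM"; "Adding such policy itself" should read "Adding such a policy by itself"; "when caller didn't specified it" should read "when the caller didn't specify it"; and "the redirection happen _after_" should read "happens". The final paragraph correctly warns that the `target=$dispvm:anon-whonix-dvm` form is honoured even when another rule explicitly denies `$dispvm:anon-whonix-dvm`; it would help readers to add one sentence saying that a rule using `target=` therefore has to be written as carefully as an unconditional `allow` for that target, since no later rule can narrow it.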