Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'copying'

Browse Source
This commit is contained in:
Andrew David Wong 2020-11-16 05:17:26 -08:00
commit e29d73b8d1
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
4 changed files with 107 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
user/common-tasks/copy-from-dom0.md
View File

@ -9,67 +9,71 @@ redirect_from:
- /wiki/CopyToDomZero/
---
Copying from (and to) dom0
==========================
# Copying from (and to) dom0
Copying **from** dom0
---------------------
This page covers copying files and clipboard text between [dom0](/doc/glossary/#dom0) and [domUs](/doc/glossary/#domu).
Since dom0 is special, the processes are different from [copying and pasting text between qubes](/doc/copy-paste/) and [copying and moving files between qubes](/doc/copying-files/).
To copy a file from dom0 to a VM (domU), simply use `qvm-copy-to-vm`:
## Copying **from** dom0
~~~
qvm-copy-to-vm <dest-vm> <file>
~~~
### Copying files from dom0
The file will arrive in your destination VM in the `~/QubesIncoming/dom0/` directory.
To copy a file from dom0 to a VM, simply use `qvm-copy-to-vm`:
### Copying logs from dom0 ###
qvm-copy-to-vm <target_vm> <file>
The file will arrive in the target VM in the `/home/user/QubesIncoming/dom0/` directory.
### Copying and pasting clipboard text from dom0
Use the **Qubes Clipboard** widget:
1. Copy text to the clipboard normally in dom0 (e.g., by pressing Ctrl+C).
2. Click the **Qubes Clipboard** icon in the Notification Area.
3. Click "Copy dom0 clipboard".
This displays a notification that text has been copied to the inter-qube clipboard.
4. Press Ctrl+Shift+V in the target qube.
This pastes the inter-qube clipboard contents into the target qube's normal clipboard.
5. Paste normally within that qube (e.g., by pressing Shift+V).
Alternatively, you can put your text in a file, then [copy it as a file](#copying-files-from-dom0).
Or, you can write the data you wish to copy into `/var/run/qubes/qubes-clipboard.bin`, then `echo -n dom0 > /var/run/qubes/qubes-clipboard.bin.source`.
Then use Ctrl+Shift+V to paste the data to the target qube.
### Copying logs from dom0
In order to easily copy/paste the contents of logs from dom0 to the inter-VM clipboard, you can simply:
1. Right-click on the desired VM in the Qubes VM Manager.
2. Click "Logs."
3. Click on the desired log.
4. Click "Copy to Qubes clipboard."
1. Right-click on the desired qube in the Qube Manager.
You may now paste the log contents to any VM as you normally would (i.e., Ctrl-Shift-V, then Ctrl-V).
2. Click "Logs."
### Copy/paste from dom0 ###
3. Click on the desired log.
For data other than logs, there are several options:
4. Click "Copy to Qubes clipboard."
1. Use the **Qubes Clipboard** widget:
- Copy text to the clipboard normally in dom0.
- Click the **Qubes Clipboard** icon in the Notification Area.
- Click "Copy dom0 clipboard".
- Receive a notification that text has been copied to the inter-qube clipboard.
- Press Ctrl + Shift + V in a qube to paste into the desired qube's clipboard.
- Paste normally within that qube.
2. Copy it as a file (see above)
3. Write the data you wish to copy into `/var/run/qubes/qubes-clipboard.bin`, then `echo -n dom0 > /var/run/qubes/qubes-clipboard.bin.source`.
Then use Ctrl-Shift-V to paste the data to the desired VM.
You may now paste the log contents in qube as you normally would (e.g., Ctrl+Shift+V, then Ctrl+V).
Copying **to** dom0
-------------------
## Copying **to** dom0
Copying anything into dom0 is not advised, since doing so can compromise the security of your Qubes system.
For this reason, there is no simple means of copying anything into dom0, unlike [copying from dom0](#copying-from-dom0) and [copying files between VMs](/doc/copying-files/).
For this reason, there is no simple means of copying anything into dom0, unlike [copying from dom0](#copying-from-dom0).
There should normally be few reasons for the user to want to copy anything from VMs to dom0, as dom0 only acts as a "thin trusted terminal", and no user applications run there.
One possible use-case for this is if we want to use a desktop wallpaper in dom0 we have located in one of our AppVMs (e.g. in the 'personal' AppVM where we got the wallpaper from our camera or downloaded it from the Internet).
While this use-case is understandable, imagine what would happen if the wallpaper (e.g. a JPEG file) was somehow malformed or malicious and attempted to exploit a hypothetical JPEG parser bug in dom0 code (e.g. in the dom0's Xorg/KDE code that parses the wallpaper and displays it).
There should normally be few reasons for the user to want to copy anything from domUs to dom0, as dom0 only acts as a "thin trusted terminal", and no user applications run there.
Sometimes, new users feel the urge to copy a desktop wallpaper image into dom0, but that is not necessary.
A safer approach is simply to display the image in [full-screen mode](/doc/full-screen-mode/) in an AppVM, then take a screenshot from dom0, which results in exactly the image needed for a wallpaper, created securely and natively in dom0.
If you are determined to copy some files to dom0 anyway, you can use the following method.
(If you want to copy text, first save it into a text file.)
Run this command in a dom0 terminal:
~~~
qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0
~~~
qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0
Note that you can use the same method to copy files from dom0 to VMs (if, for some reason, you don't want to use `qvm-copy-to-vm`):
Note that you can use the same method to copy files from dom0 to domUs (if, for some reason, you don't want to use `qvm-copy-to-vm`):
~~~
cat /path/to/file_in_dom0 | qvm-run --pass-io <dest-vm> 'cat > /path/to/file_name_in_appvm'
~~~
cat /path/to/file_in_dom0 | qvm-run --pass-io <dest-vm> 'cat > /path/to/file_name_in_appvm'

66
user/common-tasks/copy-paste.md
View File

@ -1,6 +1,6 @@
---
layout: doc
title: Copy and Paste
title: Copying and pasting text between qubes
permalink: /doc/copy-paste/
redirect_from:
- /en/doc/copy-paste/
@ -8,51 +8,49 @@ redirect_from:
- /wiki/CopyPaste/
---
Copy and Paste between domains
==============================
Copying and pasting text between qubes
======================================
Qubes fully supports secure copy and paste operation between domains.
In order to copy a clipboard from domain A to domain B, follow those steps:
*This page is about copying and pasting plain text.
If you wish to copy more complex data, such as rich text or images, see [copying and moving files between qubes](/doc/copying-files/).
For dom0, see [copying from (and to) dom0](/doc/copy-from-dom0/).*
1. Click on the application window in domain A where you have selected text for copying.
Then use the *app-specific* hot-key (or menu option) to copy this into domain's local clipboard (in other words: do the copy operation as usual, in most cases by pressing Ctrl-C).
2. Then (when the app in domain A is still in focus) press Ctrl-Shift-C magic hot-key.
This will tell Qubes that we want to select this domain's clipboard for *global copy* between domains.
3. Now select the destination app, running in domain B, and press Ctrl-Shift-V, another magic hot-key that will tell Qubes to make the clipboard marked in the previous step available to apps running in domain B.
This step is necessary because it ensures that only domain B will get access to the clipboard copied from domain A, and not any other domain that might be running in the system.
4. Now, in the destination app use the app-specific key combination (usually Ctrl-V) for pasting the clipboard.
Qubes OS features a secure inter-qube clipboard that allows you to copy and paste text between qubes.
Note that the global clipboard will be cleared after step \#3, to prevent accidental leakage to another domain, if the user accidentally pressed Ctrl-Shift-V later.
In order to copy text from qube A to qube B:
This 4-step process might look complex, but after some little practice it really is very easy and fast.
At the same time it provides the user with full control over who has access to the clipboard.
1. Select text from the source app in qube A, then copy it normally (e.g., by pressing Ctrl+C).
Note that only simple plain text copy/paste is supported between AppVMs.
This is discussed in a bit more detail in [this message](https://groups.google.com/group/qubes-devel/msg/57fe6695eb8ec8cd).
2. With the source app in qube A still in focus, press Ctrl+Shift+C.
This copies the text from qube A's clipboard to the inter-qube clipboard.
On Copy/Paste Security
----------------------
3. Select the target app in qube B and press Ctrl+Shift+V.
This copies the text from the inter-qube clipboard to qube B's clipboard and clears the inter-qube clipboard, ensuring that only qube B will have access to the copied text.
The scheme is *secure* because it doesn't allow other VMs to steal the content of the clipboard.
However, one should keep in mind that performing a copy and paste operation from *less trusted* to *more trusted* domain can always be potentially insecure, because the data that we insert might potentially try to exploit some hypothetical bug in the destination VM (e.g.
the seemingly innocent link that we copy from untrusted domain, might turn out to be, in fact, a large buffer of junk that, when pasted into the destination VM's word processor could exploit a hypothetical bug in the undo buffer).
This is a general problem and applies to any data transfer between *less trusted to more trusted* domains.
It even applies to copying files between physically separate machines (air-gapped) systems.
So, you should always copy clipboard and data only from *more trusted* to *less trusted* domains.
4. Paste the text in the target app in qube B normally (e.g., by pressing Ctrl+V).
See also [this article](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) for more information on this topic, and some ideas of how we might solve this problem in some future version of Qubes.
This process might look complicated at first glance, but in practice it is actually very easy and fast once you get used to it.
At the same time, it provides you with full control over exactly which qube receives the content of the inter-qube clipboard every time.
And [this message](https://groups.google.com/group/qubes-devel/msg/48b4b532cee06e01) from qubes-devel.
Security
--------
Copy/Paste between dom0 and other domains
-----------------------------------------
The inter-qube clipboard system is secure because it doesn't allow any qube other than your selected target to steal any contents from the inter-qube clipboard.
Without such a system in place, any password you were to copy from the password manager in your vault qube to another qube, for example, would immediately be leaked to every other running qube in the system, including qubes that are untrusted by default, such as `sys-net`.
By giving you precise control over exactly which qube receives the inter-qube clipboard content, then immediately wiping the inter-qube clipboard afterward, Qubes OS protects the confidentiality of the text being copied.
See ["Copying from (and to) dom0"](/doc/copy-from-dom0/).
However, one should keep in mind that performing a copy and paste operation from *less trusted* to *more trusted* qube is always potentially insecure, since the data that we copy could exploit some hypothetical bug in the target qube.
For example, the seemingly-innocent link that we copy from an untrusted qube could turn out to be a large buffer of junk that, when pasted into the target qube's word processor, could exploit a hypothetical bug in the undo buffer.
This is a general problem and applies to any data transfer from *less trusted* to *more trusted* qubes.
It even applies to copying files between physically separate (air-gapped) machines.
Therefore, you should always copy clipboard data only from *more trusted* to *less trusted* qubes.
See also [this article](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) for more information on this topic, and some ideas of how we might solve this problem in some future version of Qubes, as well as [this message](https://groups.google.com/group/qubes-devel/msg/48b4b532cee06e01) from qubes-devel.
Clipboard automatic policy enforcement
--------------------------------------
The Qubes clipboard [RPC policy] is configurable in:
The Qubes clipboard [RPC policy](/doc/rpc-policy/) is configurable in:
~~~
/etc/qubes-rpc/policy/qubes.ClipboardPaste
@ -66,7 +64,7 @@ For example, if you are certain that you never wish to paste *into* your "vault"
@anyvm @anyvm ask
~~~
Shortcut Configuration
Shortcut configuration
----------------------
The copy/paste shortcuts are configurable in:
@ -78,7 +76,3 @@ The copy/paste shortcuts are configurable in:
If you edit a line in this file, you must uncomment it (by removing the initial `#` character), or else it will have no effect.
VMs need to be restarted in order for changes in `/etc/qubes/guid.conf` to take effect.
[RPC policy]: /doc/rpc-policy/

56
user/common-tasks/copying-files.md
View File

@ -1,6 +1,6 @@
---
layout: doc
title: Copying Files between qubes
title: Copying and moving files between qubes
permalink: /doc/copying-files/
redirect_from:
- /en/doc/copying-files/
@ -8,31 +8,34 @@ redirect_from:
- /wiki/CopyingFiles/
---
Copying files and folders between qubes
=============================
Copying and moving files between qubes
======================================
Qubes also supports secure copying of files and folders between qubes.
These instructions refer to file(s) but equally apply to copying folders.
*This page is about copying and moving files.
If you wish to simply copy and paste text, that can be done more easily using the inter-qube clipboard.
See [copying and pasting text between qubes](/doc/copy-paste/).
For dom0, see [copying from (and to) dom0](/doc/copy-from-dom0/).*
In order to copy file(s) from qube A to qube B, follow these steps:
Qubes OS supports the secure copying and moving of files and directories (folders) between qubes.
GUI
---
For simplicity, these instructions will refer to copying/moving a single file, but they apply equally well to groups of files and directories, which are copied recursively.
1. Open file manager in the source qube (qube A), choose file(s) that you wish to copy, and right click on the selection, and choose `Copy to another AppVM`
1. Open a file manager in the qube containing the file you wish to copy (the source qube), right-click on the file you wish to copy or move, and select `Copy to Other AppVM...` or `Move to Other AppVM...`.
2. A dialog box will appear asking for the name of the destination qube (qube B).
2. A dialog box will appear in dom0 asking for the name of the target qube (qube B).
Enter or select the desired destination qube name.
3. A confirmation dialog box will appear(this will be displayed by Dom0, so none of the qubes can fake your consent).
After you click ok, qube B will be started if it is not already running, the file copy operation will start, and the files will be copied into the following folder in qube B:
3. If the target qube is not already running, it will be started automatically, and the file will be copied there.
It will show up in this directory (which will automatically be created if it does not already exist):
`/home/user/QubesIncoming/<source>`
/home/user/QubesIncoming/<source_qube>/<filename>
4. You can now move them whenever you like in the qube B filesystem using the file manager there.
If you selected **Move** rather than **Copy**, the original file in the source qube will be deleted.
(Moving a file is equivalent to copying the file, then deleting the original.)
4. If you wish, you may now move the file in the target qube to a different directory and delete the `/home/user/QubesIncoming/` directory when no longer needed.
CLI
---
The same operations are also available via these command-line tools:
```
qvm-copy [--without-progress] file [file]+
@ -42,18 +45,21 @@ qvm-copy [--without-progress] file [file]+
qvm-move [--without-progress] file [file]+
```
Security
--------
On inter-qube file copy security
----------------------------------
The scheme is *secure* because it doesn't allow other qubes to steal the files that are being copied, and also doesn't allow the source qube to overwrite arbitrary files on the destination qube.
Also, Qubes's file copy scheme doesn't use any sort of virtual block devices for file copy -- instead we use Xen shared memory, which eliminates lots of processing of untrusted data.
The inter-qube file copy system is secure because it doesn't allow other qubes to steal the files that are being copied, and it doesn't allow the source qube to overwrite arbitrary files on the destination qube.
Moreover, this system doesn't use any sort of virtual block device for file copy.
Instead, we use Xen shared memory, which eliminates a lot of processing of untrusted data.
For example, the receiving qube is *not* forced to parse untrusted partitions or file systems.
In this respect our file copy mechanism provides even more security than file copy between two physically separated (air-gapped) machines!
In this respect, the inter-qube file copy system provides even more security than file copy between two physically separated (air-gapped) machines!
(See [Software compartmentalization vs. physical separation](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) for more on this.)
However, one should keep in mind that performing a data transfer from *less trusted* to *more trusted* qubes can always be potentially insecure, because the data that we insert might potentially try to exploit some hypothetical bug in the destination qube (e.g. a seemingly innocent JPEG that we copy from an untrusted qube might contain a specially crafted exploit for a bug in JPEG parsing application in the destination qube).
This is a general problem and applies to any data transfer between *less trusted to more trusted* qubes.
However, one should keep in mind that performing a data transfer from *less trusted* to *more trusted* qubes is always potentially insecure if the data will be parsed in the target qube.
This is because the data that we copy could try to exploit some hypothetical bug in software running in the target qube.
For example, a seemingly-innocent JPEG that we copy from an untrusted qube might contain a specially-crafted exploit for a bug in a JPEG-parsing application in the target qube.
This is a general problem and applies to any data transfer from *less trusted* to *more trusted* qubes.
It even applies to the scenario of copying files between air-gapped machines.
So, you should always copy data only from *more trusted* to *less trusted* qubes.
Therefore, you should always copy data only from *more trusted* to *less trusted* qubes.
See also [this article](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) for more information on this topic, and some ideas of how we might solve this problem in some future version of Qubes.

4
user/security-in-qubes/split-gpg.md
View File

@ -378,8 +378,8 @@ As always, exercise caution and use your good judgment.)
[intro]: #what-is-split-gpg-and-why-should-i-use-it-instead-of-the-standard-gpg
[se-pinentry]: https://unix.stackexchange.com/a/379373
[subkeys]: https://wiki.debian.org/Subkeys
[copied]: /doc/copying-files#on-inter-qube-file-copy-security
[pasted]: /doc/copy-paste#on-copypaste-security
[copied]: /doc/copying-files#security
[pasted]: /doc/copy-paste#security
[MUA]: https://en.wikipedia.org/wiki/Mail_user_agent
[covert channels]: /doc/data-leaks
[trusting-templates]: /doc/templates/#trusting-your-templatevms