Minimal state app qubes #1006
Comments
|
We have some idea similar to this one, but going even further. I think Joanna will write some blog post about this in details, but basically its about creating one-service VMs with very small memory footprint. Such VM will run (almost) only qrexec-agent, which will handle service calls. There may be no Xorg (with all GUI processes) for example. I think it all can be packaged in initramfs, which will make it really fast to start - maybe even so fast that it can be started on demand when the service needs to be called (and only for that). Anyway, the better place for discussions on new features is mailing list. Here only add link to the discussion, and later paste final design. |
|
I'd like to attach it to a current discussion, but I can't find a relevant one. Is there any? should I create a new one? This sounds cool, but I am not sure if they can be easily applied to sys-net. Removing all the GUI from sys-net would require moving NetworkManager applet (i.e. nm-applet) functionality somewhere else. If we want to support everything that nm-applet supports (e.g. various WiFi options, WPA2 enterprise, certificates, VPNs, USB modems, …), this is a non-trivial task. Moreover, running Wireshark would be likely harder. Now, I can just start Wireshark from sys-net if memory limits allow it. (I've reduced memory to 300MiB for sys-net, so running Wireshark is sometimes not very great.) I can, however, imagine such ServiceVMs for FirewallVM and GPGVM and possibly some others. I've tried it in sys-firewall, but it kills the qrexec daemon, as it seems to depend on X11. But I hope it can be easily fixed. |
I think there is currently none on this subject.
Yes, this approach for NetVM (or any VM which uses some GUI) can be tricky, but it is better to assume that NetVM can always be compromised anyway (same as your local wifi for example). #806 is about how further protect against attacks from netvm. |
marmarek
added
P: major
|
DVMs in Q4 is a partial solution for this, but I agree that it is quite similar.
Note that the adjective „minimal“ was related to state (i.e., it can save just few files/directories/whatever, not whole traditional /rw with rc.local, bind-dirs, /home/user/* (especially .bashrc and similar) and so on…). It was not related to minimal templates. Having minimal templates is orthogonal to storing minimal state.
…On November 28, 2018 10:47:14 PM GMT+01:00, Esote ***@***.***> wrote:
@v6ak The original suggestion you give is very similar to using
disposable sys-{net,firewall,usb} in R4 (see #3704). As far as minimal
goes, this could be done with the minimal Fedora template (although not
as minimal as @marmarek describes with only qrexec-agent).
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#1006 (comment)
--
Sent from my fruity BlackBerry phone. Please excuse my brevity.
|
|
I started a thread on qubes-devel to propose the idea of having minimal state app qubes where extra state is explicitly declared in a Discussion conclusions
Additional implementation notes:
|
|
@andrewdavidwong candidate for privacy label. Some users may wish to preserve only minimal configurations (e.g. persist browser Downloads but nothing else). Currently they either save everything or nothing. Another privacy angle to this is that where a disposble qube is not fitting (i.e. the user needs to save some data), it can be much harder for an attacker to create persistence (e.g. a RAT) if only certain application configuration files are persistent. Something which by default is trivial to do (as soon an attacker gets remote code execution, all they have to do is to modify |
andrewdavidwong
added
the
privacy
I like or with some user prefix like I'd say this whole feature should be enabled with qvm-service, lets name it
|
I had not thought about this in the original proposal, but the possibility of having
Currently this is not possible because Commenting specifically about the template's |
|
This proposal doesn't change how template's /home works - it's still private to the template. I meant Yes, I think it's discouraged to configure apps this way in the template itself. But one can launch a (disposable) qube, configure apps there, and qvm-copy relevant files back to the template, to be placed in /etc/skel (or /home in the rootfs, if one knows the right incantation, which is |
|
Is NetworkManager secure against malicious network settings? For the specific case of sys-net, I wonder if this would be better handled by providing an RPC interface for sys-net to store its settings somewhere and later retrieve them. |
That's irrelevant for this issue, which is about generic mechanism, not a specific implementation for NetworkManager. |
|
Linux filesystems are generally not secure against malicious disk images. Is it fair to state that this does not make this issue irrelevant? |
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
Create a bunch of files/dirs and check if expected files remained and unexpected did not. QubesOS/qubes-issues#1006
* origin/pr/551: bind-dirs: fix permissions on $fso_ro bind-dirs: add x-gvfs-hide mount option to bind dirs This allows to hide mountpoints from Thunar sidebar (happens when bind mounting a file or dir in $HOME). custom-persist: prevent mount units from starting instead of bind mounting When disabling persistent /home or /usr/local, custom-persist was using a systemd drop-in to override the What= option and set it to the same value as the Where= one. This bind mount is unnecessary and was causing trouble when bind mounting other resources in /home or /usr/local. Instead, a ConditionPathExists= option is added to control whether this mount happens. custom-persist: pre-create parents with correct ownership When using custom-persist to pre-create the resource before bind mounting it, we might have to create its parents too. That was done using mkdir --parents that was causing parents to be created with root:root ownership which can leads to errors if, for example, a user wants to bind mount a directory inside its home dir. With this fix, parents are created with the same ownership as the resource. bind-dirs: fix /rw/home and /rw/usrlocal initialization from template files custom-persist: handle mounts from /rw/home and /rw/usrlocal Custom persist disables /home and /usr/local persistence by default but a user may want to bind mount a file or a directory in one of those locations without mounting the whole directories. For example, we should be able to mount /home/user/.ssh/ but keep the rest of /home/user non-persistent. With this fix, bind dirs detects when an object is located under /home or /usr/local and will look in the associated /rw/home or /rw/usrlocal instead of /rw/bind-dirs. If needed, custom-persist will pre-create the objects in the same location. custom-persist: prefer objets pre-creation in /rw This commit changes the files and dirs pre-creation path. Instead of pre-create files and dirs directly on the RO file system and let bind_dirs() function populate /rw/bind-dirs, custom-persist creates objects in /rw/bind-dirs like a regular user would do. custom-persist: files and directory auto-creation The support of metadata has been added to the custom-persist feature to allow automatic creation of files and directories declared through this feature. A type (file|dir), user, group and file mode must be specified before the path declaration. fix: bind-dirs should create files parent directories if they don't exist fix under_systemd function on debian Read command name in /proc custom-persist: init.d compatibility if the current VM is not under systemD we need to mount /home and /usr/local explicitly custom-persist: user suspend modules blacklist custom-persist: do not read user rc.local scripts when the feature is enabled custom-persist: disable user firewall rules when custom persist is enabled custom-persist: disable /home and /usr/local mounts If not explicitly configured, /rw/home and /rw/usrlocal must not be bind mounted to /home and /usr/local. Instead, the original /home and /usr/local is mounted. SystemD drop-ins are used to override the resource to mount (What= option in unit) custom-persist: mount binds configured in qubes-db Config is read from qubes database and every bind directory is mounted excepted /home and /usr/local which need to be handled differently custom-persist: systemd mount units for /home and /usr/local and services start dependencies The custom-persist feature should disable /home and /usr/local mounts by default. To do this, we can use SystemD drop-ins which requires to remove fstab entries and convert them to regular SystemD units as drop-ins does not seem to work with units generated by systemd-fstab-generator. Mount command in mount_dirs.sh is not required anymore and need to be deleted as it causes issues. Instead, a we can use SystemD unit options to ensure /home and /usr/local are mounted before loading user bind dirs custom-persist: ignore /rw/config bind-dirs if custom-persist enabled When the custom-persist feature is enabled, we no longer need to worry about the bind directories configured in /rw/config/qubes-bind-dirs.d. Pull request description: This PR adds a new feature ``custom-persist`` described in QubesOS/qubes-issues#1006
* origin/pr/650: custom-persist: add support of metadata add custom-persist unit tests add custom_persist extension Pull request description: ``custom-persist`` extension (see QubesOS/qubes-issues#1006) Adds a custom-persist feature. The service custom-persist must be activated to enable the feature. When the feature is enabled, user custom persistent file and dirs must be configured with ``qvm-features``. Example: ``qvm-features work custom-persist.var_test /var/test``
|
Now the only missing piece is documentation for the new settings (qvm-service, qvm-features man pages in core-admin-client repo). |
* origin/pr/340: doc: custom-persist man pages Pull request description: Custom persist man pages (QubesOS/qubes-issues#1006)
Minimal state AppVM would be a VM, that holds some state in some explicitly listed directories, but is does not allow malware to simply persist after reboot (unless misconfigured).
Example of usage: NetVM
Current state: When the NetVM is compromised, some malware can persist in init scripts or maybe even in .bashrc/.zshrc. This simplifies multi-stage attacks, where attacker installs some backdoor in NetVM and waits until some other useful vulnerability (e.g. XEN privilege escalation) is found. Then, some other stage of attack is initiated then.
Solution: The NetVM would just store network settings, but not anything else. It would be much harder to store a persistent malware that survives reboot, so such multi-stage attack is much less likely to be successful.
Implementation with current Qubes
Even with Qubes 3.0-RC1, one can probably make such minimal-state VM, but with some disadvantages:
nosuid(and possibly alsonoexec) attribute to /rw in /etc/fstabThere are obviously two disadvantages. First, such process is error-prone, but hopefully manageable. Second, any MSVM needs its own AppVM, which requires more space and makes administration harder. Such cloned AppVM might differ only in several symlinks and fstab options for /rw.
proposed implementation:
See #1006 (comment)
The text was updated successfully, but these errors were encountered: