I don't see any extra exposure for dom0 there. Yes, there is some qrexec call managed by dom0 (but handled by another AppVM) and this adds some (very very marginal, thanks to qrexec simplicity) risk compared to not allowing any qrexec call. However, there already are some other qrexec calls that bring the same or higher risk. See commands like qvm-open-in-dvm or qvm-run '$dispvm'. In the background, they are at least the same case in terms of risks.
NFS also brings some complexities. They aren't related to dom0, but rather to AppVMs, firewall config etc.
