On Mon, Jul 24, 2017 at 5:46 PM, Jean-Philippe Ouellet <[email protected]> wrote:
> On Mon, Jul 24, 2017 at 5:08 PM, Andrew Morgan <[email protected]> wrote:
>> On 07/24/2017 03:11 AM, Marek Marczykowski-Górecki wrote:
>>> On Mon, Jul 24, 2017 at 03:01:38AM -0700, Andrew Morgan wrote:
>>>> On 07/24/2017 02:57 AM, Marek Marczykowski-Górecki wrote:
>>>>> 2. You should check (and at least log non-zero) exit code of
>>>>> qvm-file-trust. Failing to mark untrusted file as untrusted may result
>>>>> in opening it locally and exploiting some bug in local editor, so this
>>>>> case should have some serious error handling (maybe even removing such
>>>>> file?).
>>>
>>>> Hm, we could quarantine it perhaps? Maybe in some folder TrustQuarantine
>>>> a file ~/Downloads/folder/file could be moved to
>>>> TrustQuarantine/home/user/Downloads/folder/file. This way the user knows
>>>> where the file was originally, without us having to touch the file in
>>>> any way.
>>>
>>> I'd be careful about rebuilding directory structure, because it could be
>>> quite complex (some VM sending very deep directory like
>>> a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/.../some-file).
>>> But maybe I'm too paranoid here? ;)
>>>
>>
>> Yeah not sure what other potential repercussions there might be, but if
>> there already exists a very deep directory structure inside of an
>> untrusted folder, I'd assume that moving that structure to a different
>> folder would not be a big issue, unless the path of the untrusted file
>> was already right up to the max filepath limit already?
>>
>> Sounds like an edge case, but overall still seems like the
>> easiest/simplest solution, if we do decide to implement a quarantine
>> feature :)
>>
>> Andrew Morgan
>
> If quarantining is something of interest, one possibility may be to
> take inspiration from the xdg Trash specification [1].
>
> They purposefully do not keep the original directory structures, but
> rather just the base filename, and keep a separate index of where the
> files came from.
>
> [1]: https://standards.freedesktop.org/trash-spec/trashspec-latest.html
Oops, I am mistaken. They do indeed keep directory structures if a whole
directory is deleted, but not if files are deleted one at a time. Similar to
placement within ~/QubesIncoming by qvm-copy-to-vm.

Ignore me :)

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/CABQWM_B79_S%3D2UJyqAEMvfTmy%3DG2Axam2jSx3k2HcUH920mg8g%40mail.gmail.com.
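The two points raised in the thread, checking qvm-file-trust's exit code rather than silently leaving a file trusted, and quarantining by basename with a separate index of origins (the trash-spec approach) instead of rebuilding an arbitrarily deep directory tree, put together as an added Python example. This is not Qubes code and not code from any participant in the thread. It assumes that qvm-file-trust is invoked as `qvm-file-trust --untrusted <path>` and exits non-zero on failure (check the tool's --help before relying on that), and the files/ plus info/ layout is borrowed from the trash spec, not from any Qubes design; `handle_untrusted`, `quarantine`, `reserve_name` and `demo` are names chosen for this example.

```python
"""Quarantine helper in the XDG-trash style (added example, not Qubes code).

Assumptions, labelled here because the thread does not fix them:
  * qvm-file-trust is invoked as `qvm-file-trust --untrusted <path>` and
    exits non-zero on failure (check the tool's --help before relying on it);
  * the quarantine layout (files/ and info/) is modelled on the trash spec's
    files/ and info/ directories, not on any Qubes design.
"""
import shutil
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Optional, Tuple
from urllib.parse import quote


def mark_untrusted(path: Path) -> int:
    """Ask qvm-file-trust to mark `path` untrusted and return its exit code."""
    return subprocess.run(["qvm-file-trust", "--untrusted", str(path)]).returncode


def reserve_name(info_dir: Path, name: str) -> Tuple[str, Path]:
    """Atomically claim a free quarantine name for `name` and return (name, info file).

    As in the trash spec, the .info entry is created with O_EXCL first, so two
    concurrent quarantines of files sharing a basename cannot end up in one slot.
    """
    candidate, n = name, 1
    while True:
        info = info_dir / f"{candidate}.info"
        try:
            info.touch(exist_ok=False)  # O_CREAT | O_EXCL under the hood
            return candidate, info
        except FileExistsError:
            candidate = f"{name}.{n}"
            n += 1


def quarantine(path: Path, quarantine_dir: Path) -> Path:
    """Move `path` into quarantine_dir/files/ keeping only its basename.

    The original location is written to a separate index entry instead of being
    rebuilt as a directory tree, so a source path like a/a/a/.../some-file adds
    nothing to the depth of the quarantine path.
    """
    files_dir, info_dir = quarantine_dir / "files", quarantine_dir / "info"
    files_dir.mkdir(parents=True, exist_ok=True)
    info_dir.mkdir(parents=True, exist_ok=True)
    origin = path.resolve()  # record the origin before the move
    name, info = reserve_name(info_dir, path.name)
    info.write_text(
        "[Quarantine Info]\n"
        f"Path={quote(str(origin))}\n"  # percent-encoded, like a .trashinfo Path
        f"QuarantineDate={datetime.now(timezone.utc).isoformat()}\n"
    )
    dest = files_dir / name
    shutil.move(str(path), str(dest))
    return dest


def handle_untrusted(path: Path, quarantine_dir: Path,
                     mark: Callable[[Path], int] = mark_untrusted) -> Optional[Path]:
    """Mark `path` untrusted; on a non-zero exit code, log it and quarantine the file.

    Returns the quarantine location, or None when marking succeeded and the file
    was left in place. `mark` is injectable so the flow can be exercised on a
    machine without qvm-file-trust installed.
    """
    rc = mark(path)
    if rc == 0:
        return None
    print(f"qvm-file-trust exited {rc} for {path}; moving it to quarantine",
          file=sys.stderr)
    return quarantine(path, quarantine_dir)


def demo() -> dict:
    """Run the flow on a constructed 40-level-deep path in a temporary directory."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    src = root.joinpath(*(["a"] * 40), "some-file")  # constructed deep input
    src.parent.mkdir(parents=True)
    src.write_text("payload")
    qdir = root / "TrustQuarantine"
    origin = quote(str(src.resolve()))
    result = {"kept": handle_untrusted(src, qdir, mark=lambda p: 0) is None and src.exists()}
    moved = handle_untrusted(src, qdir, mark=lambda p: 1)
    result["moved_to"] = str(moved.relative_to(qdir))
    result["source_gone"] = not src.exists()
    result["content"] = moved.read_text()
    result["index_has_origin"] = f"Path={origin}" in (qdir / "info" / "some-file.info").read_text()
    dup = root / "some-file"  # same basename arriving from another directory
    dup.write_text("other")
    result["collision_name"] = handle_untrusted(dup, qdir, mark=lambda p: 2).name
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: the index entry is reserved with an exclusive create before the file is moved, so a failed move leaves at most an empty .info record rather than an orphaned file, and because only the basename is kept, the quarantine path's length is bounded by the quarantine directory plus one component plus a numeric suffix, independent of how deep the sending VM made the source tree.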
