Hello, Disposable qubes are the gold-standard in mitigation malware persistence, but in the context of an app qubes one only needs to store a malicious script in /rw/config/rc.local to get persistence. [#1006](https://github.com/QubesOS/qubes-issues/issues/1006#) and [#3258](https://github.com/QubesOS/qubes-issues/issues/3258) add interesting points about making only bind-dirs be all that persists in an app qube. Getting persistence in a white-list style bind-dirs would require an attacker to exploit applications which read persisted configuration files / directories instead of just a simple bash script.
Further hardening of certain applications would become possible. For example - storing network configurations in sys-net - storing browser profiles - etc. However, even if said mitigations were to be implemented, bind-dirs would still editable within the app qube through /rw/config/qubes-bind-dirs.d (highest priority, for per VM configuration), which [3hhh hints at](https://github.com/QubesOS/qubes-issues/issues/3258#issuecomment-725516370). This makes such eventual persistence mitigations irrelevant from within app qubes. So my suggestion is: now that we have a way to expose configuration values to to qubes (through [vm-config](https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-features.html#vm-config)), to have bind-dirs stored as a vm-config, potentially replacing /rw/config/qubes-bind-dirs.d. This way it would editable only from its AdminVM (kind of like firewall rules). In particular for sys-net, this would open up the possibility of having salt set said bind-dirs by default and have only networks configurations persist. Best regards, deeplow -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/xZMzvfXlkNIDwxGiUUos_v-lCar7K1QMSriPk_MEIXSO31CIPfAGrQo1CyE5x8LkuWAT0kPvr1KS5fWgecJ0GhZz3lmLP5OoFf4c-kIXXjU%3D%40protonmail.com.
