On Thu, Sep 26, 2024 at 02:48:18PM +0000, 'deeplow' via qubes-devel wrote:
> Hello,
>
> Disposable qubes are the gold standard in mitigating malware persistence, but
> in the context of an app qube one only needs to store a malicious script in
> /rw/config/rc.local to get persistence.
> [#1006](https://github.com/QubesOS/qubes-issues/issues/1006#) and
> [#3258](https://github.com/QubesOS/qubes-issues/issues/3258) add interesting
> points about making only bind-dirs be all that persists in an app qube.
> Getting persistence in a white-list style bind-dirs would require an attacker
> to exploit applications which read persisted configuration files /
> directories instead of just a simple bash script.
>
> Further hardening of certain applications would become possible. For example:
>
> - storing network configurations in sys-net
> - storing browser profiles
> - etc.
>
> However, even if said mitigations were to be implemented, bind-dirs would
> still be editable within the app qube through /rw/config/qubes-bind-dirs.d
> (highest priority, for per-VM configuration), which [3hhh hints
> at](https://github.com/QubesOS/qubes-issues/issues/3258#issuecomment-725516370).
> This makes such eventual persistence mitigations irrelevant from within app
> qubes.
>
> So my suggestion is: now that we have a way to expose configuration values
> to qubes (through
> [vm-config](https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-features.html#vm-config)),
> to have bind-dirs stored as a vm-config, potentially replacing
> /rw/config/qubes-bind-dirs.d. This way it would be editable only from its
> AdminVM (kind of like firewall rules). In particular for sys-net, this would
> open up the possibility of having salt set said bind-dirs by default and have
> only network configurations persist.
I like this! We could put that into vm-config, or even have a new place
(bind-dirs prefix?). If present, configuration in /rw/config would be ignored,
and maybe also /home not bind-mounted anymore (unless listed in bind-dirs
explicitly?).

One remaining question is interaction with template-stored configuration
(/usr/lib/qubes-bind-dirs.d) - I guess it should be respected in that case,
correct?

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
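To make the precedence discussed above concrete, here is a small resolver written for this thread (not Qubes code, and not a patch proposed by either author) that models the suggested behaviour: an admin-set vm-config value supplies the bind-dirs list, template-shipped /usr/lib/qubes-bind-dirs.d is still honoured, and the qube-writable /rw/config/qubes-bind-dirs.d is consulted only when no vm-config value exists. The vm-config key name (`bind-dirs`), its colon-separated format, and the one-path-per-line config files are all assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical resolver for the proposal in this thread. Not Qubes code:
# the vm-config key, the colon-separated value format and the simplified
# one-path-per-line *.conf files are constructed for illustration.

# read_dir_config DIR: print every absolute path listed in DIR/*.conf
# (comments and blank lines are dropped). Missing DIR is not an error.
read_dir_config() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # `|| :` keeps a file with no entries from aborting a `set -e` caller
        grep -E '^/' "$f" || :
    done
}

# resolve_bind_dirs VMCONFIG_VALUE TEMPLATE_DIR RW_DIR
#   VMCONFIG_VALUE  list as it would arrive from the AdminVM, e.g. (assumed)
#                   `qubesdb-read /vm-config/bind-dirs`; empty when unset
#   TEMPLATE_DIR    stand-in for /usr/lib/qubes-bind-dirs.d (always honoured)
#   RW_DIR          stand-in for /rw/config/qubes-bind-dirs.d (qube-writable)
# Prints the effective bind-dirs, one per line, sorted and de-duplicated.
resolve_bind_dirs() {
    vmconfig=$1; template_dir=$2; rw_dir=$3
    {
        read_dir_config "$template_dir"
        if [ -n "$vmconfig" ]; then
            # Admin-controlled list wins; per-qube /rw overrides are ignored,
            # so code running inside the qube cannot add a persistent path.
            printf '%s\n' "$vmconfig" | tr ':' '\n'
        else
            # Legacy behaviour: the qube's own /rw configuration is trusted.
            read_dir_config "$rw_dir"
        fi
    } | grep -E '^/' | sort -u
}
```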