On Fri, Aug 19, 2016 at 08:56:38PM -0000, johnyju...@sigaint.org wrote:
> > On 2016-08-19 05:11, johnyju...@sigaint.org wrote:
> >> When I try to run qvm-run from within an AppVM, I get "Request refused."
> >>
> >> Is this by design, for security reasons? If so, I guess that's perfectly
> >> reasonable. I just don't see that fact documented anywhere.
> >>
> >
> > Yes, but it's completely user-configurable. You can read all about this
> > system here:
> >
> > https://www.qubes-os.org/doc/qrexec3/
>
> Sweet!
>
> Mainly looking to have Keepass, running in an offline AppVM, to be able to
> fire up specifically-allowed URLs in a browser in another AppVM, and
> stuff a password into its clipboard.

Getting anything to/from the Qubes clipboard can be triggered only by an
explicit user action (ctrl-shift-c/v). This is to prevent many types of
clipboard-based attacks.

> (So it sounds like I could restrict the qrexec to a custom script in the
> AppVM that only opens that specific site; and stuffing the clipboard
> should be pretty benign, too.)

You can create a new qrexec service for that (which is also described on that
linked page), but it may be tricky to do it securely.

Anyway, if you're talking about a normal AppVM (not a DispVM), and you want to
paste that password there from time to time, what about simply storing that
password inside the browser? It has access to this password anyway, the only
difference is when. But if it is compromised, it doesn't matter, so you don't
really get anything from not storing it there.

This of course doesn't apply to a Disposable VM (DispVM for short), which by
design should start from a clean state.

> If I'm very careful about the permissions, I should be able to keep any
> risk under control. The qrexec design looks pretty flexible.
>
> Thanks!
>

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
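One way to write the "custom script that only opens that specific site" discussed above, as an added example that is not part of the original thread or of Qubes itself. The service name `custom.OpenSite`, the VM names, the URLs and the `firefox` command are assumptions; the calling VM sends a short key on stdin and never a URL.

```shell
#!/bin/sh
# Constructed example: qrexec service for the browser AppVM, saved there as
# /etc/qubes-rpc/custom.OpenSite (hypothetical service name).
# dom0 policy in /etc/qubes-rpc/policy/custom.OpenSite (placeholder VM names):
#   vault-vm  browser-vm  allow
#   $anyvm    $anyvm      deny
LC_ALL=C; export LC_ALL   # make the a-z range below byte-exact

# Fixed allowlist: the caller selects a key, the URL lives only here.
lookup_site() {
    case "$1" in
        bank) printf '%s\n' 'https://bank.example/login' ;;
        mail) printf '%s\n' 'https://mail.example/' ;;
        *)    return 1 ;;
    esac
}

# Accept only a short lowercase alphanumeric token; reject everything else.
valid_key() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# Map the untrusted request text to an allowlisted URL, or fail.
resolve_request() {
    valid_key "$1" || return 1
    lookup_site "$1"
}

# qrexec sets QREXEC_REMOTE_DOMAIN when it starts a service; the request is
# handled only in that case, so the functions above can be tested on their own.
if [ -n "${QREXEC_REMOTE_DOMAIN:-}" ]; then
    IFS= read -r key || true          # one line from the calling VM
    if url=$(resolve_request "$key"); then
        # The service's stdout is connected back to the caller: close it so
        # nothing from the browser VM flows into the calling VM.
        exec firefox "$url" </dev/null >/dev/null 2>&1   # browser is an assumption
    fi
    exit 1
fi
```

The clipboard is deliberately left out: as the reply notes, clipboard transfers in Qubes require the explicit ctrl-shift-c/v action.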