Jean-Philippe Ouellet:
> From https://github.com/QubesOS/qubes-issues/issues/910#issuecomment-275872140
> (here to not pollute that issue)
> 
> @marmarek wrote:
>> BTW I'm curious how many people have custom qrexec services ;) On one of my 
>> machines I have 15 of them.
> 
> 
> I have at least the following (not all are finished or enabled):
> 
> 1. requesting port forwarding (with separate policies for different
> arguments to denote different ports)
> 
> 2. requesting USB device passthrough (arg to specify device)
> 
> 3. requesting VM be created from particular template with particular
> RPM installed (to test in clean envs)
> 
> 4. requesting ssh session from VM with no netvm (mitigates
> http://nastytrap.ru:25 issue described by @rootkovska in
> https://groups.google.com/d/topic/qubes-devel/niMbDhS_nWI/discussion)
> 
> 5. render html (like qubes.PdfConvert, and allowed from any)
> 
> 6. excel-to-csv
> 
> 7. create hvm w/ particular iso, particular xen cfg, & point
> stdin/stdout at console device (from trusted dev vm, for WIP
> OpenBSD-in-qubes work)
> 
> 8. WIP qubes.Filecopy equivalent which does not require the VM to be
> running (encrypts the file with a key only known to the dest VM &
> stores in staging area for dest VM to retrieve later). Goal is to
> safely allow transferring data to VMs with encrypted private.img while
> in a physical location where you do not want to type that VM's
> passphrase.
> 
> 9. giving me a serial console without passing through the whole FTDI
> device at USB level (for safety, but also works around some issues
> when reattaching)
> 
> 10. killing jtagd & reloading a driver, because dumbly broken tools
> are dumbly broken
> 
> 11. queuing stuff to print
> 
> 12. start ssh session via sshd -i (inetd mode) (used because i can
> multiplex multiple things (shells, scp, etc.) over a single ssh
> session, which is convenient in the case of '$dispvm' targets (because
> you don't know the name of the just-started VM to specify multiple RPC
> calls to it), so in some cases it's less hacky than trying to automate
> lots of things over a single qubes.VMShell to a dispvm)
> 
> and several more
> 

Cool!

Great list, and great ideas.  It would be nice if generally useful
services like some of these could be included in the repos.

I use a few custom qrexec services myself.

One in particular is designed to act as a socat bridge between a VM
("tor-proxy") hosting a "HidServAuthorizeClient" Tor hidden service on
one side, and a control panel interface on a VM ("host") hosting
software which must be connected to the clearnet on the other side.

The control panel port is firewalled off on "host" and so is
inaccessible over the clearnet.  However, incoming connections to
"tor-proxy" (i.e. to the hidden service) launch a qrexec request to
"host", which sets up a socat bridge.

This is probably not a good idea for applications with many new
connections, as the overhead from the Qubes RPC calls for every
connection must be pretty extreme in this context.  However, serving Tor
hidden services via a qrexec link to a VM with no networking might be a
neat way to reduce risk of exploitation.  Bonus points for using
per-connection disposable VMs and MirageOS unikernels!

Andrew

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1c08fd1e-d180-c746-3ca1-d122caca81b0%40riseup.net.
For more options, visit https://groups.google.com/d/optout.
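Added example, not Andrew's actual setup or any Qubes project code: the three pieces his qrexec socat bridge needs, written as a POSIX shell script that stages each file under the path it would occupy on its VM (dom0 policy, the service script on "host", the torrc snippet and socat listener on "tor-proxy"). The VM names "host" and "tor-proxy" come from his message; the service name `my.ControlPanel`, the ports 8080 and 9080, the hidden-service directory and the client name "admin" are assumptions, as is the Qubes 3.x file layout (`/etc/qubes-rpc/<service>` in the VM, `/etc/qubes-rpc/policy/<service>` in dom0).

```shell
#!/bin/sh
# Added example (not Andrew's configuration). Service name, ports and the
# Qubes 3.x qrexec paths below are assumptions; "host" and "tor-proxy" are
# the VM names used in the thread.

SERVICE="my.ControlPanel"   # assumed qrexec service name
HOST_VM="host"              # VM running the clearnet-connected software
PROXY_VM="tor-proxy"        # VM running the Tor hidden service, no direct access to host
PANEL_PORT=8080             # assumed control-panel port, firewalled on "host"
LISTEN_PORT=9080            # assumed local port Tor forwards to on "tor-proxy"

# dom0: policy that lets only tor-proxy invoke the service on host.
# Deny everything else explicitly so a typo in the first line cannot
# silently fall through to the default "ask".
gen_policy() {
    printf '%s %s allow\n' "$PROXY_VM" "$HOST_VM"
    printf '$anyvm $anyvm deny\n'
}

# host: the service script. qrexec hands it the caller's stdin/stdout and
# socat splices them onto the loopback-only control-panel port, so the port
# never has to be reachable from any network interface.
gen_service() {
    cat <<EOF
#!/bin/sh
exec socat STDIO TCP:127.0.0.1:${PANEL_PORT}
EOF
}

# tor-proxy: torrc snippet for a client-authorized hidden service whose
# onion port 80 is forwarded to the local socat listener.
gen_torrc() {
    cat <<EOF
HiddenServiceDir /var/lib/tor/panel/
HiddenServicePort 80 127.0.0.1:${LISTEN_PORT}
HiddenServiceAuthorizeClient stealth admin
EOF
}

# tor-proxy: the listener. Each accepted connection forks one socat that runs
# qrexec-client-vm, i.e. exactly one Qubes RPC call per TCP connection (the
# per-connection overhead the message warns about).
listener_cmd() {
    printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork EXEC:"qrexec-client-vm %s %s"\n' \
        "$LISTEN_PORT" "$HOST_VM" "$SERVICE"
}

# Stage all files under $1, mirroring where each goes on its VM, so the
# result can be reviewed before copying into place.
install_into() {
    dir="$1"
    mkdir -p "$dir/dom0/etc/qubes-rpc/policy" \
             "$dir/host/etc/qubes-rpc" \
             "$dir/tor-proxy/etc/tor"
    gen_policy   > "$dir/dom0/etc/qubes-rpc/policy/$SERVICE"
    gen_service  > "$dir/host/etc/qubes-rpc/$SERVICE"
    chmod 755      "$dir/host/etc/qubes-rpc/$SERVICE"
    gen_torrc    > "$dir/tor-proxy/etc/tor/torrc.panel"
    listener_cmd > "$dir/tor-proxy/start-bridge.sh"
}

# Usage: install_into ./staging
```

Data flows only through the qrexec channel, so "host" needs no route to "tor-proxy" and the control panel stays bound to loopback. The per-connection DispVM variant the thread mentions would replace `host` with `$dispvm` in both the policy line and the `qrexec-client-vm` call, at the cost of starting a VM for every connection.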