On 05/05/2017 06:02 AM, [email protected] wrote:
> Suggestion: Instead of having "VMs that boot 'cleanly'" I'd propose
> to add the following option:
> - configuration data that lives in /rw/config (usrlocal) and is
> cleaned by these scripts/services to be fetched from Dom0 (or
> dedicated VM) based on VM's name.
> This should be done after cleanup service and before Qubes code that
> executes /rw/config/rc.local (or sets firewall rules).
> Purpose is to keep current (original 3.2) configuration behavior,
> while ensuring configuration is not modifiable by malware, neither
> getting 'clean boot'.
> What do you think?

This would hinge on what "configuration data" means. IMO, most of that
in /rw consists of executables or binds... stuff that shouldn't be left
in place when the VM in question is considered at-risk.

The part about dom0 seems unnecessary. The protection service is running
from the template's read-only root, before /rw is mounted.

To "clean" /rw contents... it doesn't seem healthy to do this in a
conventional sense with parsing. It should perform removal/replacement
of files, which is already done in some sense. Going forward, it could
make exceptions for things like NetworkManager connections and Tor data
(if their formats allow no execute/scripting directives) based on a
whitelist. But for now, 'clean boot' is a usable compromise that keeps
/home data.

The latest version of the protection service does its job before the
/rw/config scripts (and bind-dirs), BTW. Another thing is that it can
'clean' (replace) any file in /rw, /home or otherwise if you add the
path+file to the /etc/defaults/vms folder in the template.

--
Chris Laprise, [email protected]
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
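
The remove-or-replace cleanup with whitelist exceptions discussed in the reply above, sketched as an added example; it is not code from the post or from the protection service. The function names, the one-relative-path-per-line whitelist format, the quarantine directory and the directory arguments are assumptions.

```shell
#!/bin/sh
# Added example. Function names, whitelist format and directory arguments are
# assumptions for illustration; this is not the protection service's code.

# scrub_config CONFIG_DIR WHITELIST QUARANTINE   (CONFIG_DIR: no trailing slash)
# Moves every non-directory entry under CONFIG_DIR into QUARANTINE unless its
# relative path is an exact line in WHITELIST. Nothing is parsed or executed.
scrub_config() {
    [ -d "$1" ] || return 0
    mkdir -p -- "$3" || return 1
    find "$1" ! -type d -exec sh -c '
        root=$1; allow=$2; q=$3; shift 3
        nl="
"
        for f do
            rel=${f#"$root"/}; keep=no
            case $rel in
                *"$nl"*) ;;  # newline in name: never kept (grep would split it)
                *)  # Keep regular files only; a symlink is never kept.
                    if [ -f "$f" ] && [ ! -L "$f" ] && grep -Fxq -- "$rel" "$allow"
                    then keep=yes; fi ;;
            esac
            if [ "$keep" = yes ]; then
                chmod a-x -- "$f"    # kept data files lose their execute bits
            else
                mkdir -p -- "$q/$(dirname -- "$rel")" && mv -- "$f" "$q/$rel"
            fi
        done' sh "$1" "$2" "$3" {} +
}

# apply_defaults DEFAULTS_DIR RW_DIR   (RW_DIR must be an absolute path)
# Copies each file under DEFAULTS_DIR (trusted, from the read-only template)
# over the same relative path in RW_DIR, replacing whatever was there.
apply_defaults() {
    [ -d "$1" ] || return 0
    ( cd "$1" && find . -type f -exec sh -c '
        rw=$1; shift
        for f do
            rel=${f#./}
            # Remove first so a symlink planted at the destination is not followed.
            rm -rf -- "$rw/$rel"
            mkdir -p -- "$(dirname -- "$rw/$rel")" && cp -p -- "$f" "$rw/$rel"
        done' sh "$2" {} + )
}
```

A missing or unreadable whitelist makes `grep` fail, so every entry is quarantined rather than kept.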