On Fri, Aug 11, 2017 at 4:41 AM, Nicolas Mojon <nicolas.mo...@gmail.com> wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM so that nothing can go out of the VM (like no internet or copy/paste
> through dom0). I would like to do that especially for USB sticks or other
> storage devices, so that people can work on things on the USB in the VM but
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the
> sys-usb VM but with a USB keyboard, because for the moment, when I try to
> implement it, it finishes in a deadlock because I cannot use the keyboard when
> restarting. And even with the ask policy, it happens after the login so it is
> pretty problematic and allow it completely, will probably cause a security
> issue for my system on of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas

You can put explicit deny rules for all qrexec services involving that VM.
Copy/paste evaluates qubes-rpc policy too, but with an implicit undefined or
ask meaning yes.

*HOWEVER*: To truly and completely accomplish this is pretty much impossible
with modern computer architectures unless you limit to only one VM running at
a time. There will likely always be ways to establish covert channels between
cooperating VMs due to hardware side-channels, regardless of whatever Qubes
might try to do to stop it.

See also: https://www.qubes-os.org/doc/data-leaks/

Regards,
Jean-Philippe
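
The explicit deny rules suggested in the reply, as an added example that is not part of the original thread: a dom0 shell function that prepends deny rules for one source VM to every qrexec policy file in a directory. It assumes the Qubes 4.0 layout (one file per service under /etc/qubes-rpc/policy, lines of `source target action`, first match wins, `$anyvm` not matching dom0); the VM name `usb-work` and the sample policy lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed Qubes 4.0 policy format:
# one file per qrexec service, each line "source target action",
# evaluated top to bottom with the first matching line deciding.

# deny_outbound VM POLICY_DIR
# Prepends deny rules with VM as source to every policy file in POLICY_DIR
# and prints the number of files changed. Safe to re-run.
deny_outbound() {
    vm=$1
    policy_dir=$2
    changed=0
    for f in "$policy_dir"/*; do
        [ -f "$f" ] || continue
        # Already protected: our rule is the first line of the file.
        if [ "$(head -n 1 "$f")" = "$vm \$anyvm deny" ]; then
            continue
        fi
        tmp=$(mktemp) || return 1
        {
            printf '%s $anyvm deny\n' "$vm"   # any VM as target
            printf '%s dom0 deny\n' "$vm"     # dom0 needs its own rule (assumption)
            cat "$f"                          # keep the existing rules below
        } > "$tmp"
        # Write back in place so the file keeps its owner and mode.
        cat "$tmp" > "$f" || { rm -f "$tmp"; return 1; }
        rm -f "$tmp"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Demonstration on a constructed policy directory (not the real one).
demo_dir=$(mktemp -d)
printf '$anyvm $anyvm ask\n' > "$demo_dir/qubes.Filecopy"
printf '$anyvm $anyvm ask\n' > "$demo_dir/qubes.ClipboardPaste"
deny_outbound usb-work "$demo_dir"
cat "$demo_dir/qubes.ClipboardPaste"
rm -rf "$demo_dir"
```

Policy files added later, for example by a package that installs a new qrexec service, do not carry the rule until the function is run again. The rules only cover qrexec; the VM's network access is a separate setting.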