On Thu, Dec 07, 2017 at 10:26:44AM +0100, 'Tom Zander' via qubes-users wrote:
> On Thursday, 7 December 2017 09:41:37 CET [email protected] wrote:
> > My understanding is that you attach and detach block devices from the dom0
> > side, and you mount, umount, and eject from the AppVM side.
> >
> > Is it possible to detach and/or attach block devices from the AppVM side,
> > or is this something that only dom0 can do?
>
> Making them available is something only dom0 can do, to make sure that a
> compromised qube can't get itself more resources.
>
It is possible to attach/detach from the qube side, by using a qrexec service.
You need a script in dom0 /etc/qubes-rpc which will do the actual block attach,
and a policy to allow the call to dom0. Then use `qrexec-client-vm dom0 ...` to
call the script.

If your use case is quite simple (one USB device to be attached to one qube),
then it's a simple script. You could identify the device from the output of
qvm-block and then `qvm-block -a` that device.

If it's more complicated then you *could* parse input from the caller, but this
opens up dom0 to potentially compromised qubes, and wouldn't be recommended.
In any case, if the situation is more complicated, you are probably better off
using the native tools.

But for the simple case, or where you want to attach at boot time (using
/rw/config/rc.local), it's certainly doable.

unman

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171207174206.7hprmbrjnyswutfj%40thirdeyesecurity.org.
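The "simple case" unman describes, as an added example that is not from the thread or from the Qubes project: a dom0 qrexec service that attaches one fixed USB device to whichever qube called it, without reading anything the caller sends. The service name `my.AttachUsb`, the device description `Kingston_DataTraveler`, the qube name `work` and the column layout of the qvm-block listing are assumptions; `QREXEC_REMOTE_DOMAIN` is the variable qrexec sets to the calling qube's name.

```shell
#!/bin/sh
# Hypothetical dom0 service file: /etc/qubes-rpc/my.AttachUsb
# Policy, one line in /etc/qubes-rpc/policy/my.AttachUsb:   work dom0 allow
# Call from the qube (e.g. from /rw/config/rc.local):      qrexec-client-vm dom0 my.AttachUsb
#
# Nothing the caller sends is read. The device is fixed here and the target
# qube is taken from QREXEC_REMOTE_DOMAIN, so a compromised qube can at most
# get this one device attached to itself, never to another qube.

USB_DESC="Kingston_DataTraveler"   # assumed description as it appears in qvm-block output
ALLOWED_CALLERS="work"             # second check in the script, independent of the policy file

# Read a qvm-block listing on stdin and print the "backend:device" id (first
# column) of the single line whose text contains $1. Print nothing and return 1
# when zero or several lines match, so an ambiguous listing attaches nothing.
find_device() {
    awk -v want="$1" '
        index($0, want) { ids[n++] = $1 }
        END { if (n == 1) print ids[0]; else exit 1 }'
}

# Succeed only if the calling qube is listed in ALLOWED_CALLERS.
caller_allowed() {
    for q in $ALLOWED_CALLERS; do
        [ "$1" = "$q" ] && return 0
    done
    return 1
}

attach_to_caller() {
    caller="$QREXEC_REMOTE_DOMAIN"
    caller_allowed "$caller" || { echo "refused: $caller" >&2; exit 1; }
    dev=$(qvm-block | find_device "$USB_DESC") || { echo "device not found" >&2; exit 1; }
    qvm-block -a "$caller" "$dev"    # qvm-block -a <qube> <backend:device>, as in the mail
}

# Only run the service body when invoked by qrexec (the variable is set then).
if [ -n "$QREXEC_REMOTE_DOMAIN" ]; then
    attach_to_caller
fi
```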
