On Fri, Sep 14, 2018 at 09:18:38AM -0700, Yethal wrote:
> On Friday, 14 September 2018 13:21:14 UTC+2, Nils Amiet wrote:
> > Hi everyone,
> >
> > I would like to lock down Qubes OS so that VMs can't be created or deleted,
> > nor edited (e.g. modify the associated NetVM).
> >
> > I already read documentation about qrexec policies, the Admin API and
> > qubes-core-admin extensions.
> >
> > If I understand correctly, the Admin API cannot be used to prevent the user
> > from creating a VM from dom0. For example, from the dom0 terminal I tried
> > adding the following line to `/etc/qubes-rpc/policy/admin.vm.Create.AppVM`:
> >
> > ```
> > $adminvm $adminvm deny
> > ```
> >
> > But then I am still able to run `qvm-create test --label blue`. Is there
> > something I am missing here or is the policy not being honored on dom0? Why
> > is that?
> >
> > I also noticed that the Qubes extensions fire some events and it is
> > possible to write hooks for those events
> > (https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html).
> > Would it be possible to write a Qubes extension that hooks to some event
> > that is fired whenever a VM is created and use that mechanism to block VM
> > creation?
> >
> > Would the GUI domain that is planned for Qubes OS 4.1 change the situation
> > or help implementing this at all?
> >
> > The workaround I'm thinking about is to run Xfce4 in kiosk mode, remove
> > application menu entries, keyboard shortcuts, desktop right click menu to
> > prevent access to dom0, but this is just a workaround and we probably
> > can't be sure that it will work with upcoming Qubes OS releases. Any
> > thoughts on that?
> >
> > Thank you,
> >
> > Nils
>
> Wait for 4.1. The plan is that users will not have direct access to dom0.
> Instead the gui domain will have api access to management functions and it will
> be possible to restrict it for corporate use case.
Yethal is right - "the proper" solution is using a GUI domain, which will be isolated from dom0 and can have policies applied. Right now, with direct dom0 access, qrexec policy is not enforced when the action is performed from dom0.

Alternatively the workaround you propose could work, but needs to be extended to the Admin API as well - the local user must be excluded from the "qubes" group (which gives direct access to qubes services) and instead a proxy added which checks qrexec policy even if the action is performed from dom0. That is not unthinkable, but it definitely requires some work, and still it is a workaround.

But Qubes 4.1 is still in development and I think will not be ready this year, maybe Q1 2019, depending on progress. GUI domain related stuff can be tracked here: https://github.com/QubesOS/qubes-issues/issues/833

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
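The following is an added example, not code from the thread or from Qubes itself: a simplified model of the Qubes 4.0-style qrexec policy file (`source destination action`, first match wins, no match means deny) used to show what the dom0-side proxy Marek sketches would have to do, namely evaluate the policy even for requests that originate in dom0. The `VM` class, the token semantics in `_match` and the `check_request` flags are assumptions made for illustration and do not reproduce the real policy engine.

```python
# Added example, not Qubes' own code: simplified model of a 4.0-style qrexec
# policy file ("source destination action", first match wins, no match = deny).
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    """Minimal stand-in for a qube (assumed shape, not the Qubes API)."""
    name: str
    klass: str          # e.g. "AppVM", "AdminVM"
    tags: frozenset


def _match(token: str, vm: VM) -> bool:
    """Match one policy token against a VM (assumed, simplified semantics)."""
    if token == "$anyvm":
        return True
    if token == "$adminvm":
        return vm.klass == "AdminVM"
    if token.startswith("$type:"):
        return vm.klass == token[len("$type:"):]
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in vm.tags
    return token == vm.name


def evaluate(policy_text: str, source: VM, target: VM) -> str:
    """Return 'allow', 'ask' or 'deny' from the first matching rule; deny if none."""
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        src, dst, action = line.split()[:3]
        if _match(src, source) and _match(dst, target):
            return action.split(",", 1)[0]      # strip "action,param=value" extras
    return "deny"


def check_request(policy_text: str, source: VM, target: VM,
                  from_dom0: bool, enforce_in_dom0: bool) -> str:
    """Model of both behaviours: today's dom0 bypass vs. a policy-checking proxy."""
    if from_dom0 and not enforce_in_dom0:
        return "allow"   # current behaviour: policy file never consulted for dom0
    return evaluate(policy_text, source, target)


# Constructed sample policy: the exact line from the thread plus one more rule.
CREATE_APPVM_POLICY = """
# admin.vm.Create.AppVM (constructed sample)
$adminvm $adminvm deny
$tag:mgmt $adminvm allow
"""
DOM0 = VM("dom0", "AdminVM", frozenset())
MGMT = VM("mgmt", "AppVM", frozenset({"mgmt"}))
```

With `enforce_in_dom0=False` the `$adminvm $adminvm deny` rule is never reached for a dom0 caller, which is the behaviour Nils observed; the proxy variant returns `deny`.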