On 2/23/19 4:15 PM, 799 wrote:
Hello,

Stumpy <stu...@posteo.net> wrote on Sat, Feb 23, 2019, 17:58:

    (...) dvms could be used for things like sys-net usb and firewall
    which had never occurred to me.
    I may not be thinking about it right but that seemed like a really
    good security idea, so my question is, why is that not the default?
    (...)


I am also heavily interested in running "named" disposable VMs as sys-VMs with one enhancement, that I am able to store the Wifi-Credentials in a Vault-VM and that I can "push" the credentials into the sys-net VM when launching it (maybe by some custom scripts which use qvm-run --pass-io from dom0 to copy data from Vault-VM to the Sys-Net-VM).

As you may already know, I created a Qubes service that provides most of the benefits of a dispVM by removing, hash checking, repopulating or whitelisting the contents of a VM's private volume:

https://github.com/tasket/Qubes-VM-hardening

It comes with a default that preserves Network Manager connection info for sys-net. The default also lets most /home files remain, but the executable parts are locked down with the immutable flag. This default can be changed to remove and/or repopulate the entire /home contents (along with everything else in /rw).

Settings can be universal or for each individual VM, which allows layered customizations to be made without the need to create additional templates. (All settings are erased in the VM instance before startup is completed.)

All of this happens immediately before Qubes first mounts the /rw private volume at startup.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
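
The credential push that 799 describes in the quoted message (piping data from a vault qube to sys-net with `qvm-run --pass-io` from dom0) can be scripted as below. This is an added example, not code from the thread or from Qubes-VM-hardening; the vault qube name, the `/home/user/wifi` directory, the `.nmconnection` file naming and the function names are assumptions.

```sh
#!/bin/sh
# Added example, run in dom0. Values marked "assumed" are not from the thread.
QVM_RUN=${QVM_RUN:-qvm-run}
VAULT_VM=${VAULT_VM:-vault}                 # assumed name of the vault qube
NET_VM=${NET_VM:-sys-net}
VAULT_DIR=${VAULT_DIR:-/home/user/wifi}     # assumed profile directory in the vault
NM_DIR=${NM_DIR:-/etc/NetworkManager/system-connections}

# The name is embedded in a command string that the VM's shell interprets,
# so allow only a conservative character set and no leading dot.
valid_profile_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy one NetworkManager keyfile from the vault to the net qube.
push_wifi_profile() {
    name=$1
    valid_profile_name "$name" || { echo "rejected name: $name" >&2; return 2; }
    src="$VAULT_DIR/$name.nmconnection"
    dst="$NM_DIR/$name.nmconnection"
    # dom0 only relays bytes through the pipe and never parses the file.
    # umask 077 yields mode 0600, which NetworkManager requires for keyfiles.
    "$QVM_RUN" --pass-io "$VAULT_VM" "cat '$src'" |
        "$QVM_RUN" -u root --pass-io "$NET_VM" "umask 077; cat > '$dst'"
    # A failed read in the vault leaves an empty file behind: detect and remove it.
    if ! "$QVM_RUN" -u root --pass-io "$NET_VM" "test -s '$dst'"; then
        "$QVM_RUN" -u root --pass-io "$NET_VM" "rm -f '$dst'"
        echo "profile $name not transferred" >&2
        return 1
    fi
}

# Usage: push-wifi.sh PROFILE...   (does nothing when called without arguments)
if [ "$#" -gt 0 ]; then
    for p in "$@"; do push_wifi_profile "$p" || exit 1; done
    "$QVM_RUN" -u root --pass-io "$NET_VM" "nmcli connection reload"
fi
```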
