[qubes-users] Error loading PCI Device... Can anyone explain why this is having kittens?
What is going on here? Please help? --- [{username}@dom0 {drive_id}]$ qvm-start TSTester --cdrom=/run/media/{username}/{drive_id}/isos/opsys1/opsys1_2.iso --> Loading the VM (type = HVM)... Traceback (most recent call last): File "/usr/bin/qvm-start", line 131, in main() File "/usr/bin/qvm-start", line 115, in main xid = vm.start(verbose=options.verbose, preparing_dvm=options.preparing_dvm, start_guid=not options.noguid, notify_function=tray_notify_generic if options.tray else None) File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", line 326, in start return super(QubesHVm, self).start(*args, **kwargs) File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1893, in start nd.dettach() File "/usr/lib64/python2.7/site-packages/libvirt.py", line 5249, in dettach if ret == -1: raise libvirtError ('virNodeDeviceDettach() failed') libvirt.libvirtError: Requested operation is not valid: PCI device :06:00.0 is in use by driver xenlight, domain TSTester [{username}@dom0 {drive_id}]$ --- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f9ba8c93-b761-4f37-a059-3833be08de42%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Requirements for Qubes Tools and seamless integration?
On Thursday, 25 August 2016 07:25:20 UTC+10, Andrew David Wong wrote: > These probably aren't what you're looking for, but since you didn't say that > you've already read these documents, and since they're relevant to the topic, > I'll share the links here in case they happen to contain some information that > is relevant to you: > > https://github.com/QubesOS/qubes-template-configs > https://www.qubes-os.org/doc/building-non-fedora-template/ > https://www.qubes-os.org/doc/building-archlinux-template/ Hi Andrew, You are correct, they are relevant. Yes, I have already read them the last time I asked this question and someone linked me those. I was hoping for a new resolution and an actual answer, not a link to something that does not have any information on what I'm asking. What you linked me are instructions on how to, not what I am needing to know. I don't want to download all that and more and do many things just to find out that in the last 1% of it all that it won't work because I have to install something first, or a different version. The main reason I'm asking what the prerequisites are is to know EXACTLY what the MINIMAL requirement is to be able to get it running on Qubes. I can't use a no-gui option on the VM that is a CLI and then access it via the console commands without it having the Qubes tools installed in it. In my OP I did say "I still can't find any documentation on it that accurately tells me what I want to know" and "Pretty much all the packages that are REQUIRED as a minimum to get it all to work." This is what I'm after, not instructions. I'm trying to build a template, and the instructions there are not detailed enough to tell me what I want and need to know, because I'm not an "end-user" I'm a developer and a technician by trade. I like things to be cleaner and more efficient than they currently are in some of the templates, including the "minimal" templates, which aren't exactly minimal, since they are missing things that are NEEDED and they have things that shouldn't be there as a "minimal". (In my opinion at least) So by knowing WHAT is required, I will know what it is that I can turn into a Template with Qubes integration. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6bd1ee1c-7142-47a8-8c63-64110eab21c6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Unnecessary things in dom0/templates?
I just updated dom0 and saw a few packages - avahi and openssl - that made me curious as to why they are there. I'm all about having a lean system, so I remove things where and when I can. If there's a reason for these things being there, then that's cool, but since dom0 is network-isolated, that struck me as a little odd. I'm also curious to know if other people have thoughts on certain packages and why they're included (in dom0 or in templates), so feel free to list them on this thread. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dada00c0-bd26-4d35-9f60-72beab685e67%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] qvm-block by UUID?
Most standard Linux utilities that refer to block devices, allow you to specify by uuid as well (mount, cryptsetup are two examples). The documentation for qvm-block is sparse, but probably because it's a striaght-forward utility. There's no support in qvm-block to assign a device to a VM by UUID, is there? Could be handy for some of the automation I'd like to put in place on firing up the system. One can always lsblk|grep|sed|cut|whatever in a sh script, and then use the resulting block device for qvm-block, but it'd be a lot cleaner and less error-prone if one could say "qvm-block -a Florp UUID=kasdjflaksjdfaklsdf" or "qvm-block -a FLorp --uid asdfkasjdlfkajsd" Just a suggestion. (And for any other qvm-* that refer to block devices, perhaps.) Cheers. JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2554d22727f99f1b2ce2d7444cc2b901.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Node.js global modules
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-08-24 18:17, angelo "angico" costa wrote: > Hi, all! > > I'm using Qubes 3.1 and I'm new with all this compartimented system idea. > > I use Node.js for my work and study, and several of its modules should to be > installed globally. My question is: Should I install those modules in the VM > where I'll use them, or should I install them from the template VM? > > TIA and regards, > > Angico. > It really depends on what you're trying to accomplish. If you want it available in more than one AppVM, install it in the TemplateVM. If you only need it in a single AppVM, install it only in that AppVM (as long as all the files will be installed to /home, /usr/local, or /rw/config; otherwise they won't persist across reboots). More information: https://www.qubes-os.org/doc/templates/ - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXv2ATAAoJENtN07w5UDAwoccP/3lc7tjoNiweYsIKk7lRPAd/ DINg8oh9vymJ/toQCou1Jx+b0jPf/dg/XlSwKAxx4Vn2i6wtTDkHiwO2JjN1BGXs ckPKWy9WMT/aoP7D7vcnFk03fYfeMtej6VJisDamGJZuoCDzWCUZv2t+8/WDot8U 9aYsnvUYVXTEPk6DaIEd7FMvMTOfpZfEfidt72QR1Zpt2nKdWmwqCFiGxS1/iIuK jZ8++qmx+88ezjVFT6a89kupH7BhvDw4IVvrtMuNVRJjfaCZCsfMhlXUxbSFWauF D4ABdXUAJO8Oyuh6CaLQV0WPVjmKfOvaR+sJwnLc8vlkP+U+NN6eym03Eihafu/M L0Go9YTIMlxnrdmj9TtBxtZGYCSuomE/TdGBfx6AnKmsEA1PucyoG/7CaaOPFbk6 KDyPMA377DDXmK5GrEcuON6Q5XfQn16cpYz44eGOO4/SH4bPdRdrBtwox0qaf5cL /Fk6sb7DUEES9RAk+RWZcd+LhHY4q2PSAiUgpt+cYbt9zIqIEnEqVKzaa/SJqDf3 tqCXzi5cRrIJpTzV0w/oeVNbYJcYjjlPleuyD1IqXxk3hQtVcPIPOnIWB4t/qb0Q xBd0U/Fq1GRHeH/yWQcWd4Bo+SZf9Kqj34Dv1nWO3IWa2DlmpLJgezeUEtkFtC+k RPahX86ZG9KlFDF9Egd4 =tP/V -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/846b82c8-8fe2-fd9f-d1be-fdb7aa0e1e8f%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Anonymizing MAC adress through dvm ?
Hello everyone, I was just wondering if you can apply this documentation https://www.qubes-os.org/doc/anonymizing-your-mac-address/ to your disposable VM (like if you like to browse the internet being safe, not saving any data but also preserving your anonymity, in a way like Tails do). I tried to apply this on the AppVM-dvm, stopped it, then entered "qvm-create-default-dvm nameoftheTemplateVM-on-which-is-based-the-AppVM" in dom0, so eventually it would save the configuration on the img on which is based the new Disposable VM, but it don't seem to work, my interface ID don't change when I type "/sbin/ifconfig" into the new DispVM. I guess the problem comes from the fact the TemplateVM creates a symlink to /etc/systemd/ to load the service, but as you don't have persistence in dispVM, the process fails, but I'm not sure. If you have an idea on one could eventually do this, I think it would be a great feature (even if it is already really nice to be able to do so on standard VMs, problem is when you're paranoid you have to trade off in a way between a non anonymous but full secured non persistent model for a more anonymous but less secured one, lol) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/082febb6-e326-4837-bc6a-ead69cfb3254%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Template Updates through http proxy
I found tinyproxy and it's configuration file tinyproxy-updates.conf. I should be able to add an "Upstream" directive to direct traffic to another proxy. This file is apparently generated and does not survive a reboot. I could not find a configuration file in /rc. Where do I update this file? On 08/25/16 10:18, John R. Shannon wrote: I have a brand new Qubes OS 3.1 installation. In my network updates must be via a http proxy. Configuring dom0 for updates was easy. How do I configure to allow a template domain to update? -- John R. Shannon j...@johnrshannon.com (208)522-4506 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e2841000-6b55-22ed-11e8-e3f7649ca751%40johnrshannon.com. For more options, visit https://groups.google.com/d/optout. smime.p7s Description: S/MIME Cryptographic Signature
Re: [qubes-users] Qubes VM compromised?
> On 08/23/2016 07:25 PM, Chris Laprise wrote: >> What threat model does this fit? If a skilled attacker tricks you into >> thinking you created an account at sigaint, but you later cannot use >> it... what is the advantage of that? The possible gain seems to be >> little or nothing. > > Well, (s)he has changed all its passwords. Tricking someone into > changing all passwords has been done before. Indeed. Psyhchological harassment can often by the goal, not necessarily theft of credentials. (There's nothing left to take, in my case, lol.) And when I said I had a psycho ex, I truly meant that she has truly shown all the signs of being a textbook psychopath or sociopath, and invested heavily in having me harassed online. (I don't think she's a genius hacker herself, lol.) When you're dealing with a psycho/socio-path, logical and rationality doesn't always factor into things, which can be hard to get your head around at times. Sheer destruction can be the goal (in her case, a stated goal). That being said, I can believe that the recent password weirdness was probably PayPal anti-fraud mechanisms being careful (or confused) with Tor. (I'd say it could also be someone trying to grab all credentials from a dodgy exit node, but the fact I saw the SSL lock/certificate and the real PayPal URL makes me doubtful, unless the browser was compromised and lying.) Part of the leverage of psychological harassment is that you start seeing unrelated screwups as part of the harassment. It's good to be careful to try and separate the two. Not always easy. Cheers. :) JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/72e45af0b5117271fbbff0ae7e40d5c8.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes VM compromised? - Follow up
> I am too paranoid for using tails other than the reccomended method (two > usb drives updating each other - I have two pairs of three). No aware of the two drive method. Is that just updating to the next version from the previous version, onto another USB drive? While it's a bit slower, I prefer booting from DVD, a read-only medium. (A bit of a pain to update, having to boot to a USB stick to write the newer version, but it has to be done infrequently.) There's peace of mind in a true read-only medium, that you keep with you. > I just use Whonix within Qubes and I like it. I'm glad it comes out of > the box since 3.1 I've retreated to only using Fedora. Setting up Tor and Firefox (with noscript, ssl observatory, adblocker) to use it as a proxy is essentially the same effect as Whonix (or tbb). Even if tor/firefox are on the same vm rather than separated, you're behind sys-net and sys-firewall, so your real world address isn't going to leak. Another two VM's on top of that (whonix-gw and whonix-ws) is a bit of overkill IMO, and a memory pig. (I've wondered if it might be more natural to have tor running in sys-firewall; it is kind of a fire-wall-ish thing. But having the firewall separate is a nice additional barrier in case of compromise.) > Also, I would never use tor for banking, unless the banking wouldn't > involve my real world name - understand that one how you want. Yeah, exit nodes are too scary. Okay to keep reduce cyberstalkers, but for financial transactions, it seems a bit risky unless you got a solid HTTPS connection (and trust the govt and crooks not to abuse CA's; I guess that's not something seen in the wild much. For a high value target, maybe; for someone being harassed by an ex, less likely.) JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9a51f2eb8dd6a8744cf6411ed09cae47.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes VM compromised? - Follow up
On 08/25/2016 01:54 AM, johnyju...@sigaint.org wrote > (Although accepting the password change on a Tor exit, and then refusing > that on a non-Tor https: connection was rather weird. Would they silently > fail a password change? Oh well, I won't stress over it, but will keep a > close eye on things, for sure. Ever vigilant...) Not weird at all, could be just the lag between the red flag raising for a given account (yours) and someone manually deciding to block your account "for security reasons" - read that as: "we crap our pants when we see tor, and we rather block your legitimate attempt to login to risk accepting a real world account hijacking". > Worst case, I could (and have successfully) just run Tails inside Qubes, > and it should be no worse (safer, actually) than Tails standalone, for > banking or email. (I was reading that the IOMMU protection prevents DMA > attacks, which is sweet.) I am too paranoid for using tails other than the reccomended method (two usb drives updating each other - I have two pairs of three). I just use Whonix within Qubes and I like it. I'm glad it comes out of the box since 3.1 Also, I would never use tor for banking, unless the banking wouldn't involve my real world name - understand that one how you want. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1982b061-15a5-c452-b9b2-f2327f0cfe4e%40gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Template Updates through http proxy
I have a brand new Qubes OS 3.1 installation. In my network updates must be via a http proxy. Configuring dom0 for updates was easy. How do I configure to allow a template domain to update? -- John R. Shannon j...@johnrshannon.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ef19c7a0-05f1-71f4-d519-2c2c30d5ae04%40johnrshannon.com. For more options, visit https://groups.google.com/d/optout. smime.p7s Description: S/MIME Cryptographic Signature
Re: [qubes-users] Qubes VM compromised?
On 08/23/2016 07:25 PM, Chris Laprise wrote: > What threat model does this fit? If a skilled attacker tricks you into > thinking you created an account at sigaint, but you later cannot use > it... what is the advantage of that? The possible gain seems to be > little or nothing. Well, (s)he has changed all its passwords. Tricking someone into changing all passwords has been done before. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a0b37dd6-248c-eb36-31ce-94ad47efef54%40gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: R3.2 rc2 blank screen - screenlock issue?
@ Desobediente Yes I know it's seems trivial but I'm rolling it out to relatively inexperienced users and it never happened on any of my machines running R2, R3.0 or R3.1 (all on KDE). -- Richard -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a466ed5d-2aa1-44d0-a6b6-4cae8c2accd5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] R3.2 rc2 blank screen - screenlock issue?
I have the same issue using 3.1 since it launched, never bothered to find out why, nor filed anything in the issue tracker, I just turn the computer off and on again. My screen blacks out, I can move the mouse and see the cursor moving in the screen, keyboards do not respond at all. If there's music playing, it still plays. The Qubes machine stays 24/7 on, this happens let's say once every 3-7 days, I think. -- iuri.neocities.org -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAF0bz4RBX_yEAF-Wd5rdgtLsNakHsPbShv0bk6bb4KO21L5i%3Dg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Custom initramfs
Dear all, how can I create a custom initramfs for dom0, using the current one as template? I was hoping for something like initramfs-tools in Debian... The aim is to include yubikey-luks in the FDE unlocking: https://github.com/cornelinux/yubikey-luks There might be other usecases, too - perhaps make a FAQ entry on this? Thanks, Raphael -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e1e934ad-2ba1-6964-3569-5421ce45f547%40raphael-susewind.de. For more options, visit https://groups.google.com/d/optout.
[qubes-users] R3.2 rc2 blank screen - screenlock issue?
Problem description: After using the system all day (including unlocking and unlocking the screen just fine) and then leaving it overnight I come back to a blank screen. Doing a Ctrl-Alt-F2 gives me a command prompt but I can't get X to respond (with Ctrl-Alt-F1). After a reboot all is well until after some apparently random period it happens again. I've gone through the screen locker and power management settings in Xfce (turned power management off) and turned of power management in BIOS. No joy. System spec: Qubes RC2 rc2 running Xfce on Intel NUC5i5YRH with 16G ssd. Kde is also installed but I'm not using it. Has anyone got a solution? -- Richard -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/428b4251-0260-4ce4-81da-0c98ba71f636%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Building Archlinux Template Error
On Wednesday, August 24, 2016 at 3:15:09 PM UTC+1, Foppe de Haan wrote: > On Wednesday, August 24, 2016 at 4:14:12 PM UTC+2, Foppe de Haan wrote: > > On Thursday, August 18, 2016 at 6:40:42 PM UTC+2, Jovan Miloskovski wrote: > > > Hi, > > > I'm really learning all of this template building stuff right now but > > > I've stumbled upon an error in the Archlinux qubes template building > > > process I can't find a solution for. > > > Here is the segment of the error in my terminal output: > > > > > > -> Building vmm-xen (archlinux) for archlinux vm (logfile: > > > build-logs/vmm-xen-vm-archlinux.log) > > > --> build failed! > > > gcc -D_FORTIFY_SOURCE=2 -march=x86-64 -mtune=generic -O2 -pipe > > > -fstack-protector-strong -O2 -fomit-frame-pointer -m64 > > > -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes > > > -Wdeclaration-after-statement -Wno-unused-but-set-variable > > > -Wno-unused-local-typedefs -O2 -fomit-frame-pointer -m64 > > > -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes > > > -Wdeclaration-after-statement -Wno-unused-but-set-variable > > > -Wno-unused-local-typedefs -D__XEN_TOOLS__ -MMD -MF .subdirs-install.d > > > -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 -fomit-frame-pointer -m64 > > > -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes > > > -Wdeclaration-after-statement -Wno-unused-but-set-variable > > > -Wno-unused-local-typedefs -D__XEN_TOOLS__ -MMD -MF > > > .subdir-install-libxl.d -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 > > > -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall > > > -Wstrict-prototypes -Wdeclaration-after-statement > > > -Wno-unused-but-set-variable -Wno-unused-local-typedefs -D__XEN_TOOLS__ > > > -MMD -MF .libxl_create.o.d -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE > > > -Werror -Wno-format-zero-length -Wmissing-declarations > > > -Wno-declaration-after-statement -Wformat-nonliteral -I. -fPIC -pthread > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/libxc/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/libxc/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/xenstore/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/include > > >-Wshadow -include > > > /home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/config.h > > > -c -o libxl_create.o libxl_create.c > > > gcc -D_FORTIFY_SOURCE=2 -march=x86-64 -mtune=generic -O2 -pipe > > > -fstack-protector-strong -O2 -fomit-frame-pointer -m64 > > > -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes > > > -Wdeclaration-after-statement -Wno-unused-but-set-variable > > > -Wno-unused-local-typedefs -O2 -fomit-frame-pointer -m64 > > > -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes > > > -Wdeclaration-after-statement -Wno-unused-but-set-variable > > > -Wno-unused-local-typedefs -D__XEN_TOOLS__ -MMD -MF .subdirs-install.d > > > -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 -fomit-frame-pointer -m64 > > > -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes > > > -Wdeclaration-after-statement -Wno-unused-but-set-variable > > > -Wno-unused-local-typedefs -D__XEN_TOOLS__ -MMD -MF > > > .subdir-install-libxl.d -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -O2 > > > -fomit-frame-pointer -m64 -fno-strict-aliasing -std=gnu99 -Wall > > > -Wstrict-prototypes -Wdeclaration-after-statement > > > -Wno-unused-but-set-variable -Wno-unused-local-typedefs -D__XEN_TOOLS__ > > > -MMD -MF .libxl_dm.o.d -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE > > > -Werror -Wno-format-zero-length -Wmissing-declarations > > > -Wno-declaration-after-statement -Wformat-nonliteral -I. -fPIC -pthread > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/libxc/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/libxc/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/xenstore/include > > > > > > -I/home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/include > > >-Wshadow -include > > > /home/user/qubes-src/vmm-xen/src/xen-4.6.1/tools/libxl/../../tools/config.h > > > -c -o libxl_dm.o libxl_dm.c > > > gcc -D_FORTIFY_SOURCE=2 -march=x86-64 -mtune=generic -O2 -pipe > > > -fstack-protector-strong -O2 -fomit-frame-pointer -m64 > > > -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes > > > -Wdeclaration-after-statement -Wno-unused-but-set-variable > > > -Wno-unused-local-typedefs -O2
Re: [qubes-users] Isn't it bad, that compromized vm can create any number of dispVMs?
On 08/25/2016 12:53 PM, Arqwer wrote: > Command qvm-run '$dispvm' xterm if called from an appVM will run > xterm in a new dispVM. If attacker gained access to an appvm, he > possibly can run script, that will create thousands of new dispVMs > and freeze my computer. I don't like this. May be it's better to > disable this functionality by default? > I see your point, but I'd rather appreciate a limit on the number of dispVM that can be launched (e.g. per hour/appvm?) before some confirmation from dom0 is needed to open any more. This way actual functionality is not broken nor reverted, and the denial of service scenario is prevented. -- Alex -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1b45ff95-95e9-f3a5-fe4e-065b8c2d36af%40gmx.com. For more options, visit https://groups.google.com/d/optout. signature.asc Description: OpenPGP digital signature
[qubes-users] Isn't it bad, that compromized vm can create any number of dispVMs?
Command qvm-run '$dispvm' xterm if called from an appVM will run xterm in a new dispVM. If attacker gained access to an appvm, he possibly can run script, that will create thousands of new dispVMs and freeze my computer. I don't like this. May be it's better to disable this functionality by default? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5e1cb9a7-1cf3-4c8e-9d6c-084e5377ba4e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.