[qubes-users] Re: Custom qrexec services

2017-03-31 Thread Jean-Philippe Ouellet
On Sat, Jan 28, 2017 at 9:04 PM, Marek Marczykowski-Górecki
 wrote:
> 1. write USB - _unidirectional_ service to write an fs image into USB
> stick (service into USB VM)

I like this idea (mostly got tired of ... | qvm-run -p sys-usb 'dd
of=/dev/sda') and wrote my own. [1]

Not unidirectional, mine passes back the hashes of reading back what
it just wrote (more to detect failing media than for security). Also
allows the device name to be controlled with argument-specific policy.

[1]: https://gist.github.com/jpouellet/abe5cf438267afffc851a1a11d8be8f0

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_BGLDqHnQ9%3DAJB3LwbccR%3DScAVW02yrFmY3KPGPHaXXcw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
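The "write USB" service discussed in this thread (a unidirectional write into the USB VM, or the variant that also hands back readback hashes and pins the target device through argument-specific policy), sketched below as an added example. This is not the gist linked above and not Qubes' own code. It assumes a service name `qubes.WriteUSB` installed in the USB VM, the Qubes 4 service-argument convention (`$QREXEC_SERVICE_ARGUMENT` in the service, a per-argument dom0 policy file `qubes.WriteUSB+sdb`, and `qrexec-client-vm sys-usb qubes.WriteUSB+sdb` on the calling side), and a constructed image file for offline testing in place of a real block device:

```shell
#!/bin/sh
# Added example (not the gist linked above and not Qubes' own code): a
# minimal qrexec service in the spirit of the "write USB" service discussed
# in this thread, meant to live in the USB VM as /etc/qubes-rpc/qubes.WriteUSB.
# Assumptions, none of them from the page:
#   - the target disk arrives as the qrexec service argument, i.e. the
#     Qubes 4 convention of $QREXEC_SERVICE_ARGUMENT plus a dom0 policy file
#     /etc/qubes-rpc/policy/qubes.WriteUSB+sdb holding a line such as
#         work sys-usb allow
#     so one qube may be allowed to write one specific disk and nothing else;
#   - the image arrives on stdin; the only data sent back is one line with
#     the byte count and two SHA-256 digests (drop the final echo in
#     write_image to make the service strictly unidirectional).

# Accept only a whole-disk name like "sdb": no partitions, no slashes, no
# "..". The caller picks the argument, so it is attacker-controlled whenever
# a policy file without "+argument" exists; this check is defence in depth,
# not a replacement for policy.
validate_dev() {
    case "$1" in
        sd[a-z]) return 0 ;;
        *)       return 1 ;;
    esac
}

# write_image DEVICE_PATH < image
# Spools stdin, hashes it, writes it to DEVICE_PATH, flushes, reads the same
# number of bytes back and prints:
#     <bytes> <sha256 of input> <sha256 of readback> <OK|MISMATCH>
# Returns 0 when the digests match, 2 when they do not, 1 on a write error.
write_image() {
    dev="$1"
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    size=$(( $(wc -c < "$tmp") ))
    sum_in=$(sha256sum < "$tmp" | cut -d' ' -f1)

    # conv=fsync makes dd flush the target before reporting success. On a
    # real disk add iflag=direct to the readback below so the comparison
    # hits the media rather than the page cache; it is left out here because
    # O_DIRECT fails on the regular file used for offline testing.
    if ! err=$(dd if="$tmp" of="$dev" bs=1M conv=fsync 2>&1 >/dev/null); then
        rm -f "$tmp"
        echo "write to $dev failed: $err" >&2
        return 1
    fi
    rm -f "$tmp"

    sum_out=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    if [ "$sum_in" = "$sum_out" ]; then
        status=OK; rc=0
    else
        status=MISMATCH; rc=2
    fi
    echo "$size $sum_in $sum_out $status"
    return "$rc"
}

# Entry point used when qrexec invokes the script. Skipped when the file is
# sourced for testing, because QREXEC_SERVICE_ARGUMENT is not set there.
service_main() {
    if ! validate_dev "$1"; then
        echo "refusing device argument: $1" >&2
        exit 1
    fi
    write_image "/dev/$1"
}

if [ -n "${QREXEC_SERVICE_ARGUMENT:-}" ]; then
    service_main "$QREXEC_SERVICE_ARGUMENT"
fi
```

The device allowlist is deliberately a fixed `case` pattern rather than an existence test on `/dev/$1`: a name that exists is not the same as a name the policy meant to permit, and the per-argument policy file only protects you if no catch-all `qubes.WriteUSB` policy is left beside it.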


[qubes-users] Re: Custom qrexec services

2017-01-28 Thread Marek Marczykowski-Górecki
On Sat, Jan 28, 2017 at 05:55:14PM -0500, Jean-Philippe Ouellet wrote:
> From https://github.com/QubesOS/qubes-issues/issues/910#issuecomment-275872140
> (here to not pollute that issue)
> 
> @marmarek wrote:
> > BTW I'm curious how many people have custom qrexec services ;) On one of my 
> > machines I have 15 of them.
> 
> 
> I have at least the following (not all are finished or enabled):

So, if we're listing them, here are a few of mine:

1. write USB - _unidirectional_ service to write an fs image into USB
stick (service into USB VM)

2. update local apt/yum repository[1] - get packages just uploaded via
qubes.Filecopy and expose them to LAN as yum/apt repo

3. inter-VM git connection[1]

4. send SMS - use built-in modem to send an SMS (using ModemManager d-bus
API) - currently both destination number and text are inside of the pipe,
but I consider putting the number into the service argument (to allow some
VM to send SMSes only to selected numbers)

5. all those defined in qubes-builder[2], recently published details in [3]

6. (WIP) trigger build in response to github notification (notification
received in one VM, then sends a simple signal "something has changed"
to build VM(s) - those VMs will fetch appropriate git repositories (with
signed tags verification), and check if any new package needs to be
built.

7. activate screenlocker - this service is launched when I unplug 
yubikey from USB VM (USB VM->dom0, without any data inside the pipe)

8. Send wake-on-lan signal to other machine (service into netvm)


In the context of the #910 ticket, here are those where I have multiple
target domains with "allow" rule:

 - qubes.Filecopy - I have various scripts to automate my workflow, for
   example:
     - build rpm package
     - qubes.Filecopy it to a VM running a repository exposed to my LAN
     - run another service to update metadata on that repository (see
       service 2)
   or this:
     - get a build log(s)
     - qubes.Filecopy it to another VM with gist tool installed[4], and
       limited github API key configured
     - launch another service to upload those files to gist
   or this:
     - build a kernel + initrd
     - qubes.Filecopy it to a VM with tftpserver - there
       ~/QubesIncoming is exposed into LAN using tftp (and my DHCP server
       points there to look for PXE files)
   In all the above cases, a source VM has multiple "allow" rules to
   different destination VMs. In fact on this system the final line of
   qubes.Filecopy policy is "$anyvm $anyvm deny", not "ask" ;)

 - inter-vm git access - this allows me to push code into different
   build/test environment - for example I have different VM to build
   some preliminary PoC code, different VM to build test templates (not
   using DispVM there, to not rebuild everything each time), etc

 - service in point 6 will need to notify _multiple_ build VMs when a
   notification arrives - for example to build all Fedora and Debian packages
   (those are different build environments)

[1] https://www.qubes-os.org/doc/development-workflow/
[2] https://github.com/QubesOS/qubes-builder/tree/master/rpc-services
[3] https://github.com/QubesOS/qubes-infrastructure
[4] https://github.com/defunkt/gist

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
