[qubes-users] SystemTap in dom0 – kernel debug symbols

2019-10-29 Thread Vít Šesták
Hello,
I wanted to use systemtap (stap) in order to preprocess keyboard events. 
However, when I try to use a simple script, it fails:

$ sudo stap numpad.stp
semantic error: while resolving probe point: identifier 'module' at numpad.stp:1:7
        source: probe module("evdev").function("evdev_events"){
                      ^

semantic error: missing x86_64 kernel/module debuginfo [man warning::debuginfo] under '/lib/modules/4.19.79-1.pvops.qubes.x86_64/build'

Missing separate debuginfos, use: debuginfo-install kernel-4.19.79-1.pvops.qubes.x86_64
Pass 2: analysis failed.  [man error::pass2]

The directory /lib/modules/4.19.79-1.pvops.qubes.x86_64/build exists and 
contains some files, but it probably does not contain debuginfo – it does 
not contain any file matching *debug*.

I have tried running debuginfo-install kernel-4.19.79-1.pvops.qubes.x86_64, 
but it uses DNF/YUM internally, so it cannot work.

Is there any way to get kernel debug symbols in dom0?

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6c29c262-48c8-4b35-9ea7-755738e29004%40googlegroups.com.


Re: [qubes-users] Qubes 4 and VPN, client VMs cannot access Internet

2019-10-29 Thread Eric S

Thanks for quick response, see following replies.


> 'fedora-30' would be the name of a template VM, not a regular app VM. 
> Templates are blocked from regular Internet access in Qubes. 
>

Sorry for the confusion. The actual app VM is named 'work' and is based on 
fedora-30 template. I also have two identical VMs named 'personal' and 
'personal-vpn' based on ubuntu-18 template. The NetVM for 'personal' is 
sys-firewall, and I have full Internet access (i.e. 'ping 8.8.8.8' is 
success response). The NetVM for 'personal-vpn' is sys-vpn, and no Internet 
traffic goes through ('ping 8.8.8.8' is 100% packet loss).
 

>
> If all you want fedora-30 to do is update or install software, it can be 
> done if an update proxy is added to the system (the existing update 
> proxy in sys-net can no longer see the template's requests bc its 
> traffic is encrypted by sys-vpn). This could be done by enabling the 
> Qubes service 'qubes-updates-proxy' for your sys-firewall-vpn VM. 
> Alternately, you could make the templates update directly by adding 
> 'updates-proxy-setup' to their Qubes services tab and then un-checking 
> it (this has the effect of disabling the updates-proxy client). 
>

Good to know, thanks. I did read this in the qubes documentation and had 
played around with it a bit on test VMs, but have not needed to perform any 
proxy updates as all the template updates are performing as expected, and I 
only need to restart my app VMs and net VMs to inherit software updates 
from the templates. I have not needed to add update proxy to any app VMs. 

>
> A note about the firewall in qubes-vpn-support: If it's configured 
> correctly with the example settings (using the 'vpn-handler-openvpn' 
> Qubes service) then you should not be able to browse Internet sites from 
> inside sys-vpn. Also, you should see a popup notification stating that 
> the VPN link is 'UP' when sys-vpn starts. 
>

Great point. Initially I was having connection problems on sys-vpn. I was 
only able to get the popup notification and Internet access after I added 
'vpn-handler-egress' service (I had already added 'vpn-handler-openvpn' 
when I created the VM).

>
> You can check on the VPN status in sys-vpn with 'sudo journalctl -u 
> qubes-vpn-handler'. You can also check firewall settings with 'sudo 
> iptables -L -v -t nat' and the 'Chain PR-QBS' should have ip addresses 
> pointing to your VPN provider's DNS server in the rightmost column 
> (traffic can appear to be blocked if this doesn't get set). 
>
I did use 'sudo journalctl -u qubes-vpn-handler' to troubleshoot problems 
when I first tried to install qubes-vpn-support. On my first go-around I 
cloned sys-net and then installed the scripts as instructed. I had failures 
reported in journalctl (sorry, I cannot remember what the errors were), so 
I ended up deleting that VM and instead of cloning off sys-net, I created a 
new VM based on fedora-30, added the 'vpn-handler-openvpn' service, and 
installed qubes-vpn-support. This time no failures reported from 
journalctl. 

I verified that my VPN provider's DNS servers are listed correctly in 
iptables.

Open to additional suggestions or insights, will perform any commands you 
request for details. Thanks for your help

> -- 
>
> Chris Laprise, tas...@posteo.net  
> https://github.com/tasket 
> https://twitter.com/ttaskett 
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886 
>
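
The PR-QBS check suggested in the quoted advice above, as an added example that is not part of the original thread: it reads `iptables -L -v -t nat` output and confirms that the chain's DNAT rules point only at the expected DNS servers. The function names and the sample output (including 10.8.0.1 as the VPN provider's resolver) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Usage inside sys-vpn:
#   sudo iptables -L -v -t nat | prqbs_check <vpn-dns-ip> [<vpn-dns-ip>...]

# Constructed sample of `iptables -L -v -t nat` output (addresses assumed).
sample_nat() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 PR-QBS     all  --  any    any     anywhere             anywhere

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DNAT       udp  --  any    any     anywhere             10.139.1.1           udp dpt:domain to:10.8.0.1
    0     0 DNAT       tcp  --  any    any     anywhere             10.139.1.1           tcp dpt:domain to:10.8.0.1
EOF
}

# Print the unique DNAT destinations (rightmost "to:" field) of chain PR-QBS.
prqbs_dns_targets() {
    awk '
        /^Chain / { in_chain = ($2 == "PR-QBS"); next }
        in_chain && $3 == "DNAT" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^to:/) {
                    addr = substr($i, 4)
                    sub(/:[0-9]+$/, "", addr)   # drop an optional :port
                    print addr
                }
        }' | sort -u
}

# Return 0 only if PR-QBS has DNAT rules and each one points at an
# address listed in the arguments; print the reason otherwise.
prqbs_check() {
    targets=$(prqbs_dns_targets)
    [ -n "$targets" ] || { echo "PR-QBS has no DNAT rules"; return 1; }
    rc=0
    for addr in $targets; do
        case " $* " in
            *" $addr "*) ;;
            *) echo "unexpected DNS target: $addr"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

An empty PR-QBS chain is reported as a failure, which matches the case where traffic appears blocked because the DNS addresses were never set.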



[qubes-users] Re: Why is there no option to save VM state?

2019-10-29 Thread Vít Šesták
Actually, not saving state is not a security feature per se*. It is a 
consequence of template-based VM design.

The root filesystem of a template-based VM is cloned from the template on 
boot. This allows performing updates of many VMs at once by updating just 
one TemplateVM. There is however a filesystem for storing some state 
(typically mounted at /rw).

If it was a security feature, it would be quite weak. On typical OSes, the 
attacker has plenty of places where they can drop/hook a malware, for 
example .bashrc and /rw/config/rc.local.

If you want to store something in other directories than /home, /usr/local 
and similar, you can:

a. Extend the list of persisted directories: 
https://www.qubes-os.org/doc/bind-dirs/
b. Create a Standalone VM. This allows you full control of the VM, but it 
will take more space and you won't be able to update it just by updating 
its template.

Regards,
Vít Šesták 'v6ak'

*) Well, it can improve security by making administration easier. Without 
that, it would be easy to make some infrequently-used VM outdated. When you 
would start the VM after some time, you would risk various attacks sooner 
or later.
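
As an added example (not part of the original post): a baseline check over the persistent startup hooks named above, so that a change to .bashrc or /rw/config/rc.local in a template-based VM is noticed after the fact. The function names, the inclusion of .profile and the baseline file are assumptions.

```shell
#!/bin/sh
# Added example, not from the post. .bashrc and /rw/config/rc.local come
# from the post; .profile and all function names are assumptions.
# Usage: hook_manifest /rw > baseline   (store the baseline outside the VM)
#        hook_verify /rw baseline

# Print "sha256  relative-path" for each hook that exists under $1.
hook_manifest() {
    (
        cd "${1:-/rw}" || exit 1
        for f in config/rc.local home/*/.bashrc home/*/.profile; do
            # An unmatched glob stays literal and fails the -f test.
            if [ -f "$f" ]; then sha256sum -- "$f"; fi
        done
    ) | sort -k 2
}

# Print the hash recorded for path $2 in manifest file $1 (empty if absent).
hook_hash() {
    awk -v p="$2" '$2 == p { print $1 }' "$1"
}

# Compare the hooks under $1 with the baseline manifest $2.
# Prints REMOVED/CHANGED/ADDED lines and returns 1 if anything differs.
hook_verify() {
    cur=$(mktemp) || return 2
    hook_manifest "$1" >"$cur"
    rc=0
    while read -r sum path; do
        now=$(hook_hash "$cur" "$path")
        if [ -z "$now" ]; then echo "REMOVED $path"; rc=1
        elif [ "$now" != "$sum" ]; then echo "CHANGED $path"; rc=1
        fi
    done <"$2"
    while read -r sum path; do
        [ -n "$(hook_hash "$2" "$path")" ] || { echo "ADDED $path"; rc=1; }
    done <"$cur"
    rm -f "$cur"
    return "$rc"
}
```

A baseline kept inside the same VM can be rewritten by whatever modified the hooks, so the comparison is only meaningful against a copy stored elsewhere.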



[qubes-users] Re: Panic Button in Dom0

2019-10-29 Thread Daniil Travnikov
Also I found these 2 scripts which could be:

1. https://github.com/hephaest0s/usbkill

« usbkill » is an anti-forensic kill-switch that waits for a change on your 
USB ports and then immediately shuts down your computer.


2. https://github.com/defuse/swatd

"...For example, you can set a sensor to detect if your WiFi network is in 
range, and when it goes out of range, automatically unmount encrypted 
volumes. So if someone steals your laptop from your house, your files will 
be safe..."
