[qubes-users] "Qubes Architecture Next Steps: The New Qrexec Policy System" by Marek Marczykowski-Górecki & Marta Marczykowska-Górecka

2020-06-22 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

A new article has just been published on the Qubes website:

"Qubes Architecture Next Steps: The New Qrexec Policy System"
by Marek Marczykowski-Górecki & Marta Marczykowska-Górecka

https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/

The original Markdown source is included below:

- ---
layout: post
title: "Qubes Architecture Next Steps: The New Qrexec Policy System"
categories: articles
author: Marek Marczykowski-Górecki, Marta Marczykowska-Górecka
- ---

This is the second article in the "What's new in Qubes 4.1?" series. You
can find the previous one (about GUI Domains)
[here](https://www.qubes-os.org/news/2020/03/18/gui-domain/). While the
introduction of GUI domains is a big, singular feature, the changes to
qrexec are more complex and varied --- but also very important.

## What is qrexec?

You might have been using Qubes for a while and never encountered the
word "qrexec," but it is one of the crucial components in the system.
Qubes provides isolation and compartmentalization. Separate qubes are
separate worlds, and what the user does in one qube should not impact
another qube. That is, of course, not realistic. In the real world, we
often need and want to do things like copying and pasting, sending
files, routing internet traffic, and simply synchronizing the time. This
is where qrexec comes in: It is an RPC (remote procedure call) mechanism
that allows one qube to do something inside another qube. Of course,
allowing everything all the time would be extremely dangerous. Thus, a
part of qrexec called "qrexec policy" is also used to enforce who can do
what and where. Furthermore, we want to be able to audit what was done,
and this is provided with the logging capabilities of qrexec. The *how*
is controlled by qrexec services, which are executed by qrexec and also
must be designed in a secure and resilient way. This post focuses mainly
on qrexec itself, but qrexec services will make a brief appearance.

## Overview of changes

*Most of this post will be very technical. If you don't care about
writing your own qrexec policies and services, feel free to just read
this overview.*

Before we get into nitty-gritty technical details, here's a brief, less
technical overview of Qubes 4.1 qrexec changes and what they mean for
users and developers:

 - A new qrexec policy format. (The old format is still supported, but
   the new one is very much superior, allowing for easier-to-read
   policies, more qube-centered customization, better auditing, and
   more.)
 - Big performance improvements: bigger data chunk sizes for faster
   transfers of large amounts of data, qrexec policy daemon for faster
   policy evaluation and call setup, resulting in up to seven-fold
   faster qrexec service calls.
 - Support for socket services: better performance for services that can
   use a socket-based implementation with significantly faster setup and
   connection times.
 - Policy notifications that make any abnormal behavior easier to detect
   and any problems resulting from incorrect permissions easier to
   solve.

There is one other big upcoming change (which is not yet fully
implemented and will arrive after Qubes 4.1): We are working on a qrexec
policy API, that is, a set of qrexec services that will allow for
managing qrexec policies without manually editing policy files. It's
another step toward separating the user from dom0 and protecting the
vulnerable system internals by isolating them from the outside world to
the greatest extent possible.

## New policy format

In Qubes 4.0 and earlier, policies were stored as multiple files, one
for each service. While changing permissions for a single action was
easy, managing permissions for an entire qube was very cumbersome. The
new Qubes 4.1 policy format completely overhauls this approach and
introduces several convenience features to make policy management easier
and more secure. 

What if you've already spent time carefully crafting your policies in
Qubes 4.0? Don't worry. The old policy format will still be supported
until at least Qubes 5.0.

You can find details of the development of the new policy format
[here](https://github.com/QubesOS/qubes-issues/issues/4370).

### Policy files

The biggest difference between the old and new policy formats is that,
under the new format, the entire policy is a single entity. It is not
divided into separate, per-service fragments. While it can be stored in
multiple files located in multiple places, the files are equivalent, and
each can describe policies for multiple services. In other words, we are
moving from a set of tables to one big, flat table.

The policy files, stored previously in `/etc/qubes-rpc/policy/`, are now
located in `/etc/qubes/policy.d/`. Furthermore, each file must have a
`.policy` extension, and any temporary files will no longer cause
issues. Under the old format, there were dozens files:

```
/etc/qubes-rpc/policy/

[qubes-users] Mounting Network Shares

2020-06-22 Thread Qubes

Hi

When I mount a samba share, if it matters from where I will share, 
inside an AppVM the mount is mounted, I suspect, as 'user'. Yes root is 
doing the mount, but I think the user that is used to connect to the 
network share is the uid of the logged in user which is by default user 
and I don't think that can be changed.


If I need to mount the network share as user xyz, because user xyz has 
certain permissions, is there a way to do that?



Regards

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fd810637-e399-cff4-3bba-20e51b357d03%40ak47.co.za.


[qubes-users] better solution to configure firewall rules?

2020-06-22 Thread Sven Semmler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

I find myself manually entering the IP ranges from
https://api.github.com/meta into the firewall rules of my 'dev' qube.
Obviously this is tedious.

Is there a better way for me to import the ranges from
https://api.github.com/meta or any other such configuration and import
them into a qubes firewall rules?

/Sven

- -- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAl7xJKwACgkQ2m4We49U
H7bWAxAAwFuxVTsmDAoULxP9aFEkia28S7XI6pCG4T5IOJ76DorQwHTcQn2cSEF2
+lI+Gn2YCy0J+f+4op3cqS1dfLgjY1nO1oX+BbVV0MSFqzIdepmEpyh1N+JEBlWU
nxW5g7ywONDOBgbGn8AkF+OQ7beNoX4yKmBnJaRtdOGluXH2SlOd0HOUV1COsqEM
vJoRj7vfCQOs/YmNO5BGGFQZqof/61VqPCnpg9/5fMoXBrUDIvqLcxiH0qA3bXCz
gfI/rlaPPFJPgZZZ6AlmHRp4sBRhsjJtXAc2DfHA8BgwSI4czlFUCfujPgA6Qtp5
6hYZuv39rzaX5P9vb5UdjRSAyxWyJlW7AdS1yPG01qEjNBnWbi3hCiCRQM1Mt4E1
weg315JZiPmCrl4KMjHXcqcmVNcPaL/J7nCqXJ4eGHh2o7B8XfpbEn7ZOrxdek+z
w4nZi23fdXLikfdi5Bz9uoRQouUjsCt8FwYK60J9atnf0QuCupH2pNMnfy1/8E3V
Aa44MH4EVXUcUkggcsBPIsLtD9yOR0ZORLDW0Gcp/Y/Er7Bd5vj3NXWspPL0Bm0j
GZnnW1FvpwyCsgyUfZw/V427wbzDI83NHVnHUVGFZnzcuXyw/I/aTMK5/WAANyya
5mHZ8+NfvAA9r3rSDVnKwpf34NpTeAYCFxUTIuNS53Z7GezB/uA=
=BZho
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dc8e4b7a-d601-6954-0636-228a33b335a7%40SvenSemmler.org.


[qubes-users] How to split into two gateways

2020-06-22 Thread 'Matt Drez' via qubes-users
Hey guys,

I'm working on my 2nd qubes machine but this task I could never figure out on 
the first one to begin with.

Can someone please tell me if you were able to achieve the following?
- Have two NICs handling two separate sys-net
- Behind each sys-net their own firewall
- behind the firewalls their own set of VMs.

I was able to handle the firewall rules and everything else but I cannot make 
it work to have 2 sys-net each handling a NIC separately. Can someone please 
tell me step by step how you achieved that?

Thanks a bunch

Matt

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/Eu0jDbf7v-N2lymh-uLget7fmUNSrq9tiI9Z_KRLVt0ROmb306D9dQefNzg8L21Jbmq-t6XC6SuktToMOs1iPP1Z-7Op2xAqyF1L_lYWjBQ%3D%40pm.me.


publickey - mattdrez@pm.me - 0x8196D0F4.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature


Re: [qubes-users] better solution to configure firewall rules?

2020-06-22 Thread verifiablelist

On 2020-06-22 16:37, Sven Semmler wrote:


Is there a better way for me to import the ranges from
https://api.github.com/meta or any other such configuration and import
them into a qubes firewall rules?



You can add firewall rules from Dom0. I've got a one-liner that will 
read IPs from a file and add them to the firewall of an AppVM.


WARNING, once you edit the firewall rules "manually" from within Dom0, 
you can no longer edit them from within the GUI. So, I recommend making 
a copy of your AppVM to test with before running it for real.


The script:

cat ips.txt | while read line; do qvm-firewall appvm-name add --before 0 
accept dsthost=$line; done


Where:
ips.txt is a text file containing a list of ip addresses, one per line.
appvm-name is the name of the AppVM you want to add the rules to.

Note that this script will add each IP "before 0" (meaning, at the top 
of the rule list). Also note that this is set to "accept" connections 
from all of the IPs. If either of these things is not what you want, 
you'll need to edit it accordingly.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/03b0ec30-6418-0145-bfc8-e437bd4e5777%4086.is.


Re: [qubes-users] installing qubes

2020-06-22 Thread Sven Semmler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 6/22/20 7:44 PM, 'Jon will' via qubes-users wrote:
> I have the OS of my dreams!

This is not said nearly often enough! Thanks Qubes Team!

/Sven

- -- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAl7xWCEACgkQ2m4We49U
H7bW6g//TQZq3VGHXDGGeCMVbhXHzoRuJ/DgvYtix70JMh9kvjYhgQaw3EzZo/aD
IQpmYf7sLFPrjsDu0NHm/oxHv5f5UziLy90W+K4IlF8R9ZRrQVXT8xSscLfP7myo
MEVHcirKi8E42XYXPX0Ns3tLRskYhXhhhFYKdPL/Y2VX5HmRR9SqvqmeuJREawZe
3JzjUxBFQqnXvrwuMTQm9Di1OBpSjGUkche9ahPKXj3oG6yp+5ga5MSYmlreNuBc
tlhjYfBmQF/aTaLzw57QQajD+uTcGFN9NNuRjZYd5LWjvvTZdsIkiaT4RpsNvDJo
A4vx2Qmyze/osrEU5W1KQ9fzmFoK7X96v7suKEmkb0OVS9ff71KNsc82MmUMdBE4
eEv0X8N/6wVsn2Hwq9XSAgjoQNvRfWF//1SFRBYV2aDI29R6tlfe3h8CZIBno5rS
NJaVVktZUp8S4U2Y6Z9YIBemiHF/52rccZp9FJx/m06veAmJph00hKBFeY7Jn3W/
JCBf6fMs5zNEUl9xloy/toEVRmMaIJYE/XgHQ7/yOXQuxpd1bY2KKAb95ab1ZSfm
RPgXsLWkP7UndrY0oDtZzFvOH+gu2GVO/uvDTDZOWbUJMd04iRX12oXgbYtFDIea
Fx17LnpYvn0rfwdp6xaT+4KJocld7oZP3UtW17RHXNj5ncZ0ecc=
=3Cqk
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/895155e6-f318-c6e0-f163-d59063bd92b9%40SvenSemmler.org.


Re: [qubes-users] better solution to configure firewall rules?

2020-06-22 Thread Sven Semmler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 6/22/20 9:19 PM, verifiablel...@86.is wrote:
> cat ips.txt | while read line; do qvm-firewall appvm-name add
> --before 0 accept dsthost=$line; done

Thank you! I'll look into qvm-firewall and then write a little script
to parse the downloaded file and fire off the respective calls.

/Sven

- -- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAl7xaTMACgkQ2m4We49U
H7aSmw//XfG81QchyOQUA8UoCUjxJ7B3XRI1xMhpca3YkQ+clKg1/ja7MvjwjvPM
kg/wFDhky1xr0BcHSvhtXOuHJiI2PAR2XcMde+1NwKIKYhfhHhs8p+bN6vPj/+Fe
vKx0LbOklt5N4CweawlbFOWfeN5xZb94VA9SLtVYgb2cmx/FDcg3VJ1t5beTB3Oh
cmo9LDF6DZ1o8n2IbZww/4viS2j/YuPbBBL7OdTF1eAe7aAE68s2/QDgz2n70xJs
1CwsGdQ3g15+mWFFI9okyBqkdUXxiEGsdrXTuD+kZfasYL+v+m5jTZAbtQMlSsAJ
+2uFbSbml+JWkzo/BAgIBZFoIhVjL4xEGGboimxQ6bs900+0Rx4Zd9crRXHaure6
9CWBaLW/cqt3ZcWtZZTBKfq7m+0w/+006W2TiQWWi2w9A/10MRWYtD6557Vkmw2d
MyTMqsRr2Mx9EC+4JSsLZLYCllz5AcNDPLwBat/Wz8VUdTSBkFTj+F3Ct4F4OPcW
JOmmARpv5zNBFho8ljvZuH8BRgACJeRMU7QfFI660KJwbTqdRqqi91iQB9vdqYWF
4rmEZiErBrO3jmVebVQ9TSzeow09lqHX+hBDlcfXRbCMD9Gtn6p3V0mGf5sC+vDn
axEEfyDRBxDGIAqL7Avujdi8WlXleSpvCvu8gpGgj69L4G+JArI=
=YrUq
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/af079c63-5073-f4f9-d532-bb2fa0984f36%40SvenSemmler.org.


Re: [qubes-users] installing qubes

2020-06-22 Thread 'Jon will' via qubes-users
GOT IT! Now the only thing I need to do is get HVMs working and I have 
the OS of my dreams! Thanks!


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6ecc3700-a714-d8c0-a54e-887d60741f99%40jonsweb.io.


Re: [qubes-users] Debian10 - Reading From Proxy Failed

2020-06-22 Thread dhorf-hfref . 4a288f10
On Mon, Jun 22, 2020 at 04:54:18PM +, 'Matt Drez' via qubes-users wrote:
>   Reading from proxy failed - read (104: Connection reset by peer) [IP: 
> 127.0.0.1 8082]

try ...
qrexec-client-vm '$default' qubes.UpdatesProxy
... and/or ...
(echo -e 'GET http://google.com/ HTTP/1.1\n\n' ; sleep 5) | 
qrexec-client-vm '$default' qubes.UpdatesProxy



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200622175152.GB137863%40priv-mua.


Re: [qubes-users] installing qubes

2020-06-22 Thread Jarrah


> Sorry for the late response, It took forever for the iso to download.
> IT'S WORKING! There is just one last problem. I can't get wireless
> working. Any ideas?
Congratulations on getting it working. Just remember that is a
pre-release version of Qubes. It's not fully supported and may have bugs.

Looks like your card isn't well supported in Linux, but there is a DKMS
driver [0].

If you trust this and want to install it, I would recommend creating a
new template and installing the driver [2] in that template. You may
need to set sys-net and the new template to use a VM provided kernel [1]
for this to work, I haven't tried it.


[0] https://github.com/tomaspinho/rtl8821ce

[1] https://www.qubes-os.org/doc/managing-vm-kernel/ (under "Using
kernel installed in the VM")

[2]
https://ask.fedoraproject.org/t/install-drivers-for-rtl8821ce-network-chipset-on-fedora-30/3672

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c5b7151b-010a-9898-5652-8c69055734b0%40undef.tools.


Re: [qubes-users] qubes installation problem on MS-16R3

2020-06-22 Thread Jarrah
> I'm having this installation issue when trying to Install Qubes on a MSI 
> Laptop
Can we get a little more info on the laptop? CPU, GPU, etc.
> [image: qubes_error.png]
> How should I find out how to continue the installation (if there is any 
> chance) ?

Could you provide output of `dmesg` in a terminal while installing?
(ctl-alt-f2 for TTY2) Also have a look at the logs in `/tmp/` and
`/var/log/`, specifically the Xorg logs.

If you need to get a file off, the installer will detect and allow you
to mount another USB drive to copy them to.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1440cb55-a5ca-c8a7-39c2-eb16520e9252%40undef.tools.


Re: [qubes-users] Weird Windows Install Error

2020-06-22 Thread 'Matt Drez' via qubes-users
> It's not an uncommon error.
> Try the obvious - go in to the qube settings, and change VCPU to

Thanks. That helped to install it but I'd like to run it with more than one 
core. Do you have a solution for that? It's still a BSOD after install if I try 
to give more than one core.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/MgPdZMXIw1SZfV5Mh2-KfRr1IPWcE6KVQ3v-u5DFLERBmdB8RM0Uz7DdlpHCRmna4tqFoN6eHDDO1NK1OzsWY887usQg80KR1qWwb5Ny2wM%3D%40pm.me.


publickey - mattdrez@pm.me - 0x8196D0F4.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature


[qubes-users] Debian10 - Reading From Proxy Failed

2020-06-22 Thread 'Matt Drez' via qubes-users
Hey guys,

I'm working on my 2nd Qubes machine and this one is giving me a hell of a ride.

My debian based templates no longer updating. It did work after the fresh 
install but during setting things up at some point it stopped. I'm not sure at 
what step so I couldn't backtrack. Fedora 31 still works but not debian. I 
tried reinstalling it (`sudo qubes-dom0-update --action=reinstall 
qubes-template-package-name)`but that made no difference. I tried adding all 
the Services under settings that had 'proxy' in their name but that didn't work 
either. Any ideas how to fix it? Please, see outputs below

user@debian-10:~$ sudo apt update
Err:1 https://deb.qubes-os.org/r4.0/vm buster InRelease
  Reading from proxy failed - read (104: Connection reset by peer) [IP: 
127.0.0.1 8082]
Err:2 https://deb.debian.org/debian buster InRelease
  Reading from proxy failed - read (104: Connection reset by peer) [IP: 
127.0.0.1 8082]
Err:3 https://deb.debian.org/debian-security buster/updates InRelease
  Reading from proxy failed - read (104: Connection reset by peer) [IP: 
127.0.0.1 8082]
Reading package lists... Done   
Building dependency tree  
Reading state information... Done
All packages are up to date.
W: Failed to fetch https://deb.debian.org/debian/dists/buster/InRelease  
Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 
8082]
W: Failed to fetch 
https://deb.debian.org/debian-security/dists/buster/updates/InRelease  Reading 
from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 8082]
W: Failed to fetch https://deb.qubes-os.org/r4.0/vm/dists/buster/InRelease  
Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 
8082]
W: Some index files failed to download. They have been ignored, or old ones 
used instead.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/oc62lm7GAsIDTbNVTPhIByH3Zz4PWZZCrzxHBnwX7z6Z1cc315hjfupXdDt3OEvHFrFQL9aX_VsRZfjaVTIIY7bDRW5LXKVA6eoQ0dVlYLw%3D%40pm.me.


publickey - mattdrez@pm.me - 0x8196D0F4.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature