Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On Monday, October 17, 2016 at 11:43:26 AM UTC-4, Robert Mittendorf wrote:
> > The data copied to that VM (i.e. the pdf file or whatever you opened)
> > must be considered leaked if the VM gets compromised via e.g. drive-by
> > exploits.
> > Agreed, it's limited to that data, but nevertheless an unexpected
> > potential impact. And depending on your data it can be critical.
> Well, that is why it is a distinct DispVM. If I open a legit PDF from my
> mail client in a DispVM (say dispvm1) and I open a non-legit URL in a
> DispVM, this will not be the same dispVM and thereby not leak the PDF's
> data. If the PDF itself is malicious, I most likely will not care about
> the leak. Only exception: A legit PDF gets infected and is then mailed
> to me. Usually that would allow the attacker to leak the PDF from the
> system it was sent from in the first place.
> > From a usability point of view you'll also get annoyed if you cannot
> > print in dispVMs just because your firewall rules allowing
> > connectivity to your printer aren't inherited, but those allowing
> > connectivity to the internet suddenly are in place.
> agreed, basically.
> >
> > Btw inheriting netVMs makes a lot of sense if you imagine one Tor
> > proxy VM and one directly connected one. So a dispVM from a Tor
> > connected VM would spawn a direct internet connection in your case...
> > Currently it fortunately does not.
> agreed.
>
> Well, I was actually surprised that there is more than 1 DispVM. Do the
> child-DispVMs use the fedora-23-dvm template as well?

oh yes that's a good point. that's another reason I liked to create dispvm menu entries in the applications list, to also inherit that vm's window border color that they are launched from. To remind me what level trust it is.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/257d4379-fcc6-46d8-b93a-7f4b5f555e66%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
> The data copied to that VM (i.e. the pdf file or whatever you opened) must be considered leaked if the VM gets compromised via e.g. drive-by exploits.
> Agreed, it's limited to that data, but nevertheless an unexpected potential impact. And depending on your data it can be critical.

Well, that is why it is a distinct DispVM. If I open a legit PDF from my mail client in a DispVM (say dispvm1) and I open a non-legit URL in a DispVM, this will not be the same dispVM and thereby not leak the PDF's data. If the PDF itself is malicious, I most likely will not care about the leak. Only exception: A legit PDF gets infected and is then mailed to me. Usually that would allow the attacker to leak the PDF from the system it was sent from in the first place.

> From a usability point of view you'll also get annoyed if you cannot print in dispVMs just because your firewall rules allowing connectivity to your printer aren't inherited, but those allowing connectivity to the internet suddenly are in place.

agreed, basically.

> Btw inheriting netVMs makes a lot of sense if you imagine one Tor proxy VM and one directly connected one. So a dispVM from a Tor connected VM would spawn a direct internet connection in your case... Currently it fortunately does not.

agreed.

Well, I was actually surprised that there is more than 1 DispVM. Do the child-DispVMs use the fedora-23-dvm template as well?
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On 10/17/2016 09:42 AM, Robert Mittendorf wrote:
>> Currently your easiest option is not to click on the links, but to copy-paste them to an open dispVM. Small sacrifice for a major security gain.
> Well, the "easiest" option is to use a net-vm directly. What is the security gain? It's a dispVM after all.

The data copied to that VM (i.e. the pdf file or whatever you opened) must be considered leaked if the VM gets compromised via e.g. drive-by exploits. Agreed, it's limited to that data, but nevertheless an unexpected potential impact. And depending on your data it can be critical.

From a usability point of view you'll also get annoyed if you cannot print in dispVMs just because your firewall rules allowing connectivity to your printer aren't inherited, but those allowing connectivity to the internet suddenly are in place. Moreover your netVM is also inherited and firewall rules can have a different meaning depending on your netvm (just imagine the same private subnets being used for 2 different networks), i.e. it makes sense to inherit firewall rules, if you do it for netVMs.

Btw inheriting netVMs makes a lot of sense if you imagine one Tor proxy VM and one directly connected one. So a dispVM from a Tor connected VM would spawn a direct internet connection in your case... Currently it fortunately does not.
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On Saturday, October 15, 2016 at 7:23:12 AM UTC-4, raah...@gmail.com wrote:
> On Friday, October 14, 2016 at 11:06:48 PM UTC-4, Andrew David Wong wrote:
> >
> > On 2016-10-14 15:18, raahe...@gmail.com wrote:
> > > On Friday, October 14, 2016 at 6:16:16 PM UTC-4, raah...@gmail.com wrote:
> > >> On Thursday, October 13, 2016 at 2:36:30 PM UTC-4, Andrew David Wong
> > >> wrote:
> > > On 2016-10-13 03:45, Robert Mittendorf wrote:
> > > On 10/13/2016 at 04:50 AM, raahe...@gmail.com wrote:
> > >>
> > >> feature. I use to make menu shortcuts to launch programs in dispvms
> > >> inheriting firewall rules. But xfce only lets you edit already
> > >> existing rules, not create new ones :( editing a config file is a
> > >> little too much effort for me lol.
> > >>
> > > You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
> > >
> > > How can this "feature" be disabled? I want to start a normal DispVM,
> > > not a "special" DispVM.
> > >
> > > Use Case: Mail VM is only allowed to access Mail-Server. I want to
> > > start a Browser in DispVM for urls in Mails.
> > > This works fine, but those "special" DispVMs have the same
> > > limitations. I want just a normal DispVM like the one started via
> > > Dom0. The only way to achieve this afaik is to let the special DispVM
> > > connect to NetVM, so no ProxyVM is used. But this means that the
> > > DispVM has access to the intranet.
> > >
> > >
> > > This is precisely the use case I described in issue #1296, which I linked
> > > in my previous message:
> > >
> > > https://github.com/QubesOS/qubes-issues/issues/1296
> > >
> > >>
> > >> couldn't you just use a normal dispvm then? meaning why even launch
> > >> anything from within an appvm? Just run it from dom0, like the default
> > >> firefox dispvm menu item.
> > >
> > > only reason I'd launch a program in a dispvm from within an appvm, is to
> > > inherit its firewall rules.
> > >
> >
> > Starting a new DispVM from dom0 and setting its NetVM is a lot more
> > labor-intensive than simply clicking a link in an email and having the rest
> > work automatically.
> >
> > --
> > Andrew David Wong (Axon)
> > Community Manager, Qubes OS
> > https://www.qubes-os.org
>
> oh yes absolutely, especially for email links for sure that's awesome. But I
> thought the OP was asking how *not to inherit firewall rules in general. So
> I was just suggesting why even bother opening it in specific appvms anyways
> then.

xfce is a little frustrating cause you need a 3rd party tool to easily create menu entries like in kde to launch diff programs with while inheriting firewall rules. but I'm leery to install one to dom0 so I just gave up and type it out. rather do that than edit the cfg file lol.
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On Friday, October 14, 2016 at 11:06:48 PM UTC-4, Andrew David Wong wrote:
>
> On 2016-10-14 15:18, raahe...@gmail.com wrote:
> > On Friday, October 14, 2016 at 6:16:16 PM UTC-4, raah...@gmail.com wrote:
> >> On Thursday, October 13, 2016 at 2:36:30 PM UTC-4, Andrew David Wong wrote:
> > On 2016-10-13 03:45, Robert Mittendorf wrote:
> > On 10/13/2016 at 04:50 AM, raahe...@gmail.com wrote:
> >>
> >> feature. I use to make menu shortcuts to launch programs in dispvms
> >> inheriting firewall rules. But xfce only lets you edit already
> >> existing rules, not create new ones :( editing a config file is a
> >> little too much effort for me lol.
> >>
> > You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
> >
> > How can this "feature" be disabled? I want to start a normal DispVM,
> > not a "special" DispVM.
> >
> > Use Case: Mail VM is only allowed to access Mail-Server. I want to
> > start a Browser in DispVM for urls in Mails.
> > This works fine, but those "special" DispVMs have the same limitations.
> > I want just a normal DispVM like the one started via Dom0. The only way
> > to achieve this afaik is to let the special DispVM connect to NetVM, so
> > no ProxyVM is used. But this means that the DispVM has access to the
> > intranet.
> >
> >
> > This is precisely the use case I described in issue #1296, which I linked
> > in my previous message:
> >
> > https://github.com/QubesOS/qubes-issues/issues/1296
> >
> >>
> >> couldn't you just use a normal dispvm then? meaning why even launch
> >> anything from within an appvm? Just run it from dom0, like the default
> >> firefox dispvm menu item.
> >
> > only reason I'd launch a program in a dispvm from within an appvm, is to
> > inherit its firewall rules.
> >
>
> Starting a new DispVM from dom0 and setting its NetVM is a lot more
> labor-intensive than simply clicking a link in an email and having the rest
> work automatically.
>
> --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

oh yes absolutely, especially for email links for sure that's awesome. But I thought the OP was asking how *not to inherit firewall rules in general. So I was just suggesting why even bother opening it in specific appvms anyways then.
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On Friday, October 14, 2016 at 6:16:16 PM UTC-4, raah...@gmail.com wrote:
> On Thursday, October 13, 2016 at 2:36:30 PM UTC-4, Andrew David Wong wrote:
> >
> > On 2016-10-13 03:45, Robert Mittendorf wrote:
> > > On 10/13/2016 at 04:50 AM, raahe...@gmail.com wrote:
> > >>
> > >> feature. I use to make menu shortcuts to launch programs in dispvms
> > >> inheriting firewall rules. But xfce only lets you edit already existing
> > >> rules, not create new ones :( editing a config file is a little too
> > >> much effort for me lol.
> > >>
> > > You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
> > >
> > > How can this "feature" be disabled? I want to start a normal DispVM, not
> > > a "special" DispVM.
> > >
> > > Use Case: Mail VM is only allowed to access Mail-Server. I want to start
> > > a Browser in DispVM for urls in Mails.
> > > This works fine, but those "special" DispVMs have the same limitations. I
> > > want just a normal DispVM like the one started via Dom0. The only way to
> > > achieve this afaik is to let the special DispVM connect to NetVM, so no
> > > ProxyVM is used. But this means that the DispVM has access to the
> > > intranet.
> > >
> >
> > This is precisely the use case I described in issue #1296, which I linked
> > in my previous message:
> >
> > https://github.com/QubesOS/qubes-issues/issues/1296
> >
> > --
> > Andrew David Wong (Axon)
> > Community Manager, Qubes OS
> > https://www.qubes-os.org
>
> couldn't you just use a normal dispvm then? meaning why even launch anything
> from within an appvm? Just run it from dom0, like the default firefox dispvm
> menu item.

only reason I'd launch a program in a dispvm from within an appvm, is to inherit its firewall rules.
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On Thursday, October 13, 2016 at 2:36:30 PM UTC-4, Andrew David Wong wrote:
>
> On 2016-10-13 03:45, Robert Mittendorf wrote:
> > On 10/13/2016 at 04:50 AM, raahe...@gmail.com wrote:
> >>
> >> feature. I use to make menu shortcuts to launch programs in dispvms
> >> inheriting firewall rules. But xfce only lets you edit already existing
> >> rules, not create new ones :( editing a config file is a little too
> >> much effort for me lol.
> >>
> > You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
> >
> > How can this "feature" be disabled? I want to start a normal DispVM, not a
> > "special" DispVM.
> >
> > Use Case: Mail VM is only allowed to access Mail-Server. I want to start a
> > Browser in DispVM for urls in Mails.
> > This works fine, but those "special" DispVMs have the same limitations. I
> > want just a normal DispVM like the one started via Dom0. The only way to
> > achieve this afaik is to let the special DispVM connect to NetVM, so no
> > ProxyVM is used. But this means that the DispVM has access to the
> > intranet.
> >
>
> This is precisely the use case I described in issue #1296, which I linked in
> my previous message:
>
> https://github.com/QubesOS/qubes-issues/issues/1296
>
> --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

couldn't you just use a normal dispvm then? meaning why even launch anything from within an appvm? Just run it from dom0, like the default firefox dispvm menu item.
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On 2016-10-13 03:45, Robert Mittendorf wrote:
> On 10/13/2016 at 04:50 AM, raahe...@gmail.com wrote:
>>
>> feature. I use to make menu shortcuts to launch programs in dispvms
>> inheriting firewall rules. But xfce only lets you edit already existing
>> rules, not create new ones :( editing a config file is a little too much
>> effort for me lol.
>>
> You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
>
> How can this "feature" be disabled? I want to start a normal DispVM, not a
> "special" DispVM.
>
> Use Case: Mail VM is only allowed to access Mail-Server. I want to start a
> Browser in DispVM for urls in Mails.
> This works fine, but those "special" DispVMs have the same limitations. I
> want just a normal DispVM like the one started via Dom0. The only way to
> achieve this afaik is to let the special DispVM connect to NetVM, so no
> ProxyVM is used. But this means that the DispVM has access to the
> intranet.
>

This is precisely the use case I described in issue #1296, which I linked in my previous message:

https://github.com/QubesOS/qubes-issues/issues/1296

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM
On 10/13/2016 12:45 PM, Robert Mittendorf wrote:
> On 10/13/2016 at 04:50 AM, raahe...@gmail.com wrote:
>> feature. I use to make menu shortcuts to launch programs in dispvms inheriting firewall rules. But xfce only lets you edit already existing rules, not create new ones :( editing a config file is a little too much effort for me lol.
> You can edit the rules in Xfce-Dom0 via the Qubes VM Manager?!
>
> How can this "feature" be disabled? I want to start a normal DispVM, not a "special" DispVM.

Of course it's a feature. You want to open those pesky attachments of your mail VM in a dispVM, don't you? But do you want to grant that VM internet access? At least I wouldn't want that and thus would expect that those firewall rules are inherited.

> Use Case: Mail VM is only allowed to access Mail-Server. I want to start a Browser in DispVM for urls in Mails.
> This works fine, but those "special" DispVMs have the same limitations. I want just a normal DispVM like the one started via Dom0. The only way to achieve this afaik is to let the special DispVM connect to NetVM, so no ProxyVM is used. But this means that the DispVM has access to the intranet.

Currently your easiest option is not to click on the links, but to copy-paste them to an open dispVM. Small sacrifice for a major security gain.