Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qubes.RequestRpmInstallinDom0 #2239

Closed
rootkovska opened this issue Aug 7, 2016 · 3 comments
Closed

qubes.RequestRpmInstallinDom0 #2239

rootkovska opened this issue Aug 7, 2016 · 3 comments
Labels
C: core C: mgmt P: major Priority: major. Between "default" and "critical" in severity. R: declined Resolution: While a legitimate bug or proposal, it has been decided that no action will be taken. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@rootkovska
Copy link
Member

Usecase: an AppVm downloading a new Qubes Cfg Package (e.g. for setting up YubiKey for Qubes login, or a wallpaper, or whatever) via a nice Internet-connected Appstore-like UI, later offering this RPM for installation and deployment in Dom0.

Of course Dom0 would first verify the digital signature on the RPM offered, same way as it currently does for the Dom0 updates, and install only if signature correct, plus user confirms operation.

Consider also to move the whole Dom0 updating to use this method, i.e. the whole logic triggered by a predefined AppVM rather by Dom0. Of course there is a risk of DoS (i.e. not delivering updates to Dom0 if the AppVM got compromised), but this is the case today anyway.
@rootkovska rootkovska added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. C: core P: major Priority: major. Between "default" and "critical" in severity. C: mgmt labels Aug 7, 2016
@rootkovska rootkovska added this to the Release 4.0 milestone Aug 7, 2016
@marmarek
Copy link
Member

marmarek commented Aug 7, 2016

I think this is really bad idea. This would allow AppVM to trick the user to install potentially harmful package. Lets use os-prober as an example, but there are probably a lot more such harmful packages in the Fedora repositories.

I think the better approach would be to implement #1939 , which may include similar service (qubes.RequestSaltFormulaInstall). The formula would be of course signed (after being reviewed by us). And such formula may request some package being installed of course.

@rootkovska
Copy link
Member Author

Only pre-defined AppVM would be allowed to issue the service (enforced via qrexec policy).

@marmarek
Copy link
Member

marmarek commented Aug 7, 2016

Still, I think this is a step in wrong direction. This will ease (and maybe even encourage) users/admins to easily break system security. By implementing this service we'll be relying on some network-connected AppVM to not misbehave in order to preserve dom0 isolation. The fact it is only a single AppVM isn't really comforting.

@marmarek marmarek closed this as completed Sep 8, 2021
@andrewdavidwong andrewdavidwong added the R: declined Resolution: While a legitimate bug or proposal, it has been decided that no action will be taken. label Sep 8, 2021
@andrewdavidwong andrewdavidwong removed this from the Release 4.1 milestone Aug 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: core C: mgmt P: major Priority: major. Between "default" and "critical" in severity. R: declined Resolution: While a legitimate bug or proposal, it has been decided that no action will be taken. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@marmarek @rootkovska @andrewdavidwong