[Whonix-devel] Disposable VMs on Qubes 4.0

• Previous message: [Whonix-devel] Disposable VMs on Qubes 4.0
• Next message: [Whonix-devel] [qubes-devel] Disposable VMs on Qubes 4.0
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

(Was written by Marek. Forwarding this to qubes-devel in hope someone
will have better answers than I might have. :)

Hi,

Disposable VMs in Qubes 4.0 are much more flexible. The major difference
is possibility to use different Disposable VMs "templates" (which in
fact can be any AppVM) for different purposes (different services,
different calling VM etc). All settings of Disposable VM are inherited
from its "template", including private image (IOW, it isn't required to
create /home/user/.qubes-dispvm-customized file for that anymore).
This "all settings" include also netvm - it is no longer inherited from
calling VM, but from Disposable VM "template". But since it's possible
to create multiple such templates, it is possible to achieve the same
behavior.

What is used where is configured using qrexec policy.
I'm preparing the policy for Whonix-related VMs for Qubes 4.0. Here are
possible options I see:

1. Allow starting default Disposable VMs from both Whonix Gateway
(sys-whonix) and Whonix Workstation (anon-whonix or other). This is the
default (if you don't modify policy for Whonix), but it's a very bad
idea, since such Disposable VM most likely will have access to clearnet
directly.

2. Prevent starting Disposable VMs from any of Whonix VMs. This is safe
option, but also it limit functionality.

3. Allow creating Disposable VMs based on anon-whonix, then allow only
such DispVMs be started from Whonix VMs.

3a. Similar, but create separate anon-whonix-dvm for that. Major
difference is that DispVMs based on anon-whonix-dvm will not have access
to private image of anon-whonix here.

Should the above be only about Whonix Workstation VM(s)? Whonix Gateway
have access to the clearnet anyway (at least in theory), so it's much
less important there.

What about templates?

I think preferred is point 3a, but it require that Whonix-based
Disposable VMs works. OTOH, it should be much easier there, because in
Qubes 4.0 there are no more savefiles - DisposableVM is started the
same way as AppVM.


-------- Forwarded Message --------
Subject: [Whonix-devel] Disposable VMs on Qubes 4.0
Date: Sun, 10 Sep 2017 15:28:15 +0200
From: Marek Marczykowski-Górecki <marmarek at invisiblethingslab.com>
Reply-To: whonix-devel at whonix.org
To: whonix-devel at whonix.org

• Previous message: [Whonix-devel] Disposable VMs on Qubes 4.0
• Next message: [Whonix-devel] [qubes-devel] Disposable VMs on Qubes 4.0
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]