Options to set `dispvm_netvm` to 'none' for all VMs and as default #1988

Open
andrewdavidwong opened this Issue May 12, 2016 · 4 comments

andrewdavidwong commented May 12, 2016

Currently, the default for dispvm_netvm is same as VM own NetVM. Rarely do I want this. Almost always, I want to set this to none. However, there is no way to change this setting for all VMs simultaneously, and there is no way to change the default to none, so my only option is to change the setting for each VM manually, which, having many VMs, is very tedious.

Ref: #1272 (comment)

Edit: Corrected current default.

andrewdavidwong commented May 12, 2016

Would the current default count as an example of an "insecure default"?

Imagine a new Qubes user opens a malicious file in a DispVM which communicates against the user's wishes with an external server.

User: "Why did Qubes allow that to happen? I opened the file in a DispVM."
Us: "Well, by default, the DispVM inherits its NetVM from the VM from which it was generated. If you want to change that behavior, you have to change the setting. For example, you can change it to none."
User: "So, I have to change it manually if I want the most secure setting? Why wouldn't you just make it secure by default?"

adrelanos commented May 12, 2016

I agree that this is an insecure default, at the very least as far as Qubes-Whonix is concerned. The Qubes-Whonix documentation on using DispVMs is also getting quite cryptic because of this.

The NetVM of a DispVM is inherited from the calling VM's netvm setting or - if set - from the dispvm_netvm setting. So when you run Open in DispVM from a VM behind sys-whonix, that DispVM will also have sys-whonix as NetVM. But when you run Open in DispVM from a VM behind sys-net, it will not be through Tor. If you want that, you can set the dispvm_netvm setting of all the VMs to sys-whonix to achieve what you want. [5] Here is an example of how to set the dispvm_netvm setting of the VM work-mail to sys-whonix.

```
qvm-prefs -s work-mail dispvm_netvm sys-whonix
```

(Related: Whonix default VM settings fixes - salt management (#1954))

Related: In edits in DispVM are saved, counter to user expectations (#1118) I commented on the various conflicting use cases and expectations: #1118 (comment)

Possible duplicate: DispVM should be non-networked by default, or have a clear option to users to do so (#1121)

andrewdavidwong commented May 13, 2016

I thought #1121 was about setting the NetVM of the DVM template (e.g., fedora-23-dvm) to none, whereas this is about setting the dispvm_netvm property of each VM to none, but on second look, they may indeed be duplicates. @marmarek?

@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Dec 24, 2016

andrewdavidwong commented Jan 28, 2017

In the meantime, here's a simple script that sets every VM's dispvm_netvm property to none and reads back the value of that property for confirmation:

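```bash
#!/bin/bash
# Set dispvm_netvm to none on every VM, then read the value back to confirm.
for vm in $(qvm-ls --raw-list); do
    echo -n "$vm : "
    # Quote the VM name so it is always passed as a single argument.
    qvm-prefs -s "$vm" dispvm_netvm none
    qvm-prefs -l "$vm" | grep dispvm_netvm:
done
exit
```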
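
The inheritance rule described in this thread, as an added example that is not part of the original comments or of Qubes itself: it audits an inventory of VMs and reports which ones would still start a networked DispVM. The inventory format (`name netvm dispvm_netvm`, with `-` meaning "never set"), the function names and the sample rows are assumptions made for illustration; on a real system the columns would be filled in from each VM's preferences.

```shell
#!/bin/bash
# Inheritance rule from the thread: a DispVM uses the calling VM's
# dispvm_netvm if it is set, otherwise the calling VM's own netvm.

# Constructed sample inventory (assumed format): name netvm dispvm_netvm
# "-" in the third column means dispvm_netvm was never set.
sample_inventory() {
cat <<'EOF'
work-mail sys-firewall -
vault none -
anon-browse sys-whonix -
personal sys-firewall none
banking sys-firewall sys-whonix
EOF
}

# effective_dispvm_netvm NETVM DISPVM_NETVM -> NetVM the DispVM would get
effective_dispvm_netvm() {
    if [ "$2" = "-" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# classify NETVM -> offline | tor | clearnet
# Assumption: sys-whonix is the only Tor gateway on this system.
classify() {
    case "$1" in
        none) echo offline ;;
        sys-whonix) echo tor ;;
        *) echo clearnet ;;
    esac
}

# audit: reads inventory lines on stdin, prints "name effective class".
audit() {
    while read -r name netvm dispvm_netvm; do
        [ -n "$name" ] || continue
        eff=$(effective_dispvm_netvm "$netvm" "$dispvm_netvm")
        printf '%s %s %s\n' "$name" "$eff" "$(classify "$eff")"
    done
}

# needs_fix: names of VMs whose DispVMs would have any network path.
needs_fix() { audit | awk '$3 != "offline" { print $1 }'; }

sample_inventory | audit
```
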