Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upDo not allow to rename VMs directly #2868
Comments
marmarek
added
C: core
enhancement
P: major
labels
Jun 26, 2017
marmarek
added this to the Release 4.0 milestone
Jun 26, 2017
marmarek
self-assigned this
Jun 26, 2017
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
jpouellet
Jun 26, 2017
Contributor
Are the initial and final system states as a result of "rename" vs. "clone & remove" different? How?
Are mgmt/admin VMs somehow restricted from performing the latter?
I believe I understand the underlying security motivation, but I do not see what is gained by only disallowing vm name change while clone & rm is still possible.
|
Are the initial and final system states as a result of "rename" vs. "clone & remove" different? How? Are mgmt/admin VMs somehow restricted from performing the latter? I believe I understand the underlying security motivation, but I do not see what is gained by only disallowing vm name change while clone & rm is still possible. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Jun 26, 2017
Member
Yes, Mgmt VM needs permission to manage both "old" and "new" VMs. If it's limited only to set few properties, it can't perform full clone. For example if you don't allow it to add new tags to a VM, the new VM will not have those tags set (it's up to Mgmt VM what to do - either ignore the error, or abort operation).
As of security aspect - this is mostly because we use VM names to reference VMs - for example in qrexec policy, in created-by-* tag etc. If you consider VM rename, those things can easily end out of sync - so in many cases you'd block VM rename anyway.
Also, renaming VM have a lot of corner cases (technically-wise) - for example tracking VM rename over Admin API is tricky. New VM have new UUID, so it's easy to detect remove & create.
Even in personal system (with user having full control) this is sometimes tricky - like application menu being out of sync, or Qubes Manger not noticing renamed VM.
|
Yes, Mgmt VM needs permission to manage both "old" and "new" VMs. If it's limited only to set few properties, it can't perform full clone. For example if you don't allow it to add new tags to a VM, the new VM will not have those tags set (it's up to Mgmt VM what to do - either ignore the error, or abort operation). Also, renaming VM have a lot of corner cases (technically-wise) - for example tracking VM rename over Admin API is tricky. New VM have new UUID, so it's easy to detect remove & create. |
marmarek
closed this
in
marmarek/qubes-core-admin@3074a40
Jun 27, 2017
added a commit
to marmarek/qubes-core-admin
that referenced
this issue
Jul 4, 2017
added a commit
to marmarek/qubes-core-admin
that referenced
this issue
Jul 4, 2017
added a commit
to marmarek/qubes-core-admin
that referenced
this issue
Jul 4, 2017
added a commit
to marmarek/qubes-core-admin
that referenced
this issue
Jul 4, 2017
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
qubesos-bot
Jul 4, 2017
Automated announcement from builder-github
The package qubes-core-dom0-4.0.1-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
qubesos-bot
commented
Jul 4, 2017
|
Automated announcement from builder-github The package |
marmarek commentedJun 26, 2017
In Qubes 4.0 we want to forbid changing VM
nameproperty. This is mostly because VM name is used in Qubes RPC policy as identifier, so renaming VM can have severe security consequences. This is especially important when such operation could be performed by semi-trusted Management VM (through Admin API).In practice changing VM name will still be possible, in two steps: