Allow "hooks" into various qubes functions such as start vm, shutdown vm, create VM, delete VM, clone VM, etc #4126

Closed
t4777sd opened this Issue Jul 22, 2018 · 1 comment

t4777sd commented Jul 22, 2018

Many features and management require running scripts before / after qubes tasks. Here are examples:

  1. #4121 If there was a hook that always ran before a VM started and that could modify the rest of the startup (such as preventing startup), then this hook could be utilized to solve this issue

  2. #2748 refer to my comments about how the VM disk should be monitored for changes in a management VM and not within the VM itself on startup. This is only possible if there was a reliable way to hook into the VM startup command such that its disks can be mounted to another VM, analyzed, unmounted, and startup continued if checks pass

  3. #4122 In this case, the hook could be used to automatically add a VM on creation to the sudo file so that by default it is a password-less sudo

These are just based on issues I have seen in the last couple days. There are likely many more things that could be done by allowing hooks into these commands.

Qubes OS version:

4.0

marmarek (Member) commented Jul 22, 2018

This is already possible, see https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html
Most interesting events are described here: https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-vm/qubesvm.html#qubes.vm.qubesvm.QubesVM
We use it for example for additional settings for Whonix: https://github.com/QubesOS/qubes-core-admin-addon-whonix/blob/master/qubeswhonix/__init__.py

> #4122 In this case, the hook could be used to automatically add a VM on creation to the sudo file so that by default it is a password-less sudo

As for policy, it's much better to use tags in the policy (also something new in 4.0), then add/del a tag on the VM, than to modify (automatically or not) the policy file. For example you can use a policy like this:

$tag:root-always-allow dom0 allow
$tag:root-always-deny dom0 deny
$anyvm dom0 ask,default_target=dom0

Then, add or remove appropriate tags.

So, closing this, as already implemented.
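
The tag-based policy quoted in the comment above, run through a simplified first-match evaluator. This is an added example, not code from Qubes OS or from either commenter; the evaluator is a reduced model that only understands `$anyvm`, `$tag:<name>` and literal names, and the VM names used with it are constructed.

```python
# Simplified model of first-match qrexec policy evaluation (Qubes 4.0 syntax).
# Assumption: this is NOT Qubes' own parser; only $anyvm, $tag:<name> and
# literal VM names are handled, and $anyvm is treated as matching anything.

POLICY = """\
$tag:root-always-allow dom0 allow
$tag:root-always-deny dom0 deny
$anyvm dom0 ask,default_target=dom0
"""

def parse_policy(text):
    """Return (source, target, action, params) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("malformed policy line: %r" % raw)
        source, target, spec = fields
        action, _, rest = spec.partition(",")
        if action not in ("allow", "deny", "ask"):
            raise ValueError("unknown action in line: %r" % raw)
        params = dict(p.split("=", 1) for p in rest.split(",") if p)
        rules.append((source, target, action, params))
    return rules

def token_matches(token, name, tags):
    """Match one policy token against a VM name and its set of tags."""
    if token == "$anyvm":
        return True
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in tags
    return token == name

def evaluate(rules, source, source_tags, target, target_tags=()):
    """First matching rule wins; no match at all means deny."""
    for rule_src, rule_dst, action, params in rules:
        if (token_matches(rule_src, source, source_tags)
                and token_matches(rule_dst, target, target_tags)):
            return action, params
    return "deny", {}
```

Because the first matching line decides, a VM that carries both tags is allowed under this rule order, so the order of the tag lines is part of the policy.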
