New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Qubes Domains: "Open File Manager" button similar to "Run Terminal" #5170
Comments
Yes, that's definitely a good idea. Does anyone know if there is something like "default file manager" in Linux, or we need to invent it? |
Agreed it's a nice idea. |
Not sure if that use case is common enough to merit adding another button to the list. |
I think this is right, although not infallible. |
Technically adding running DisposableVMs to the menu is not a problem. But doing so will easily lead to another usability issue: DisposableVM by design is destroyed as soon as the application running there is closed. If you start another application there and then close the initial one, DisposableVM will be destroyed, potentially destroying the data you had open in another application. Changing DisposableVM mechanism to destroy it only when last application there is closed also isn't such a good idea, because it could lead to the opposite problem: closing an application and expecting the VM to be destroyed, but in fact it will stay there, because some other application (on another desktop? minimized?) is still running. As for the proposed menu layout, it looks nice on paper, but multi level menus are hard to navigate. Anyway I like the idea of putting "New" word somewhere in the menu entry for creating new DisposableVM. So, instead of "Disposable: whonix-ws-15-dvm" it could be "New Disposable: whonix-ws-15-dvm". It would be also logical to keep that DisposableVM Template (whonix-ws-15-dvm) somewhere visible, next to dispXXXX names. But that's getting offtopic now. |
This style of DisposableVM are already implemented (persist until shutdown, automatic app menu entry) but must be created using CLI (no GUI): https://groups.google.com/d/msg/qubes-users/LB9f9OSWCzM/Grsk5VDjCQAJ IMHO they are really the natural VM type for VMs as sys-net, sys-usb, untrusted, email VMs, viewing-only VMs, etc... that are untrusted and whose state is mostly static (except for careful changes applied to the DVM template), so that any unauthorized state change disappears next restart. |
ON TOPIC: DisposableVMs were primarily designed for the former (e.g. open in disposable VM...) and the transient nature of the VMs came out of that use case, primarily for resource recovery (RAM, CPU). They are only somewhat useful for the latter user case, in that there is no guarantee that the sensitive data does not stick around as plaintext within the context of the live environment after the disposable VMs shut down or even after Qubes is rebooted and running again (see TAILS-related discourse below). I think it may be worth separating out the two use cases into two different feature sets and engineering a different solution for the latter use case. DisposableVMs and AmnesiacVMs (or whatever the names should really be, I've been using Ephemeral, but that's probably not right either). Tangentially related, but probably off-topic of the original ask:
"more like Tails" can be misleading and I believe quite a few Qubes users assume that DisposableVMs provide more assurances than they actually do. DisposableVMs write to disk and, at least currently. When they are removed, the data they wrote to disk is persisted, at least for a while, in the available space in the LVM thin pool. This due to the "zero-on-allocate" model of thin-pool space allocation. Granted, if you are running LUKS, the plaintext of what was in the DisposableVM is only available once you unlock and boot your Qubes system but that's still not "gone forever".
The approach I am taking is to: Yes, not very user friendly. In addition, due to the issue of data remaining in the unallocated space on exit, I have two other mitigations (one hardware specific, one not):
And yet, even this isn't to the standard of Tails...but it's more comfortably close. E.g. is it possible for storage layer data from a VM that writes to a separately encrypted layer in dom0 to leak plaintext elsehwere in dom0 (swap, temporary files, logs)? I think @marmarek has expressed a preference for storage encryption running within the VM, which might mitigate this, but then exposes control of what is written plaintext in dom0 to an in-VM attacker. Maybe ephemeral encryption is needed on both the dom0 and VM side? It's turtles all the way down... :) Brendan |
To be used by GUI tools to provide a convenient 'open file manager' shortcut. references QubesOS/qubes-issues#5170
The problem you're addressing (if any)
It could be easier to open the file manager in a qube.
Describe the solution you'd like
In the Qubes Domains widget, we have a "Run Terminal" button for each running qube. I suggest also having an "Open File Manager" button.
Where is the value to a user, and who might that user be?
This would make it easier to open the file manager in a qube, especially in a DisposableVM that doesn't have an Applications menu entry.
Describe alternatives you've considered
I usually just do
qvm-run
in a dom0 terminal.Additional context
(None)
Relevant documentation you've consulted
N/A
Related, non-duplicate issues
#2132, #4398
The text was updated successfully, but these errors were encountered: