/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Containers tags/attributes #865

Closed
marmarek opened this Issue Mar 8, 2015 · 3 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0
3 participants
@marmarek @Rudd-O @andrewdavidwong
@marmarek
Member

marmarek commented Mar 8, 2015

Reported by joanna on 2 Jun 2014 12:45 UTC
See:

https://groups.google.com/forum/#!topic/qubes-devel/qzM5QRE8Ua8

I don't like the idea with using the VM type as a policy parameter,
because it is not meant to reflect the "security/trust level" of the
VM in question. We have a special property in Qubes that is specifically
allocated for this purpose and this is the VM color label.

So, I like the idea of using the vm names and labels (as Marek wrote
above) in the policy definitions, but not vm types.

The regexp-based rules (but only expanding to vm names, not labels!)
might be a good idea, although I'm worrying a bit that they might easily
lead to situations when the user shoots themselves in the foot, simply
because the regexp is to be expanded differently than the user expect, a
popular problem with advanced regexp usage (Happens to me all the time
when I use grep or sed ;) So this really would need to be "simple" regexp...

I'm thinking whether vm name and label will be "enough for everybody" or
should we consider introduction of also additional properties to VMs?
Perhaps user definable properties? E.g.:

qvm-prefs work -s corporate
qvm-prefs accounting -s corporate

And then in the policy (e.g. qubes.ClipboardPaste):

$property:corporate $property:corporate allow
$property:corporate $anyvm deny

joanna.

Migrated-From: https://wiki.qubes-os.org/ticket/865

@marmarek marmarek added this to the Release 3 milestone Mar 8, 2015

@marmarek marmarek added enhancement C: core P: major labels Mar 8, 2015

@marmarek marmarek referenced this issue Mar 8, 2015

Open

Centralized Qubes Policy #867

@marmarek marmarek modified the milestones: Release 4.0, Release 3.0 May 13, 2015

@marmarek marmarek referenced this issue Jan 15, 2016

Closed

Template policy, services->features, core plugins #1637

This was referenced Feb 23, 2016

Closed
Open

@andrewdavidwong andrewdavidwong added the help wanted label Jun 9, 2016

andrewdavidwong added a commit that referenced this issue Jun 9, 2016

@andrewdavidwong
Update #865 status
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: DB4DD3BC39503030 Learn about signing commits
fb91fdb

@andrewdavidwong andrewdavidwong referenced this issue Jul 30, 2016

Open

VM description #899

@woju woju referenced this issue Oct 21, 2016

Open

Useful metadata about VMs #2388

@Rudd-O

This comment has been minimized.

Show comment
Hide comment
@Rudd-O

Rudd-O Oct 28, 2016

It's certainly time to evolve past colors and into labels. Of course, each label can have a color / stipple pattern associated with it (by default we just pick one that hasn't been used before), but the color itself is a bad mnemonic for what the security properties of the VM ought to be.

Rudd-O commented Oct 28, 2016

It's certainly time to evolve past colors and into labels. Of course, each label can have a color / stipple pattern associated with it (by default we just pick one that hasn't been used before), but the color itself is a bad mnemonic for what the security properties of the VM ought to be.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Oct 28, 2016

Member

Actually, in the current shape of Qubes 4.0 it is already possible to assign tags to VMs. The missing part is have them used somewhere (for example qrexec policy as described above).
Member

marmarek commented Oct 28, 2016

Actually, in the current shape of Qubes 4.0 it is already possible to assign tags to VMs. The missing part is have them used somewhere (for example qrexec policy as described above).

@marmarek marmarek referenced this issue Nov 15, 2016

Closed

vm-existence confirmation attacks #2436

woju added a commit to woju/qubes-core-admin that referenced this issue Dec 1, 2016

@woju
qubes/tools: add qvm-tags 
QubesOS/qubes-issues#865
648c190

woju added a commit to woju/qubes-core-admin that referenced this issue Dec 2, 2016

@woju
qubes/tools: add qvm-tags 
QubesOS/qubes-issues#865
7526fe4

woju added a commit to woju/qubes-core-admin that referenced this issue Dec 2, 2016

@woju
qubes/tools: add qvm-tags 
QubesOS/qubes-issues#865
25912f5

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 20, 2017

@marmarek
qubespolicy: initial version for core3 
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.

It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.

QubesOS/qubes-issues#865
QubesOS/qubes-issues#910
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
952dea9

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 21, 2017

@marmarek
qubespolicy: initial version for core3 
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.

It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.

QubesOS/qubes-issues#865
QubesOS/qubes-issues#910
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
40f46b2

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 21, 2017

@marmarek
qubespolicy: initial version for core3 
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.

It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.

QubesOS/qubes-issues#865
QubesOS/qubes-issues#910
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
2124ecd

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 31, 2017

@marmarek
qubespolicy: initial version for core3 
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.

It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.

QubesOS/qubes-issues#865
QubesOS/qubes-issues#910
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
af81e16

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Apr 6, 2017

@marmarek
qubespolicy: initial version for core3 
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.

It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.

QubesOS/qubes-issues#865
QubesOS/qubes-issues#910
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
e705a04

@andrewdavidwong andrewdavidwong referenced this issue Jun 25, 2017

Open

Runtime exclusion criteria for VM tags/groups #2866

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 13, 2017

Member

Done
Member

marmarek commented Jul 13, 2017

Done

@marmarek marmarek closed this Jul 13, 2017

@marmarek marmarek added release-notes and removed help wanted labels Jul 13, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment