I’m trying to assign the qvm-run command output to a variable that dom0 will use in a script.
Short of writing the output to a file in the qube, and then copying the file to dom0, are there any other, more direct ways?
One way is to use the --pass-io option, as described in the intro of the qvm-run documentation:
https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-run.html
Note that by doing that you’ll be essentially copying data from a less trusted qube to dom0, which is generally discouraged. Please make sure that fits within your threat model.
Example (from the docs):
qvm-run --pass-io personal -- ls -a
--pass-io is a qvm-run option
personal is the name of the less trusted qube
-- indicates that no more qvm-run options will be provided, so options after that are part of the command to run
ls is an example command that prints a list of files within a directory
-a is an ls option that allows including hidden files in the list (by default they’re not shown)

The result would print in dom0 a list of all files within the home directory of the personal qube. Again, that’s assuming that the ls command in the personal qube does what it says it does; see the security warnings associated with copying less trusted data to dom0.
Edit: There is a real world example of that in the SecureDrop Developer docs:
https://developers.securedrop.org/en/latest/workstation_setup.html#download-configure-copy-to-dom0
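Following on from the answer above, an added example (not part of the original post or the Qubes documentation) of capturing the `--pass-io` output into a dom0 variable while treating it as untrusted: the size is capped, bytes outside a small allowlist are dropped, and each value is checked before use. The function names and the `QVM_RUN` override variable are hypothetical, introduced only for this sketch.

```shell
#!/bin/sh
# Added example; sanitize_untrusted, capture_from_qube, is_plain_name and
# QVM_RUN are hypothetical names, not part of qvm-run.

# Keep at most $1 bytes of stdin, then drop every byte that is not a letter,
# digit, dot, underscore, dash or newline (removes escape sequences,
# shell metacharacters and other control bytes).
sanitize_untrusted() {
    head -c "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._\n-'
}

# capture_from_qube QUBE MAXBYTES CMD [ARGS...]
# stdin comes from /dev/null so nothing from dom0 is passed into the qube,
# and the qube's stderr is discarded instead of reaching the dom0 terminal.
capture_from_qube() {
    qube=$1; max=$2; shift 2
    "${QVM_RUN:-qvm-run}" --pass-io "$qube" -- "$@" </dev/null 2>/dev/null |
        sanitize_untrusted "$max"
}

# is_plain_name VALUE: succeeds only for a non-empty, single-line value made
# of allowlisted characters that cannot be mistaken for a command option.
is_plain_name() {
    case $1 in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Runs only where qvm-run exists (dom0); the qube name is the one used above.
if command -v qvm-run >/dev/null 2>&1; then
    files=$(capture_from_qube personal 4096 ls -a)
    printf '%s\n' "$files" | while IFS= read -r name; do
        if is_plain_name "$name"; then
            printf 'accepted: %s\n' "$name"
        fi
    done
fi
```

Always expand the captured variable in double quotes (`"$files"`), and never pass it to `eval` or use it unquoted as a command argument.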