I’m trying to assign the qvm-run command output to a variable that dom0 will use in a script.
Short of writing the output to a file in the qube, and then copying the file to dom0, is there any other more direct ways?
One way is to use the --pass-io option, as described in the intro of the qvm-run documentation:
https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-run.html
Note that by doing that you’ll be essentially copying data from a less trusted qube to dom0, which is generally discouraged. Please make sure that fits within your threat model.
Example (from the docs):
qvm-run --pass-io personal -- ls -a
-
--pass-iois aqvm-runoption -
personal is the name of the less trusted qube -
--indicates that no moreqvm-runoptions will be provided, so options after that are part of the command to run -
lsis an example command that prints a list of files within a directory -
-ais anlsoption that allows to include hidden files in the list (by default they’re not shown)
The result would print in dom0 a list of all files within the home directory of the personal qube. Again, that’s assuming that the ls command in the personal qube does what it says it does, see security warnings associated with copying less trusted data to dom0.
Edit: There is a real world example of that in the SecureDrop Developer docs:
https://developers.securedrop.org/en/latest/workstation_setup.html#download-configure-copy-to-dom0
1 Like