Copying files to dom0

!! Note: copying untrusted content (or trusted content from an untrusted VM) compromises the whole Qubes OS security model !!

Technically, the output of a file in a VM (generated by a qvm-run --pass-io ... command) is redirected into a file in dom0:

qvm-run --pass-io vm-name "cat /path/to/file/in/vm" > "/path/to/file/in/dom0"

or with a pipe into dd, with the conv=sparse option to recreate a sparse file in dom0:

qvm-run --pass-io vm-name "cat /path/to/file/in/vm" | dd conv=sparse of=/path/to/file/in/dom0

Note that in this case the whole file is read by cat so the operation will take some time to complete for large files. Alternatively, one could pipe the output of tar -Scf - large_file into tar in dom0, but this is not recommended since an attacker could use potential vulnerabilities in tar to compromise dom0.

Script to automate copying:

# qvm-copy-to-dom0
# Copy a file from an AppVM to dom0
# qvm-copy-to-dom0 appVM srcPath [ dst ]

AppVM=$1       # mandatory
Source=$2      # mandatory
Destination=$3 # optional (will use ~/QubesIncoming/AppVM/ folder if null)

if [ -z "$Destination" ]; then
  Destination="$HOME/QubesIncoming/$AppVM/$(basename "$Source")"
  mkdir -p "$HOME/QubesIncoming/$AppVM"

if [ -e "$Destination" ]; then
  echo "'$Destination' exists; aborting" >&2
  exit 1

qvm-run --pass-io $AppVM "cat $Source" > "$Destination"

This document was migrated from the qubes-community project
  • Page archive
  • First commit: 04 Apr 2018. Last commit: 04 Apr 2018.
  • Applicable Qubes OS releases based on commit dates and supported releases: 3.2, 4.0
  • Original author(s) (GitHub usernames): taradiddles
  • Original author(s) (forum usernames): @taradiddles
  • Document license: CC BY 4.0