Did I compromise my sys-* security?

When I made my sys-* qubes disposable, I based them on my Fedora-35-dvm, but I just now realized that this disposable template has a net-vm (vpn-vm) assigned to it, for when I load disposables to browse and perform online functions.

Question: Did I make a mistake by using this network connected template as the template for my disposable sys-* qubes?

No networking is assigned to those specific VMs (i.e. sys-usb), but of course the template is net connected, which I know is not smart.

Please help clarify if I have made a mistake in this respect and what the security implications of it are.

I take it the proper solution is to have a disposable template without an assigned net-vm and base them off that.

To add:

My sys-usb has ‘provides network’ checked. Is this expected?

I’m thinking the issue here is that I mistook disposable templates for being treated similarly to regular templates, in that the disposable templates are actually AppVMs that get their root from regular template VMs, and so having an internet connection to that AppVM doesn’t risk compromise of the underlying root file system the same way that it would in a regular template VM with a persistent root.

In a regular Template VM, if a net-vm is directly attached, there is a risk of the root file system being altered without any of the protections of the proxy update system.

By assigning a network vm to a Disposable Template AppVM there should be no additional risk if the Disposable AppVM itself does not have a network VM assigned. Is this correct?

Sorry for being long-winded but I confused myself a bit here.

Well, it depends on what happens inside the disposable template. Merely having a net qube assigned doesn’t do anything if the connection is never used. However, suppose you do some untrusted web browsing in the disposable template, for example. Any subsequent disposables generated from this disposable template should likewise be untrusted.
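
The settings discussed in this thread can be read back from dom0. The following is an added example, not part of any post above: it prints, for each named qube, its own `netvm`, its template, the template's `netvm`, and `provides_network`, so the qube's setting can be compared with the disposable template's. Assumptions: `qvm-prefs` prints an empty line or `None` when no net qube is set, and the `QVM_PREFS` override and function names are hypothetical helpers for this sketch.

```shell
#!/bin/sh
# Added example for dom0. QVM_PREFS may point at a stub for offline testing.
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# Print one property of a qube; "no value" (empty output or "None") becomes "-".
prop() {
    v=$("$QVM_PREFS" "$1" "$2" 2>/dev/null) || v=""
    case "$v" in
        ""|None) echo "-" ;;
        *)       echo "$v" ;;
    esac
}

# One report line per qube. The last field is descriptive, not a verdict:
#   isolated           - neither the qube nor its template has a net qube
#   networked          - the qube itself has a net qube (expected for e.g. sys-firewall)
#   template-networked - only the template has one; as the reply above says,
#                        what matters then is what was done inside that template
audit_qube() {
    q=$1
    net=$(prop "$q" netvm)
    tpl=$(prop "$q" template)
    provides=$(prop "$q" provides_network)
    tplnet="-"
    if [ "$tpl" != "-" ]; then
        tplnet=$(prop "$tpl" netvm)
    fi
    if [ "$net" != "-" ]; then
        state="networked"
    elif [ "$tplnet" != "-" ]; then
        state="template-networked"
    else
        state="isolated"
    fi
    echo "$q netvm=$net template=$tpl template_netvm=$tplnet provides_network=$provides $state"
}

# Stand-alone use in dom0:  sh audit.sh sys-usb sys-net sys-firewall
if [ "$#" -gt 0 ]; then
    for q in "$@"; do
        audit_qube "$q"
    done
fi
```

A `template-networked` line for sys-usb matches the situation described in the question: no net qube on the disposable itself, one on the disposable template it is based on.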