Do network service qubes require a disposable vm?


This is not exactly what I’m suggesting. I know that a DisposableVM based on a non-networked DVM Template will not have networking.

I suggest that the system should have a separate, preconfigured, non-networked DVM Template by default, which is used for “default DisposableVM Template” in various other AppVMs/TemplateVMs. Otherwise, as I mentioned above, an offline AppVM (or TemplateVM!) could in principle access the Internet.

I think my concern is that there’s a low-cost deanonymization attack vector in VMs that are upstream of a VPN or TOR connection that will bypass that VPN or TOR connection. Information disclosure and/or “persona disclosure” could break compartmentalization.

Avoiding the discussion on the default settings being secure and preventing the user from (unintentionally?) undermining them by changing them… how about…

Perhaps there should be a new Qubes RPC policy that monitors when the invoking VM and the disposable VM have different network VMs assigned (including the case where the invoking VM has none but the disposable has network). The default policy would then be ASK (giving the reason of potential unintentional informational/persona disclosure)?

If this is already done/in the works, apologies.
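
The mismatch check proposed in this thread, sketched as an added example (not code from the thread or from Qubes OS): it compares each qube's upstream netvm chain with that of its default disposable template and reports the cases that would warrant an ASK. The inventory and qube names are constructed; only the property names `netvm` and `default_dispvm` follow Qubes.

```python
# Constructed inventory, not taken from a real system. Qube names are made up;
# "netvm" and "default_dispvm" mirror the Qubes property names.
QUBES = {
    "sys-net":      {"netvm": None,           "default_dispvm": None},
    "sys-firewall": {"netvm": "sys-net",      "default_dispvm": None},
    "sys-vpn":      {"netvm": "sys-firewall", "default_dispvm": None},
    "default-dvm":  {"netvm": "sys-firewall", "default_dispvm": "default-dvm"},
    "offline-dvm":  {"netvm": None,           "default_dispvm": "offline-dvm"},
    "vault":        {"netvm": None,           "default_dispvm": "default-dvm"},
    "vpn-work":     {"netvm": "sys-vpn",      "default_dispvm": "default-dvm"},
    "personal":     {"netvm": "sys-firewall", "default_dispvm": "default-dvm"},
    "notes":        {"netvm": None,           "default_dispvm": "offline-dvm"},
}


def net_chain(qubes, name):
    """Return the upstream netvms of `name`, nearest first, up to the uplink."""
    chain = []
    current = qubes[name]["netvm"]
    while current is not None and current not in chain:  # guard against loops
        chain.append(current)
        current = qubes[current]["netvm"]
    return chain


def audit(qubes):
    """Map qube name -> reason, for qubes whose disposables use another network path."""
    findings = {}
    for name, props in qubes.items():
        dvm = props["default_dispvm"]
        if dvm is None:
            continue
        src, disp = net_chain(qubes, name), net_chain(qubes, dvm)
        if src == disp:
            continue  # same path: nothing to ask about
        if not src:
            findings[name] = "offline qube, networked disposable"
            continue
        # Gateways (VPN, Tor, ...) the invoking qube sits behind but the disposable skips
        bypassed = [gw for gw in src if gw not in disp]
        if bypassed:
            findings[name] = "disposable bypasses " + ", ".join(bypassed)
        else:
            findings[name] = "different network path"
    return findings


if __name__ == "__main__":
    for qube, reason in audit(QUBES).items():
        print(f"ASK  {qube}: {reason}")
```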