Feature request: Restricting moving/copying files/text between qubes

Before opening an issue for this feature request, I would like to discuss it here.

How to copy and paste text | Qubes OS reads:

However, one should keep in mind that performing a copy and paste operation from less trusted to more trusted qube is always potentially insecure, since the data that we copy could exploit some hypothetical bug in the target qube. […] Therefore, you should always copy clipboard data only from more trusted to less trusted qubes.

Besides “keeping in mind” and “you should [be careful]”, there should be a technical solution to that problem. I suggest restricting moving/copying files/text between qubes. The user should be able to configure for every pair of qubes in which direction(s) copying/moving of files/text is allowed (or not). When trying to copy/move files/text when it is not allowed, the operation should be aborted and an error message should appear stating the problem and giving a solution, e.g. “You cannot move/copy to the clipboard of qube Y from qube X. If you want to do so, please adapt the copying/moving rules in the settings of qube X.”.

With this feature, the user can enforce the rule not to copy from less trusted qubes to more trusted qubes. They can also enforce the rule not to copy secrets from a more trusted qube to a less trusted one. Thus, accidents can be avoided.

In summary, this feature request gives a security level not just a border color and a name but a technical implementation.

Drawback: Configuring the restrictions has complexity O(n^2) with n being the number of qubes.

The default for new Qubes installations should be “nothing allowed”.

The default for existing Qubes installations should be “everything allowed” (for compatibility reasons) or “nothing allowed” (for security reasons). In the latter case, an announcement could be helpful.

What do you think?

PS: The post What would you like to see improved in Qubes OS? - #169 by qubist seems to mention the problem, too:

Additionally, one may decide to take extra measures for not allowing copying from/to other qubes.

You can already achieve this using qrexec policies:

For example, to restrict file copy/move to/from one of your qubes you can add this policy:

qubes.Filecopy          *           MyProtectedQubeName     @default                 deny
qubes.Filecopy          *           *                       MyProtectedQubeName      deny

You can add it in Q → gear icon → Qubes Tools → Qubes Policy Editor → menu File → Open → 30-user.

5 Likes
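
To see what the two rules in the post above decide for a given copy attempt, here is an added example (not part of the thread and not Qubes OS code) that models qrexec's first-match evaluation in a simplified form. It understands only exact qube names, `*` and the literal `@default` token; the catch-all `ask` rule and the qube names `work` and `personal` are constructed assumptions.

```python
# Simplified model of qrexec first-match policy evaluation (added example).
# Supports only exact names, "*" and the literal "@default" token.
POLICY = """\
# The two rules from the post above
qubes.Filecopy  *  MyProtectedQubeName  @default             deny
qubes.Filecopy  *  *                    MyProtectedQubeName  deny
# Constructed catch-all standing in for a later default rule (assumption)
qubes.Filecopy  *  *                    *                    ask
"""

def parse(text):
    """Return a list of (service, argument, source, target, action) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        rules.append(tuple(fields[:5]))
    return rules

def matches(pattern, value):
    return pattern == "*" or pattern == value

def evaluate(rules, service, source, target, argument="+"):
    """First matching rule wins; a request that matches no rule is denied."""
    for svc, arg, src, dst, action in rules:
        if (matches(svc, service) and matches(arg, argument)
                and matches(src, source) and matches(dst, target)):
            return action
    return "deny"

RULES = parse(POLICY)

if __name__ == "__main__":
    # Constructed requests (source, target); "@default" means no target was named.
    for src, dst in [
        ("MyProtectedQubeName", "@default"),   # outgoing copy
        ("work", "MyProtectedQubeName"),       # incoming copy
        ("work", "@default"),                  # unrelated qube
        ("MyProtectedQubeName", "personal"),   # named target: rule 1 lists only @default
    ]:
        print(f"{src:20} -> {dst:20} {evaluate(RULES, 'qubes.Filecopy', src, dst)}")
```

In this model the last request falls through to the catch-all, because the first rule's target is `@default` and an explicitly named target is a different value.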

Thank you, apparatus, for your quick reply. I have not worked with qrexec policies before but it sounds very interesting. Editing a text file is feasible but very technical. I rather thought of a GUI solution since a non-tech user could easily make mistakes when editing files (I see that your first link points to the developer documentation). Is there already a GUI solution for editing qrexec policies? I found this:

Would it be worth mentioning (and linking to) the GUI policy manager on the pages How to copy and move files | Qubes OS and How to copy and paste text | Qubes OS?

PS: TBH, I screwed up my Qubes installation and have not had the time to reinstall it yet. So, currently, I am writing my ideas from memory and I cannot reproduce steps.

If you’re using Qubes OS 4.2 then there is already a GUI to configure some simple policies using Qubes OS Global Config.

4 Likes

@apparatus is correct on both counts. The requested features already exist.

1 Like

Thank you, @apparatus and @adw, I will first re-install Qubes OS and then try everything out. If I have more questions on that, I will come back here again.

2 Likes