Hello,
Qubes OS provides write protection for the root filesystem via templates. To also clean up home, disposables can be used.
What I now really would like to do:
- create a fully immutable app qube with volatile root and home
- keep one (or certain) folders inside home persistent
Qubes template docs already list some of its potential advantages:
It is possible that malware, especially malware that could be specifically written to target Qubes, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be:
.bashrc
, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user’s home directory.
[…] the problem of finding malware hooks in general is hard
Also note that the user filesystem’s metadata might got maliciously modified by malware in order to exploit a hypothetical bug in the app qube kernel whenever it mounts the malformed filesystem.
An immutable- by-default filesystem in combination with minimal templates would reduce attack vectors, provide clean state on restart and give an easy mental model, where to look for potential malware.
Example case for me is a specific self-contained AppImage (*1) jailed in a sandbox. This app relies on one persistent data
folder, which gets mutated during usage. Otherwise no write access should be permitted to other folders in home.
My first idea has been to use disposables in combination with bind-dirs (*2), but according to #3704 (*3), this does not seem to be possible yet.
I also found a second issue “Feature suggestion: optionally immutable /home #3258” (*4). There has been done some work (*5) by @tasket . User 3hhh mentioned (*6), a folder can be mounted somehow with qvm-block
inside a disposable as a kind of persistent storage. Based on my little experience with Qubes OS, I cannot fully understand and judge both solutions yet.
So I am asking: Has there been some progess on this area or is something planned? What would be the easiest, up-to-date, non-hacky solution for disposables with whitelisted persistent folders?
Thank you for this great project!
Note:
I could only post max. two links (new user restriction). So I cut the remaining here:
*1: _appimage.org
*2: _www.qubes-os.org/doc/bind-dirs/
*3: _github.com/QubesOS/qubes-issues/issues/3704#issuecomment-538323722
*4: _github.com/QubesOS/qubes-issues/issues/3258
*5: _github.com/QubesOS/qubes-issues/issues/3258#issuecomment-340436310
*6: _github.com/QubesOS/qubes-issues/issues/3258#issuecomment-725516370