How I can run any vm from another vm?

How I can run any vm [and/or an app] from another vm?

I need to create a vm (let’s say control-panel-vm) that executes others vms. So that I don`t have to place many Launchers icons in Qubes desktop.

PS.: I had partial success with:

user@control-panel-vm:~$ qvm-run-vm @dispvm firefox

It runs firefox from a disposable vm from default-dvm. That is good but I`m after something like:

user@control-panel-vm:~$ qvm-run-vm anyVM anyApp 

You could set a policy allowing control-panel-vm to use qubes.VMShell

Copy the relevant sections from /etc/qubes/policy.d/90-default.policy to a
new file, /etc/qubes/policy.d/10-vmshell.policy
Set the policy as you will -
e.g, a line like qubes.VMShell * control-panel-vm work ask
will allow you to run any installed application in the work qube from
control-panel-vm, after a prompt.

If you do this you should read carefully the health warning in
90-default.policy about using VMShell

WARNING: The qubes.VMShell service is dangerous and there are really few
cases when it could be safely used. Especially when policy set to "ask" you
have no way to know for sure what command(s) will be called. Compromissed
source VM can substitute the command. Allowing one VM to execute
qubes.VMShell over the other VM allows the former to TAKE FULL CONTROL over
the later. In most cases this is not what we want!

Instead we should be using task-specific qrexec services which provide
assurance as to what program will be responding to the (untrusted) VM
1 Like

EDIT: unman, who replied the same time I did, has a better and more specific answer. Nonetheless you may find the link I included to be of interest in case you don’t want to use qvm-run (which is actually pretty scary from a security sytandpoint). What you want to do can be done by other mechanisms more safely but it will be more work–this is the qrexec his quoted warning message references.

With qrexec you can in theory run any app on any VM.

I imagine that you will want to restrict things…for example ONLY run certain apps on certain VMs.

I don’t know your level of knowledge about QubesOS so if you already know this, I apologize, but the general mechanism involved is qrexec, and it is regulated/restricted by policy files. The policy files are something you can edit, to allow exactly those things you want to allow:

I’ve done a lot with such things (though not the sorts of things you’re talking about) and the system works well for straightforward things like this. (More complex cases get more interesting and sometimes counterintuitive.)

1 Like