How to enable the new clipboard wiping by default

Continuing the discussion from Qubes OS 4.2.0-rc3 is available for testing:

For existing qubes, just make a script in dom0 (e.g. with qvm-service and qvm-ls).
For templates, there is no default setting; you need to use qvm-service.

For newly created app qubes, yes, it’s possible, somehow; it’s not really a default setting.
After a little bit of digging and testing, here we are.

https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-features.html#qvm-features-request-qubes-postinstall-service

You can use qvm-features-request to enable clipboard-wiping when a qube starts.
As explained in the above link, this command is used for:

VM package can advertise what services are supported.

It does work for enabling some services (e.g. qubes-firewall or qrexec):
For example, see /etc/qubes/post-install.d/10-qubes-core-agent-features.sh.

But, it doesn’t work with gui-agent-clipboard-wipe.
So we need to create our own “Extension handling”.

Extension handling


The following code is almost the same as the example in the dev documentation.
It will be called when you use qvm-features-request.

Extension

In dom0, create your extension.

[user@dom0 ~]$ cat /usr/lib/python3.11/site-packages/qubes/ext/clipboard_wipe.py 
# -*- encoding: utf-8 -*-

import qubes.ext

class ClipboardWipeExtension(qubes.ext.Extension):
    """This extension handles a qube enabling the Clipboard-Wipe service."""

    @qubes.ext.handler('features-request')
    def on_clipboard_wipe_request(self, vm, event, untrusted_features):
        untrusted_value = untrusted_features.get('service.clipboard-wiping', None)
        if untrusted_value != '1':
            return
        vm.features['service.gui-agent-clipboard-wipe'] = True

Entry point

Still in dom0, add your extension as an entry point.
It is needed to tell dom0 that your extension exists and how to handle the feature service.clipboard-wiping.

[user@dom0 ~]$ cat /usr/lib/python3.11/site-packages/qubes-4.2.17-py3.11.egg-info/entry_points.txt
[...]
[qubes.ext]
[...]
qubes.ext.clipboard_wipe = qubes.ext.clipboard_wipe:ClipboardWipeExtension
[...]

The entry point must match your file name and your class name.

After adding your entry point, a reboot is needed for it to take effect.
There may be a service (or something) to restart to avoid the reboot.
I didn’t search; a reboot was way faster.

Template config


Create two files in the /etc/skel directory of your template.
Everything in that directory will be copied (upon creation) to the home directory of a newly created app qube.

Enable clipboard-wiping

Create a script that will enable the clipboard-wiping service.
Also make the script delete the desktop file and itself.
It also needs to be executable.

[user@tpl ~]$ sudo chmod +x /etc/skel/clipboard_wipe.sh
[user@tpl ~]$ cat /etc/skel/clipboard_wipe.sh 
#!/usr/bin/bash

qvm-features-request --commit service.clipboard-wiping=1
rm -f /home/user/.config/autostart/clipboard_wipe.desktop \
      /home/user/clipboard_wipe.sh

The service.clipboard-wiping must match the untrusted_features.get('service.clipboard-wiping', None) in the extension.

Autostart desktop file

Create an autostart desktop file to launch your script.

[user@tpl ~]$ cat /etc/skel/.config/autostart/clipboard_wipe.desktop 
[Desktop Entry]
Name=Clipboard Wipe
Type=Application
Exec=/home/user/clipboard_wipe.sh

Remarks

Obviously, you will need to do that for all of your templates.
Automate it with a script in dom0.

Adjust to your needs.
e.g.
If you want to enforce the service, do not delete the desktop file and the script.
If you want to enforce it in the template, copy both files to its home directory.

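The dom0 script the post mentions for existing qubes and templates (qvm-ls plus qvm-service), written out as an added example that is not part of the original post. The CLASSES list, the QVM_LS / QVM_SERVICE override variables and the --apply switch are assumptions of this sketch; the service name is the one used in the extension above.

```shell
#!/usr/bin/bash
# Added example (not from the original post): enable the clipboard-wipe
# service on existing qubes from dom0, without needing the extension.

SERVICE="gui-agent-clipboard-wipe"       # service name from the post
CLASSES="AppVM TemplateVM StandaloneVM"  # assumption: qube classes to cover
QVM_LS="${QVM_LS:-qvm-ls}"               # hypothetical override hooks,
QVM_SERVICE="${QVM_SERVICE:-qvm-service}" # useful for a dry run

# Print the names of qubes whose class is listed in $CLASSES.
# qvm-ls --raw-data prints one qube per line, fields separated by '|'.
list_target_qubes() {
    $QVM_LS --raw-data --fields NAME,CLASS |
    while IFS='|' read -r name class; do
        case " $CLASSES " in
            *" $class "*) printf '%s\n' "$name" ;;
        esac
    done
}

# Enable the service on every target qube. A failure on one qube is
# reported and the loop continues; returns 0 only if all succeeded.
enable_clipboard_wipe() {
    failed=0
    for qube in $(list_target_qubes); do
        if $QVM_SERVICE --enable "$qube" "$SERVICE"; then
            echo "enabled $SERVICE on $qube"
        else
            echo "FAILED to enable $SERVICE on $qube" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Change qube settings only when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    enable_clipboard_wipe
fi
```

Running it with QVM_SERVICE='echo qvm-service' and --apply prints the commands instead of executing them.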