How to prohibit browsing with the default DVM template

I accidentally use Firefox with the default DVM template. Is it possible to prohibit browsing like with the Whonix DVM template?


Is setting the net qube to none an option?

Remove web browsers in this template

Compartmentalize and set none for default netVm qube. I have over 100 qubes for different tasks.

It looks like @kzlz is asking if a popup can be displayed instead of the installed browser when it is launched in the dvm template instead of an actual disposable.

Run these commands in your disposable template terminal:

# Create the per-user applications directory (no error if it already exists).
mkdir -p ~/.local/share/applications/
# Copy the system desktop file so the user copy overrides it.
cp /usr/share/applications/firefox-esr.desktop ~/.local/share/applications/
# Point the user copy at the wrapper script instead of the Firefox binary.
sed -i "s|/usr/lib/firefox-esr/firefox-esr|/usr/local/bin/firefox-esr|" ~/.local/share/applications/firefox-esr.desktop
cat << 'EOF' | sudo tee /usr/local/bin/firefox-esr > /dev/null
#!/bin/bash
# Do not run in a template.
if test -f /run/qubes/this-is-templatevm ; then
    exit 1
fi
# Do not run inside a Qubes disposable template (name contains "-dvm").
if qubesdb-read /name | grep -q -e '-dvm' ; then
    exit 1
fi
/usr/lib/firefox-esr/firefox-esr "$@"
EOF
sudo chmod +x /usr/local/bin/firefox-esr

But it’ll only work if your disposable template name ends with -dvm.


It worked. Thank you. Could you explain what I did?

The applications in the Qubes OS menu call the associated desktop files in the qubes.
So when you start the Firefox app using the Qubes OS menu, it'll search for the desktop file named firefox-esr.desktop and run it.
The firefox-esr package installs the default desktop file in this location:

/usr/share/applications/firefox-esr.desktop

But you can override this desktop file by placing a new desktop file with the same name in the user home directory:

~/.local/share/applications/

The files in the user home directory take precedence over the default system files in /usr/share/applications.

Then you create a script that checks whether it's running in a template or in a disposable template, and runs the Firefox binary only if it's running in an AppVM/DispVM.
And you change ~/.local/share/applications/firefox-esr.desktop so it runs this script instead of the Firefox binary directly.
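An added check, not part of the original posts: POSIX shell functions that resolve which firefox-esr.desktop wins under the lookup order described above and confirm that every Exec= line in it points at the wrapper. The function names are hypothetical, and the search order assumes the standard XDG_DATA_HOME / XDG_DATA_DIRS defaults.

```shell
# Added example (not from the thread). Function names are hypothetical.

# resolve_desktop ID: print the path of the .desktop file that wins for ID.
# The user directory ($XDG_DATA_HOME) is searched before the system
# directories ($XDG_DATA_DIRS), which is why the override takes effect.
resolve_desktop() {
    id=$1
    home_dir=${XDG_DATA_HOME:-$HOME/.local/share}
    sys_dirs=${XDG_DATA_DIRS:-/usr/local/share:/usr/share}
    old_ifs=$IFS
    IFS=:
    for d in $home_dir $sys_dirs; do
        if [ -f "$d/applications/$id" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/applications/$id"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# exec_targets FILE: print the program named on each Exec= line of FILE.
exec_targets() {
    sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$1"
}

# audit_override ID WRAPPER
#   0 = winning file has Exec= lines and all of them start WRAPPER
#   1 = some Exec= line bypasses WRAPPER, or there is no Exec= line
#   2 = no desktop file found for ID
audit_override() {
    file=$(resolve_desktop "$1") || return 2
    targets=$(exec_targets "$file")
    [ -n "$targets" ] || return 1
    # Keep only the targets that are NOT exactly the wrapper path.
    bad=$(printf '%s\n' "$targets" | grep -vxF -e "$2" || true)
    [ -z "$bad" ]
}

# Usage inside the disposable template:
#   audit_override firefox-esr.desktop /usr/local/bin/firefox-esr && echo OK
```

A non-zero result after a firefox-esr package update or a change to the desktop file means the menu entry may start the browser without going through the wrapper.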

Wouldn’t it be more efficient to check for the template_for_dispvms True pref than to check for the qube name?

You can’t check it from inside the qube.

I thought something like this?

[user@dom0 ~]$ qvm-tags my-dvm add template_for_dispvms

Then, to put in 30-user.policy

qubes.OpenInVM * @tag:template_for_dispvms @anyvm deny

At least looks more like Now You’re Thinking With Qubes

I think, as @XMachina said, the OP wants to disallow the browser start in the disposable template qube itself. E.g. when you open it using Qubes menu Q → TEMPLATES → default-dvm → Firefox ESR.

Yes, you are absolutely right. I just thought that actually nothing should be executed in any (kind of) template. At least I’m following that logic.