Hello!
I would like to launch an app in a new disposable vm from another vm but with additional restrictions.
I am able to launch Thunderbird in a new vm with the following command:
qrexec-client-vm @dispvm qubes.StartApp+thunderbird
With the command, it appears the stdout of the remote program is forwarded to the calling vm. However, I would not like a trusted calling vm to receive anything back from an untrusted vm.
Question: Is there a way to prevent info from coming back?
I also don’t really need the calling vm to wait until the remote program exits. It is fine for me to have a simple signal to start the app.
Some partial workarounds I’ve tried:
- I see `qrexec-client-vm` has `--filter-escape-chars-stdout`, which may be helpful but does not solve the issue.
- On the target vm, I could redirect output away (`&>/dev/null`) but this relies on the untrusted vm to behave. I am looking for something on the caller side.
Thank you community!